In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this has been exciting and brought much needed attention to the issue, little has been done to help with the defense of these devices. There is a great deal of confusion on this topic due to the broad term “Medical Device”. In this presentation, we will clarify the issue, divide it into three separate categories with their own unique problems, and dispel the FUD around medical devices. Additionally, the recent GAO report published by the US Congress will prompt action by various regulatory bodies on the issue of security. These agencies are not designed to evaluate the security of embedded computers, and without guidance, will cause more problems than they will solve. This presentation will provide realistic recommendations on what can be done by regulatory agencies to bolster the defense of medical devices and highlight specific focus areas the community should be targeting with future research. This presentation will focus on what can be done by regulatory agencies to bolster the defense of medical devices as well as what the community should focus on going forward in research.

We present FRAK**, the firmware reverse analysis konsole. FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images.

We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers.

Near Field Communication (NFC) has been used in mobile devices in some countries for a while and is now emerging on devices in use in the United States. This technology allows NFC enabled devices to communicate with each other within close range, typically a few centimeters. It is being rolled out as a way to make payments, by using the mobile device to communicate credit card information to an NFC enabled terminal. It is a new, cool, technology. But as with the introduction of any new technology, the question must be asked what kind of impact the inclusion of this new functionality has on the attack surface of mobile devices. In this talk, we explore this question by introducing NFC and its associated protocols.

Next we describe how to fuzz the NFC protocol stack for two devices as well as our results. Then we see for these devices what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls. So next time you present your phone to pay for your cab, be aware you might have just gotten owned.

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.

In this two-hour extended session, Joe will introduce the JTAGulator, a hardware tool that assists in identifying OCD connections (specifically JTAG, Texas Instruments Spy-By-Wire, and Microchip ICSP) from test points, vias, or components pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces. Joe will have some prototype JTAGulators available for attendee experimentation."

In 2012, Capitol Hill Consultants LLC (CHC) was awarded a Cyber Fast Track (CFT) project focused on an overall analysis of the Machine 2 Machine (M2M) landscape. M2M, a new movement in technology which incorporates the cellular/wireless augmentation of legacy engineering applications such as automobiles, medical devices, and SCADA, bridges our physical lives with digital systems. After an initial analysis of over two-hundred M2M-centric companies world wide, the team isolated a group of approximately eighty (80) organizations whose business plan directly involved M2M solutions. The CHC team spent the next few months analyzing products and services from those organizations, categorizing the tools and technologies used in the development and deployment of M2M solutions. The result is the M2M Risk Assessment Guide, a fully encompassing play book for M2M security to be released for the first time at Black Hat Amsterdam 2013. The Guide provides both engineers and analysts with a strategy for auditing existing products and securely designing new prototypes. It provides high level insight into the six (6) primary M2M industries while delving deep into the low level components used to effect solutions in each industry. The presenter will provide a walk through of how the Guide can be used by a consulting team or an internal security team, and how it can be easily augmented as M2M evolves.

Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often have at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board & open-source Python tools for doing the capture. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work

As vehicles rely more on communication systems to handle distributed systems, Denial Of Service is likely the most pressing issue network engineers face. I will demonstrate the basic operations to enable such an attack and I will discuss test on various automotive platforms and how they reacted to a denial of service attack while comparing the over all performance of the industry. Also we will explore how to correct these issue in the future.