Security Laboratory: Wireless Security
This series covers wireless security. We will post papers on the latest threats as well as fundamental tutorial information you need to design and pen test a wireless network.
Other Related Articles in Security Laboratory: Wireless Security
Hardware Hacking: Linksys WRT54G
By Stephen Northcutt
We recently did a book review of Paul Asadoorian and Larry Pesce's Linksys WRT54G: Ultimate Hacking and we were so intrigued with the work they did, we asked Paul if he was willing to participate in an interview for the Security Lab, and we certainly thank him for his time! Paul, what is “Embedded Device Hacking”?
To understand how knowledge of embedded devices can benefit you, and your organization, you must understand the definition of an embedded device. Embedded devices, or embedded systems, are defined as a set of hardware and/or software designed to perform a small set of dedicated tasks. These small, purpose-built, systems are all around us in the form of printers, network switches, wireless routers, cell phones, network cameras, etc. The list is truly endless as embedded systems become the mainstay for providing services that we use on a daily basis, such as that long distance telephone call to a client or wireless Internet access at your favorite coffee shop.
How does hacking come into play with embedded devices? What does it mean? I remember reading a paper on NTP trickery that could impact embedded devices, but the book goes way beyond that. How do you define embedded device hacking?
Well, Stephen, there are four different categories of embedded device hacking:
Building an Embedded Device. There are many different embedded systems available to end-users for building and customizing. Most often, experiences with these systems are masked by larger vendors providing a service. A great example of this is a wireless solutions provider, who buys and customizes embedded devices and re-sells them to you in the form of access points. For large organizations, this works well as they do not have to go through all the work of finding an embedded platform and developing software for it. However, for small projects and tasks it may be worthwhile, from a cost and customizability standpoint, to build and develop your own embedded system. There are two companies, Soekris  and Routerboard , that make this very easy. They provide the hardware and make it compatible with Linux and/or BSD operating systems, which already have many tools available to easily build and customize your own operating system and subsequently embedded system. This process is often referred to as “hacking”, because you are taking a device and using it for your own purposes, not necessarily one for which it was intended. Special projects in this category can include building your own mesh wireless public network or Asterisk VoIP PBX.
Customizing an Existing Device Creating your own embedded device platform can be quite an extensive process, but offers the most flexibility. For this reason, and many others such as cost, you can find many off-the-shelf products, such as wireless routers, that can be “hacked” to run different software and provide functions for which they were not intended. The best example is the Linksys WRT54G  series routers, which have a long history of hacking and have become such a staple for embedded hackers that Linksys produces a special version, the WRT54GL. This model, and others, allows hackers to replace the stock operating system (called “firmware”) with customized versions. Most of the third-party firmware offerings use Linux and other open-source tools to unlock the devices and allow the user to customize functionality. This allows you to take a $59 WRT54GL router, and turn it into a wireless sniffer, customized DNS/DHCP, and even a wireless bridge. OpenWrt  is a popular firmware replacement for the WRT54G platform, as well as many other embedded devices, and is used and re-branded by several other projects.
Using Embedded Devices to Hack Computer Networks Whether you’ve built an embedded system yourself, or customized an existing platform, a great use case is penetration testing. Having a small device with wireless and routing capabilities is a perfect hardware platform to hide in a customer's network as a backdoor. Once planted in the target network, you can then use it as a gateway for other attacks, and/or use it sniff the wireless network for analysis.
Attacking Embedded Devices Embedded systems are often forgotten about when it comes to firmware upgrades and security. They are typically found on the “inside” of the network where protections tend to be relaxed in favor of the “If it's not broke don’t apply updates or security to it” mentality. What most do not realize is that network embedded systems, such as printers, switches, and access points, carry your organization's most sensitive information. Attacking these systems potentially allows attackers to access, or eavesdrop, on these pathways and steal your organization’s most prized assets.
I understand there is a SANS course that can help me understand embedded devices and the security aspects?
But of course! SANS SEC 535, Network Projects Using Hacked Wireless Routers, is a one-day course that focuses on embedded systems. In this course you will learn the components that make up an embedded system, in this case the WRT54GL router (included with the course). Understanding the hardware and software in this router will allow you to further customize it, build your own embedded systems and, more importantly, understand how to attack and secure embedded systems in your own environment. You will gain hands on experience customizing firmware and using it to sniff wireless networks, create network bridges, and build customized VPN tunnels and DNS/DHCP servers. This is a fun and exciting new course! One of the distinctions of SANS courses is that they ask authors to do an "Author Statement", mine is shown below:
Let's try to get our arms around this topic a bit more; how do I hack an embedded device and put new firmware on it? What are the basic steps?
[Below is an excerpt from “Linksys WRT54G Ultimate Hacking”, the book, written by Paul Asadoorian and Larry Pesce we mentioned earlier, dedicated to hacking the WRT54G series routers by installing custom firmware and software]
For the WRT54G series, this process is fairly straightforward. Using the TFTP protocol, you can send the router new firmware. Below are some general guidelines to follow before you get started, as a mishap during the process could cause your device not to function properly:
2. Connect the computer and WRT54G to a reliable power source.
3. Connect the computer to the WRT54G with a reliable Ethernet cable. Verify the link lights on the computer (if available, typically they are solid green) and the WRT54G.For most WRT54G models, the LED associated with that port should be solid green and flashing when there is activity.
4. Assign a static IP address to the computer in the 192.168.1.0/24 subnet (e.g.,
192.168.1.10/24,or anything that is not 192.168.1.1 and a valid IP address) and disable any DHCP clients on the host in accordance with the operating system instructions.
5. To ensure that there are no stale ARP entries, remove the entry for 192.168.1.1 by issuing the command arp –d 192.168.1.1.This command should work in OS X, Linux,and Windows; however, refer to your operating system-specific documentation for more details.
6. On the computer, if you are using Linux or OS X, issue the appropriate TFTP commands , being certain to use 192.168.1.1 as the destination. Do not yet send the image (via the TFTP put command) to the WRT54G.
7. Unplug the WRT54G from its power source.
8. Send the firmware image via TFTP. For Linux and OS X, run the TFTP put command. For Windows, run the tftp command.
9. Plug the power source back into the router, making sure that you do not unplug the router while the TFTP transfer is taking place or in the time thereafter.
10. Once the firmware transfer completes, the router will then reboot on its own and you should be able to ping it (using the command ping 192.168.1.1).
For reference, the TFTP commands to send new firmware to a device are:
irmware>tftp –I 192.168.1.1 put openwrt-wrt54g-squashfs.bin
Only the first two commands are different, the rest are exactly the same as the Linux commands above:
Thanks for that, and before I hack my Linksys, is there a risk to this? Can anything go wrong?
Oh yes, Stephen, you need to follow the process or you may create a brick; that is the term we use to describe what used to be an embedded device that, after frying its firmware or running its clock too fast and burning it up, now has the functionality of a piece of building material. In the book and in the class we talk about recovery strategies, of course, but sometimes we end up with a brick.
What will the future bring for embedded systems?
The trend of making embedded devices more ubiquitous will continue. Our everyday lives will include more time interfacing with small, embedded computers, including everything from the gas pump, to the supermarket checkout, cell phone, and your car navigation system. Tasks that are normally performed by analog devices will be performed by embedded systems; for example, paperback books and newspapers are being replaced by embedded devices such as ebook readers. The trend to interconnect embedded devices will continue, as we see more TV and DVD players using wireless connectivity to get updates, and car navigation systems running software from Microsoft. This sets the stage for attackers to target embedded systems in favor of the personal desktop or laptop computer. Security professionals must come to understand these platforms, how they work, how users interact with then, and, most importantly, how to secure them.
Great, I appreociate that! Can you tell us just a bit about yourself?
I (GCIA, GCIH) currently work for OSHEAN as the Senior Network Security Engineer, providing penetration testing, security training, and intrusion detection services to colleges, universities, and non-profits in the New England area. My previous positions include Lead IT Security Engineer for a large University where I was responsible for intrusion detection, firewalls, VPN, and networking assessments/penetration testing in the educational IT space, and providing similar services to a company in the lottery industry. I speak frequently on topics such as wireless security at events such as MIT Security Camp. My security research has been featured in numerous publications, including Network Intrusion Detection, 3rd edition, Securityfocus.com, (IN)Secure Magazine, and the SANS Reading Room.
Fantastic, thanks and just to share a bit more:
In addition to owning and operating an independent security consulting company, Defensive Intuition, Paul is also the host of PaulDotCom Security Weekly, a weekly podcast discussing IT security news, vulnerabilities, hacking, and research, including interviews with some of the most respected security professionals. He is also the co-author of Linksys WRT54G: UltimateHacking, a book dedicated to embedded device hacking and wireless security. He holds two SANS GIAC certifications, intrusion detection (with honors) as well as incident handling and hacker exploits, in addition to teaching and authoring courses for The SANS Institute, including SEC535 “Embedded Device Hacking." Paul graduated from Bryant College with a degree in Computing and Information Systems, and is currently on the SANS GIAC advisory board.
6. http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf - “Attacking Consumer Embedded Devices”