Offensive IoT for Red Team Implants – Part 1


This is part one of a multi-part blog series on researching a new generation of hardware implants and how borrowing solutions from the world of IoT can unlock new capabilities.

Background

Back in April 2023, I took a deep dive into the state of cybersecurity in space systems. One of the initial goals of the effort was to learn as much as I could and then build something that others could get their hands on to get a first taste of how things in space work. That goal was realized at Wild West Hackin' Fest in October 2023, where two 1U CubeSats were deployed for attendees to work through a guided lab that mimicked real-world threats to space systems.

Why am I telling you this? As part of the development process for the CubeSat labs, I knew the success or failure of the effort depended on having a solid bi-directional communication system: one that not only received telemetry from the CubeSats but, most importantly, also allowed telecommands to be issued remotely without being physically connected to the CubeSat.

Ultimately, I settled on an implementation built on LoRa (Long Range) modulation because it was relatively affordable, operated in the US 915 MHz ISM band (so it required neither specialized RF circuitry nor a license to operate), and avoided the grossly overcrowded 2.4 GHz portion of the spectrum.

For the CubeSats themselves, I used a commercially available breakout board built around an RFM95 LoRa module, and it worked well. For the ground-station side, however, I could not just plug one of those breakout boards into a computer, so I ended up developing a custom PCB that used the same RFM95 LoRa module as the commercial option but added a Raspberry Pi Pico W to control the module and interface with the computer.

It all worked, the labs were a success but, again, why is this important? Well, let’s dive in…

0x01: Hardware

Right before the 2023 holiday season, I was talking with a friend about possible practical applications of the CubeSat research. Thinking through the details of the CubeSat project, it did not take long before I homed in on the foundational element that made it all possible: communications. Specifically, command and control of a remote system over LoRa. That was it; that was the key. I knew there would be a way to pivot from CubeSats to using that communication channel for offensive purposes.

Like most projects I start, I just dove in headfirst, without so much as a quick Google search to see if anyone else had done, or was doing, what I had in mind. YOLO dev, am I right??

For the rest of this post, I am going to focus on the hardware only. I may mention some software aspects, but I will not go into detail about software specifics beyond functionality and capabilities. Do not fret though: part two of this series will focus on the software and implementations, so stay tuned.

If you remember, in the background section I ended up creating a custom PCB to facilitate PC-to-LoRa-module communication. Well, that was the result, but it started here. It actually started on a breadboard, but this is what came next: a PCB with a Raspberry Pi Pico W and an Adafruit RFM95 LoRa module soldered to it using through-hole header pins.

Unpopulated Through-Hole PCBs

First Iteration of a Pico-LoRa Board

This setup worked well for my testing purposes, and there really was nothing wrong with it other than the cost being higher than I wanted: roughly $32 USD per board, give or take.

Eventually, after multiple failed PCB designs, I ended up with a PCB that used surface-mount components and brought the cost down to roughly $14 USD per board, and I got to learn all about PCB design and fabrication along the way; win-win.

Completed Pico-LoRa PCB in Acrylic Case

Cool, so we have hardware now what? I am so glad you asked.

First, we need a little primer on LoRa.

“LoRa (short for long range) is a spread spectrum modulation technique derived from chirp spread spectrum (CSS) technology. Semtech’s LoRa is a long range, low power wireless platform that has become the de facto wireless platform of Internet of Things (IoT).”

I am not going to bore you with the details of chirps and whatnot, but what you really need to know is that LoRa is a low-bandwidth communication scheme that can traverse much greater distances than, say, traditional Wi-Fi in the 2.4 or 5 GHz bands. (NOTE: 802.11ah HaLow is the exception here, since it also operates below 1 GHz; range should be more or less the same given the same output power.)

Now, imagine bolting on the ability to communicate with a device over LoRa, instead of using the more ubiquitous Wi-Fi options typically found on physical implant devices. Are you with me?

I am not going to name any specific physical implant devices, but you know the type of device I am talking about: those that emulate keyboard and mouse input and automatically run commands and scripts (as well as other attacks), mostly automagically, as soon as the device is connected to a host computer.

This class of physical implant device works well, but there are some limitations you must account for when using them. The biggest is control of the device itself. With most of the common implants out there, you basically have a handful of options. The first is to have the device use the host computer's internet connection to reach a web service where control commands can be issued and relayed back to the device. This often works, but there is no guarantee the host has unfiltered egress. A similar option is to have the device join an open Wi-Fi network and backhaul command-and-control traffic over it; again, this works, but it relies on an open network being present. Bluetooth can also serve as a C2 channel, but it is limited in range and, in some cases, the appearance of a new Bluetooth device in the environment is an instant indicator that something is afoot. The same goes for having the implant host its own wireless network that you, as the operator, connect to in order to control it: it suffers the same range and detection problems as Bluetooth.

LoRa enters from stage left…

By using LoRa-based communication for command and control of a physical implant, many of these limitations and potential points of detection go away. For instance, many mature organizations have robust wireless intrusion prevention systems (WIPS) that can detect a rogue access point or even a rogue Bluetooth device. How many people have even thought about detecting LoRa, much less actually implemented a method for doing so? Unlike other IoT protocols such as Zigbee (and the XBee modules that typically carry it), which primarily operate in the heavily populated and, in some cases, monitored 2.4 GHz spectrum, the 915 MHz band used by LoRa is largely unmonitored, especially from a rogue-device perspective. Simply augmenting the existing communication options of current-day physical implants with a LoRa-based channel considerably lowers the likelihood of detection over the air.

You may be asking yourself, “Couldn’t you just monitor the airwaves for LoRa devices?” That is a great question. The answer is yes, you can, BUT it is not as simple as that. First, LoRa is a proprietary modulation scheme (owned by Semtech) that requires dedicated radio hardware to use. That also means you need hardware that understands LoRa modulation in order to listen to it.

You can use software-defined radios, like the RTL-SDR or HackRF, to pick up on the potential presence of LoRa communications by looking for the characteristic chirps, but out of the box that is about it: the SDR software will show you that something is happening, not what. (Open-source GNU Radio LoRa decoders such as gr-lora exist, but they still need to be told the channel, bandwidth and spreading factor up front.) Here is the kicker though: remember how LoRa “has become the de facto wireless platform of Internet of Things (IoT)”? That is a very true statement, and there is very likely a device using LoRa within range of wherever you are reading this. Everything from power and gas meters to the proliferating crop of “smart devices” uses LoRa to communicate. There are entire global wide-area networks built on LoRa and the LoRaWAN protocol layered on top of it to carry data between IoT devices and the internet.

Even if you are able to detect the presence of a rogue LoRa device within your environment, you are going to have an uphill battle isolating it, communicating with it, and seeing what data is being sent over this out-of-band channel. Assuming you can identify the traffic, you need to configure a LoRa radio to the exact same settings, such as frequency, spreading factor (SF), bandwidth (BW), sync word and, for implicit-header mode, coding rate (CR), before you will see the content of the data stream. Then you would also need to brute-force the node address the data is being sent to; luckily, with the single-byte address field used by common driver libraries (RadioHead and the Adafruit RFM9x drivers, for example), there are only 256 possibilities. Lastly, if you do manage to tune your radio with all of these parameters, you are probably going to be faced with encrypted data. Again, good luck.
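To make the size of that search concrete, here is an added example (my own code, not the author's or any project's) that computes LoRa frame time-on-air from the SX1276 datasheet formula and then totals how long a round-robin scanner has to dwell on each bandwidth/spreading-factor pair to be sure of catching a preamble. It assumes the three bandwidths most RFM95 setups use, SF7 through SF12, the RFM95 default 8-symbol preamble, explicit header with CRC, and a single-byte node address; the sample frame (10 bytes, SF7, 125 kHz, CR 4/5) is constructed for illustration.

```python
"""Added example: cost of blind-scanning for an implant's LoRa traffic.

Not code from the original post. Time-on-air formula from the SX1276
datasheet (section 4.1.1.7); the scan grid and address size are assumptions.
"""
import math
from itertools import product

# Receiver settings a monitor must cycle through when it does not know how
# the implant is configured (assumed: the three common RFM95 bandwidths and
# the full SF7..SF12 range).
BANDWIDTHS_HZ = (125_000, 250_000, 500_000)
SPREADING_FACTORS = tuple(range(7, 13))
PREAMBLE_SYMBOLS = 8          # RFM95 default preamble length
NODE_ADDRESS_SPACE = 256      # one-byte destination field, RadioHead-style (assumed)


def symbol_time(sf, bw_hz):
    """Duration of one LoRa chirp: 2^SF chips at BW chips per second."""
    return (2 ** sf) / bw_hz


def lora_time_on_air(sf, bw_hz, cr, payload_len, preamble_syms=PREAMBLE_SYMBOLS,
                     crc=True, implicit_header=False, low_dr_opt=None):
    """Seconds a single frame occupies the channel.

    cr is the coding-rate index: 1 for 4/5, 2 for 4/6, 3 for 4/7, 4 for 4/8.
    """
    t_sym = symbol_time(sf, bw_hz)
    if low_dr_opt is None:
        # Semtech's rule: enable LowDataRateOptimize when a symbol exceeds 16 ms
        # (SF11/SF12 at 125 kHz, SF12 at 250 kHz).
        low_dr_opt = t_sym > 0.016
    t_preamble = (preamble_syms + 4.25) * t_sym
    numerator = 8 * payload_len - 4 * sf + 28 + 16 * int(crc) - 20 * int(implicit_header)
    denominator = 4 * (sf - 2 * int(low_dr_opt))
    payload_syms = 8 + max(math.ceil(numerator / denominator) * (cr + 4), 0)
    return t_preamble + payload_syms * t_sym


def preamble_dwell(sf, bw_hz, preamble_syms=PREAMBLE_SYMBOLS):
    """How long a scanner must sit on (bw, sf) to see a whole preamble
    if a frame starts while it is listening."""
    return (preamble_syms + 4.25) * symbol_time(sf, bw_hz)


def scan_plan():
    """[((bw, sf), dwell_seconds), ...] for every PHY setting in the grid.

    Coding rate is deliberately not part of the grid: in explicit-header mode
    the header tells the receiver the payload CR, so only BW and SF must match.
    """
    return [((bw, sf), preamble_dwell(sf, bw))
            for bw, sf in product(BANDWIDTHS_HZ, SPREADING_FACTORS)]


def sweep_time():
    """Seconds for one full pass over the grid (sum of the dwells)."""
    return sum(dwell for _, dwell in scan_plan())


def catch_probability(config):
    """First-order estimate of the chance that a single, randomly timed frame
    on `config` = (bw, sf) begins while a round-robin scanner is on that setting."""
    bw, sf = config
    return preamble_dwell(sf, bw) / sweep_time()


def search_space():
    """(PHY setting, node address) pairs an eavesdropper must consider before
    even reaching the application-layer encryption."""
    phy_settings = len(BANDWIDTHS_HZ) * len(SPREADING_FACTORS)
    return {"phy_settings": phy_settings,
            "with_addresses": phy_settings * NODE_ADDRESS_SPACE}


if __name__ == "__main__":
    # Constructed sample: a 10-byte C2 beacon at SF7 / 125 kHz / CR 4/5.
    beacon = lora_time_on_air(sf=7, bw_hz=125_000, cr=1, payload_len=10)
    print(f"10-byte SF7 frame: {beacon * 1000:.1f} ms on air")
    print(f"full scan sweep:   {sweep_time() * 1000:.0f} ms")
    print(f"P(catch a random SF7 beacon) ~ {catch_probability((125_000, 7)):.3f}")
    print(search_space())
```

The catch probability is a first-order estimate (it ignores frames that start just before the scanner arrives and assumes the receiver needs a full preamble to lock), but the shape of the result is the point: a 10-byte SF7 beacon is on the air for about 41 ms, while a naive scanner spends about 1.4 s per sweep across just 18 bandwidth/SF pairs, so most beacons are never seen, and that is before the 256 addresses and the payload encryption come into play.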

You will be better off just trying to find the rogue device than trying to see the data stream. Time to go fox hunting.

Needless to say, it can be very difficult to detect whether a device is using LoRa, much less a rogue device connected to one of your organization’s assets. Got it: hard to detect with current tooling. But why else should LoRa be used? Again, another fantastic question, my reader friend!

The short but long (pun intended) answer is range. I will not bore you with the physics of radio propagation versus frequency, but the ability to plant a device and then control it remotely, without needing to be in close proximity to it, is kind of important. You don’t want to get caught loitering outside the secretary’s office trying to run an attack, right?

This is where LoRa can shine. In July 2023, a new world-record distance for a LoRa transmission being received was set at 830 miles.

Understand that this is far from the norm, but it is roughly a 4.3x increase over the world-record Wi-Fi connection. Expecting a ~4.3x improvement over Wi-Fi in everyday real-world use is probably a little high, but in my testing a 3x improvement in distance was pretty standard. Now, I did not perform anything resembling scientific experiments to determine this, just the crude ‘drive down the road and see when the signal drops out’ method. Your mileage will vary, but in most normal cases the small LoRa modules, even with a basic wire antenna, put out a signal strong enough to escape the building, reach the parking lot, and beyond.

With the device indoors, I have been able to control an implant from close to 500 meters away. Yay physics!

Let’s recap: a physical implant device modified with a LoRa module gains a long(er)-range covert communication channel for controlling said implant. Sweet.

It has been around 1000 words since I was talking about hardware, so let’s circle back to that. The original testing used the PCBs I designed for the CubeSat lab, which worked great for testing and could reasonably be used in the field, but due to the technical limitations of the Raspberry Pi Pico W, such as the lack of mass storage and no easy way to reprogram it over the air, I felt the need for a complementary device with more capabilities and just a little more ‘oomph’, if you will.

So, here enters the next iteration of hardware implant.


What you see above is a pretty simple setup, all based around a Raspberry Pi Zero W. These tiny single-board computers have been around for a long time now, and some incredible physical-implant projects have been built on them, such as P4wnP1.

Along with the Raspberry Pi Zero W, there is a USB On-The-Go (OTG) breakout board that lets you mount the Pi Zero to it and, in turn, gives you a full-size USB Type-A plug, so the entire device can be plugged into a PC USB port to power it and use the connected host to perform attacks such as keystroke and mouse-click injection (and more). Essentially, it becomes a USB-stick computer. Here is the one I used for most of my testing:

I am a little embarrassed to say that I did not know these sorts of things existed before going down this rabbit hole. They are incredibly simple PCBs that use pogo pins or SMD spring contacts to make contact with the test points on the bottom of the Pi Zero. So brilliant!

The last, and frankly the most crucial, piece of the puzzle is adding the LoRa module to the device. Luckily for us, I stumbled across a design someone had made for… let me check my notes… yep, you guessed it: a Raspberry Pi Zero and an RFM95 LoRa module!! The details of the LoRaPi breakout board can be found here:


I immediately downloaded the design files, sent off an order for 10 PCBs and waited for them to arrive. Once they finally arrived from China, I whipped out the tape of RFM95 modules sitting on my desk and started assembling a couple.

The assembly instructions mention a basic configuration, and if you plan to replicate this setup, that is all you need: PCB, LoRa module, 2×8 header, and an antenna connector (SMA or u.FL). Pretty simple stuff.

After soldering up the first set of boards and connecting them to a Pi Zero, I couldn’t get them to work. The radio would just never configure itself over SPI, and the driver errored out indicating there could be a wiring issue. The second one I tried behaved the same. UGH.

A little troubleshooting later, I determined that, for some reason, I needed to use the CE1 chip-select pin instead of CE0 on the Pi Zero. Simple enough: I just needed to remove the solder jumper on the LoRaPi breakout board from CE0 and re-solder the chip-select (NSS) jumper pad to the CE1 pin on the header. Once I did this, everything worked just as expected.

Example Solder Jumper from CE1 to NSS pad
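Here is the check I would script before reaching for the soldering iron, as an added example that is not part of the original post and not the LoRaPi project's code: it reads the RFM95's RegVersion register through each Linux spidev chip select and reports which CE line the module's NSS is actually wired to. It assumes spidev is enabled on the Pi (dtparam=spi=on), that the module is on SPI bus 0, and an SX1276-class chip, which answers 0x12 in RegVersion; the symptom described above (the radio never configuring over SPI) is exactly what a driver on CE0 sees when NSS is jumpered to CE1.

```python
"""Added example: find which Raspberry Pi chip select an RFM95/SX1276 is on.

Not code from the original post. Register address, read/write bit and the
expected version byte are from the SX1276 datasheet; bus 0 and CE0/CE1 are
assumptions about the Pi wiring.
"""
REG_VERSION = 0x42        # RegVersion: silicon revision, 0x12 on SX1276/RFM95
SX1276_VERSION = 0x12
SPI_READ_MASK = 0x7F      # bit 7 clear = read access, set = write access


def read_frame(register):
    """SPI frame that reads one register: address byte, then one dummy byte
    whose clock edges shift the register value out on MISO."""
    return [register & SPI_READ_MASK, 0x00]


def parse_read(response):
    """The register value is the byte returned during the dummy byte."""
    return response[1]


def looks_like_sx1276(response):
    return parse_read(response) == SX1276_VERSION


def probe_chip_selects(bus=0, devices=(0, 1), speed_hz=1_000_000):
    """Try /dev/spidev<bus>.<dev> for each dev and return {dev: RegVersion or None}.

    None means the device node could not be opened (SPI disabled or absent).
    A value other than 0x12 (typically 0x00 or 0xFF) means MISO is floating:
    nothing is answering on that chip select.
    """
    import spidev  # imported here so the pure helpers above run without hardware
    found = {}
    for dev in devices:
        spi = spidev.SpiDev()
        try:
            spi.open(bus, dev)
            spi.max_speed_hz = speed_hz
            spi.mode = 0          # SX1276 uses CPOL=0, CPHA=0
            found[dev] = parse_read(spi.xfer2(read_frame(REG_VERSION)))
        except OSError:
            found[dev] = None
        finally:
            spi.close()
    return found


def diagnose(results):
    """Verdict: which CE line the module's NSS jumper is actually on."""
    hits = [dev for dev, value in results.items() if value == SX1276_VERSION]
    if not hits:
        return "no SX1276 on any chip select: check NSS jumper, SPI enable and power"
    return "SX1276 found on CE%d; use that chip select in the driver" % hits[0]


if __name__ == "__main__":
    print(diagnose(probe_chip_selects()))
```

Run it on the Pi with the module attached; if it reports CE1 while your driver is configured for CE0, either move the NSS jumper as described above or point the driver at /dev/spidev0.1 instead.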

Here is a completed LoRaPi module with a 2×8 pin header to connect to the Pi.

LoRaPi Breakout Board w/SMA

Here is an example of the LoRaPi module connected to a Pi Zero W with a 5 dBi antenna attached.


If you build one of these devices to play around with, I recommend using a 2×8 pin header so that you can easily remove the module from your Pi if you want to repurpose it. Otherwise, if you are looking to make a more permanent version, you can solder the module directly to the header pins of the Pi. I found that the black plastic portion of the header was just tall enough to give the LoRaPi module clearance to sit flush with it without touching the second Micro USB port on the Pi Zero W. I did put a layer of Kapton tape on the bottom of the PCB just in case, but it really is not needed.

Just enough clearance when soldered directly to Pi Zero

So there you have it: a Pi Zero W with USB OTG and a LoRa RFM95 module for out-of-band communication!

Stay tuned for the next blog in this series, which will focus on the software for configuring and using the RFM95 LoRa module.



Originally published by Tim Fowler: Offensive IoT for Red Team Implants – Part 1

Reposted by admin on 18 May 2024 at 09:51. Please credit when reposting: Offensive IoT for Red Team Implants – Part 1 | CTF导航