Threat Research

Insomni'hack 2017

By Axelle Apvrille | April 02, 2017

This year I again participated in the Insomni'hack conference held in Geneva, Switzerland.


The conference started off with workshops, including mine on Android malware reversing - provided at cost. The workshop's virtual environment for reversing can be downloaded here from github.

That's me in the middle (no, rather the beginning) of the workshop

I also heard very positive feedback about the Hardware Hacking workshop. Nicolas Oberli provided each attendee with a custom board to work on. He designed the board himself, specifically for the workshop, and it's meant to be a smart lock, with WiFi, an LED for an open door, another for a closed door, etc.


The next day was the opening day of the conference. Each year it is more crowded. I attended Olivier Thomas's presentation "On the need for Integrated Circuit Security." He explained how professional hardware reverse engineering can be done by pirates (or legitimately), with lots of equipment to polish the board or view the circuitry on each layer. Basically, they have the ability to take millions of pictures of a given board, and their software reassembles the pictures cleverly so as to understand the structure. Impressive.

He also talked about fault attacks, for instance using a laser beam on a given transistor. I didn't even know there was equipment to actually modify precise parts of the circuitry, add insulation here or there, or add conductive metal at another place, all which helps probe or attack a particular point.

Olivier Thomas starting his talk on Integrated Circuit Security

I also enjoyed the talk of Riscure, giving feedback on their embedded security challenge, RHME2 CTF. They have designed a board, a custom Arduino if I am correct, that they sent out to challenge participants. The behind-the-scenes info was quite amusing. They were surprised at how many participants subscribed, and hadn't thought about the logistics of shipping 500 boards... Good news, there will be a new edition, RHME3, in a couple of months if you feel like trying.

The various challenges of RHME2, nicely displayed on a map

Of course, I wouldn't have missed my colleague's talk, Raul Alvarez, on xxx-morphic Virlock ransomware. Honestly, it's not because he's a colleague, but his talk was excellent, well illustrated, and technical. His talk included a good sense of humor as well, such as seeing that ransomware educate end-users on bitcoins, and where to find a bitcoin ATM close to their location so they can pay the ransom. Virlock is a very advanced ransomware, with many stages to unpack the malware and retrieve the routines to encrypt/decrypt files on the PC. If there's one thing to remember, it's that everything changes at each run, at each loop, and you never point to the same areas. The conference room was packed, and it looked like the audience was impressed.

Raul Alvarez (Fortinet) talking about ransomware

CTF (Capture The Flag)

Finally, Insomni'hack ended with a CTF. It is always very impressive to see so many people sitting and concentrating on their laptops for various challenges. I had the feeling this year the challenges were particularly difficult. No really easy challenge to solve. Or, not at first sight.

I scored on one of the Android forensic challenges.

We found a Machine's Android phone and managed to dump its memory (Yes machines use Android too ;-). We need your help to recover the phone's password. We heard that the lock password format is INS{XXXXX}. Good luck! The memory image is here.

I retrieved the memory dump, and grepped it over and over, finding interesting stuff such as there was a ch.scrt.secr3tmgr Android application running, with a Secr3tEntry class. But not the flag, or anything leading to it.

My neighbour suggested I used bulk_extractor. Password_uid is the entry to look for in SQLite database to find lock passwords. I grepped and found the flag straight away, it was INS{t1MmY}.

$ grep -ai password_uid *

Why didn't I find it in the first place? I had grepped for INS{, I should have found it! The reason lies below:

00795590 49 00 4e 00 53 00 7b 00 74 00 31 00 4d 00 6d 00 |I.N.S.{.t.1.M.m.| 007955a0 59 00 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 |Y.}.............|

This is 16-bit little endian string encoding. Instead of using strings file | grep INS{, I should have specified the correct encoding:

$ strings --encoding=l 160108576.sqlite3 | grep INS

Stupid, I should have thought of that, we would have flagged 2 hours earlier!

My small 3-person team also struggled on a challenge showing an ASCII-art like captcha. The challenge was to be able to fill in 50 captchas correctly in 100 seconds. So, of course, no other solution than to script it. We went very far, very close to the solution, but for some reason I haven't checked yet, it didn't quite work. Probably coding at 2am is part of the issue. A bit sad we didn't score that one, but at least, we understood it, and were probably close.


That's all folks!

-- the Crypto Girl