Stefan Kiese

Speaker Name: Stefan Kiese

Title: Dropping the MIC; picking up the keystore

When remote workers or third parties need to connect securely to their workspace in a plug-and-play manner, the major network component suppliers offer a number of solutions. One supplier's solution is wireless access points that establish a connection via a DTLS tunnel.
During a past project we were able to have a closer look at such a device. After fiddling around a bit, we gathered the Manager Installed Certificate (MIC) and the private key without manipulating the hardware. In doing so, the device turned unusable because of an accidental security feature, or rather some firmware bug.
After analyzing the PCB, following some traces and doing some soldering, we were able to unbrick the access point and also gain access to the keystore. Now the certs and keys could easily be exchanged. We were then able to clone a complete access point, including the resulting access to a corporate network. As the extracted certificate and key are valid in the vendor's domain, we might also be able to sign data impersonating the vendor.
This talk will cover the whole process, starting from the initial look into the device, through accessing the keystore, and finally manipulating the device. Both the software and the hardware side will be explained. There will also be some demos on dumping keys and impersonating the AP.
About the Speaker
Stefan works as a security researcher and analyst at ERNW and has extensive experience in hardware security. Through his former work he has a background in SCADA and in R&D of embedded systems. His personal main areas of interest are embedded systems, the IoT and – of course – their security issues.