Smart Device Security Analysis Handbook (智能设备安全分析手册.pdf)

  • Resource ID: 95769       Size: 6.93 MB        Length: 100 pages
  • Format: PDF

Smart Device Security Analysis Handbook
December 2018
© 2018 绿盟科技 (NSFOCUS)

About NSFOCUS

北京神州绿盟信息安全科技股份有限公司 (hereafter NSFOCUS, 绿盟科技) was founded in April 2000 and is headquartered in Beijing. It has more than 40 branch offices in China and abroad, and provides competitive security products and solutions to customers in government, telecom operators, finance, energy, the Internet, education, healthcare and other sectors, helping them run their business securely and smoothly.

Building on many years of offensive and defensive security research, NSFOCUS works in detection and defense, security assessment, security platforms, remote security operations services and security SaaS services. It offers customers products for intrusion detection/prevention, anti-denial-of-service, remote security assessment and Web security protection, as well as professional security services such as security operations.

北京神州绿盟信息安全科技股份有限公司 has been listed on the ChiNext board of the Shenzhen Stock Exchange since January 29, 2014. Stock short name: 绿盟科技; stock code: 300369.

About NSFOCUS Gewu Lab (格物实验室)

NSFOCUS Gewu Lab focuses on security research in three business scenarios: the industrial Internet, the Internet of Things and the Internet of Vehicles. Guided by the scholarly attitude of "格物致知" (investigating things to extend knowledge), the lab is dedicated to vulnerability discovery and security analysis centered on smart devices, and has published a number of research reports.

As an important part of NSFOCUS's core intelligent-security strategy, the lab's research results have been widely applied in NSFOCUS products and solutions to address network security problems more comprehensively. The lab will actively help build a secure ecosystem for the Internet of Everything and safeguard the digital transformation of enterprises and society.

Contents

Preface

1. Smart Device Fundamentals
  1.1 Overview
  1.2 Smart device endpoint security
    1.2.1 Hardware
    1.2.2 Firmware
    1.2.3 Attack surface
  1.3 Mobile app security
  1.4 Cloud service security
  1.5 Network communication protocol security

2. Hardware Security
  2.1 PCB information gathering
    2.1.1 PCB silkscreen
    2.1.2 Chip information
    2.1.3 PCB hardening recommendations
  2.2 Side-channel attacks
    2.2.1 Basic principles
    2.2.2 Hardening recommendations
  2.3 Man-in-the-middle attacks
    2.3.1 Basic principles
    2.3.2 Hardening recommendations

3. Firmware Security
  3.1 Firmware storage locations
    3.1.1 Integrated firmware storage
    3.1.2 Separate firmware storage
  3.2 Firmware acquisition methods
    3.2.1 Intercepting network updates (FTP, HTTP)
    3.2.2 Reading the storage chip directly
    3.2.3 Reading over serial ports and other communication buses
    3.2.4 Reading through debug interfaces
  3.3 Firmware unpacking
  3.4 Firmware hardening recommendations
    3.4.1 Encrypting and authenticating communications
    3.4.2 Hiding interfaces
    3.4.3 Enabling read protection on the main controller chip
    3.4.4 Firmware encryption and authentication

4. Debugging Techniques
  4.1 Analysis environment
    4.1.1 QEMU
    4.1.2 Cross-compilation environment
  4.2 Emulated execution
    4.2.1 Single-file emulation
    4.2.2 Full-system emulation
  4.3 Device debugging
    4.3.1 Debug interfaces
    4.3.2 Serial port identification
    4.3.3 USB-TTL
    4.3.4 Connecting with Xshell
    4.3.5 GDB remote debugging

5. Communication Protocols
  5.1 Carrier analysis
    5.1.1 SDR
    5.1.2 Modulation techniques
    5.1.3 Terminology
    5.1.4 Basic SDR usage
  5.2 Wireless protocols
    5.2.1 ZigBee
    5.2.2 Bluetooth

6. Endpoint App Security
  6.1 Android
    6.1.1 Dex format parsing
    6.1.2 Jadx
    6.1.3 Automated analysis
    6.1.4 Stored data analysis
    6.1.5 Android virtual machine debugging
    6.1.6 Xposed Hook
    6.1.7 Cydia Substrate Hook
  6.2 iOS
    6.2.1 iOS application decryption
    6.2.2 Automated analysis
    6.2.3 Stored data analysis

7. Web Security
  7.1 Command injection
    7.1.1 Command injection case 1
    7.1.2 Command injection case 2
  7.2 Unauthorized access
    7.2.1 Unauthorized access: modifying the username/password verification function
    7.2.2 Unauthorized access: enabling remote services
    7.2.3 Unauthorized access: rebooting the device
    7.2.4 Unauthorized access: retrieving device user information
  7.3 XSS

8. Service Security
  8.1 Password cracking
    8.1.1 Online cracking
    8.1.2 Offline cracking
  8.2 Binary vulnerabilities
    8.2.1 Common methods
    8.2.2 Buffer overflow example

9. Business Logic Security
  9.1 Test accounts (backdoor accounts)
  9.2 Arbitrary password reset

References

Special Statement

To avoid leaking partner and customer data, all data was anonymized before analysis and is not exposed at any intermediate stage. No specific customer-related information appears in this report.
