pentesting embedded

Pentesting Embedded

Introduction

Thesis

Everything is insecureWe should hack insecure thingsWe should hack everything

Summary

• Show why embedded security doesn’t exist• Attack vectors (real world and

theoretical)• Mitigations• Tools used for identification of

issues in a product

Embedded Security

• The security features built into a device or circuit– i.e. Juke Box Remote controls, router

circuit board, TV’s, mobile phones

• AKA Hardware Hacking

Risk

• Threat: how likely the attack occurs based on its frequency in the “real” world

• Exploitability: how likely is it that it will work• Cost: How much it’s going to hurt when it gets popped• The amount of security invested into an embedded

device is directly influenced by risk• The lack of these attacks being exploited in the wild,

and the skills required to exploit them, keep the risk level appearing low

Risk = Threat x Exploitability x Cost

Attackers Perspective

• Theft-of-service – getting something for free• IP Theft – cloning and idea and remaking it

(China)• Information disclosure – find the secrets

hidden on a device• Spoofing – horizontal privilege escalation • DoS – causing un-servicable issues means

loss of revenue

Attack Surface

• Cases and enclosures – to prevent attackers from accessing internals• Circuit board• Firmware

External Interfaces Attacks

• JTAG, USB, interfaces, Bluetooth, WIFI, RF*• Accessing debug/diag operation modes• Cut traces able to be repaired• Fuzzing the interface to deobfuscate the

protocol• Sensitive information disclosure

(encryption, server side info)• EMI emissions leak info

Mitigations

• Diag/debug modes should be disabled at the circuit level

• JTAG should be removed ideally from production else disabled

• Protect against malformed communication

• EMI shielding• Tamper protections

Mitigations: Tamper Protections

• Tamper Resistant: difficult to access components– One-way screws, steel case, epoxy on Ics

• Tamper Evident: If access happens, it is easily identifiable– Sealed cases, glues, tapes

• Tamper Detection: the hardware knows when it’s been tainted– Pressure switches, temperature sensors, puncture detection

• Tamper Response: the hardware reacts when tainted (like detection but with a counter-measure)– Flash memory, self destruct with explosive charge

Circuit Board Attacks

• Reverse engineer components and gather information– PCB hooking – access traces and test points

• Probe boards• Delid chips • Access memory: EEPROMS, RAM• Simple and Differential Power Analysis• EMI attacks• Clock/Timing attacks – muck with the clock to cause

issues• Epoxy removal – dremel or chemical based• Use an X-ray to determine location of components

Mitigations

• Remove ID’s from Ics (“black topping”)• Hide vias and test points when possible• Epoxy critical areas• Implement probe detection on unused pins• Add digital watermarks that uniquely ID

your product• Noise generators to defend against power

analysis

Cryptographic Attacks

• No matter what algorithm or key size you use, a static key must be stored somewhere on the device. Find it

• Algorithm mis-implementations are exploitable

• Custom crypto means custom pwning• Side-channel attacks (power analysis,

etc)

Firmware Attacks

• Extracting the firmware is the first step to exploitation• Reversing the firmware

usually means death• Bad programming flaws

cause exploitation

Mitigations

• Be a good programmer :)• Limit attack vectors - remove

unnecessary components• Protect firmware from being

easily extracted

Tools For Attack

• Standard hardware hacking components– DMM, O-Scope, dremel, hobby knife, soldering iron, wire

strippers, microscope, logic analyzer

• Probe adapter: – emulation.com, advintcorp.com, ironwoodelectronics.com

• RF Analysis– SDR like USRP,

• USB: SnoopyPro, Facedancer, Bus Pirate• JTAG – GoodFET,

Insane Tools

• Scanning electron microscope• Voltage contrast microscopy• Focused Ion Beam (FIB)

Attack In Practice

• Passive Recon – learn about the device, manuals, data sheets

• Active Recon – perform the initial inspection. – Can you see ICs? Components? Tamper protections?

• Risk Assessment – determine threats, risky areas, loot to focus your time on. – Make sure your end goal is either an exploit or more information (skip time

wasters)

• Collect necessary tools for attack• Probe and interface: Connect to serial interfaces, hook

vias or test points, use a probe board• Extract and reverse firmware or sensitive information

Defense In Practice

• Make breaking into the device cost more than the value of the result

• Built in vs Bolt On later (same old story)• Test your own security (at least the

basics)• When in doubt, epoxy (but know that if

you do this, you are dead to me)

No questions

I don’t know the answer