Submit Search
Upload
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
•
1 like
•
1,383 views
N
NoSuchCon
Follow
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
Read less
Read more
Technology
Report
Share
Report
Share
1 of 61
Download now
Download to read offline
Recommended
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
Michael Smith
Splunk for Real time alerting and monitoring. www.gtri.com
Splunk for Real time alerting and monitoring. www.gtri.com
Zivaro Inc
Apex day 1.0 oracle apex 5.0 patrick wolf
Apex day 1.0 oracle apex 5.0 patrick wolf
APEX Solutions - Natural Intelligence
The Ultimate Titanium CLI Toolchain
The Ultimate Titanium CLI Toolchain
Fokke Zandbergen
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL as document database!?
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL as document database!?
Ryusuke Kajiyama
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL 5.7
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL 5.7
Ryusuke Kajiyama
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
DefconRussia
Hack one iot device, break them all!
Hack one iot device, break them all!
Justin Black
Recommended
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
Michael Smith
Splunk for Real time alerting and monitoring. www.gtri.com
Splunk for Real time alerting and monitoring. www.gtri.com
Zivaro Inc
Apex day 1.0 oracle apex 5.0 patrick wolf
Apex day 1.0 oracle apex 5.0 patrick wolf
APEX Solutions - Natural Intelligence
The Ultimate Titanium CLI Toolchain
The Ultimate Titanium CLI Toolchain
Fokke Zandbergen
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL as document database!?
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL as document database!?
Ryusuke Kajiyama
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL 5.7
[db tech showcase 2015 Sapporo HOKKAIDO] MySQL 5.7
Ryusuke Kajiyama
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
Dmitry 'D1g1' Evdokimov - BlackBox analysis of iOS apps
DefconRussia
Hack one iot device, break them all!
Hack one iot device, break them all!
Justin Black
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NoSuchCon
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NoSuchCon
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NoSuchCon
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NoSuchCon
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NoSuchCon
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NoSuchCon
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NoSuchCon
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NoSuchCon
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NoSuchCon
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
The Digital Insurer
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
V3cube
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
More Related Content
More from NoSuchCon
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NoSuchCon
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NoSuchCon
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NoSuchCon
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NoSuchCon
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NoSuchCon
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NoSuchCon
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NoSuchCon
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NoSuchCon
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NoSuchCon
More from NoSuchCon
(16)
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
Recently uploaded
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
The Digital Insurer
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
V3cube
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Allon Mureinik
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Sinan KOZAK
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
Recently uploaded
(20)
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
1.
Reverse&engineering*a*real*estate*lockbox* Exploita)on+of+a+hardened++ MSP4307based+device+
2.
Who+am+I+ Braden+Thomas+(@drspringfield)+ • Senior*Research*Scien5st,*Accuvant* • Primarily*focus:*embedded*devices,*reverse&engineering,*exploit* development* •
Previously*worked*at*Apple*Product*Security* • So#ware(background*
3.
Agenda+ • What*is*this*lockbox?* • Android*app* •
Opening*the*device* • MSP430*Firmware*extrac5on:*techniques*used*and*tried* • Findings* • Demo*
4.
Why+is+this+interes)ng?+ • Devices*aKemp5ng*to*to*store*crypto*secrets*in* general&purpose*microcontrollers*flash* • Just*because*it’s*cheap*and*easy,*it’s*not* necessarily*smart* –
This*lockbox*is*a*case*study*of*why* • Hack*into*houses…* – Over*Bluetooth!*
5.
• Real*estate*physical*key* container* • #1*in*market,*main* compe55on*is*SentriLock* Unnamed+real+estate+lockbox+ Lockbox*
Lockbox*BT* Lockbox*BT*LE*
6.
Keys+ • Legacy*key* • Cell*radio* •
eKey:*iOS/Android* app* • Dongle/Keyfob*for* Bluetooth/IR*
7.
Android+App+
8.
• Focused*on*authen5ca5on*algorithm* • Each*eKey*has*a*serial*number*and*a*“syscode”* –
Syscode*is*an*integer*corresponding*to*regional*market** (e.g.*Atlanta)* • Serial*number/Syscode*are*required*at*first*app*launch* in*an*obfuscated*blob* eKey+Android+app+
9.
eKey+Android+app+ • Serial*number/syscode*are*used*as*creden5al*to*speak*to* back&end*web*service* • Web*service*provides*authen5ca5on*“cookies"*(binary*blobs* of*data)* •
App*transmits*cookies*to*the*Lockbox*over*Bluetooth/IR* • Must*provide*PIN*code*(associated*with*serial*number/ syscode)*to*open*the*lock*
10.
Programmed+auth+flow+ • Two*authen5ca5on*modes:* – Programmed*and*deprogrammed*authen5ca5on* • Programmed*authen5ca5on*used*exclusively*in*the*field* – Send*IDENTITY*cookie* – Send*CONFIGURATION*cookie* – Send*OBTAIN*KEY*message* – Send*KEYAUTH*cookie* – Send*DEVICE*OPEN*message*
11.
Programmed+auth+ • All*cookies*contain*AES*MACs*so*cannot*be*modified* • eKey*also*sends*“update*bytes”*which*change*daily* –
Only*available*from*Manufacturer*server*(AES*MAC)* • eKey*can*generally*only*open*lockbox*in*same*syscode*
12.
Must+access+firmware+ • AKacker*doesn’t*have*a*valid*serial/syscode* • Even*if*obtained*one*(social*engineering),*don’t*have* keyholder’s*PIN* •
And*doesn’t*want*to*communicate*with*Manufacturer’s* server*to*obtain*cookies*
13.
Opening+the+Device+
14.
Physical+access+ • Lockbox:* – Cut*off*hard*plas5c*shell* – Remove*hex*screws* – Open*key*container** • Use*legi5mate*eKey*or*exploit* • Lockbox*BT:*(above,*plus)* – Cut*off*shackle* – Must*pop*rivets*(big*pain!)*
15.
Board+photos+ Lockbox* Lockbox*BT*
16.
Internals+ Lockbox:+ • MSP430F147* • TFBS4710*serial*IR* transceiver* •
24LC256*serial* EEPROM* Lockbox+BT:+ • MSP430F248* • STMicroelectronics* bluetooth*serial*module* • Atmel*EEPROM*
17.
Reverse7engineering+steps+ • Focus*on*Lockbox* – Board*easier*to*obtain*(no*annoying*rivets)* –
Older*sooware*more*likely*to*be*insecure* – Keys*are*the*same*anyway!* • Map&out*the*test*pads* • Find*debugging*interfaces* • Perform*firmware*extrac5on*
18.
Firmware+Extrac)on+
19.
MSP430+firmware+extrac)on+ • JTAG+ – 4&wire*and*2&wire* –
MSP430F147*only*supports*4&wire* – JTAG*security*fuse*is*blown,*prohibi5ng*JTAG* • BSL+
20.
BSL+Overview+ • “Bootstrap*loader”* • Serial*interface* •
Permits*read/write*access*to*flash*memory* • Implemented*with*code*stored*in*special*flash*region* • Nearly*all*acccess*is*restricted*with*password* – Interrupt*vector*table*is*used:*inherently*unique*and*secret* – Only*mass&erase*can*be*performed*without*password*
21.
Exis)ng+BSL+aWacks+ • Travis*Goodspeed:*“Prac5cal*AKacks*Against*the*MSP430* BSL”*in*2008* – Voltage*glitching*aKack* –
BSL*password*comparison*5ming*aKack*
22.
Voltage+glitching+ aWack+ • Used*GoodFET22*with*ADG1634*+*DAC* for*glitching*during*authen5ca5on* check* • Remove*the*chip*from*the*board*to* avoid*interference* •
Step*down*voltage*on*all*lines*using* resistors* • Only*feasible*on*BSL*1.x*to*avoid*mass& erase*on*incorrect*password* – MSP430F147*has*BSL*1.1*
23.
Results+of+voltage+glitching+ • Failed*to*reproduce* • Device*con5nued*running*undeterred*or*died*altogether* •
GoodFET's*MSP430*is*too*slow*to*glitch*another*MSP430* – BSL*runs*at*1Mhz,*and*GoodFET*(MSP430F2618)*can*be*clocked*up* to*16Mhz*
24.
BSL+)ming+aWack+ • Password*byte*comparison*has*a*single*clock&cycle*5ming*difference* between*the*"correct"*and*"incorrect"*paths* • Send*each*byte*([0x00&0xff]*x*32)*and*measure*#*of*clock*cycles*to* determine*byte*makeup*of*password* BSL*1.10*
25.
Timing+aWack+problems+ • 1*start*bit,*8*data*bits,*parity*bit,*1*stop*bit* • Bit&banged* •
Between*bytes,*will*wait*for*start*bit*to*go*low*when*receiving* • If*this*loop*executes*>*1*5me,*you*have*destroyed*all*prior*5ming* informa5on* • Device*will*check*that*RX*line*aoer*stop*bit*is*high,*or*cause*an*error*
26.
Timing+aWack+problems+ Byte*N&1** stop*bit* Byte*N** start*bit* Device*checks* here* Timing*info** destroyed*here*if*not*low* Tinterbyte*
27.
Timing+aWack+problems+ • Ideal*Tinterbyte*=*number*of*instruc5ons***clock*speed* – Clock*speed*is*highly*inconsistent* •
BSL*uses*DCOCLK*(sooware*clock),*cannot*force*crystal* – Number*of*instruc5ons*varies* • Due*to*5ming*vulnerability* • Any*mistakes*are*mul5plied*34x*(since*34*post&header*bytes* per*auth)*
28.
Timing+aWack+problems+ Stop* Timing*info*destroyed* (produces(bad(data)( Tinterbyte*too+large++ Stop*bit*s5ll*low* (causes(NAK)( Miss*start*bit* (produces(bad(data)( Tinterbyte*too+small++ and/or* Stop* Start* Start*
29.
Timing+aWack+problems+ • If*5ming*is*bad,*you*will*receive*a*NAK*response* • Since*password*is*inherently*wrong,*you*will*receive*a*NAK** response* •
No*good*way*to*differen5ate*between*the*NAKs!*
30.
Timing+aWack+game+plan+ • Test*with*same&model*chip*(with*known*BSL*password)*to* find*ideal*5ming* • Use*external*crystal*on*GoodFET*to*eliminate*aKacker&side* clock*problems* •
Slowly*decrease*Tinterbyte*un5l*correct*password*is*no*longer* ACKed* – Find*the*run*with*the*lowest*overall*total*5me* – You*have*found*ideal*Tinterbyte* – Re&use*on*target*chip*
31.
Timing+aWack+results+ Total*5me*vs*decrease*in*Tinterbyte* ideal*Tinterbyte*
32.
Timing+aWack+results+ • Looks*good*at*macro*level* • Wildly*inconsistent*at*micro*level* •
Overall*total*5mes*will*vary*by*thousands*of*aKacker*clock* cycles* • Tried*modifying*BSL*to*expose*bit*read*5me*on*a*line* • Tried*just*focusing*on*last*byte:*only*need*to*get*three* Tinterbyte*correct* – last*byte*+*checksum*
33.
Modified+aWack+results+ Guessed*byte*vs*overall*5me*
34.
Timing+aWack+conclusions+ • AKack*was*a*failure* • Likely*due*to*DCOCLK*inconsistencies*during*the*tare* rou5ne,*which*produces*vic5m*chip’s*5ming*for*serial* communica5on*(length*of*“sleep”s)* •
If*this*tare*rou5ne*value*is*inconsistent,*the*5ming*used*for* every(serial(bit*will*differ,*mul5plying*errors* • Doesn’t*appear*to*average*out*in*the*short*term*
35.
“Paparazzi”+aWack+ • Firmware*extrac5on*technique* – Goodspeed*told*me*about*this* –
Permits*bypassing*JTAG*security*fuse* – Most*likely*due*to*photoelectric*effect*
36.
MSP430+JTAG+security+ • MSP430F1xx/2xx/4xx:*physical*fuse* – Once*blown*(“programmed”),*it’s*blown* •
MSP430F5xx/6xx:*electronic*fuse*mechanism* – Can*be*unprogrammed*by*erasing*0x17fc* – Not*successful*at*aKacking*these*
37.
MSP430+1/2/4xx+fuse+ • Fuse*check*is*performed*by*toggling*TMS*line*twice*with* TDI*high* • Current*is*measured*from*TDI*across*the*fuse* Chip(logic(remembers(the(result(
38.
“Paparazzi”+aWack+ • Decap*the*chip* – Ensure*bonding*wires*remain*intact* •
Jet*etching*may*be*required* – <$100*outsourced*to*lab* • Run*a*5ght*JTAG*loop*on*reset& tap*+*fuse&check* • Every*~200*itera5ons*aKempt* authen5cated*ac5on* – Read*first*address*in*BSL*memory*space*
39.
“Paparazzi”+aWack+ Expose*the*die** and*hit*with** camera*flash*
40.
• When*valid*data*returned,*success!* • Do*not*power*the*chip*down,*or*flip*reset*line* –
Requires*GoodFET*sooware*modifica5on* • Be*sure*to*power*the*chip*externally*during*aKack* • Don’t*expect*chip*to*be*in*normal*state* – I*usually*just*read*BSL*password*then*reset* “Paparazzi”+aWack+
41.
• JTAG*fuse*check*works*by*measuring*current*across*fuse* – Photoelectric*effect*causes*transistor*to*release*electrons*when* struck*with*photons* –
Causes*current*to*appear*to*pass*across*the*fuse* – Alterna5ve*theory*is*UV*erasing*memory*cell*where*JTAG*state* stored*(e.g.*bunnie’s*aKack*on*PIC*microcontroller),*but*digital* camera*flash*produces*minimal*UV*and*aKack*is*instant* “Paparazzi”+aWack:+Why?+
42.
Paparazzi+Demo+ (Video)+
43.
FINDINGS+
44.
MSP430+firmware+reversing+ • Calling*conven5on* – R12* –
R14* – Remaining*arguments*pushed*to*stack* – Return:*R12* • Occasionally*R13*is*also*used,*if*32&bit*return*
45.
MSP430+firmware+reversing+ • Only*unique*thing*was*“sparse*index”*switch*statement*construc5on* • Used*a*common*helper*func5on*that*reads*func5on*return*address*off* the*stack,*then*parses*data*structure*aoer*call*to*find*out*jump* des5na5on*
46.
IrDA+ • Surprisingly*large*(~25%)*amount*of*firmware*dedicated*to*IrDA* • Bit&banged*serial&ish*with*short*pulse*width* •
Can*be*sniffed*from*test*pad*on*board*and*decoded*with*custom*Logic* plugin* • Export*from*Logic,*post&process*with*python*into*pcap,*and*Wireshark* does*the*rest*
47.
Firmware+reversing+finds+ 1. How*Manufacturer’s*crypto*really*works* 2. Actually*three*authen5ca5on*modes* 3. Hardware*backdoor!* 4. Memory*read/write*command*permits*reading/ wri5ng*flash*using*hidden*mode*
48.
Manufacturer’s+crypto+architecture+ • All*crypto*keys*used*are*derived*from*or*encrypted*with*two*keys*(AES128)* • Device+Key+ –
Rarely*used*in*the*field,*used*to*get*high*authen5ca5on*level*(i.e.*for* “deprogramming”*a*device*to*use*it*in*another*syscode*region)* • Syscode+Key+ – Root*of*trust*for*all*normal*opera5ons*(e.g.*opening*the*key*container)* – Shared*by*en5re*geographical*region* • Neither(are(ever(accessible(to(the(eKey(app(or(readable(via(remote( commands( 1+
49.
Syscode+Key+ • Provisioned*during*unknown*process*at*local*MLS*office* – Device*must*be*in*deprogrammed*mode* –
They*must*have*some*authen5cated*channel*to*obtain*the*syscode*key*for* their*region* • A*MAC*key*and*an*Encryp5on*key*are*derived*from*syscode*key,*and* used*to*validate*cookie*integrity*and*decrypt*other*ephemeral*keys* • Compromising*this*key*permits*aKacker*to*generate*fake* “authen5ca5on*cookies”* – Can*open*any*lock*in*geographical*region*without*leaving*a*trace* 2+
50.
Third+authen)ca)on+mode+ • Permits*access*to*visitor*log*in*EEPROM* – Useful*if*the*lock*has*been*unlocked*before* •
Requires*no*authen5ca5on*cookies*for*access* • Visitor*log*contains*the*serial*number/syscode*of* connec5ng*eKeys* – This*solves*one*of*our*earlier*problems,*but*s5ll*need*PIN*to*use* 2+
51.
Brute+Force+ • PIN*only*4*digits* • However*device*has*PIN*brute&force*protec5on* –
eKey*will*get*"locked*out"*and*cannot*communicate*for*10m* – Exhaus5ve*PIN*brute*force*would*take*about*1*week*wai5ng*for* lockouts* – However,*lockout*counter*stored*in*EEPROM*and*can*be*erased* with*physical*access* 3+
52.
Hardware+backdoor+ • Deprogrammed*authen5ca5on* – Android*app*only*uses*this*method*when*device*is*deprogrammed* •
Can*actually*be*used*when*device*is*programmed*if*you* know*the*Device*Key* – Highest*access*mode,*permits*overwri5ng*keys* – Likely*used*by*MLS*office,*they*must*have*a*secure*channel*to*get* Device*Keys*for*their*devices* • Implementa5on*contains*hardware*backdoor* 3+
53.
Hardware+backdoor+ • P3.1*goes*high* • Immediately*test*P3.2* •
If*low,*backdoor*is*in*effect* 3+
54.
Hardware+backdoor+ • P3.1*and*P3.2*are*connected* to*each*other*(through*a* resistor)* • Desolder*the*resistor*and*you* can*bypass*per&device* authen5ca5on* •
Destroy*the*resistor*with*a* single*drill*hole*in*back*of* closed*lockbox*and*you*can* open*it*up*with* deprogrammed*auth* 3+
55.
Flash+write+erase+aWack+ • Way*to*extract*Syscode*Key*without*decapping?* • Keys*are*in*“Informa5on*Memory”*which*is*erased*by*BSL*mass&erase* •
Generally,*must*erase*flash*between*writes* • Lockbox*has*Memory*Write*command*that*permits*wri5ng*to*same* informa5on*memory*segment*where*keys*are*stored* – En5re*segment*is*copied*to*stack*buffer,*Flash*segment*is*erased,*modified,* and*then*wriKen*back* – Stack*is*in*RAM…*which*is*not*erased*by*BSL*mass&erase* 4+
56.
Flash+write+erase+aWack+ • First*use*hardware*backdoor*to*“authen5cate”* • Ini5ate*a*Memory*Write*command*to*informa5on*page*(at*an* unused*loca5on)* •
Informa5on*page*will*be*copied*to*stack*buffer,*modified,*and* wriKen*back*to*flash* • Quickly*reset*device*and*perform*mass&erase*of*flash*via*BSL* • Read*RAM*using*BSL*(using*default*password)* 4+
57.
Flash+write+erase+aWack+ • Great+success!+ • Special*GoodFet*applica5on*that*counts*clock*cycles* –
Run*applica5on*right*before*sending*Memory*Write* command* – Send*Memory*Write*command* – Applica5on*will*reset*chip*and*put*into*BSL*mode* – Subsequently*can*mass&erase*and*read*RAM* – AKack*can*only*be*performed*once,*but*Syscode*Key*is* obtained* 4+
58.
Demo+
59.
Conclusions/solu)ons+ • Manufacturer* – Discussed*issues*with*them*in*June* –
Very*recep5ve,*started*working*on*fixes* • Other*applica5ons:* – Avoid*storing*cryptographic*secrets*in*general*purpose* microcontrollers*flash*memory* • Hack*all*the*devices!*
60.
Greetz+ • Hardware*socket*by*Aaron*Kobayashi* • Thanks*to*Nathan*Keltner*and*Kevin*Finisterre* •
Thanks*to*Travis*Goodspeed*for*prior*work*
61.
Ques5ons*
Download now