SlideShare a Scribd company logo

[CB19] Hardware Wallet Security

CODE BLUE
CODE BLUE

In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys. This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.

Presentations & Public Speaking
1 of 41
1 Hardware Wallet Security Sergei Volokitin
2 What is a hardware wallet? • Secure device with: • Connection to PC/smartphone/network • Trusted screen • Trusted controls • Protected firmware • Tamper resistant
3 What is a hardware wallet?
4 Who is your attacker? • Somebody who controls your computer • Malware • Another user • Somebody who has physical access to the device • Flatmate • Evil maid • Thief • Somebody who had access to the device before you got it: • Courier • Evil maid government • Previous owner
5 Security features • Secrets never leave the device • Small API • Protected memory • There is no easy way to access keys • Protected firmware • The authenticity of firmware is verified on boot and updates Generated Stored Used Wiped
6 Software attacks – Leger Nano S
7 Software attacks
8 Software attacks
9 Software attacks • MPU isolates memory • Application has • ~16 KB of Flash • ~1 KB of RAM • Over 100 syscalls
10 Vulnerabilities • x4 vulnerabilities in the system calls • partial memory disclosure of the following app • partial memory disclosure due to null pointer dereferencing • memory oracle on all the system memory • Vulnerability in memory protection of debug app • Vulnerability in device wipe process • Vulnerability allowing supply chain attack
11 Vulnerabilities • x4 vulnerabilities in the system calls • partial memory disclosure of the following app • partial memory disclosure due to null pointer dereferencing • memory oracle on all the system memory • Vulnerability in memory protection of debug app • Vulnerability in device wipe process • Vulnerability allowing supply chain attack
13 Debug app installation flag • There are per application flags you can set, such as: • Application with debug flag can read ~16kB of flash belonging to another app!
14 Debug app installation flag U2F App Flash BTC App Flash System Flash Debug App Flash
15 Debug app installation flag U2F App Flash BTC App Flash System Flash Debug App Flash
16 Debug app installation flag BTC App Flash System Flash Debug App Flash
17 Debug app installation flag System Flash Debug App Flash
18 Flash state after device wipe
19 Secrets in Flash memory • The keys should not be stored in flash if possible
21 Conclusions • Software cannot be trusted • Large attack surface difficult to protect • Even small bugs, combined, can lead to an attack The end?
22 No software bug no exploit?
23 Features • STM32 • Flash on the chip • Large attack surface (22 input commands without auth) • Built-in 4 digit PIN security lock • Open Source (bootloader and firmware) • Built-in onboarding (seed generation and recovery) • USB connectivity • Super secure boot with three signatures and five keys!
24 Using HW wallet
25 Hardware architecture • STM32F205 • 1MB of internal flash • There is secure boot
26 Why bother with a hardware attack? • Popular open source project • SW is tested and patched over time • General purpose MCU is used to keep the secrets
27 What is FI and how can it help? • Corrupt data (0x00, 0xFF, 0x??) • Corrupt instructions • Skip instructions • ...
28 Cracking the case
29 Can we glitch it?
30 No code execution, no easy trigger • The power comes from USB and is quite noisy • No modifications to the device were made • When a command is sent a similar pattern is observed CMD RESP GLITCH!
31 Characterization results
32 DEMO
33
34 Glitching the screen output
35 Glitching the screen output
36 Getting full access to the device GLITCH!
37 SW Design leading to exploitable FI • The glitch of the if statement is possible but does not change the flash • fsm_msgResetDevice command once glitched only changes the PIN in RAM • fsm_msgChangePin compares against the PIN in RAM and saves a new one to FLASH KeepKey RAM PIN FLASH PIN fsm_msgResetDevice fsm_msgChangePin
38 The attack: 1. Steal Find a device 2. Glitch the lifecycle check 3. Set a new PIN on the device, keep the seed 4. Unlock the device using the new pin ... 5. Get full access to the coins on the device Getting full access to the device GLITCH!
39 Getting full access to the device #2 GLITCH! 1. fsm_ResetDevice() GLITCH! GLITCH! PIN RAM 2. 3. PIN FLASH fsm_msgChangePin(PIN RAM) GLITCH!GLITCH! GLITCH! Profit! 4. … 5.
40 Results Success rate ~1.2% Attempt rate 0.3 att/sec On average it takes 5 minutes to glitch the PIN
41 Conclusions • Software cannot be trusted • Large attack surface is difficult to protect • Even small bugs, combined, can lead to an attack • Hardware cannot be trusted • Non-secure hardware is easily glitchable • Simple FI counter measures are not sufficient against EMFI
42 The end?
43 Challenge your security Sergei Volokitin Security Analyst 📩 sergei@riscure.com

Recommended

ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingAlexandru Gherman
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Symantec Freak Vulnerability Infographic
Symantec Freak Vulnerability InfographicSymantec Freak Vulnerability Infographic
Symantec Freak Vulnerability InfographicSymantec
 
Leave ATM Forever Alone
Leave ATM Forever AloneLeave ATM Forever Alone
Leave ATM Forever AloneOlga Kochetova
 
Tek systems it guidelines
Tek systems it guidelinesTek systems it guidelines
Tek systems it guidelinesviplavsarkar
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam OWASP Foundation
 
Neo900: Crafting The Private Phone
Neo900: Crafting The Private PhoneNeo900: Crafting The Private Phone
Neo900: Crafting The Private PhoneSebastian Krzyszkowiak
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionageMuts Byte
 

Recommended

ATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingATM Compromise with and without Whitelisting
ATM Compromise with and without WhitelistingAlexandru Gherman
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Symantec Freak Vulnerability Infographic
Symantec Freak Vulnerability InfographicSymantec Freak Vulnerability Infographic
Symantec Freak Vulnerability InfographicSymantec
 
Leave ATM Forever Alone
Leave ATM Forever AloneLeave ATM Forever Alone
Leave ATM Forever AloneOlga Kochetova
 
Tek systems it guidelines
Tek systems it guidelinesTek systems it guidelines
Tek systems it guidelinesviplavsarkar
 
RCS Demo HackingTeam
RCS Demo HackingTeam RCS Demo HackingTeam
RCS Demo HackingTeam OWASP Foundation
 
Neo900: Crafting The Private Phone
Neo900: Crafting The Private PhoneNeo900: Crafting The Private Phone
Neo900: Crafting The Private PhoneSebastian Krzyszkowiak
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionageMuts Byte
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animationviplavsarkar
 
EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)Helen Williams
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDavid Sweigert
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
Trusted platform module copy
Trusted platform module copyTrusted platform module copy
Trusted platform module copyRishi Kumar
 
Necto 16 training 18 access security
Necto 16 training 18 access securityNecto 16 training 18 access security
Necto 16 training 18 access securityPanorama Software
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted ComputingMaksim Djackov
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Mobile device security using transient authentication
Mobile device security using transient authenticationMobile device security using transient authentication
Mobile device security using transient authenticationPaulo Martins
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldCodiax
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesGENIANS, INC.
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAEsecuritysytem
 
Comelit 6231 Data Sheet
Comelit 6231 Data SheetComelit 6231 Data Sheet
Comelit 6231 Data SheetJMAC Supply
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?Justin Black
 
CSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoCSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoNCCOMMS
 

More Related Content

What's hot

Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animationviplavsarkar
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDavid Sweigert
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assPROIDEA
 
Trusted platform module copy
Trusted platform module copyTrusted platform module copy
Trusted platform module copyRishi Kumar
 
Necto 16 training 18 access security
Necto 16 training 18 access securityNecto 16 training 18 access security
Necto 16 training 18 access securityPanorama Software
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted ComputingMaksim Djackov
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Mobile device security using transient authentication
Mobile device security using transient authenticationMobile device security using transient authentication
Mobile device security using transient authenticationPaulo Martins
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldCodiax
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesGENIANS, INC.
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAEsecuritysytem
 
Comelit 6231 Data Sheet
Comelit 6231 Data SheetComelit 6231 Data Sheet
Comelit 6231 Data SheetJMAC Supply
 

What's hot (20)

Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
 
Tek systems it guidelines - animation
Tek systems it guidelines - animationTek systems it guidelines - animation
Tek systems it guidelines - animation
 
EntroWatch V1.2 (1)
EntroWatch V1.2 (1)EntroWatch V1.2 (1)
EntroWatch V1.2 (1)
 
Disabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road WarriorDisabling Ports 135 and 445 to protect the Road Warrior
Disabling Ports 135 and 445 to protect the Road Warrior
 
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their assCONFidence 2014: Yaniv Miron: ATMs – We kick their ass
CONFidence 2014: Yaniv Miron: ATMs – We kick their ass
 
Trusted platform module copy
Trusted platform module copyTrusted platform module copy
Trusted platform module copy
 
Necto 16 training 18 access security
Necto 16 training 18 access securityNecto 16 training 18 access security
Necto 16 training 18 access security
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangout
 
Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted Computing
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentation
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Mobile device security using transient authentication
Mobile device security using transient authenticationMobile device security using transient authentication
Mobile device security using transient authentication
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected WorldJakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
 
Identify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilitiesIdentify and mitigate high risk port vulnerabilities
Identify and mitigate high risk port vulnerabilities
 
CCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAECCTV UAE, DVR CCTV Camera, IP Camera UAE
CCTV UAE, DVR CCTV Camera, IP Camera UAE
 
Comelit 6231 Data Sheet
Comelit 6231 Data SheetComelit 6231 Data Sheet
Comelit 6231 Data Sheet
 

Similar to [CB19] Hardware Wallet Security

Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?Justin Black
 
CSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoCSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoNCCOMMS
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdfeu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdfssuser6e61b3
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSoumitra Bhattacharyya
 
The Truth About Viruses on IBM i
The Truth About Viruses on IBM iThe Truth About Viruses on IBM i
The Truth About Viruses on IBM iHelpSystems
 
Using fault injection attacks for digital forensics
Using fault injection attacks for digital forensics Using fault injection attacks for digital forensics
Using fault injection attacks for digital forensics Justin Black
 
TC and TPM.ppt
TC and TPM.pptTC and TPM.ppt
TC and TPM.pptyhaxpsos
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 

Similar to [CB19] Hardware Wallet Security (20)

Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?
 
CSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoCSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami Laiho
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdfeu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
eu-19-LimitedResults-Fatal-Fury-On-ESP32-Time-To-Release-Hardware-Exploits.pdf
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devices
 
The Truth About Viruses on IBM i
The Truth About Viruses on IBM iThe Truth About Viruses on IBM i
The Truth About Viruses on IBM i
 
Using fault injection attacks for digital forensics
Using fault injection attacks for digital forensics Using fault injection attacks for digital forensics
Using fault injection attacks for digital forensics
 
Internet security
Internet securityInternet security
Internet security
 
TC and TPM.ppt
TC and TPM.pptTC and TPM.ppt
TC and TPM.ppt
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoFruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Lecture 7 - Security
Lecture 7 - SecurityLecture 7 - Security
Lecture 7 - Security
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Baileyhlharris
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoKayode Fayemi
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 

Recently uploaded (20)

VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 

[CB19] Hardware Wallet Security

  • 2. 2 What is a hardware wallet? • Secure device with: • Connection to PC/smartphone/network • Trusted screen • Trusted controls • Protected firmware • Tamper resistant
  • 3. 3 What is a hardware wallet?
  • 4. 4 Who is your attacker? • Somebody who controls your computer • Malware • Another user • Somebody who has physical access to the device • Flatmate • Evil maid • Thief • Somebody who had access to the device before you got it: • Courier • Evil maid government • Previous owner
  • 5. 5 Security features • Secrets never leave the device • Small API • Protected memory • There is no easy way to access keys • Protected firmware • The authenticity of firmware is verified on boot and updates Generated Stored Used Wiped
  • 6. 6 Software attacks – Leger Nano S
  • 9. 9 Software attacks • MPU isolates memory • Application has • ~16 KB of Flash • ~1 KB of RAM • Over 100 syscalls
  • 10. 10 Vulnerabilities • x4 vulnerabilities in the system calls • partial memory disclosure of the following app • partial memory disclosure due to null pointer dereferencing • memory oracle on all the system memory • Vulnerability in memory protection of debug app • Vulnerability in device wipe process • Vulnerability allowing supply chain attack
  • 11. 11 Vulnerabilities • x4 vulnerabilities in the system calls • partial memory disclosure of the following app • partial memory disclosure due to null pointer dereferencing • memory oracle on all the system memory • Vulnerability in memory protection of debug app • Vulnerability in device wipe process • Vulnerability allowing supply chain attack
  • 12. 13 Debug app installation flag • There are per application flags you can set, such as: • Application with debug flag can read ~16kB of flash belonging to another app!
  • 13. 14 Debug app installation flag U2F App Flash BTC App Flash System Flash Debug App Flash
  • 14. 15 Debug app installation flag U2F App Flash BTC App Flash System Flash Debug App Flash
  • 15. 16 Debug app installation flag BTC App Flash System Flash Debug App Flash
  • 16. 17 Debug app installation flag System Flash Debug App Flash
  • 17. 18 Flash state after device wipe
  • 18. 19 Secrets in Flash memory • The keys should not be stored in flash if possible
  • 19. 21 Conclusions • Software cannot be trusted • Large attack surface difficult to protect • Even small bugs, combined, can lead to an attack The end?
  • 20. 22 No software bug no exploit?
  • 21. 23 Features • STM32 • Flash on the chip • Large attack surface (22 input commands without auth) • Built-in 4 digit PIN security lock • Open Source (bootloader and firmware) • Built-in onboarding (seed generation and recovery) • USB connectivity • Super secure boot with three signatures and five keys!
  • 23. 25 Hardware architecture • STM32F205 • 1MB of internal flash • There is secure boot
  • 24. 26 Why bother with a hardware attack? • Popular open source project • SW is tested and patched over time • General purpose MCU is used to keep the secrets
  • 25. 27 What is FI and how can it help? • Corrupt data (0x00, 0xFF, 0x??) • Corrupt instructions • Skip instructions • ...
  • 28. 30 No code execution, no easy trigger • The power comes from USB and is quite noisy • No modifications to the device were made • When a command is sent a similar pattern is observed CMD RESP GLITCH!
  • 31. 33
  • 34. 36 Getting full access to the device GLITCH!
  • 35. 37 SW Design leading to exploitable FI • The glitch of the if statement is possible but does not change the flash • fsm_msgResetDevice command once glitched only changes the PIN in RAM • fsm_msgChangePin compares against the PIN in RAM and saves a new one to FLASH KeepKey RAM PIN FLASH PIN fsm_msgResetDevice fsm_msgChangePin
  • 36. 38 The attack: 1. Steal Find a device 2. Glitch the lifecycle check 3. Set a new PIN on the device, keep the seed 4. Unlock the device using the new pin ... 5. Get full access to the coins on the device Getting full access to the device GLITCH!
  • 37. 39 Getting full access to the device #2 GLITCH! 1. fsm_ResetDevice() GLITCH! GLITCH! PIN RAM 2. 3. PIN FLASH fsm_msgChangePin(PIN RAM) GLITCH!GLITCH! GLITCH! Profit! 4. … 5.
  • 38. 40 Results Success rate ~1.2% Attempt rate 0.3 att/sec On average it takes 5 minutes to glitch the PIN
  • 39. 41 Conclusions • Software cannot be trusted • Large attack surface is difficult to protect • Even small bugs, combined, can lead to an attack • Hardware cannot be trusted • Non-secure hardware is easily glitchable • Simple FI counter measures are not sufficient against EMFI
  • 41. 43 Challenge your security Sergei Volokitin Security Analyst 📩 sergei@riscure.com