Design Solutions Research & Design Hub

Embedded System Security: Live from Las Vegas

Written by Colin O'Flynn

This month Colin summarizes a few interesting presentations from the Black Hat conference in Las Vegas. He walks you through some attacks on bitcoin wallets, x86 backdoors and side channel analysis work—these and other interesting presentations from Black Hat 2018.

  • What were the interesting presentations at Black Hat 2018?

  • Bitcoin wallet attacks

  • Side-channel power analysis

  • Industrial control system (ICS) attacks

  • Power analysis attacks

  • Convolutional neural networks (CNNs)

  • Attacks through hardware backdoors in x86

  • Ledger Nano S

  • VIA C3 family of x86 processors

  • ChipWhisperer-Lint (open source)

Iwanted to run a few interesting attacks past you. I’m writing now just after attending Black Hat, which is one of the major “hacker” conferences that occurs in Las Vegas, NV every year. While a majority of the work presented at the show covers attacks that I find less interesting—mobile app attacks, website attacks—and network security—there is a chunk of work around embedded systems that always makes it worthwhile.

Here, I summarize some of the recent presentations you might find interesting. The presentation slides are available for these talks—many of them have additional white papers—and you can often find videos of the talks posted at later dates. So, if you are interested in learning more about these talks, the resources should be out there for you.

BITCOIN WALLET ATTACKS

Bitcoin wallets are an interesting design problem. They are designed to hold bitcoins, because “stealing” the bitcoin requires access to only electronic information. That means that storing a bitcoin on a computer has a potential risk that someone with a key logger or remote control of the computer could steal bitcoins. And at their current market value, bitcoins are a very valuable commodity.

A solution to that is to move to a hardware bitcoin wallet. Attacks on them have been presented before, and this year at Black Hat we saw Alyssa Milburn present “Software attacks on hardware wallets” (with the work done by Sergei Volokitin, who couldn’t make it to Black Hat). This specifically looked at the Ledger Nano S (Figure 1).

FIGURE 1 – The Ledger Nano S is used to protect cryptocurrency by storing it in a hardware device. A number of cryptocurrency attacks were presented at Black Hat 2018.

A number of exploits are detailed in this talk, but not all of them result in an actual exploit. That is some of the attacks cause unintended operation, but aren’t immediately capable of being used in an attack. Two are of particular interest, and those two I will summarize here. The Ledger Nano S has a Trusted Execution Environment (TEE), which is used because there is an ability to install additional apps onto the device to support new cryptocurrencies. Sergei discovered that with the debug flag enabled on these apps, they were able to read areas of memory outside of their allowed space.

In addition, a device reset (that is, clearing memory to remove all sensitive information) does not clear all expected secrets out of flash memory. This can be used with the previous attack to steal information from a resold or stolen wallet, since the reset event is used to “clear” the wallet for use by a new customer. With some secret information potentially still inside the wallet, an attacker could load a malicious application to help read this information out. Of course, there are limits on where that is applicable, but the talk still demonstrated that just moving security to “hardware” is not a catch-all solution.

— ADVERTISMENT—

Advertise Here

SCREAMING CHANNELS

One of my favorites was a presentation called “Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers” by Aurélien Francillon, Giovanni Camurati, Marius Muench, Sebastian Poeplau and Tom Hayes. This talk took the side-channel power analysis I’ve covered previously, and moved it to new distances. The basic idea is based on the integrated chips you see in Figure 2—a digital device with an integrated radio will likely be modulating unintended information onto the radio transmission. This can be used to perform power analysis at a distance. It’s not just limited to very nearby attacks.

FIGURE 2 – Many highly integrated devices have a radio transceiver placed into the same device substrate as the digital circuitry (source: presentation slides).

The recovered data is shown in Figure 3, which is an excerpt from the presentation slide. This shows a spectrogram, where the frequency is along the Y-axis and time along the X-axis. You can see for example up to time 3.0 ms the measurement is basically noise, because the radio is off. Once the radio turns on there are some stronger peaks (shown in brighter yellow) related to the center frequency of the radio transmissions. The darker vertical lines are marked “packet boundaries.” Those are where the radio would be momentarily off between packet transmissions.

FIGURE 3 – The AES algorithm can be extracted from the RF signal. This spectrogram shows time along the X axis, and a measurement across a band of frequencies, where brighter colors indicate stronger signal. (source: presentation slides).

The section labeled “Demod” shows demodulating a small window of frequencies for a specific time. Demodulating this is done with a standard radio receiver circuit and seems to be generating a specific pattern. In fact, the pattern looks almost tantalizingly like a software AES implementation due to the ten distinct peaks.

Amazingly, this was demonstrated to work up to 10 m (32’) away in an anechoic chamber. Although this setup was used to reduce outside noise, knowing that such an attack is possible at this distance suggests that it should be possible in “real” scenarios too. The authors demonstrated in an office environment that they could recover the key up to 1 m (3’) away. Such an environment would have considerable background noise. Performing side-channel power analysis at even one or two feet away is a powerful attack. That means the attacker does not need to be physically tapped into, or even touching, the device.

TRITON ATTACK FRAMEWORK

Another interesting talk was by Marina Krotofil, Andrea Carcano and Younes Dragoni entitled “Triton: How It Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever.” This talk looked at industrial control systems (ICS), which often control very critical processes such as those at power plants and oil refineries.

An attack on this type of system was used during the Stuxnet attack, which damaged Iranian centrifuges to delay their nuclear weapons program. But such an attack was very complicated and required (presumed) nation-state support. Since then a number of new attacks have come out, including ones—such as Triton—that could be used to build on by less sophisticated attackers with more limited resources.

Triton in particular was interesting as it targets not only an ICS, but specifically its Safety Instrumented System (SIS). The SIS is responsible for preventing accidents by shutting down processes when out of range events occur, and when failure is impossible to avoid, they fail in the “best” way possible. Triton was a malware found first in a Saudi Arabian petrochemical processing plant, where Triton was actually reprogramming the SIS units and causing them to enter a failed state. Had Triton not caused the units to enter the shutdown mode, it could have caused considerable damage to the plant. It is currently assumed the attacker accidently crashed one of the units when performing an invalid memory access, which would cause the other units to enter shutdown mode.

The naming of embedded systems intersects with the Internet of Things (IoT), and a talk at the conference entitled “IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies” by Andrei Costin and Jonas Zaddach covered some interesting research into attacks on embedded systems. You might not realize how prevalent malware for embedded/IoT devices is, but they looked across about 60 malware “families” that target devices such as routers, Internet-connected cameras and other small Internet-connected devices. They are often used to build botnets that launch further attacks, such as the Mirai attack that brought down many large websites such as GitHub, Twitter and Netflix.

POWER ANALYSIS FOR ALL

Two presentations had a theme of making side-channel power analysis more accessible. The first was by Baris Ege and Jasper van Woudenberg entitled “Lowering the Bar: Deep Learning for Side Channel Analysis.” This presentation demonstrated that convolutional neural networks (CNN) could be used to perform side channel power analysis attacks. The objective of this work is to reduce some of the “user effort” required in order to build a side channel attack. This worked even when the input data was not well formed. A typical problem in these attacks is that you have to “resynchronize” the input data, such that you have many measurements of the same operation. The CNN could be trained to ignore these problems, which simplifies use of the attack.

— ADVERTISMENT—

Advertise Here

The second presentation was by yours truly, entitled “I, For One, Welcome our new Power Analysis Overlords.” This talk was to release a new tool I’ll talk about in another column, called ChipWhisperer-Lint. This tool is designed to simplify detection of power analysis leakage in both software and hardware cryptographic implementations. This uses a simple method to provide information on where a specific device is potentially leaking side-channel information. An example plot is shown in Figure 4. The plot shows the result of a statistical comparison, where a higher number indicates a potential “leakage.” We are using a threshold of about 3.0 here to indicate that, with reasonably high confidence, there is some information leakage that requires further investigation.

FIGURE 4 – A large spike beyond some chosen threshold indicates a likely location of side-channel power analysis leakage on this specific device (Kinesis K24F AES hardware accelerator).

An interesting use-case of this tool is that you can automate detection of software stacks, where changes in the compiler might result in minor changes to the binary file itself. The result is that a software library you think does not have any leakage problems suddenly shows up as highly vulnerable to power analysis. The setup for this is shown in Figure 5, where various source code files are compiled onto different hardware platforms. The result is a large test report indicating that specific software libraries—with specific compiler options on specific hardware platforms—may have leakage that is not found in any other configuration.

FIGURE 5 – More complex arrangements can be used to find leakage across a variety of implementations and hardware targets. (Click to enlarge)
X86 HARDWARE BACKDOORS

The idea of backdoors in devices is always interesting, but proof of true hardware backdoors has always been hard to find in practice. In “God Mode Unlocked – Hardware Backdoors in x86 CPUs”, Christopher Domas looks at the VIA C3 family of x86 processors. This presentation was interesting as it began by him seeing a small note in a patent application, suggesting a method of allowing bypass of security mechanisms could be built into certain CPUs. The patent in question (US 8,341,419) contains this paragraph:

“Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs.”

Following a long trail of patents and other research led Christopher to discover there was a “Deeply Embedded Core” (DEC) that was alongside the x86 core in the VIA C3 processor. This was not a documented feature, and potentially was very dangerous since the DEC had access to the same information as the x86 core.

This work is interesting because, not only was the fundamental problem identified, but Christopher had to reverse-engineer what this DEC was (the unknown instruction set) along with registers and other mapping. Over the course of many weeks of automated analysis he was able to discover the actual instruction set, and finally build several demos. The amount of work hidden behind those last few sentences is immense. As a developer, think about how annoying incomplete documentation is. Now imagine you have zero documentation! All this led to an example of a “privilege escalation” where code running at the lowest level (known as ring 3) could be moved to the highest level (ring 0). This means code would now have access to everything the kernel itself would, effectively making all anti-virus or other protection mechanisms useless.

EVEN MORE TALKS

I hope you enjoyed this short summary, and encourage you to take a look at the research in more detail. I know it’s hard to keep up with all the latest presentations and talks between events, so hope this summary was useful for you. I couldn’t hope to cover every hardware-related or similar talk, and I didn’t even touch on talks at DEF CON (an event occurring around the same time). But in upcoming articles you can expect to see another summary of interesting work that came out this year, to keep you updated on the latest attacks on embedded systems. 

RESOURCES

Black Hat USA 2018 | www.blackhat.com/us-18/

PUBLISHED IN CIRCUIT CELLAR MAGAZINE • NOVEMBER 2018 #340 – Get a PDF of the issue

Keep up-to-date with our FREE Weekly Newsletter!

Don't miss out on upcoming issues of Circuit Cellar.


Note: We’ve made the May 2020 issue of Circuit Cellar available as a free sample issue. In it, you’ll find a rich variety of the kinds of articles and information that exemplify a typical issue of the current magazine.

Would you like to write for Circuit Cellar? We are always accepting articles/posts from the technical community. Get in touch with us and let's discuss your ideas.

Sponsor this Article
Website | + posts

Colin O’Flynn has been building and breaking electronic devices for many years. He is an assistant professor at Dalhousie University, and also CTO of NewAE Technology both based in Halifax, NS, Canada. Some of his work is posted on his website (see link above).

Supporting Companies

Upcoming Events


Copyright © KCK Media Corp.
All Rights Reserved

Copyright © 2022 KCK Media Corp.

Embedded System Security: Live from Las Vegas

by Colin O'Flynn time to read: 9 min