Hacking A Chip With A Wave of Your Hand

Uploaded on 2017-07-03 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

When you think of a standard hacker toolkit, software vulnerabilities and malware come to mind. But a pair of researchers are testing a different type of instrument: a physical tool that can break into devices with a wave of your hand.

At the recent REcon computer security conference, Red Balloon Security founder Ang Cui and research scientist Rick Housley presented a new approach to hacking a processor that uses electro-magnetic pulses to produce specific glitches in hardware. By disrupting normal activity at precise intervals, the technique can defeat the Secure Boot protection that keeps processors from running untrusted code.

Researchers have experimented with “fault injection attacks”, hacks that cause a strategic glitch, which in turn triggers abnormal, exploitable computer behavior, for decades. Those attacks, though, typically require physical access to a target's components.
“The advantage of this technique is that it’s physically non-invasive. You don’t have to touch the device, and you don’t leave any physical marks behind,” Cui says. “There’s no exchange of data at the electro-magnetic pulse stage, so this would never be caught by a firewall.”
Insecure Boot

Red Balloon specialises in Internet-of-Things Intrusion Defense; think of it as antivirus software for IoT. But the company has run into problems putting its security tool on IoT devices guarded by Secure Boot. Red Balloon's products don't undermine this safeguard; the company works with vendors to make its software compatible. But the dilemma got Cui and Housley interested in the theoretical question of whether a fault-injection attack could circumvent Secure Boot on locked-down IoT devices.

They started experimenting with the Cisco 8861 VoIP phone model that they had tried and failed to equip with their security product. (Cui also has a history of hacking Cisco phones.) 

The two found that if they poked the phone’s flash memory with a charged wire at the right moment while it booted up, they could cause a glitch that stopped the boot process. Instead, the phone surfaced access to a command-line interface that Cisco normally uses for debugging. Consumers are never supposed to see it. Cui and Housley also found vulnerabilities in the TrustZone security scheme of the phone's processor that allowed them to write code on processor memory that was supposed to be protected. (They disclosed these bugs to Cisco in April 2016.) Once they had access to the troubleshooting portal during boot, the researchers could load and execute their own code in a secure part of the processor to override Secure Boot.

Invisible Touch

All of which makes for a complicated hack, and one that requires cracking a phone open when you have a charged wire handy. But Cui and Housley wanted to take the attack a step farther, and realised that a well-timed EMP blast could trigger the same fault. They could execute the whole hack without needing to tamper with the components of the phone.
Lab-grade EM pulsing equipment costs hundreds of thousands of dollars, so instead the researchers built their own system for about $350 using a 3-D printer and readily available components. They plan to release open source schematics of the setup so other researchers can use it too.

Eventually, Cui and Housley worked out that delivering a 300 Volt pulse to the phone's RAM 4.62 seconds into startup reliably created the glitch they wanted. With access to the debugging portal, they could use the phone’s console port, an auxiliary port on the back of the phone, to load in and run their Secure Boot override protocol within five seconds.
"The attack’s principle is clever," says Jean-Max Dutertre, a hardware security researcher at École Nationale Supérieure des Mines de Saint-Étienne in France. "Finding a way to bypass timing and spatial resolution issues is always highly effective."
The system can currently deliver the pulse from 3 millimeters away from the phone, so while the hack doesn't require physical contact, it does need proximity. Still, an attacker could cause the crucial fault by, say, waving their hand over the device while holding a tiny electromagnetic pulse generator, a subtler action than opening up the phone and sticking a wire into it.
“With any hardware attack you need to be physically present, so that’s already a huge barrier,” says Jasper van Woudenberg, the chief technology officer of Riscure North America, a firm that tests hardware and software security. “But this is a nice proof of concept to show that if you don’t take care of these attacks, they could actually happen.”

Who's Down with EMP

What makes the attack so challenging is, in part, the Broadcom multicore 1Ghz ARM processor it targets. Modern processors pack transistors in densely and have high clock speeds, making it difficult to discharge EM pulses quickly and accurately enough to impact one specific process on a chip without collateral damage.

But by thinking of the interconnected components in a device (like the processor, flash memory, and RAM) as a network of computers in and of themselves, researchers can create fault injection strategies that are more like network hacking, attacking a system's weakest point to compromise the real target, in this case the powerful processor.
“We wanted to look at the second-order effects of an electro-magnetic pulse, as it affects not just a single machine but a complex network of interdependent components,” Cui says. “So that allows us to sidestep the traditional electro-magnetic fault injection limitations, and use electromagnetic pulses to predictably change the way computers compute.”

As electro-magnetic fault injection hacking becomes more robust, it will in turn become more important to protect components from physical, non-invasive hacks.

Some ultra secure devices already include such defenses, because further refinement would put not only IoT devices at risk but also full-service computers. "This kind of attack could be devastating because it is relatively easy to perform," Dutertre says.

And while Cui and Housley's research exists strictly as a proof of concept, they caution that other groups may have capabilities that far exceed academia's.
“We don’t think we’re the farthest along in this research,” Cui says. “We’ve been doing this on our off time as a side project. If somebody wanted to put significant resource into this, they would certainly be ahead of us."

Wired

You Might Also Read:

New IoT Chips See, Think & Act Autonomously:

 

« Ten Years Since The Outbreak Web War One
Three Ways To Prepare Your Business For GDPR »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Fastpath Solutions

Fastpath Solutions

Fastpath deliver software solutions that enable you to take control of your security, compliance and risk management initiatives.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

Thinklogical

Thinklogical

Thinklogical manufactures secure, KVM, video, audio, and computer peripheral signal switching solutions for defence C4ISR applications.

Suprema

Suprema

Suprema is a leading global provider of access control and biometrics solutions.

AllegisCyber Capital

AllegisCyber Capital

AllegisCyber is an investment company with a focus on seed and early stage investing in cybersecurity and its applications in emerging technology markets.

Virtru

Virtru

Virtru's Data Protection platform protects and controls sensitive information regardless of where it's been created, stored or shared.

Redborder

Redborder

Redborder is an Open Source network visibility, data analytics, and cybersecurity Big Data solution that is scalable up to the needs of enterprise networks and service providers.

PeckShield

PeckShield

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products.

Safe Systems

Safe Systems

Safe Systems provide compliance centric IT services for community banks and credit unions, ensuring that they are kept up to date on current technologies, security risks, and regulatory changes.

Analog Devices Inc (ADI)

Analog Devices Inc (ADI)

Analog Devices is uniquely positioned to deliver security at the edge, where the data is born, because our sensor solutions convert the physical, analog world into the digital world.

Path Forward IT

Path Forward IT

Path Forward IT has been troubleshooting, architecting, migrating, protecting, and securing IT environments for businesses across the USA since 2002.

Anametric

Anametric

Anametric is developing new technologies and devices for chip scale quantum photonics, with a focus on cybersecurity.

Darktrace

Darktrace

Darktrace is a global leader in cybersecurity AI, delivering complete AI-powered solutions in its mission to free the world of cyber disruption.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.

Supra ITS

Supra ITS

Supra ITS is a leading full-service technology partner offering IT Consulting, Cloud Services, 24x7 Managed IT & Cybersecurity Services, and IT Project Support.

Cybecs Security Solutions

Cybecs Security Solutions

Cybecs was founded to address rapid technological advancement, changing business models, global privacy regulations, and increasing cyber threats for global organizations.