3. Summary
• Show why embedded security
doesn’t exist
• Attack vectors (real world and
theoretical)
• Mitigations
• Tools used for identification of
issues in a product
4. Embedded Security
• The security features built into a
device or circuit
– i.e. Juke Box Remote controls, router circuit
board, TV’s, mobile phones
• AKA Hardware Hacking
5. Risk
Risk = Threat x Exploitability x Cost
• Threat: how likely the attack occurs based on its
frequency in the “real” world
• Exploitability: how likely is it that it will work
• Cost: How much it’s going to hurt when it gets popped
• The amount of security invested into an embedded
device is directly influenced by risk
• The lack of these attacks being exploited in the wild,
and the skills required to exploit them, keep the risk
level appearing low
6. Attackers Perspective
• Theft-of-service – getting something for free
• IP Theft – cloning and idea and remaking it
(China)
• Information disclosure – find the secrets hidden
on a device
• Spoofing – horizontal privilege escalation
• DoS – causing un-servicable issues means loss
of revenue
7. Attack Surface
• Cases and enclosures – to prevent
attackers from accessing internals
• Circuit board
• Firmware
8. External Interfaces Attacks
• JTAG, USB, interfaces, Bluetooth, WIFI, RF*
• Accessing debug/diag operation modes
• Cut traces able to be repaired
• Fuzzing the interface to deobfuscate the
protocol
• Sensitive information disclosure (encryption,
server side info)
• EMI emissions leak info
9. Mitigations
• Diag/debug modes should be disabled
at the circuit level
• JTAG should be removed ideally from
production else disabled
• Protect against malformed
communication
• EMI shielding
• Tamper protections
10. Mitigations: Tamper Protections
• Tamper Resistant: difficult to access components
– One-way screws, steel case, epoxy on Ics
• Tamper Evident: If access happens, it is easily
identifiable
– Sealed cases, glues, tapes
• Tamper Detection: the hardware knows when it’s been
tainted
– Pressure switches, temperature sensors, puncture detection
• Tamper Response: the hardware reacts when tainted
(like detection but with a counter-measure)
– Flash memory, self destruct with explosive charge
11. Circuit Board Attacks
• Reverse engineer components and gather information
– PCB hooking – access traces and test points
• Probe boards
• Delid chips
• Access memory: EEPROMS, RAM
• Simple and Differential Power Analysis
• EMI attacks
• Clock/Timing attacks – muck with the clock to cause issues
• Epoxy removal – dremel or chemical based
• Use an X-ray to determine location of components
12. Mitigations
• Remove ID’s from Ics (“black topping”)
• Hide vias and test points when possible
• Epoxy critical areas
• Implement probe detection on unused pins
• Add digital watermarks that uniquely ID
your product
• Noise generators to defend against power
analysis
13. Cryptographic Attacks
• No matter what algorithm or key size
you use, a static key must be stored
somewhere on the device. Find it
• Algorithm mis-implementations are
exploitable
• Custom crypto means custom pwning
• Side-channel attacks (power analysis,
etc)
14. Firmware Attacks
• Extracting the firmware is the first
step to exploitation
• Reversing the firmware usually
means death
• Bad programming flaws cause
exploitation
15. Mitigations
• Be a good programmer :)
• Limit attack vectors - remove
unnecessary components
• Protect firmware from being easily
extracted
17. Insane Tools
• Scanning electron microscope
• Voltage contrast microscopy
• Focused Ion Beam (FIB)
18. Attack In Practice
• Passive Recon – learn about the device, manuals, data sheets
• Active Recon – perform the initial inspection.
– Can you see ICs? Components? Tamper protections?
• Risk Assessment – determine threats, risky areas, loot to
focus your time on.
– Make sure your end goal is either an exploit or more information (skip time wasters)
• Collect necessary tools for attack
• Probe and interface: Connect to serial interfaces, hook vias or
test points, use a probe board
• Extract and reverse firmware or sensitive information
19. Defense In Practice
• Make breaking into the device cost
more than the value of the result
• Built in vs Bolt On later (same old story)
• Test your own security (at least the
basics)
• When in doubt, epoxy (but know that if
you do this, you are dead to me)