SlideShare a Scribd company logo

Infecting the Embedded Supply Chain

Priyanka Aash
Priyanka Aash

With a surge in the production of internet of things (IoT) devices, embedded development tools are becoming commonplace and the software they run on is often trusted to run in escalated modes. However, some of the embedded development tools on the market contain serious vulnerabilities that put users at risk. In this talk we discuss the various attack vectors that these embedded development tools expose users to, and why users should not blindly trust their tools. This talk will detail a variety reverse engineering, fuzzing, exploit development and protocol analysis techniques that we used to analyze and exploit the security of a common embedded debugger.

Technology
1 of 81
Download to read offline
Somerset Recon Infecting the Embedded Supply Chain Zach Miller Alex Kissinger
Somerset Recon Introduction - Who We Are Zach: ● Reverse Engineering, Pen Testing ● Twitter: @bit_twidd1er Alex: ● Barista that occasionally does security things @ Somerset Recon ● Cappuccinos, Hardware Hacking, Reverse Engineering
Somerset Recon Introduction - Somerset Recon ● @SomersetRecon ● https://somersetrecon.com/contact
Somerset Recon Previous Research - Electronic Safe Lock Analysis ● Discovered vulnerabilities in the mobile application and wire protocol of the SecuRam Prologic B01 Bluetooth electronic safe lock ● Capture and decode PIN numbers transmitted wirelessly ● Brute force PIN numbers over the wire
Somerset Recon Previous Research - Hello Barbie ● Security analysis on the Mattel Hello Barbie doll ● Identified several vulnerabilities affecting the device and associated web and mobile technologies
Somerset Recon These are all embedded devices
Somerset Recon Where are embedded devices? Embedded General Purpose???
Somerset Recon Industries Develop Embedded Devices ● Automotive ● Industrial ● Medical ● Communications ● Digital Consumer ● Etc.
Somerset Recon What do these embedded devices have in common???
Somerset Recon They all utilize embedded debuggers for their development
Somerset Recon Our Targets
Somerset Recon Our Targets
Somerset Recon Segger J-Link Debug Probe ● JTAG/SWD/SWO/etc. ● In Circuit Emulator (ICE) ● In Circuit System Programmer (ICSP) ● Supports ARM/ARM Cortex, RISC-V, RX targets ● USB and Ethernet ● Cross platform toolchain ● “Ultrafast” download/upload to flash ● Unlimited software breakpoints “SEGGER J-Links are the most widely used line of debug probes available today”- www.segger.com
Somerset Recon Segger Software ● J-Link Software Package ● J-Link GDB Server RTOS Plugin SDK ● SystemView - Real-time Analysis and Visualization ● Ozone Graphical Debugger ● J-Scope Data Analysis and Visualization Tool ● Much more... We focused on the J-Link Software Package
Somerset Recon J-Link Software “All-in-one debugging solution” ● J-Link Commander (Command line tool) ● J-Link GDB Server ● J-Link Remote Server ● J-Mem Memory Viewer ● J-Flash ● Much more...
Somerset Recon Segger J-Link Setup
Somerset Recon Segger J-Link - Attack Surface Hardware Debug Probes ○ Firmware Software Packages that Interact with Debug probes ○ USB Driver ○ Lots of user-mode applications ○ Full-blown IDE
Somerset Recon Hardware
Somerset Recon Segger J-Link - Hardware ● How it works ● Extracting firmware ● Feature diffs between devices ● Security mechanisms ○ Is it open?
Somerset Recon Segger J-Link - Hardware J-Link EDU V9.3
Somerset Recon Segger J-Link - Hardware
Somerset Recon Segger J-Link - Hardware
Somerset Recon Segger J-Link - Hardware
Somerset Recon Segger J-Link - Hardware ● Tag-Connect™?
Somerset Recon Segger J-Link - Debugging a J-Link with a J-Link ● Security and Flash bits set in flash ● Refuses to connect and erase ● Other ways around this?
Somerset Recon Segger J-Link - Debugging a J-Link with a J-Link ● J-Link Mini EDU MCU Reference Manual ● Chips are cool
Somerset Recon J-Link Desktop Software
Somerset Recon Vulnerability Research - Reverse Engineering ● A lot of cross-compiled code ● Some interesting custom string-manipulation stuff (more on this later) ● A lot of uses of dangerous functions ● Mostly basic applications, nothing that complicated going on
Somerset Recon Vulnerability Research - Reverse Engineering Analysis of binary protections: ● DEP/NX enabled ● ASLR enabled ● PIE is not enabled ● No stack canaries in *nix binaries, stack canaries present in Windows ● SafeSEH used in Windows binaries ● No Symbols
Somerset Recon Vulnerability Research - Fuzzing Set up fuzzers to test various input vectors ○ Files ○ Network interfaces ○ Command line args Used peach to do generational fuzzing ○ A lot of structured, text-based formats ○ A lot of interesting code paths that needed magic numbers to reach
Somerset Recon Vulnerability Research - Fuzzing ● Tens of thousands of crashes ○ Core files everywhere ● Lots of exploitable crashes ● ...but also tons of duplicate crashes ● We had issues keeping J-Link devices attached to VMs
Somerset Recon Vulnerability Research - Fuzzing Issues keeping J-Link attached to VM: ● After a crash the J-Link devices enter a bad state and are disconnected from the fuzzing VM ● We created a crash monitor to trigger on any crash while fuzzing ○ Have the monitor run a script to check if J-Link had fallen off the VM ○ If so, use libvirt to reattach the J-Link if needed
Somerset Recon Local Exploits
Somerset Recon CVE-2018-9094 - Format String Vulnerability ● J-Flash tool ● Found interesting custom printf style functions implemented in J-Link
Somerset Recon CVE-2018-9094 - Custom String Formatting Accepts limited subset of format specifiers ● Accepts basic specifiers: %d, %x, %p, %u, … ● Doesn’t accept the %n family of specifiers ● Accepts precision arguments: .number
Somerset Recon CVE-2018-9094 - Format String Vulnerability JFlashSPI_CL.exe -open xAAAA%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X% X%X%X%X%X%X%X%s
Somerset Recon CVE-2018-9094 - Impact ● Lack of %n format specifiers reduces severity of this vulnerability ● Potentially could be leveraged as part of an exploit chain as a primitive to read arbitrary memory
Somerset Recon CVE-2018-9095 - Discovery ● J-Link Commander tool ● Found via fuzzing and made up most of our exploitable crashes (>99%) ● Traditional stack buffer overflow ● Reads each line of a file into 512 byte stack buffer
Somerset Recon CVE-2018-9095 - Triage $ gdb -c core GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1 ... [New LWP 1928] Core was generated by `JLink_Linux_V630b_i386/JLinkExe -CommandFile payload'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0xb7613456 in ?? () gdb-peda$ bt #0 0xb7613456 in ?? () #1 0x41414141 in ?? () ... Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Somerset Recon CVE-2018-9095 - Exploitation Steps to exploitation: 1. Control over return address 2. Get the address of Libc 3. Use that to get the address of system() 4. Call system() with arguments 5. Bob’s your uncle.
Somerset Recon CVE-2018-9095 - Triage 1. Control over return address ● Used GDB Peda to calculate offset ● Other cool tools (radare2, pwntools, patter_create.rb) out there can utilize cyclic patterns (De Bruijn sequence) to calculate offsets
Somerset Recon CVE-2018-9095 - Triage ● ROP gadgets ○ ROPGadget Tool ■ Grep like a madman ○ Ropper ■ Z3 ○ Manually Searching/Custom Tools ○ Bad bytes are bad
Somerset Recon CVE-2018-9095 - Triage 2. Get the address of Libc ● Used pwntools to dump all got.plt symbols ● Search through ROP gadgets for uses ● ROP gymnastics to dereference it >>> for x in elf.plt: ... print x ... lseek malloc clock_gettime dlsym memset strcat __libc_start_main printf fgets //Chain pseudo 0x804ae7c: esi = **libc 0x0804ae79: eax = esi, esi = **libc 0x0804d0b3: eax += *eax 0x8048e87: eax -= esi
Somerset Recon 3. Use that to get the address of system() ● The system() function was not called in text, used to the “__libc_start_main” symbol instead ● GDB to calculate the offsets ● Lack of gadgets at this point ○ ROP gymnastics to get the proper value in EAX CVE-2018-9095 - Triage //Chain pseudo 0x0804b193: eax += 0x5b000000, esi = 0x5b000000-off_to_sys 0x8048e87: eax -= esi
Somerset Recon 4. Call system() ● Wanted it to be reliable and reproducible for CVE ● DEP/NX is annoying ● What string argument do we pass to system()? CVE-2018-9095 - Triage //Chain pseudo 0x08049841: push esi; call eax;
Somerset Recon 4. Call system() with arguments $ strings JLinkExe | grep "sh$" fflush SWOFlush .gnu.hash That’ll work... CVE-2018-9095 - Triage
Somerset Recon CVE-2018-9095 - PoC ● Craft malicious J-Link command files that can be sent to victim ● Local code execution ● 32-bit JLinkExe binary ● i386 and amd64 Linux systems ● ROP ○ ASLR bypass ○ Ret2libc ○ Reverse shell is doable, but requires ROPing in Libc
Somerset Recon CVE-2018-9095 - Use Case
Somerset Recon CVE-2018-9097 - Settings File Overflow Very similar to previous exploit JLinkExe executable reads a “SettingsFile” ● Reads in settings file and passes to libjlinkarm.so.6.30.2 to update settings ● libjlinkarm.so.6.30.2 has a buffer overrun in BSS segment ● Used the overflow to overwrite a function pointer in BSS segment
Somerset Recon Remote Exploits
Somerset Recon CVE-2018-9096 - Discovery ● JLinkRemoteServer tool ● Opens up a bunch of ports: $ sudo netstat -tulpn | grep JLinkRemote tcp 0 0 0.0.0.0:24 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19080 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:19020 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19021 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19030 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 31417/./JLinkRemote
Somerset Recon CVE-2018-9096 - Discovery ● JLinkRemoteServer tool ● Opens up a bunch of ports: $ sudo netstat -tulpn | grep JLinkRemote tcp 0 0 0.0.0.0:24 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19080 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:19020 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19021 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19030 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 31417/./JLinkRemote Telnet?
Somerset Recon CVE-2018-9096 - Discovery ● Reverse engineering revealed it was actually a built-in Telnet server: ● Allows Telnet connections which provide similar functionality to the Tunnel server
Somerset Recon CVE-2018-9096 - Discovery Fuzzing of the Telnet server revealed an interesting crash: JLinkRemoteServ[31402]: segfault at 41414141 ip 41414141...
Somerset Recon CVE-2018-9096 - Triage Additional RE and triage revealed the following about this vulnerability: ● Stack buffer overflow ● Crashes are not consistent due to race condition ● Limited amount of space to work with (48 byte maximum ROP chain length) ● ASLR + DEP/NX but no PIE ● Additional user-controlled data were found in program memory
Somerset Recon CVE-2018-9096 - Exploitation ● Traditional techniques used to set up the call to system() ○ NX was bypassed using ROP chain ○ ROP chain bypassed ASLR using GOT dereference of libc function call ■ ROP chain then calculates address of system() based on offset from base of libc ● Main issue was getting arbitrary user-controlled strings as argument to system()
Somerset Recon CVE-2018-9096 - Exploitation ● User-controlled strings were consistently found in one of either two static locations that were 72 bytes apart from each other ○ We were unable to predict which location will store the user-controlled string ● How do we consistently setup the argument to system() to run our command?
Somerset Recon CVE-2018-9096 - SPACE SLEDS
Somerset Recon CVE-2018-9096 - SPACE SLEDS ● Inspired by NOP sled techniques used to increase the reliability of exploits ● Concept: Prepend spaces to the user-controlled command string in order to create some overlap between the two command strings ● Use the address of the overlapping command strings as the argument to system()
Somerset Recon CVE-2018-9096 - Demo
Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor ● JLinkRemoteServer tool ● “[P]rovides a tunneling mode which allows remote connections to a J-Link/J-Trace from any computer, even from outside the local network.”
Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor “I wonder if there are any weaknesses with their auth?”
Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor ● Registers all detected J-Link device serial number with Segger server ● Segger server accepts connections and proxies traffic back to registered devices based off of serial numbers ● Uses hardcoded magic numbers and no authentication ● J-Link device -> proxy server: Magic number = 0x11223344 ● Debugging client -> proxy server: Magic number = 0x55667788
Somerset Recon CVE-2018-9093 - Serial Number Analysis ● But brute forcing all of the serial numbers would be too hard...right? ● Serial numbers are 9 decimal digits - 10 billion possibilities ○ Assuming 10 serial numbers/second it would take >31 years to try all possible S/Ns ● Is there some way to shrink the space? ○ How are Segger serial numbers assigned? ○ Where do the serial numbers begin? ● How can we find J-Link serial numbers?
Somerset Recon CVE-2018-9093 - Serial Number Analysis Google “Segger J-Link” images:
Somerset Recon CVE-2018-9093 - Serial Number Analysis Phone a friend and ask for their serial numbers?
Somerset Recon CVE-2018-9093 - Serial Number Analysis ● From search results combined with devices we own we were able to find about about 30 J-Link serial numbers ● From those results several patterns emerged
Somerset Recon CVE-2018-9093 - Serial Number Analysis ● 86: Model ● 10: Version ● 00743: Incremented per device
Somerset Recon CVE-2018-9093 - Serial Number Analysis Serial Number Analysis Results: ● Good coverage of serial number space is possible with ~100,000 serial numbers ○ Reduces time to brute force from over 31 years to less than 3 hours
Somerset Recon CVE-2018-9093 - Impact ● Demo
Somerset Recon CVE-2018-9093 - Impact Once connected to a J-Link Device one can: ● Flash new firmware to a device ● Read existing firmware ● … ( ͡~ ͜ʖ ͡°)
Somerset Recon Disclosure
Somerset Recon Disclosure April 4, 2018 - Disclosed vulnerabilities to Segger April 5, 2018 - Segger responds acknowledging vulnerabilities April 9, 2018 - Segger releases patches for most of the vulnerabilities April 10, 2018 - Founder & CTO responds thanking us
Somerset Recon Summary of Vulnerabilities ● Vulnerabilities in J-Link tunnel server opens backdoor to attached J-Links and can compromise the state of your devices and your network ● Vulnerabilities in the JLinkRemoteServer allow an attacker to gain full remote code execution ● No authentication for JLinkRemoteServer or JLinkGDBServer which allows downloading and flashing of embedded devices ● Traffic is not encrypted to JLinkRemoteServer or tunnel server ● Vulnerabilities in file parsing allow an attacker who distributes malicious J-Link files (command files or settings files) to gain execution on the machine that parses those files
Somerset Recon Conclusions ● Developers should always use the PIE flag to make memory corruption more difficult ● Several unknown vulnerabilities were discovered that affect the J-Link Debugger family and its associated software ● Given that these devices play a critical role in the embedded supply chain, additional security protection should be implemented to protect the users and consumers ● Segger’s response was encouraging ○ No cease and desist ○ Quickly patched many of the vulnerabilities ● Don’t trust any remote debugging server
Somerset Recon BUT WAIT THERE’S MORE! ● Revisiting J-Link hardware via firmware flashing process ● Crafting firmware malware
Somerset Recon J-Link Updating Process ● J-Link Commander will ask you if you’d like to update your connected J-Link Debug Probe ○ We figured out how the update process works ● We reversed the USB protocol
Somerset Recon J-Link Updating Process ● Firmware is checked on the device before flashing, but not very well ○ Hint: It uses dates ○ Can this be bad? ● Firmware is not signed and can be modified How could this be bad?
Somerset Recon Malware Consider a piece of malware that gets circulated via email, etc.: ● Runs silently ● Flashes any J-Link connected to the computer ● Exits cleanly
Somerset Recon Malware - DEMO ● Demo
Somerset Recon Questions? We will be posting slides, source code, and additional info: ● Slides and POCs: https://github.com/Somerset-Recon ● Blog post: https://www.somersetrecon.com/blog Contact: ● @SomersetRecon ● https://www.somersetrecon.com/contact

Recommended

DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 

Recommended

DefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityDefCon 2012 - Sub-1 GHz Radio Frequency Security
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Slide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiSlide used at ACM-SAC 2014 by Suzaki
Slide used at ACM-SAC 2014 by SuzakiKuniyasu Suzaki
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 
Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapalibuildersreviews
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolzAlexey Sintsov
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Armadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollersArmadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollersAndrew Tierney
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touchBenux Wei
 
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevLearn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevJian-Hong Pan
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesIan Kluft
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
 
หน่วยเรียนที่ 1
หน่วยเรียนที่ 1หน่วยเรียนที่ 1
หน่วยเรียนที่ 1kaiwasan
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
Jtag presentation
Jtag presentationJtag presentation
Jtag presentationklinetik
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityFelipe Prado
 

More Related Content

What's hot

Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolzAlexey Sintsov
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Armadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollersArmadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollersAndrew Tierney
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touchBenux Wei
 
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevLearn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevJian-Hong Pan
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesIan Kluft
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
 
หน่วยเรียนที่ 1
หน่วยเรียนที่ 1หน่วยเรียนที่ 1
หน่วยเรียนที่ 1kaiwasan
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
Jtag presentation
Jtag presentationJtag presentation
Jtag presentationklinetik
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 

What's hot (20)

Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017Escalating Privileges in Linux using Fault Injection - FDTC 2017
Escalating Privileges in Linux using Fault Injection - FDTC 2017
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdf
 
Testing CAN network with help of CANToolz
Testing CAN network with help of CANToolzTesting CAN network with help of CANToolz
Testing CAN network with help of CANToolz
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Armadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollersArmadillos - or how to bypass code readout protection on microcontrollers
Armadillos - or how to bypass code readout protection on microcontrollers
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touch
 
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDevLearn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
Learn How to Develop Embedded System for ARM @ 2014.12.22 JuluOSDev
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devices
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
หน่วยเรียนที่ 1
หน่วยเรียนที่ 1หน่วยเรียนที่ 1
หน่วยเรียนที่ 1
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in Perl
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
Jtag presentation
Jtag presentationJtag presentation
Jtag presentation
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 

Similar to Infecting the Embedded Supply Chain

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityFelipe Prado
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Knoldus Inc.
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Jvm profiling under the hood
Jvm profiling under the hoodJvm profiling under the hood
Jvm profiling under the hoodRichardWarburton
 
Rodrigo Almeida - Microkernel development from project to implementation
Rodrigo Almeida - Microkernel development from project to implementationRodrigo Almeida - Microkernel development from project to implementation
Rodrigo Almeida - Microkernel development from project to implementationFelipe Prado
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsPROIDEA
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Opersys inc.
 
GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010regehr
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Anand_Agrawal_CV.pdf
Anand_Agrawal_CV.pdfAnand_Agrawal_CV.pdf
Anand_Agrawal_CV.pdfAnand Agrawal
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...Felipe Prado
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 

Similar to Infecting the Embedded Supply Chain (20)

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning securityDEF CON 27- JISKA FABIAN - vacuum cleaning security
DEF CON 27- JISKA FABIAN - vacuum cleaning security
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Jvm profiling under the hood
Jvm profiling under the hoodJvm profiling under the hood
Jvm profiling under the hood
 
Rodrigo Almeida - Microkernel development from project to implementation
Rodrigo Almeida - Microkernel development from project to implementationRodrigo Almeida - Microkernel development from project to implementation
Rodrigo Almeida - Microkernel development from project to implementation
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
 
GCC Summit 2010
GCC Summit 2010GCC Summit 2010
GCC Summit 2010
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Anand_Agrawal_CV.pdf
Anand_Agrawal_CV.pdfAnand_Agrawal_CV.pdf
Anand_Agrawal_CV.pdf
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
DEF CON 27 - GRICHTER - reverse engineering 4g hotspots for fun bugs net fina...
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Linux on System z debugging with Valgrind
Linux on System z debugging with ValgrindLinux on System z debugging with Valgrind
Linux on System z debugging with Valgrind
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Infecting the Embedded Supply Chain

  • 1. Somerset Recon Infecting the Embedded Supply Chain Zach Miller Alex Kissinger
  • 2. Somerset Recon Introduction - Who We Are Zach: ● Reverse Engineering, Pen Testing ● Twitter: @bit_twidd1er Alex: ● Barista that occasionally does security things @ Somerset Recon ● Cappuccinos, Hardware Hacking, Reverse Engineering
  • 3. Somerset Recon Introduction - Somerset Recon ● @SomersetRecon ● https://somersetrecon.com/contact
  • 4. Somerset Recon Previous Research - Electronic Safe Lock Analysis ● Discovered vulnerabilities in the mobile application and wire protocol of the SecuRam Prologic B01 Bluetooth electronic safe lock ● Capture and decode PIN numbers transmitted wirelessly ● Brute force PIN numbers over the wire
  • 5. Somerset Recon Previous Research - Hello Barbie ● Security analysis on the Mattel Hello Barbie doll ● Identified several vulnerabilities affecting the device and associated web and mobile technologies
  • 6. Somerset Recon These are all embedded devices
  • 7. Somerset Recon Where are embedded devices? Embedded General Purpose???
  • 8. Somerset Recon Industries Develop Embedded Devices ● Automotive ● Industrial ● Medical ● Communications ● Digital Consumer ● Etc.
  • 9. Somerset Recon What do these embedded devices have in common???
  • 10. Somerset Recon They all utilize embedded debuggers for their development
  • 13. Somerset Recon Segger J-Link Debug Probe ● JTAG/SWD/SWO/etc. ● In Circuit Emulator (ICE) ● In Circuit System Programmer (ICSP) ● Supports ARM/ARM Cortex, RISC-V, RX targets ● USB and Ethernet ● Cross platform toolchain ● “Ultrafast” download/upload to flash ● Unlimited software breakpoints “SEGGER J-Links are the most widely used line of debug probes available today”- www.segger.com
  • 14. Somerset Recon Segger Software ● J-Link Software Package ● J-Link GDB Server RTOS Plugin SDK ● SystemView - Real-time Analysis and Visualization ● Ozone Graphical Debugger ● J-Scope Data Analysis and Visualization Tool ● Much more... We focused on the J-Link Software Package
  • 15. Somerset Recon J-Link Software “All-in-one debugging solution” ● J-Link Commander (Command line tool) ● J-Link GDB Server ● J-Link Remote Server ● J-Mem Memory Viewer ● J-Flash ● Much more...
  • 17. Somerset Recon Segger J-Link - Attack Surface Hardware Debug Probes ○ Firmware Software Packages that Interact with Debug probes ○ USB Driver ○ Lots of user-mode applications ○ Full-blown IDE
  • 19. Somerset Recon Segger J-Link - Hardware ● How it works ● Extracting firmware ● Feature diffs between devices ● Security mechanisms ○ Is it open?
  • 20. Somerset Recon Segger J-Link - Hardware J-Link EDU V9.3
  • 24. Somerset Recon Segger J-Link - Hardware ● Tag-Connect™?
  • 25. Somerset Recon Segger J-Link - Debugging a J-Link with a J-Link ● Security and Flash bits set in flash ● Refuses to connect and erase ● Other ways around this?
  • 26. Somerset Recon Segger J-Link - Debugging a J-Link with a J-Link ● J-Link Mini EDU MCU Reference Manual ● Chips are cool
  • 28. Somerset Recon Vulnerability Research - Reverse Engineering ● A lot of cross-compiled code ● Some interesting custom string-manipulation stuff (more on this later) ● A lot of uses of dangerous functions ● Mostly basic applications, nothing that complicated going on
  • 29. Somerset Recon Vulnerability Research - Reverse Engineering Analysis of binary protections: ● DEP/NX enabled ● ASLR enabled ● PIE is not enabled ● No stack canaries in *nix binaries, stack canaries present in Windows ● SafeSEH used in Windows binaries ● No Symbols
  • 30. Somerset Recon Vulnerability Research - Fuzzing Set up fuzzers to test various input vectors ○ Files ○ Network interfaces ○ Command line args Used peach to do generational fuzzing ○ A lot of structured, text-based formats ○ A lot of interesting code paths that needed magic numbers to reach
  • 31. Somerset Recon Vulnerability Research - Fuzzing ● Tens of thousands of crashes ○ Core files everywhere ● Lots of exploitable crashes ● ...but also tons of duplicate crashes ● We had issues keeping J-Link devices attached to VMs
  • 32. Somerset Recon Vulnerability Research - Fuzzing Issues keeping J-Link attached to VM: ● After a crash the J-Link devices enter a bad state and are disconnected from the fuzzing VM ● We created a crash monitor to trigger on any crash while fuzzing ○ Have the monitor run a script to check if J-Link had fallen off the VM ○ If so, use libvirt to reattach the J-Link if needed
  • 34. Somerset Recon CVE-2018-9094 - Format String Vulnerability ● J-Flash tool ● Found interesting custom printf style functions implemented in J-Link
  • 35. Somerset Recon CVE-2018-9094 - Custom String Formatting Accepts limited subset of format specifiers ● Accepts basic specifiers: %d, %x, %p, %u, … ● Doesn’t accept the %n family of specifiers ● Accepts precision arguments: .number
  • 36. Somerset Recon CVE-2018-9094 - Format String Vulnerability JFlashSPI_CL.exe -open xAAAA%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X%X% X%X%X%X%X%X%X%s
  • 37. Somerset Recon CVE-2018-9094 - Impact ● Lack of %n format specifiers reduces severity of this vulnerability ● Potentially could be leveraged as part of an exploit chain as a primitive to read arbitrary memory
  • 38. Somerset Recon CVE-2018-9095 - Discovery ● J-Link Commander tool ● Found via fuzzing and made up most of our exploitable crashes (>99%) ● Traditional stack buffer overflow ● Reads each line of a file into 512 byte stack buffer
  • 39. Somerset Recon CVE-2018-9095 - Triage $ gdb -c core GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1 ... [New LWP 1928] Core was generated by `JLink_Linux_V630b_i386/JLinkExe -CommandFile payload'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0xb7613456 in ?? () gdb-peda$ bt #0 0xb7613456 in ?? () #1 0x41414141 in ?? () ... Backtrace stopped: previous frame inner to this frame (corrupt stack?)
  • 40. Somerset Recon CVE-2018-9095 - Exploitation Steps to exploitation: 1. Control over return address 2. Get the address of Libc 3. Use that to get the address of system() 4. Call system() with arguments 5. Bob’s your uncle.
  • 41. Somerset Recon CVE-2018-9095 - Triage 1. Control over return address ● Used GDB Peda to calculate offset ● Other cool tools (radare2, pwntools, patter_create.rb) out there can utilize cyclic patterns (De Bruijn sequence) to calculate offsets
  • 42. Somerset Recon CVE-2018-9095 - Triage ● ROP gadgets ○ ROPGadget Tool ■ Grep like a madman ○ Ropper ■ Z3 ○ Manually Searching/Custom Tools ○ Bad bytes are bad
  • 43. Somerset Recon CVE-2018-9095 - Triage 2. Get the address of Libc ● Used pwntools to dump all got.plt symbols ● Search through ROP gadgets for uses ● ROP gymnastics to dereference it >>> for x in elf.plt: ... print x ... lseek malloc clock_gettime dlsym memset strcat __libc_start_main printf fgets //Chain pseudo 0x804ae7c: esi = **libc 0x0804ae79: eax = esi, esi = **libc 0x0804d0b3: eax += *eax 0x8048e87: eax -= esi
  • 44. Somerset Recon 3. Use that to get the address of system() ● The system() function was not called in text, used to the “__libc_start_main” symbol instead ● GDB to calculate the offsets ● Lack of gadgets at this point ○ ROP gymnastics to get the proper value in EAX CVE-2018-9095 - Triage //Chain pseudo 0x0804b193: eax += 0x5b000000, esi = 0x5b000000-off_to_sys 0x8048e87: eax -= esi
  • 45. Somerset Recon 4. Call system() ● Wanted it to be reliable and reproducible for CVE ● DEP/NX is annoying ● What string argument do we pass to system()? CVE-2018-9095 - Triage //Chain pseudo 0x08049841: push esi; call eax;
  • 46. Somerset Recon 4. Call system() with arguments $ strings JLinkExe | grep "sh$" fflush SWOFlush .gnu.hash That’ll work... CVE-2018-9095 - Triage
  • 47. Somerset Recon CVE-2018-9095 - PoC ● Craft malicious J-Link command files that can be sent to victim ● Local code execution ● 32-bit JLinkExe binary ● i386 and amd64 Linux systems ● ROP ○ ASLR bypass ○ Ret2libc ○ Reverse shell is doable, but requires ROPing in Libc
  • 49. Somerset Recon CVE-2018-9097 - Settings File Overflow Very similar to previous exploit JLinkExe executable reads a “SettingsFile” ● Reads in settings file and passes to libjlinkarm.so.6.30.2 to update settings ● libjlinkarm.so.6.30.2 has a buffer overrun in BSS segment ● Used the overflow to overwrite a function pointer in BSS segment
  • 51. Somerset Recon CVE-2018-9096 - Discovery ● JLinkRemoteServer tool ● Opens up a bunch of ports: $ sudo netstat -tulpn | grep JLinkRemote tcp 0 0 0.0.0.0:24 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19080 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:19020 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19021 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19030 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 31417/./JLinkRemote
  • 52. Somerset Recon CVE-2018-9096 - Discovery ● JLinkRemoteServer tool ● Opens up a bunch of ports: $ sudo netstat -tulpn | grep JLinkRemote tcp 0 0 0.0.0.0:24 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19080 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:19020 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19021 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 127.0.0.1:19030 0.0.0.0:* LISTEN 31417/./JLinkRemote tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 31417/./JLinkRemote Telnet?
  • 53. Somerset Recon CVE-2018-9096 - Discovery ● Reverse engineering revealed it was actually a built-in Telnet server: ● Allows Telnet connections which provide similar functionality to the Tunnel server
  • 54. Somerset Recon CVE-2018-9096 - Discovery Fuzzing of the Telnet server revealed an interesting crash: JLinkRemoteServ[31402]: segfault at 41414141 ip 41414141...
  • 55. Somerset Recon CVE-2018-9096 - Triage Additional RE and triage revealed the following about this vulnerability: ● Stack buffer overflow ● Crashes are not consistent due to race condition ● Limited amount of space to work with (48 byte maximum ROP chain length) ● ASLR + DEP/NX but no PIE ● Additional user-controlled data were found in program memory
  • 56. Somerset Recon CVE-2018-9096 - Exploitation ● Traditional techniques used to set up the call to system() ○ NX was bypassed using ROP chain ○ ROP chain bypassed ASLR using GOT dereference of libc function call ■ ROP chain then calculates address of system() based on offset from base of libc ● Main issue was getting arbitrary user-controlled strings as argument to system()
  • 57. Somerset Recon CVE-2018-9096 - Exploitation ● User-controlled strings were consistently found in one of either two static locations that were 72 bytes apart from each other ○ We were unable to predict which location will store the user-controlled string ● How do we consistently setup the argument to system() to run our command?
  • 59. Somerset Recon CVE-2018-9096 - SPACE SLEDS ● Inspired by NOP sled techniques used to increase the reliability of exploits ● Concept: Prepend spaces to the user-controlled command string in order to create some overlap between the two command strings ● Use the address of the overlapping command strings as the argument to system()
  • 61. Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor ● JLinkRemoteServer tool ● “[P]rovides a tunneling mode which allows remote connections to a J-Link/J-Trace from any computer, even from outside the local network.”
  • 62. Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor “I wonder if there are any weaknesses with their auth?”
  • 63. Somerset Recon CVE-2018-9093 - Tunnel Server Backdoor ● Registers all detected J-Link device serial number with Segger server ● Segger server accepts connections and proxies traffic back to registered devices based off of serial numbers ● Uses hardcoded magic numbers and no authentication ● J-Link device -> proxy server: Magic number = 0x11223344 ● Debugging client -> proxy server: Magic number = 0x55667788
  • 64. Somerset Recon CVE-2018-9093 - Serial Number Analysis ● But brute forcing all of the serial numbers would be too hard...right? ● Serial numbers are 9 decimal digits - 10 billion possibilities ○ Assuming 10 serial numbers/second it would take >31 years to try all possible S/Ns ● Is there some way to shrink the space? ○ How are Segger serial numbers assigned? ○ Where do the serial numbers begin? ● How can we find J-Link serial numbers?
  • 65. Somerset Recon CVE-2018-9093 - Serial Number Analysis Google “Segger J-Link” images:
  • 66. Somerset Recon CVE-2018-9093 - Serial Number Analysis Phone a friend and ask for their serial numbers?
  • 67. Somerset Recon CVE-2018-9093 - Serial Number Analysis ● From search results combined with devices we own we were able to find about about 30 J-Link serial numbers ● From those results several patterns emerged
  • 68. Somerset Recon CVE-2018-9093 - Serial Number Analysis ● 86: Model ● 10: Version ● 00743: Incremented per device
  • 69. Somerset Recon CVE-2018-9093 - Serial Number Analysis Serial Number Analysis Results: ● Good coverage of serial number space is possible with ~100,000 serial numbers ○ Reduces time to brute force from over 31 years to less than 3 hours
  • 71. Somerset Recon CVE-2018-9093 - Impact Once connected to a J-Link Device one can: ● Flash new firmware to a device ● Read existing firmware ● … ( ͡~ ͜ʖ ͡°)
  • 73. Somerset Recon Disclosure April 4, 2018 - Disclosed vulnerabilities to Segger April 5, 2018 - Segger responds acknowledging vulnerabilities April 9, 2018 - Segger releases patches for most of the vulnerabilities April 10, 2018 - Founder & CTO responds thanking us
  • 74. Somerset Recon Summary of Vulnerabilities ● Vulnerabilities in J-Link tunnel server opens backdoor to attached J-Links and can compromise the state of your devices and your network ● Vulnerabilities in the JLinkRemoteServer allow an attacker to gain full remote code execution ● No authentication for JLinkRemoteServer or JLinkGDBServer which allows downloading and flashing of embedded devices ● Traffic is not encrypted to JLinkRemoteServer or tunnel server ● Vulnerabilities in file parsing allow an attacker who distributes malicious J-Link files (command files or settings files) to gain execution on the machine that parses those files
  • 75. Somerset Recon Conclusions ● Developers should always use the PIE flag to make memory corruption more difficult ● Several unknown vulnerabilities were discovered that affect the J-Link Debugger family and its associated software ● Given that these devices play a critical role in the embedded supply chain, additional security protection should be implemented to protect the users and consumers ● Segger’s response was encouraging ○ No cease and desist ○ Quickly patched many of the vulnerabilities ● Don’t trust any remote debugging server
  • 76. Somerset Recon BUT WAIT THERE’S MORE! ● Revisiting J-Link hardware via firmware flashing process ● Crafting firmware malware
  • 77. Somerset Recon J-Link Updating Process ● J-Link Commander will ask you if you’d like to update your connected J-Link Debug Probe ○ We figured out how the update process works ● We reversed the USB protocol
  • 78. Somerset Recon J-Link Updating Process ● Firmware is checked on the device before flashing, but not very well ○ Hint: It uses dates ○ Can this be bad? ● Firmware is not signed and can be modified How could this be bad?
  • 79. Somerset Recon Malware Consider a piece of malware that gets circulated via email, etc.: ● Runs silently ● Flashes any J-Link connected to the computer ● Exits cleanly
  • 80. Somerset Recon Malware - DEMO ● Demo
  • 81. Somerset Recon Questions? We will be posting slides, source code, and additional info: ● Slides and POCs: https://github.com/Somerset-Recon ● Blog post: https://www.somersetrecon.com/blog Contact: ● @SomersetRecon ● https://www.somersetrecon.com/contact