Itzik Kotler | April 2011




 Let Me Stuxnet You

 Itzik Kotler
 CTO, Security Art



All rights reserved to Security Art Ltd. 2002 - 2010   www.security-art.com




 Goodbye World!
 •   Stuxnet and Cyber Warfare are exploiting
     the (it’s complicated) relationship between
     Software and Hardware to cause damage
     and sabotage!
 •   Today it’s a country that seeks to destroy
     another nation and tomorrow it’s a
     commercial company that seeks to make a
     rival company go out of business. An act of
     Industrial Cyber Warfare.







 Can Software Damage Hardware? Yes!
 •   Software controls hardware, and it can
     make it perform a damaging operation
 •   Software can damage other software
     that runs or operates hardware
 •   Software controls hardware, and it can
     make it perform an operation that will be
     damaging to other hardware








 Industrial Cyber Warfare Attack?
 •   Cyber Warfare is not limited to, or designed
     exclusively for, nations or critical
     infrastructures
 •   A successfully delivered Industrial Cyber
     Warfare attack causes financial loss,
     operation loss, or both to the attacked
     company!
 •   Industrial Cyber Warfare is Logic Bombs,
     Permanent Denial-of-Service, APT and more







 Meet Permanent Denial-of-Service
 •   Permanent Denial-of-Service is an attack
     that damages hardware so badly that it
     requires replacement or reinstallation of
     hardware.
 •   The damage potential is on a grand scale,
     almost anything and everything is
     controlled by software that can be
     modified or attacked








 Industrial Cyber Warfare: Why & Who?
 •   Industrial Espionage
      – Rival Companies
      – Foreign Countries
 •   Terrorism
      – Political/Social Agenda
      – Revenge
 •   Blackmailing
      – Greed, Power, etc.







 Permanent Denial-of-Service 101
 •   Phlashing:
      – Overwriting the firmware of the
        component and making it useless (i.e.
        “Bricked”)
 •   Overclocking:
      – Increasing the working frequency of the
        component, making it unstable and
        causing it to overheat








 Permanent Denial-of-Service (Cont.)
 •   Overvolting:
      – Increasing the input voltage of the component
        to “zap” it or cause it to overheat
 •   Overusing:
      – Repetitively using a mechanical feature of the
        component, causing it to wear out quicker








 Permanent Denial-of-Service (Cont.)
 •   Power Cycling
      – Repetitively turning the power supply to
        the component on and off, causing it
        to wear out quicker (due to temperature
        fluctuations and spikes)








 Local Attacks
 Does anyone smell smoke?








 Computer Fans
 •   Not a target, per se.
 •   Disabling or slowing down the fan RPM
     speed can result in increased temperature
 •   Lengthy exposure to high temperature (due
     to lack of cooling) can lead to
     Electromigration that in turn will cause a
     Permanent Denial-of-Service








 CPU
 •   Overheating due to Stressing
 •   Overheating due to Overclocking
 •   Overheating due to Overvolting
 •   Overheating due to (always on) P0 @
     APM/ACPI
 •   Bricking due to Phlashing (via Microcode
     Flashing)








 CPU: Infinite Loop
 x86 Assembly Code:

 jmp

 Description:

 Infinite loop that jumps to itself








 CPU: Microcode Flashing
 •   Not your typical firmware update
 •   Microcode goes into the processor,
     providing a slightly higher level or more
     complex commands based on the
     processor's basic ("hard-wired") commands
 •   Microprogramming can be used to abuse or
     to damage the microprogram within the
     processor








 RAM
 •   Overheating due to Overclocking
 •   Overheating due to Overvolting
 •   Burnout due to Overvolting








 GPU (Graphics Processing Unit)
 •   Overheating due to Overclocking
 •   Overheating due to Overvolting
 •   Bricking due to Phlashing
      – Utilities (e.g. nvflash, NiBiTor, etc.)








 Hard disk drive
 •   Traditional (i.e. Mechanical)
      – Overheating due to Excessive Write &
        Read
      – Wearing out due to Excessive Head
        Parking
      – Bricking due to Phlashing
 •   Solid-state drive
      – Wearing out due to Excessive Write







 Hard Drive: Pseudo Format Attack
 Command:

 while true; do

 Description:

 Infinite loop of read and write requests to disk








 Hard Drive: Spindown Attack
 Commands:

 hdparm

 Description:

 Sets disk








 BIOS: Bricking/Firmware Flashing
 •   Bricking due to Phlashing








 Rogue BIOS Firmware as Platform
 •   Allows automation of:
      – Overclocking of CPU, RAM, etc.
      – Overvolting of CPU, RAM, etc.
      – Power Cycling (of the whole System)
 •   Can include a “Self-destruct” function








 CD-ROM/DVD-ROM
 •   Wearing out due to Overusing the drive
     tray
 •   Bricking due to Phlashing








 CD-ROM: Mechanical Part Attack
 Code:

 while true; do eject; eject -t; done

 Description:

 Infinite loop that opens and closes the CD-ROM tray








 Memory Wear
 •   Flash memory has a finite number of program-
     erase cycles (aka. P/E cycles).
 •   Most commercially available Flash products are
     guaranteed to withstand around 100,000 P/E
     cycles, before the wear begins to deteriorate
     the integrity of the storage
 •   Popular products that are based on, or using
     Flash memory: USB DiskOnKeys, Solid-state
     Drives, Thin Clients and Routers and more.








 Flash: Memory Wear Attack
 Code:

 dd

 Description:

 Infinite loop that excessively writes pseudo-random data to flash
 memory







 NIC (Network Interface Card)
 •   Bricking due to Phlashing








 NIC: TCP Offload Engine
 •   TCP Offload Engine or TOE is a technology used
     in network interface cards (NIC) to offload
     processing of the entire TCP/IP stack to the
     network controller.
 •   TOE is primarily used with high-speed network
     interfaces, such as gigabit Ethernet and 10
     Gigabit Ethernet
 •   TOE is implemented in hardware so patches
     must be applied to the TOE firmware








 CRT Monitor:
 •   There are problems at scan rates which
     exceed the monitor's specifications (low or
     high). Some monitors can blow if given a
     too low scan rate or an absent or
     corrupted signal input.








 XFree86 Screen Configuration:
 HorizSync   28.0-78.0 # Warning: This may fry very old Monitors
 HorizSync   28.0-96.0 # Warning: This may fry old Monitors

 (taken from a real life, XFree86 Config file)








 Floppy Drive:
 •   Wearing out due to Excessive Head
     Rotation
      – On some floppy drives there is no
        validity checking on sector/track
        values, and so the floppy head might
        get hit repetitively against the stopper
        (See: NYB Virus)








 Legacy: Motorola 6800 & 6809
 •   Motorola 6800 was an 8-bit microprocessor and
     was part of the M6800 Microcomputer System
 •   The Motorola 6800 and 6809 can damage the
     computer's bus lines by the instruction 'HCF'
     (Halt, then Catch Fire).
 •   HCF successively toggles each of the bus lines,
     but it does it so fast that it can damage them.
     It was intended for manufacturer testing.








 Summary
 •   Computer Fans
 •   CPU
 •   GPU
 •   RAM
 •   Hard Drives
 •   BIOS
 •   CD-ROM/DVD-ROM
 •   External Storage (e.g. Disk On Key)
 •   Network Cards
 •   CRT Monitor (Legacy)
 •   Floppy Disk (Legacy)
 •   Non-x86 Chip








 Remote Attacks
 The long arm of the Permanent Denial-of-Service








 Firmware Updates via Web
 •   Network-attached Storage (NAS) Appliances
 •   Network Appliances (e.g. Wi-Fi Access
     Points)
 •   DSL/ADSL Cable Modems
 •   Computer Peripherals (e.g. KVM)
 •   Voice Over IP (VoIP) Phones
 •   And more …








 Open Questions
 •   How does this affect Cloud and Virtualized
     Systems?








 Countermeasures?
 •   Hardware:
      – Over-clocking Protection
      – Over-voltage Protection
      – Over-temperature Protection
 •   Software:
      – Digitally signed Firmware Binaries &
        Updates
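
One way a device-side updater can enforce the "digitally signed firmware" countermeasure and refuse an unauthorized (phlashing) image, as an added example that is not from the original slides. The image layout (magic `FWIM`, 4-byte version), all function names and the sample data are assumptions; the signature is a Lamport one-time signature over SHA-256, chosen only so the sketch runs on the Python standard library, where a product would use a vetted RSA, ECDSA or Ed25519 implementation.

```python
"""Gate a firmware update on a signature check before anything reaches flash.

Added illustration: image layout, names and sample data are constructed.
The Lamport one-time signature stands in for a production signature scheme.
"""
import hashlib
import hmac
import secrets
import struct

MAGIC = b"FWIM"                  # hypothetical image magic
HEADER = struct.Struct(">4sI")   # magic, monotonically increasing version
N = 256                          # bits in a SHA-256 digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    """Yield the 256 digest bits, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def keygen():
    """Vendor side: one key pair signs exactly one image."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    public = [(_h(a), _h(b)) for a, b in secret]
    return secret, public


def sign(secret, image: bytes):
    """Vendor side: reveal one preimage per bit of the image digest."""
    return [secret[i][bit] for i, bit in enumerate(_bits(_h(image)))]


def verify(public, image: bytes, signature) -> bool:
    """Device side: each revealed preimage must hash to the pinned public value."""
    if len(signature) != N or not all(isinstance(s, bytes) for s in signature):
        return False
    ok = True
    for i, bit in enumerate(_bits(_h(image))):
        # Constant-time comparison, and no early exit on the first mismatch.
        ok &= hmac.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def build_image(version: int, payload: bytes) -> bytes:
    return HEADER.pack(MAGIC, version) + payload


def accept_update(public, image: bytes, signature, installed_version: int):
    """Return (accepted, reason); the header is parsed only after the signature passes."""
    if not verify(public, image, signature):
        return False, "bad signature"
    if len(image) < HEADER.size:
        return False, "truncated image"
    magic, version = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "wrong image type"
    if version <= installed_version:
        return False, "rollback refused"   # signed but stale images stay out
    return True, "ok"


def demo():
    secret, public = keygen()              # the public half is pinned in the device
    image = build_image(8, b"constructed firmware payload")
    signature = sign(secret, image)
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])   # one flipped bit
    return {
        "genuine": accept_update(public, image, signature, installed_version=7),
        "tampered": accept_update(public, tampered, signature, installed_version=7),
        "replayed": accept_update(public, image, signature, installed_version=8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The version comparison matters as much as the signature: without it, an older, validly signed image with known flaws could be reinstalled.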








 Thanks!

 Questions are guaranteed in life; Answers aren't.
 mailto: itzik.kotler@security-art.com


Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

HES2011 - Itzik Kotler - Let me Stuxnet You

  • 1. Itzik Kotler | April 2011 Let Me Stuxnet You Itzik Kotler CTO, Security Art All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com
  • 2. Goodbye World! • Stuxnet and Cyber Warfare are exploiting the (it’s complicated) relationship between Software and Hardware to cause damage and sabotage! • Today it’s a country that seeks to destroy another nation and tomorrow it’s a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare. All rights reserved to Security Art Ltd. 2002 - 2011
  • 3. Can Software Damage Hardware? Yes! • Software controls hardware, and it can make it perform a damaging operation • Software can damage other software that runs or operates hardware • Software controls hardware, and it can make it perform an operation that will be damaging to other hardware
  • 4. Industrial Cyber Warfare Attack? • Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures • A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company! • Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more
  • 5. Meet Permanent Denial-of-Service • Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware. • The damage potential is on a grand scale; almost anything and everything is controlled by software that can be modified or attacked
  • 6. Industrial Cyber Warfare: Why & Who? • Industrial Espionage – Rival Companies – Foreign Countries • Terrorism – Political/Social Agenda – Revenge • Blackmailing – Greed, Power, etc.
  • 7. Permanent Denial-of-Service 101 • Phlashing: – Overwriting the firmware of the component and making it useless (i.e. “Bricked”) • Overclocking: – Increasing the working frequency of the component and making it unstable and overheat
  • 8. Permanent Denial-of-Service (Cont.) • Overvolting: – Increasing the input voltage of the component to “zap” it or cause it to overheat • Overusing: – Repetitively using a mechanical feature of the component, causing it to wear quicker
  • 9. Permanent Denial-of-Service (Cont.) • Power Cycling – Repetitively turning the power supply to the component on and off, causing it to wear quicker (due to temperature flection and spikes)
  • 10. Local Attacks Does anyone smell smoke?
  • 11. Computer Fans • Not a target, per se. • Disabling the fan or slowing down its RPM can result in increased temperature • Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service
  • 12. CPU • Overheating due to Stressing • Overheating due to Overclocking • Overheating due to Overvolting • Overheating due to (always on) P0 @ APM/ACPI • Bricking due to Phlashing (via Microcode Flashing)
  • 13. CPU: Infinite Loop x86 Assembly Code: jmp Description: Infinite loop that jumps to self
  • 14. CPU: Microcode Flashing • Not your typical firmware update • Microcode goes into the processor, providing slightly higher-level or more complex commands based on the processor's basic ("hard-wired") commands • Microprogramming can be used to abuse or to damage the microprogram within the processor
  • 15. RAM • Overheating due to Overclocking • Overheating due to Overvolting • Burnout due to Overvolting
  • 16. GPU (Graphics Processing Unit) • Overheating due to Overclocking • Overheating due to Overvolting • Bricking due to Phlashing – Utilities (e.g. nvflash, NiBiTor, etc.)
  • 17. Hard disk drive • Traditional (i.e. Mechanical) – Overheating due to Excessive Write & Read – Wearing out due to Excessive Head Parking – Bricking due to Phlashing • Solid-state drive – Wearing out due to Excessive Write
  • 18. Hard Drive: Pseudo Format Attack Command: while true; do Description: Infinite loop of read and write requests to disk
  • 19. Hard Drive: Spindown Attack Commands: hdparm Description: Sets disk
  • 20. BIOS: Bricking/Firmware Flashing • Bricking due to Phlashing
  • 21. Rogue BIOS Firmware as Platform • Allows automation of: – Overclocking of CPU, RAM, etc. – Overvolting of CPU, RAM, etc. – Power Cycling (of the whole System) • Can include a “Self-destruct” function
  • 22. CD-ROM/DVD-ROM • Wearing out due to Overusing the drive tray • Bricking due to Phlashing
  • 23. CD-ROM: Mechanical Part Attack Code: while true; do eject; eject -t; done Description: Infinite loop that opens and closes the CD-ROM tray
  • 24. Memory Wear • Flash memory has a finite number of program-erase cycles (aka P/E cycles). • Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles before the wear begins to deteriorate the integrity of the storage • Popular products that are based on, or use, Flash memory: USB Disk On Keys, Solid-state Drives, Thin Clients, Routers and more.
  • 25. Flash: Memory Wear Attack Code: dd Description: Infinite loop that excessively writes pseudo-random data to a flash memory
  • 26. NIC (Network Interface Card) • Bricking due to Phlashing
  • 27. NIC: TCP Offload Engine • TCP Offload Engine, or TOE, is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller. • TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet • TOE is implemented in hardware, so patches must be applied to the TOE firmware
  • 28. CRT Monitor: • There are problems at scan rates which exceed the monitor's specifications (low or high). Some monitors can blow if given a too low scan rate or an absent or corrupted signal input.
  • 29. XFree86 Screen Configuration: HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors (taken from a real-life XFree86 config file)
  • 30. Floppy Drive: • Wearing out due to Excessive Head Rotation – On some floppy drives there is no validity checking on sector/track values, and so the floppy head might get hit repetitively against the stopper (See: NYB Virus)
  • 31. Legacy: Motorola 6800 & 6809 • Motorola 6800 was an 8-bit microprocessor and was part of the M6800 Microcomputer System • The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction 'HCF' (Halt, then Catch Fire). • HCF successively toggles each of the bus lines, but it does it so fast that it can damage them. It was intended for manufacturer testing.
  • 32. Summary • Computer Fans • CPU • GPU • RAM • Hard Drives • BIOS • CD-ROM/DVD-ROM • External Storage (e.g. Disk On Key) • Network Cards • CRT Monitor (Legacy) • Floppy Disk (Legacy) • Non-x86 Chip
  • 33. Remote Attacks The long arm of the Permanent Denial-of-Service
  • 34. Firmware Updates via Web • Network-attached Storage (NAS) Appliances • Network Appliances (e.g. Wi-Fi Access Points) • DSL/ADSL Cable Modems • Computer Peripherals (e.g. KVM) • Voice Over IP (VoIP) Phones • And more …
  • 35. Open Questions • How does this affect Cloud and Virtualized Systems?
  • 36. Countermeasures? • Hardware: – Over-clocking Protection – Over-voltage Protection – Over-temperature Protection • Software: – Digitally signed Firmware Binaries & Updates
  • 37. Thanks! Questions are guaranteed in life; Answers aren't. mailto: itzik.kotler@security-art.com
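The Memory Wear slides (24 and 25) give a concrete endurance figure, around 100,000 P/E cycles, which a defender can turn into a monitoring check. The following is an added example, not code from the talk: it reads two /proc/diskstats snapshots and flags devices whose sustained write rate would exhaust that endurance early. The device names, capacities, counters and the three-year threshold are constructed assumptions, and the estimate assumes perfect wear leveling with a write amplification of 1.0.

```python
"""Estimate flash wear-out time from /proc/diskstats write counters.

Assumes perfect wear leveling and a write amplification of 1.0 (assumptions,
not from the slides); snapshots and capacities below are constructed samples.
"""

SECTOR_BYTES = 512        # /proc/diskstats counts 512-byte sectors
PE_CYCLES = 100_000       # endurance figure quoted on the Memory Wear slide
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed /proc/diskstats snapshots taken 60 seconds apart.
SNAPSHOT_T0 = """\
   8       0 sda 51200 1200 4096000 8000 30000 900 9000000 12000 0 9000 20000
   8      16 sdb 300 0 24000 150 5000 10 1000000 4000 0 3000 4150
"""
SNAPSHOT_T1 = """\
   8       0 sda 51300 1200 4100000 8010 30400 910 9120000 12100 0 9050 20110
   8      16 sdb 300 0 24000 150 14000 20 3400000 64000 0 62000 64150
"""
# Constructed capacities: a 256 GB SSD and a 4 GB USB flash drive.
CAPACITIES = {"sda": 256 * 10**9, "sdb": 4 * 10**9}


def parse_diskstats(text):
    """Return {device: sectors_written} from /proc/diskstats content."""
    written = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        # Index 2 is the device name, index 9 the sectors-written counter.
        written[fields[2]] = int(fields[9])
    return written


def write_rate(before, after, interval_s):
    """Bytes written per second, per device, between two snapshots."""
    rates = {}
    for dev, end in after.items():
        start = before.get(dev)
        if start is None or end < start:
            continue  # device appeared or counter reset: no usable rate
        rates[dev] = (end - start) * SECTOR_BYTES / interval_s
    return rates


def years_to_wearout(capacity_bytes, bytes_per_s, pe_cycles=PE_CYCLES):
    """Years until capacity * pe_cycles bytes have been written at this rate."""
    if bytes_per_s <= 0:
        return float("inf")
    return capacity_bytes * pe_cycles / bytes_per_s / SECONDS_PER_YEAR


def wear_alerts(t0_text, t1_text, interval_s, capacities, min_years=3.0):
    """Map each device that would wear out before min_years to its estimate."""
    rates = write_rate(parse_diskstats(t0_text), parse_diskstats(t1_text),
                       interval_s)
    alerts = {}
    for dev, rate in rates.items():
        if dev in capacities:
            years = years_to_wearout(capacities[dev], rate)
            if years < min_years:
                alerts[dev] = round(years, 2)
    return alerts


if __name__ == "__main__":
    for dev, years in wear_alerts(SNAPSHOT_T0, SNAPSHOT_T1, 60,
                                  CAPACITIES).items():
        print(f"{dev}: sustained writes would exhaust endurance in ~{years} years")
```

Treat the result as an upper bound on device lifetime: without effective wear leveling, repeated writes to the same blocks reach the P/E limit much sooner than the whole-device average suggests.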