1. Itzik Kotler | April 2011
Let Me Stuxnet You
Itzik Kotler
CTO, Security Art
All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com
2. Goodbye World!
• Stuxnet and Cyber Warfare are exploiting the (it’s complicated) relationship between Software and Hardware to cause damage and sabotage!
• Today it’s a country that seeks to destroy another nation and tomorrow it’s a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.
3. Can Software Damage Hardware? Yes!
• Software controls hardware, and it can make it perform damaging operations
• Software can damage other software that runs or operates hardware
• Software controls hardware, and it can make it perform operations that will be damaging to other hardware
4. Industrial Cyber Warfare Attack?
• Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures
• A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company!
• Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more
5. Meet Permanent Denial-of-Service
• Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.
• The damage potential is on a grand scale; almost anything and everything is controlled by software that can be modified or attacked
6. Industrial Cyber Warfare: Why & Who?
• Industrial Espionage
– Rival Companies
– Foreign Countries
• Terrorism
– Political/Social Agenda
– Revenge
• Blackmailing
– Greed, Power, etc.
7. Permanent Denial-of-Service 101
• Phlashing:
– Overwriting the firmware of the component, making it useless (i.e. “Bricked”)
• Overclocking:
– Increasing the working frequency of the component so that it becomes unstable and overheats
8. Permanent Denial-of-Service (Cont.)
• Overvolting:
– Increasing the input voltage of the component to “zap” it or cause it to overheat
• Overusing:
– Repetitively using a mechanical feature of the component, causing it to wear out quicker
9. Permanent Denial-of-Service (Cont.)
• Power Cycling
– Repetitively turning the power supply to the component on and off, causing it to wear out quicker (due to temperature fluctuation and spikes)
10. Local Attacks
Does anyone smell smoke?
11. Computer Fans
• Not a target, per se.
• Disabling the fan or lowering its RPM can result in increased temperature
• Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service
12. CPU
• Overheating due to Stressing
• Overheating due to Overclocking
• Overheating due to Overvolting
• Overheating due to (always on) P0 @ APM/ACPI
• Bricking due to Phlashing (via Microcode Flashing)
13. CPU: Infinite Loop
x86 Assembly Code:
jmp
Description:
Infinite loop that jumps to itself
14. CPU: Microcode Flashing
• Not your typical firmware update
• Microcode goes into the processor, providing slightly higher-level or more complex commands based on the processor's basic ("hard-wired") commands
• Microprogramming can be used to abuse or to damage the microprogram within the processor
15. RAM
• Overheating due to Overclocking
• Overheating due to Overvolting
• Burnout due to Overvolting
16. GPU (Graphics Processing Unit)
• Overheating due to Overclocking
• Overheating due to Overvolting
• Bricking due to Phlashing
– Utilities (e.g. nvflash, NiBiTor, etc.)
17. Hard disk drive
• Traditional (i.e. Mechanical)
– Overheating due to Excessive Write & Read
– Wearing out due to Excessive Head Parking
– Bricking due to Phlashing
• Solid-state drive
– Wearing out due to Excessive Write
18. Hard Drive: Pseudo Format Attack
Command:
while true; do
Description:
Infinite loop of read and write requests to disk
19. Hard Drive: Spindown Attack
Commands:
hdparm
Description:
Sets disk
20. BIOS: Bricking/Firmware Flashing
• Bricking due to Phlashing
21. Rogue BIOS Firmware as Platform
• Allows automation of:
– Overclocking of CPU, RAM, etc.
– Overvolting of CPU, RAM, etc.
– Power Cycling (of the whole System)
• Can include a “Self-destruct” function
22. CD-ROM/DVD-ROM
• Wearing out due to Overusing the drive tray
• Bricking due to Phlashing
23. CD-ROM: Mechanical Part Attack
Code:
while true; do eject; eject -t; done
Description:
Infinite loop that opens and closes the CD-ROM tray
24. Memory Wear
• Flash memory has a finite number of program-erase cycles (a.k.a. P/E cycles).
• Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles before the wear begins to deteriorate the integrity of the storage
• Popular products that are based on, or use, Flash memory: USB Disk On Keys, Solid-state Drives, Thin Clients, Routers and more.
25. Flash: Memory Wear Attack
Code:
dd
Description:
Infinite loop that excessively writes pseudo-random data to a flash memory
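
A defender-side check for the sustained-write pattern described on the two flash slides above, added here as an example and not part of the original deck: it projects when a device would run out of P/E cycles from two `/proc/diskstats` samples. The device name `sdb`, the 8 GiB capacity, the 3-year threshold and both sample lines are constructed assumptions.

```python
PE_CYCLES = 100_000   # endurance figure quoted on the Memory Wear slide
SECTOR_BYTES = 512    # /proc/diskstats counts 512-byte sectors for every device

# Constructed samples for a hypothetical 8 GiB USB key "sdb", taken 60 s apart.
SAMPLE_T0 = "   8  16 sdb 120 0 960 40 5000 0 4000000 900 0 800 940"
SAMPLE_T1 = "   8  16 sdb 120 0 960 40 9000 0 16288000 2100 0 2000 2140"


def sectors_written(diskstats_text, device):
    """Return the cumulative 'sectors written' counter (10th field) for device."""
    for line in diskstats_text.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[2] == device:
            return int(fields[9])
    raise KeyError(f"{device} not found in diskstats sample")


def projected_days(t0, t1, interval_s, device, capacity_bytes, write_amp=1.0):
    """Days until capacity * PE_CYCLES bytes are written at the observed rate.

    Assumes ideal wear leveling, so the result is an upper bound; write_amp > 1
    models controller write amplification. Returns None on a counter reset
    (reboot or re-plug) and float('inf') when nothing was written.
    """
    delta = sectors_written(t1, device) - sectors_written(t0, device)
    if delta < 0:
        return None
    if delta == 0:
        return float("inf")
    rate = delta * SECTOR_BYTES / interval_s * write_amp   # bytes/s reaching the flash
    return capacity_bytes * PE_CYCLES / rate / 86_400


def wear_alert(t0, t1, interval_s, device, capacity_bytes, min_days=3 * 365):
    """True when the observed write rate would wear the device out before min_days."""
    days = projected_days(t0, t1, interval_s, device, capacity_bytes)
    return days is not None and days < min_days


if __name__ == "__main__":
    cap = 8 * 2**30
    days = projected_days(SAMPLE_T0, SAMPLE_T1, 60, "sdb", cap)
    print(f"sdb: projected wear-out in {days:.1f} days,",
          f"alert={wear_alert(SAMPLE_T0, SAMPLE_T1, 60, 'sdb', cap)}")
```

A single 60-second window is noisy; a monitor built on this would alert only when the projection stays below the threshold across several consecutive samples.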
26. NIC (Network Interface Card)
• Bricking due to Phlashing
27. NIC: TCP Offload Engine
• TCP Offload Engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.
• TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet
• TOE is implemented in hardware so patches must be applied to the TOE firmware
28. CRT Monitor:
• There are problems at scan rates which exceed the monitor's specifications (low or high). Some monitors can blow if given a too low scan rate or an absent or corrupted signal input.
29. XFree86 Screen Configuration:
HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors
HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors
(taken from a real-life XFree86 config file)
30. Floppy Drive:
• Wearing out due to Excessive Head Rotation
– On some floppy drives there is no validity checking on sector/track values, and so the floppy head might get hit repetitively against the stopper (See: NYB Virus)
31. Legacy: Motorola 6800 & 6809
• Motorola 6800 was an 8-bit microprocessor and was part of the M6800 Microcomputer System
• The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction 'HCF' (Halt, then Catch Fire).
• HCF successively toggles each of the bus lines, but it does it so fast that it can damage them. It was intended for manufacturer testing.
32. Summary
• Computer Fans
• CPU
• GPU
• RAM
• Hard Drives
• BIOS
• CD-ROM/DVD-ROM
• External Storage (e.g. Disk On Key)
• Network Cards
• CRT Monitor (Legacy)
• Floppy Disk (Legacy)
• Non-x86 Chip
33. Remote Attacks
The long arm of the Permanent Denial-of-Service
34. Firmware Updates via Web
• Network-attached Storage (NAS) Appliances
• Network Appliances (e.g. Wi-Fi Access Points)
• DSL/ADSL Cable Modems
• Computer Peripherals (e.g. KVM)
• Voice Over IP (VoIP) Phones
• And more …
35. Open Questions
• How does this affect Cloud and Virtualized Systems?
36. Countermeasures?
• Hardware:
– Over-clocking Protection
– Over-voltage Protection
– Over-temperature Protection
• Software:
– Digitally signed Firmware Binaries & Updates
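
The software countermeasure on the slide above, sketched as an added example that is not part of the original deck: an updater that refuses to flash any image whose RSA (PKCS#1 v1.5, SHA-256) signature does not verify. The key is a constructed toy built from two Mersenne primes so the block runs offline with only the standard library, and `apply_update` and `flash_write` are hypothetical names; a real updater would use a vetted crypto library and a properly generated vendor key.

```python
import hashlib

# Constructed demo key (two Mersenne primes) so the example runs offline. NOT secure:
# a real vendor key is randomly generated and its private half never leaves the signer.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, baked into the device's updater
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, vendor build system only
K = (N.bit_length() + 7) // 8        # modulus length in bytes

# ASN.1 DigestInfo header for SHA-256 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _expected_block(image: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign_image(image: bytes) -> bytes:
    """Vendor side: sign the firmware image with the private exponent."""
    return pow(_expected_block(image), D, N).to_bytes(K, "big")


def verify_image(image: bytes, signature: bytes) -> bool:
    """Device side: rebuild the full padded block and compare it whole,
    instead of parsing the decrypted block (avoids padding-parsing forgeries)."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    return s < N and pow(s, E, N) == _expected_block(image)


def apply_update(image: bytes, signature: bytes, flash_write) -> bool:
    """Hypothetical updater gate: flash_write runs only for a verified image."""
    if not verify_image(image, signature):
        return False
    flash_write(image)
    return True


if __name__ == "__main__":
    firmware = b"FWv2" + bytes(range(256)) * 4          # constructed image
    sig = sign_image(firmware)
    flashed = []
    print("genuine :", apply_update(firmware, sig, flashed.append))
    print("tampered:", apply_update(firmware[:-1] + b"\x00", sig, flashed.append))
```

The check only protects the device if it runs in code the update itself cannot replace, such as a boot ROM or a write-protected bootloader.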
37. Thanks!
Questions are guaranteed in life; Answers aren't.
mailto: itzik.kotler@security-art.com