HES2011 - Itzik Kotler - Let me Stuxnet You

Transcript of "HES2011 - Itzik Kotler - Let me Stuxnet You"

  1. Let Me Stuxnet You
     Itzik Kotler, CTO, Security Art
     Itzik Kotler | April 2011 | www.security-art.com
     All rights reserved to Security Art Ltd. 2002 - 2010
  2. Goodbye World!
     • Stuxnet and Cyber Warfare are exploiting the (it's complicated) relationship between Software and Hardware to cause damage and sabotage!
     • Today it's a country that seeks to destroy another nation and tomorrow it's a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.
  3. Can Software Damage Hardware? Yes!
     • Software controls hardware, and it can make it perform a damaging operation
     • Software can damage another piece of software that runs or operates hardware
     • Software controls hardware, and it can make it perform an operation that will be damaging to another piece of hardware
  4. Industrial Cyber Warfare Attack?
     • Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures
     • A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company!
     • Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more
  5. Meet Permanent Denial-of-Service
     • Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.
     • The damage potential is on a grand scale; almost anything and everything is controlled by software that can be modified or attacked
  6. Industrial Cyber Warfare: Why & Who?
     • Industrial Espionage
       – Rival Companies
       – Foreign Countries
     • Terrorism
       – Political/Social Agenda
       – Revenge
     • Blackmailing
       – Greed, Power, etc.
  7. Permanent Denial-of-Service 101
     • Phlashing:
       – Overwriting the firmware of the component and making it useless (i.e. "Bricked")
     • Overclocking:
       – Increasing the working frequency of the component, making it unstable and causing it to overheat
  8. Permanent Denial-of-Service (Cont.)
     • Overvolting:
       – Increasing the input voltage of the component to "zap" it or cause it to overheat
     • Overusing:
       – Repetitively using a mechanical feature of the component, causing it to wear quicker
  9. Permanent Denial-of-Service (Cont.)
     • Power Cycling
       – Repetitively turning the power supply to the component on and off, causing it to wear quicker (due to temperature flection and spikes)
  10. Local Attacks
     Does anyone smell smoke?
  11. Computer Fans
     • Not a target, per se.
     • Disabling or slowing down the fan RPM speed can result in increased temperature
     • Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service
  12. CPU
     • Overheating due to Stressing
     • Overheating due to Overclocking
     • Overheating due to Overvolting
     • Overheating due to (always on) P0 @ APM/ACPI
     • Bricking due to Phlashing (via Microcode Flashing)
  13. CPU: Infinite Loop
     x86 Assembly Code: jmp
     Description: Infinite loop that jumps to itself
  14. CPU: Microcode Flashing
     • Not your typical firmware update
     • Microcode goes into the processor, providing slightly higher-level or more complex commands based on the processor's basic ("hard-wired") commands
     • Microprogramming can be used to abuse or to damage the microprogram within the processor
  15. RAM
     • Overheating due to Overclocking
     • Overheating due to Overvolting
     • Burnout due to Overvolting
  16. GPU (Graphics Processing Unit)
     • Overheating due to Overclocking
     • Overheating due to Overvolting
     • Bricking due to Phlashing
       – Utilities (e.g. nvflash, NiBiTor, etc.)
  17. Hard disk drive
     • Traditional (i.e. Mechanical)
       – Overheating due to Excessive Write & Read
       – Wearing out due to Excessive Head Parking
       – Bricking due to Phlashing
     • Solid-state drive
       – Wearing out due to Excessive Write
  18. Hard Drive: Pseudo Format Attack
     Command: while true; do
     Description: Infinite loop of read and write requests to disk
  19. Hard Drive: Spindown Attack
     Commands: hdparm
     Description: Sets disk
  20. BIOS: Bricking/Firmware Flashing
     • Bricking due to Phlashing
  21. Rogue BIOS Firmware as Platform
     • Allows automation of:
       – Overclocking of CPU, RAM, etc.
       – Overvolting of CPU, RAM, etc.
       – Power Cycling (of the whole System)
     • Can include a "Self-destruct" function
  22. CD-ROM/DVD-ROM
     • Wearing out due to Overusing the drive tray
     • Bricking due to Phlashing
  23. CD-ROM: Mechanical Part Attack
     Code: while true; do eject; eject -t; done
     Description: Infinite loop that opens and closes the CD-ROM tray
  24. Memory Wear
     • Flash memory has a finite number of program-erase cycles (a.k.a. P/E cycles).
     • Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles before the wear begins to deteriorate the integrity of the storage
     • Popular products that are based on, or use, Flash memory: USB DiskOnKeys, Solid-state Drives, Thin Clients, Routers and more.
  25. Flash: Memory Wear Attack
     Code: dd
     Description: Infinite loop that excessively writes pseudo-random data to a flash memory
  26. NIC (Network Interface Card)
     • Bricking due to Phlashing
  27. NIC: TCP Offload Engine
     • TCP Offload Engine, or TOE, is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.
     • TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet
     • TOE is implemented in hardware, so patches must be applied to the TOE firmware
  28. CRT Monitor:
     • There are problems at scan rates which exceed the monitor's specifications (low or high). Some monitors can blow if given a too-low scan rate or an absent or corrupted signal input.
  29. XFree86 Screen Configuration:
     HorizSync 28.0-78.0 # Warning: This may fry very old Monitors
     HorizSync 28.0-96.0 # Warning: This may fry old Monitors
     (taken from a real-life XFree86 config file)
  30. Floppy Drive:
     • Wearing out due to Excessive Head Rotation
       – On some floppy drives there is no validity checking on sector/track values, and so the floppy head might get hit repetitively against the stopper (See: NYB Virus)
  31. Legacy: Motorola 6800 & 6809
     • The Motorola 6800 was an 8-bit microprocessor and was part of the M6800 Microcomputer System
     • The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction HCF (Halt, then Catch Fire).
     • HCF successively toggles each of the bus lines, but it does so fast enough that it can damage them. It was intended for manufacturer testing.
  32. Summary
     • Computer Fans
     • CPU
     • GPU
     • RAM
     • Hard Drives
     • BIOS
     • CD-ROM/DVD-ROM
     • External Storage (e.g. Disk On Key)
     • Network Cards
     • CRT Monitor (Legacy)
     • Floppy Disk (Legacy)
     • Non-x86 Chip
  33. Remote Attacks
     The long arm of the Permanent Denial-of-Service
  34. Firmware Updates via Web
     • Network-attached Storage (NAS) Appliances
     • Network Appliances (e.g. Wi-Fi Access Points)
     • DSL/ADSL Cable Modems
     • Computer Peripherals (e.g. KVM)
     • Voice Over IP (VoIP) Phones
     • And more …
  35. Open Questions
     • How does this affect Cloud and Virtualized Systems?
  36. Countermeasures?
     • Hardware:
       – Over-clocking Protection
       – Over-voltage Protection
       – Over-temperature Protection
     • Software:
       – Digitally signed Firmware Binaries & Updates
  37. Thanks!
     Questions are guaranteed in life; Answers aren't.
     mailto: itzik.kotler@security-art.com
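
The mechanical wear paths listed in the slides (power cycling, excessive head parking, spindown) all leave a trace in a drive's SMART counters, so a defender can watch how fast those counters climb. The following is an added example, not part of the talk: it compares two `smartctl -A` snapshots and flags counters that rise faster than a per-hour limit. The snapshots are constructed sample data and the thresholds are assumptions to tune per fleet.

```python
# Assumed alert thresholds: counter increments per hour (tune per fleet).
THRESHOLDS = {"Start_Stop_Count": 6, "Power_Cycle_Count": 6, "Load_Cycle_Count": 60}

# Constructed `smartctl -A` excerpts for one disk, taken one hour apart.
HEADER = ("ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH "
          "TYPE      UPDATED  WHEN_FAILED RAW_VALUE\n")
SNAP_T0 = HEADER + """\
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       1523
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       812
193 Load_Cycle_Count        0x0032   187   187   000    Old_age   Always       -       40210
194 Temperature_Celsius     0x0022   112   098   000    Old_age   Always       -       38 (Min/Max 21/52)
"""
SNAP_T1 = HEADER + """\
  4 Start_Stop_Count        0x0032   100   100   020    Old_age   Always       -       1583
 12 Power_Cycle_Count       0x0032   100   100   020    Old_age   Always       -       812
193 Load_Cycle_Count        0x0032   187   187   000    Old_age   Always       -       40450
194 Temperature_Celsius     0x0022   109   098   000    Old_age   Always       -       41 (Min/Max 21/52)
"""


def parse_smart(text):
    """Map attribute name -> integer raw value from a `smartctl -A` table."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID; the raw value is column 10.
        if len(fields) >= 10 and fields[0].isdigit() and fields[9].isdigit():
            attrs[fields[1]] = int(fields[9])
    return attrs


def mechanical_wear_alerts(t0, t1, hours, thresholds=THRESHOLDS):
    """Return {attribute: increments per hour} for counters rising too fast."""
    before, after = parse_smart(t0), parse_smart(t1)
    alerts = {}
    for name, limit in thresholds.items():
        if name in before and name in after:
            per_hour = (after[name] - before[name]) / hours
            if per_hour > limit:
                alerts[name] = per_hour
    return alerts


if __name__ == "__main__":
    for name, rate in mechanical_wear_alerts(SNAP_T0, SNAP_T1, 1).items():
        print(f"ALERT {name}: +{rate:.0f}/hour")
```
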
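
The Memory Wear slides give a concrete endurance budget (around 100,000 P/E cycles), which makes sustained abusive writes detectable from the host's own I/O counters. The following is an added example, not part of the talk: it takes two `/proc/diskstats` samples and projects how long each device would last at the observed write rate. The samples and capacities are constructed, and ideal wear leveling plus a write-amplification factor of 1.0 are assumptions.

```python
SECTOR_BYTES = 512         # /proc/diskstats counts 512-byte sectors
PE_CYCLES = 100_000        # endurance figure quoted on the Memory Wear slide
MIN_LIFETIME_DAYS = 365    # assumed alerting threshold

# Constructed /proc/diskstats samples taken 60 seconds apart (sdb = USB flash).
SAMPLE_T0 = """\
   8       0 sda 120000 300 9600000 40000 80000 500 6400000 90000 0 50000 130000
   8      16 sdb 1500 0 48000 900 2000 0 2048000 3000 0 2500 3900
"""
SAMPLE_T1 = """\
   8       0 sda 120400 300 9632000 40100 80300 500 6424000 90300 0 50200 130400
   8      16 sdb 1500 0 48000 900 40400 0 6963200 63000 0 62500 63900
"""
# Assumed capacities in bytes (on a live host: /sys/block/<dev>/size * 512).
CAPACITY = {"sda": 256 * 10**9, "sdb": 8 * 10**9}


def sectors_written(diskstats_text):
    """Map device name -> cumulative sectors written (10th column)."""
    out = {}
    for line in diskstats_text.splitlines():
        fields = line.split()
        if len(fields) >= 10:
            out[fields[2]] = int(fields[9])
    return out


def projected_lifetime_days(t0, t1, interval_s, capacity, write_amp=1.0):
    """Days until PE_CYCLES full-device overwrites at the observed write rate.

    Assumes ideal wear leveling; write_amp is an assumed amplification factor.
    """
    before, after = sectors_written(t0), sectors_written(t1)
    result = {}
    for dev, cap in capacity.items():
        delta = after.get(dev, 0) - before.get(dev, 0)
        if dev not in before or dev not in after or delta < 0:
            continue                      # device missing or counter reset
        rate = delta * SECTOR_BYTES * write_amp / interval_s   # bytes/second
        budget = cap * PE_CYCLES                               # writable bytes
        result[dev] = float("inf") if rate == 0 else budget / rate / 86400
    return result


def wear_alerts(lifetimes, min_days=MIN_LIFETIME_DAYS):
    """Devices projected to wear out before min_days, worst first."""
    flagged = [dev for dev, days in lifetimes.items() if days < min_days]
    return sorted(flagged, key=lifetimes.get)


if __name__ == "__main__":
    life = projected_lifetime_days(SAMPLE_T0, SAMPLE_T1, 60, CAPACITY)
    for dev, days in life.items():
        print(f"{dev}: projected flash lifetime {days:,.0f} days")
    print("ALERT:", wear_alerts(life))
```

Real devices see write amplification above 1.0 and may be rated for fewer P/E cycles than the slide's figure, so pass the vendor's numbers where they are known.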