Although security is quite well-understood on higher-end embedded systems like routers and mobile phones, microcontroller security is still stuck in the dark ages of computing. The security of most contemporary connected microcontroller-based devices is on par with the security models of early networked MS-DOS systems from the 80’s. This talk presents an overview of microcontroller system security and the peculiarities of microcontroller targets to show how these can be exploited. Happy hunting!
Practical real-time operating system security for the massesMilosch Meriac
Although real-time operating systems are ubiquitous in the industry, OS-level security features are silently absent in most microcontroller systems. As a result, securing these systems against active attackers becomes impractical due to the missing foundations.
We believe security does not need to cost an ARM and a leg in memory resources or device performance. Operating systems for MMU-less low-end microcontrollers should be on par with established security models. High end embedded systems security does not need to be exclusive to Cortex-A/x86 Linux systems.
uVisor is available under Apache License on Github : https://github.com/ARMmbed/uvisor
We will show how spatial isolation of process memories using the ARM v7M Memory Protection Unit (MPU) works - and how it effects interprocess-communication, memory management, thread synchronisation and internal protection of key-material.
We will then introduce temporal isolation for guaranteed operation and device safety even under local attack. To make our point we integrated an advanced security foundation into the vendor-independent RTOS abstraction layer CMSIS-RTOS. Our example implementation - the ARMmbed uVisor for CMSIS-RTOS - is available under the Apache License.
Slide deck for talk at IETF#92 (Dallas, March 2015) at the IETF Light-Weight Implementation Guidance (lwig) working group about the performance of cryptographic algorithms on ARM processors.
Resilient IoT Security: The end of flat security modelsMilosch Meriac
Compartmentalizing code and data on low-end MMU-less microcontrollers using the ARM memory protection unit as available on present ARM Cortex-M3 and ARM Cortex-M4 devices.
More information and source code is available at https://github.com/ARMmbed/uvisor . This slideset was presented in November at ARM TechCon 2015.
Practical real-time operating system security for the massesMilosch Meriac
Although real-time operating systems are ubiquitous in the industry, OS-level security features are silently absent in most microcontroller systems. As a result, securing these systems against active attackers becomes impractical due to the missing foundations.
We believe security does not need to cost an ARM and a leg in memory resources or device performance. Operating systems for MMU-less low-end microcontrollers should be on par with established security models. High end embedded systems security does not need to be exclusive to Cortex-A/x86 Linux systems.
uVisor is available under Apache License on Github : https://github.com/ARMmbed/uvisor
We will show how spatial isolation of process memories using the ARM v7M Memory Protection Unit (MPU) works - and how it effects interprocess-communication, memory management, thread synchronisation and internal protection of key-material.
We will then introduce temporal isolation for guaranteed operation and device safety even under local attack. To make our point we integrated an advanced security foundation into the vendor-independent RTOS abstraction layer CMSIS-RTOS. Our example implementation - the ARMmbed uVisor for CMSIS-RTOS - is available under the Apache License.
Slide deck for talk at IETF#92 (Dallas, March 2015) at the IETF Light-Weight Implementation Guidance (lwig) working group about the performance of cryptographic algorithms on ARM processors.
Resilient IoT Security: The end of flat security modelsMilosch Meriac
Compartmentalizing code and data on low-end MMU-less microcontrollers using the ARM memory protection unit as available on present ARM Cortex-M3 and ARM Cortex-M4 devices.
More information and source code is available at https://github.com/ARMmbed/uvisor . This slideset was presented in November at ARM TechCon 2015.
BKK16-200 Designing Security into low cost IO T SystemsLinaro
….Trust and security are essential for the Internet of Things (IoT) to scale. As your product becomes successful, attraction will be high for it to be hacked and, as a consumer, you'll suffer with consequences if security is not baked into the system, at every level. With IoT, we now need to enable an appropriate level of security for low cost IoT designs done by people with little or no security expertise. In this presentation, you will learn how ARM, Linaro and the ARM partnership are securing these low cost IoT endpoints by providing device security, lifecycle security and communication security, without the need for in-depth security experts…
LAS16-203: Platform security architecture for embedded devicesLinaro
LAS16-203: Platform security architecture for embedded devices
Speakers: Mark Hambleton
Date: September 27, 2016
★ Session Description ★
Heads up on what ARM are doing with the new ARMv8-M architecture from a software perspective.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-203
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-203/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
ARMv7-M MPU (Memory Protection Unit) XN exampleLouie Lu
In ARMv7-M, it support PMSAv7 (Protected Memory System Architecture), MPU support in ARMv7-M is optional, and for example, Cortex-M4 MPU can only set 8 region to protect, this increase the difficulty to used in program.
This slide will explain how ARM Cortex-M MPU XN (eXecute Never) can do, and provide a memory attack demo to demo how can XN function in Cortex-M4.
A tour of F9 microkernel and BitSec hypervisorLouie Lu
A brief tour about F9 microkernel and BitSec hypervisor
This slide won't covering all aspect about them, but to focus on some point in these two kernel.
F9 microkernel repo: https://github.com/f9micro/f9-kernel
Impress template from: http://technology.chtsai.org/impress/
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Amazon Web Services
In this session, learn how to create a complete Gateway-based IoT framework – from the edge to the cloud and back. By using an IoT Gateway as a central data collection, processing, and communication hub, you can create IoT connectivity without having to replace legacy hardware. We show you how to use an Intel NUC gateway and Arduino 101 sensor hub to gather environmental data, and step you through establishing a data pipeline to AWS IoT. We use AWS Lambda to create a rules engine for your data, and then send a control signal back down the Intel Gateway. Bring your laptop and your AWS account for this workshop.
It has been estimated that the global earnings of Cyber Criminals will equal or exceed the GDP of the UK sometime in the 2022/23 window. If this was the capability of a country they would be joining the G8! Clearly, we are losing the Cyber War hands down, and the time has long passed when we might ignore the threat scenarios surrounding us.
In this lecture we examine global networks from home and office through the ‘last mile,’ and on to national and international networks to identify the key vulnerabilities and points of potential ingress. We identify the cyber risks as escalating as we approach the periphery of all forms of network. For the most part, the core/carrier networks are virtually unassailable physically as they are dominated by terrestrial and undersea optical fibre cables.
Throughout the ‘carrier’ network levels the difficulty of physical interception, encryption, routing, and path diversity employed renders them secure in the extreme. Attackers, therefore, tend to focus on the exploitation of people, devices, services, home, and office appliances, and latterly, a poorly engineered IoT.
In reality, we are expanding the attack surface of the planet exponentially without due caution or care in the most exposed sectors and locations. And so, we explore potential tech and operational solutions for the future.
NOTE: This lecture is one of a series that has examined technology design and deployment, devices and the IoT, people fallibility, deviousness, internal and external threats.
In class; RED and BLUE Team Exercises have also been conducted in support of the complete Cyber Security Package to date.
Automotive Cybersecurity: Test Like a HackerForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, a camera, a microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism key design priority was clear user consent.
At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms, however, this time, we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :)
The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious applications’ perspective without any additional permissions.
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
Security is an imperative for any successful IoT deployment. AWS and Intel will showcase their collaboration on IoT security at the edge based on Intel® Zero-Touch Device Onboarding. In this session you will learn how to ensure secure connection back from the edge to AWS cloud, accelerate deployment time for provisioning, and scale solution remotely for customization and management across thousands of devices and end points.
Session sponsored by Intel
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
An introductory overview of cybersecurity covering technical and non-technical aspects of cybersecurity.
We define what is cybersecurity, we talk about risks and impacts of a cybersecurity breach and present means to avoid it both in term of regulations (Common criteria, FIPS, ...). We continue with technology and some cryptography and we finish by some fact numbers.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
Youtube: https://www.youtube.com/watch?v=SDg5FzTvyPM
Since the malware come out,there is a fight between malware and AV. So more and more methods based on machine learning apply to detect malware. We will share how to detect polymorphic malware based on CNN,then we will introduce a method use generative adversarial network to generate adversarial malware examples to bypass machine learning based detection models.
Zhuang Zhang, Bo Shi, Hangfeng Dong, from Tencent Yunding Lab(Tweet@YDLab9)
BKK16-200 Designing Security into low cost IO T SystemsLinaro
….Trust and security are essential for the Internet of Things (IoT) to scale. As your product becomes successful, attraction will be high for it to be hacked and, as a consumer, you'll suffer with consequences if security is not baked into the system, at every level. With IoT, we now need to enable an appropriate level of security for low cost IoT designs done by people with little or no security expertise. In this presentation, you will learn how ARM, Linaro and the ARM partnership are securing these low cost IoT endpoints by providing device security, lifecycle security and communication security, without the need for in-depth security experts…
LAS16-203: Platform security architecture for embedded devicesLinaro
LAS16-203: Platform security architecture for embedded devices
Speakers: Mark Hambleton
Date: September 27, 2016
★ Session Description ★
Heads up on what ARM are doing with the new ARMv8-M architecture from a software perspective.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-203
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-203/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
ARMv7-M MPU (Memory Protection Unit) XN exampleLouie Lu
In ARMv7-M, it support PMSAv7 (Protected Memory System Architecture), MPU support in ARMv7-M is optional, and for example, Cortex-M4 MPU can only set 8 region to protect, this increase the difficulty to used in program.
This slide will explain how ARM Cortex-M MPU XN (eXecute Never) can do, and provide a memory attack demo to demo how can XN function in Cortex-M4.
A tour of F9 microkernel and BitSec hypervisorLouie Lu
A brief tour about F9 microkernel and BitSec hypervisor
This slide won't covering all aspect about them, but to focus on some point in these two kernel.
F9 microkernel repo: https://github.com/f9micro/f9-kernel
Impress template from: http://technology.chtsai.org/impress/
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Amazon Web Services
In this session, learn how to create a complete Gateway-based IoT framework – from the edge to the cloud and back. By using an IoT Gateway as a central data collection, processing, and communication hub, you can create IoT connectivity without having to replace legacy hardware. We show you how to use an Intel NUC gateway and Arduino 101 sensor hub to gather environmental data, and step you through establishing a data pipeline to AWS IoT. We use AWS Lambda to create a rules engine for your data, and then send a control signal back down the Intel Gateway. Bring your laptop and your AWS account for this workshop.
It has been estimated that the global earnings of Cyber Criminals will equal or exceed the GDP of the UK sometime in the 2022/23 window. If this was the capability of a country they would be joining the G8! Clearly, we are losing the Cyber War hands down, and the time has long passed when we might ignore the threat scenarios surrounding us.
In this lecture we examine global networks from home and office through the ‘last mile,’ and on to national and international networks to identify the key vulnerabilities and points of potential ingress. We identify the cyber risks as escalating as we approach the periphery of all forms of network. For the most part, the core/carrier networks are virtually unassailable physically as they are dominated by terrestrial and undersea optical fibre cables.
Throughout the ‘carrier’ network levels the difficulty of physical interception, encryption, routing, and path diversity employed renders them secure in the extreme. Attackers, therefore, tend to focus on the exploitation of people, devices, services, home, and office appliances, and latterly, a poorly engineered IoT.
In reality, we are expanding the attack surface of the planet exponentially without due caution or care in the most exposed sectors and locations. And so, we explore potential tech and operational solutions for the future.
NOTE: This lecture is one of a series that has examined technology design and deployment, devices and the IoT, people fallibility, deviousness, internal and external threats.
In class; RED and BLUE Team Exercises have also been conducted in support of the complete Cyber Security Package to date.
Automotive Cybersecurity: Test Like a HackerForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, as well as discuss how to fit this offensive cyber security approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, a camera, a microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism key design priority was clear user consent.
At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms, however, this time, we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :)
The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious applications’ perspective without any additional permissions.
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
Security is an imperative for any successful IoT deployment. AWS and Intel will showcase their collaboration on IoT security at the edge based on Intel® Zero-Touch Device Onboarding. In this session you will learn how to ensure secure connection back from the edge to AWS cloud, accelerate deployment time for provisioning, and scale solution remotely for customization and management across thousands of devices and end points.
Session sponsored by Intel
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
An introductory overview of cybersecurity covering technical and non-technical aspects of cybersecurity.
We define what is cybersecurity, we talk about risks and impacts of a cybersecurity breach and present means to avoid it both in term of regulations (Common criteria, FIPS, ...). We continue with technology and some cryptography and we finish by some fact numbers.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.
TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...Priyanka Aash
In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...GeekPwn Keen
Youtube: https://www.youtube.com/watch?v=SDg5FzTvyPM
Since the malware come out,there is a fight between malware and AV. So more and more methods based on machine learning apply to detect malware. We will share how to detect polymorphic malware based on CNN,then we will introduce a method use generative adversarial network to generate adversarial malware examples to bypass machine learning based detection models.
Zhuang Zhang, Bo Shi, Hangfeng Dong, from Tencent Yunding Lab(Tweet@YDLab9)
5. Security
+ Time
= Comedy
D E V I C E L I F E T I M E
w
A T T A C K S S C A L E W E L L
U
Y O U C A N ’ T S T O P I T
!
6. It’s insane fun to be
a security troll.
B E E N T H E R E , D O N E T H A T !
7. M y f a v o u r i t e : “ H e a r t o f D a r k n e s s - e x p l o r i n g t h e u n c h a r t e d
b a c k w a t e r s o f H I D i C L A S S T M s e c u r i t y ”
8. If we believe that
security requires a sound
architecture from the start, we
must stop trolling the result,
and start trolling the architecture.
B E A G O O D C I T I Z E N !
S H O W T H E M H O W T O D O I T R I G H T
C R E A T E B E S T - P R A C T I C E I o T S O L U T I O N S R U N N I N G O N U N T R U S T E D C L O U D S Y S T E M S
A N D E X E R C I S E E N D - T O - E N D E N C R Y P T I O N
10. The ugly truth™ is that
makers must find all flaws –
attackers only have to find one.
B R E A K I N G A S Y S T E M I S E A S Y .
F I X I N G A S Y S T E M I S H A R D .
12. “It ain’t what you don’t know
that gets you into trouble. It’s
what you know for sure that
just ain’t.”
M A R K T W A I N
13. Flat memory
models
N O S E P A R A T I O N
E S C A L A T I O N
F
V E R I F I C A T I O N
#
L E A K A G E
H
14. § Hypervisor with hardware-enforced security sandboxes
using MPU virtualization – no MMU needed.
§ Targeting ARM Cortex-M3/M4 microcontrollers
§ Apache Licensed github project in development –
integrated with ARM mbed and Keil RTX, (also Apache-
licensed)
§ Mutually distrustful security model:
§ Principle of Least Privilege
§ Boxes are protected against each other and drivers
§ Enforces API entry points across boxes
§ Box-API functionality can be restricted to specific
boxes: “Box caller ID”
§ Per-box access control lists (ACL)
§ Restrict access to selected peripherals like Flash to avoid
malware persistence
§ Remote Procedure Call API (RPC) for secure box-
box calls
Example: uVisor for microcontrollers
15. Resources
matter
P U B L I C K E Y C R Y P T O
9
S H O R T C U T S
l
C O M M U N I C A T I O N
V
17. Random,
or not?
T I M E I S N O T R A N D O M
v
P R N G v s . T R N G
P R N G R E Q U I R E M E N T S
X
r a n d ( ) i s n o t r a n d o m
18. C O D E F R O M A D A T A B A S E A P P L I C A T I O N U S E D
B Y T H E G E R M A N G O V E R N M E N T
F O R S E C U R I T Y A U D I T M A N A G E M E N T
3 0 C 3 T a l k
19. Storage,
seriously?
O U T O F M E M O R Y
U
D A T A S E C U R E , T O O ?
extracted
indirectly
stepping through existing code
F
S I D E C H A N N E L S
H
r a n d ( ) i s n o t r a n d o m
R e a d p r o t e c t i o n b y p a s s
20. Case Study: Secure Firmware Update
Exposed box with
communication stack
GAP
GATT
AP
BLE LL
Bluetooth
Communicatio
n Stack
Flash interface box protected by MPU access control –
without own communication stack
CustomApplicationCode
Opaque Block
, Messages delivered independently of communication stacks
Firmware
update blocks
FW005
Firmware Update Image
Secure Storage,
Firmware Update Blocks
Re-flash Untrusted
Application Upon Completion
Opaque
Secured and trusted
device process
Decrypt
and verify
using
DTLS
§ Flash access is exclusive to the firmware update
core service.
§ Using the MPU for blocking access to the flash
controller to everybody but the firmware
update service.
§ Malware is forced to use APIs to attempt writing
to flash
§ Public Key signatures of the device owner or manufacturer
are required for API to accept an update.
§ Firmware is downloaded piece by piece into secure
storage. The system reboots after initial verification into a
boot loader for copying the new firmware into its actual
position in internal flash.
§ The internal firmware is activated after final verification.
§ Crypto watchdog box enforces remote updates
even for infected devices as only the server can
re-trigger the watchdog with its cryptographic
secret.
23. 180°C PTC heater from AliExpress: $4… taped to a ceramic plate
with Kapton tape ...
… and a superglued
screw-cap: $5
24. … and a superglued
screw-cap: $5
Decapping chips with
cheap, non-toxic
DiMethyl SulfOxide:
PRICELESS!
25. Keep on trollin’
Keep on breakin’
One fine day you’ll gonna be the one
To make us understand
Oh yeah
THANKS!
S O N G B Y T H E S P E N C E R
D A V I S G R O U P