Infecting The Embedded Supply Chain

Video thumbnail (Frame 0) Video thumbnail (Frame 4219) Video thumbnail (Frame 5074) Video thumbnail (Frame 7984) Video thumbnail (Frame 9391) Video thumbnail (Frame 10425) Video thumbnail (Frame 11301) Video thumbnail (Frame 11955) Video thumbnail (Frame 12595) Video thumbnail (Frame 15072) Video thumbnail (Frame 16507) Video thumbnail (Frame 17263) Video thumbnail (Frame 17987) Video thumbnail (Frame 18451) Video thumbnail (Frame 19012) Video thumbnail (Frame 19780) Video thumbnail (Frame 20942) Video thumbnail (Frame 23201) Video thumbnail (Frame 24257) Video thumbnail (Frame 26881) Video thumbnail (Frame 27451) Video thumbnail (Frame 28076) Video thumbnail (Frame 28728) Video thumbnail (Frame 30262)
Video in TIB AV-Portal: Infecting The Embedded Supply Chain

Formal Metadata

Title
Infecting The Embedded Supply Chain
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
With a surge in the production of internet of things (IoT) devices, embedded development tools are becoming commonplace and the software they run on is often trusted to run in escalated modes. However, some of the embedded development tools on the market contain serious vulnerabilities that put users at risk. In this talk we discuss the various attack vectors that these embedded development tools expose users to, and why users should not blindly trust their tools. This talk will detail a variety reverse engineering, fuzzing, exploit development and protocol analysis techniques that we used to analyze and exploit the security of a common embedded debugger.
Mobile app Code State of matter Multiplication sign Combinational logic Online help Mathematical analysis Information technology consulting Computer Product (business) Chain Hacker (term) Computer hardware Videoconferencing Software testing Reverse engineering Information security Vulnerability (computing) Personal identification number Forcing (mathematics) Software developer Projective plane Bit Exploit (computer security) Web application Telecommunication Chain Website Software testing Information security Communications protocol Reverse engineering
Web service Mobile app Mobile Web Projective plane Mathematical analysis Data conversion Information security Vulnerability (computing)
Server (computing) Reduced instruction set computing Digital electronics Open source Local area network Debugger Real-time operating system Mathematical analysis Modulare Programmierung Client (computing) Sega Enterprises Ltd. Element (mathematics) Emulator Chain Read-only memory Semiconductor memory Computer programming Software Visualization (computer graphics) Computer hardware Software suite File viewer System programming Plug-in (computing) Software development kit Mobile Web Arm View (database) Cross-platform Server (computing) Flash memory Debugger Mathematical analysis Data analysis Instance (computer science) Digital electronics Software development kit Emulator Programmer (hardware) Software Visualization (computer graphics) Chain Computing platform File viewer Physical system
Surface Addition Asynchronous Transfer Mode Suite (music) Surface Device driver Device driver Cartesian coordinate system Product (business) Chain Software Term (mathematics) Different (Kate Ryan album) Computer hardware Intrusion detection system Software Chain Computer hardware Software suite Firmware Firmware
Point (geometry) Arm Key (cryptography) Open source Open set Differenz <Mathematik> Revision control Type theory Chain Mechanism design Different (Kate Ryan album) Computer hardware Chain Computer hardware Information security Firmware Information security
Personal identification number Chain Execution unit Email Computer hardware Chain Flash memory Bit Information Curvature Information security
Arm Key (cryptography) Flash memory Field (computer science) Bit Content (media) Entire function Chain Software Software Chain Formal verification Hill differential equation Backdoor (computing) Pairwise comparison Information security Vulnerability (computing)
Point (geometry) Computer file Length Code Stack (abstract data type) Number Revision control Chain Crash (computing) Tablet computer Different (Kate Ryan album) String (computer science) output Computer-assisted translation Reverse engineering Vulnerability (computing) Physical system Vulnerability (computing) Electric generator Interface (computing) Computer file Binary code Computer network Bit Funktionalanalysis Cartesian coordinate system Mathematics Software Vector space Order (biology) Buffer solution Interface (computing) output Operating system Window Reverse engineering
Subset Read-only memory File format Function (mathematics) Format-String-Schwachstelle String (computer science) File format Exploit (computer security) Bit Funktionalanalysis Exploit (computer security) Vulnerability (computing)
Scripting language Area System call Parsing Computer file Code Multiplication sign Parameter (computer programming) Control flow System call Software bug Sequence Medical imaging Chain Pointer (computer programming) Integrated development environment Buffer overflow Address space Vulnerability (computing) Computer worm Physical system Address space
Software bug Email Proxy server Computer file Code Software developer Multiplication sign Computer file Binary code Code Binary file 32-bit Chain Personal digital assistant System programming Gastropod shell Gastropod shell Local ring Reverse engineering Proxy server Firmware Recursive descent parser Library (computing) Physical system
Area Arm Parsing Computer file Code Mountain pass Exploit (computer security) Set (mathematics) Funktionalanalysis Function (mathematics) Pointer (computer programming) Latent heat Pointer (computer programming) Different (Kate Ryan album) Function (mathematics) Chain Software suite Flag Vulnerability (computing) Library (computing) Buffer overflow
Server (computing) Consistency Maxima and minima Stack (abstract data type) Number Software bug Chain Crash (computing) Read-only memory String (computer science) Telnet Spacetime Address space Physical system Condition number Vulnerability (computing) Software bug Weight Parameter (computer programming) Bit Funktionalanalysis Limit (category theory) Statistics Exploit (computer security) Similarity (geometry) Uniform resource locator Pointer (computer programming) Software Pi Telnet Crash (computing) String (computer science) Function (mathematics) Order (biology) Chain Condition number Remote procedure call Physical system Buffer overflow Reverse engineering Spacetime Library (computing) Computer worm Data buffer Address space
Consistency Multiplication sign Exploit (computer security) Usability Parameter (computer programming) Knot Parameter (computer programming) System call Shareware Uniform resource locator String (computer science) String (computer science) Spacetime Spacetime Computer worm Physical system Address space
Point (geometry) Server (computing) Serial port Proxy server Dependent and independent variables Numerical digit Computer-generated imagery Range (statistics) Mathematical analysis Client (computing) Number Neuroinformatik Medical imaging Chain Googol Local ring Sanitary sewer Vulnerability (computing) Authentication Serial port File format Server (computing) Decimal Debugger Code Client (computing) Bit Funktionalanalysis Cartesian coordinate system Connected space Type theory Number Software Chain Case modding Backdoor (computing) Spacetime Asynchronous Transfer Mode
Serial port Serial port Length Digitizing Uniqueness quantification Mathematical analysis Bit Mathematical analysis Number Revision control Number Chain Chain Pattern language Endliche Modelltheorie
Email Serial port Server (computing) Serial port Multiplication sign Mathematical analysis Cartesian coordinate system Number Connected space Number Chain Chain Quicksort Firmware Spacetime Personal area network
Server (computing) Dependent and independent variables Software developer Debugger Multiplication sign Set (mathematics) Perspective (visual) Revision control Chain Malware Read-only memory Software Computer hardware Videoconferencing Software suite Flag Process (computing) Information security Firmware Authentication Dependent and independent variables Patch (Unix) Server (computing) Grand Unified Theory Exploit (computer security) Process (computing) Malware Software Pi Chain Information security Communications protocol Window Flag
so we have two more first time speakers coming up here we're gonna give them the only piece of Def Con merch the each and every one of you out here could earn but you have to earn it not only do we give them shots they get the shot the noob shot glass that's our present to them for coming and giving a talk at Def Con so help me welcome Zack and Alex to their first talk infecting the embedded supply chain I was telling them on the walk over here I haven't read your abstract but just from the title I saw that and I'm like yeah we need to do better at that because I work on an embedded device and yeah they're poking holes where we've got holes all right help me welcome Zack and Alex look can you guys hear us hello everybody this is infecting the embedded supply chain so disclaimer we thought we had a 45 minute slot but we actually have 20 minutes so we're gonna try our best to condense everything within that 20 minutes so we have a couple of videos which we'll try to do we'll try to get to everything but if we don't make it everything will post everything to our website Somerset recon comm and what a proof-of-concept code on github as well so you guys can check that out I'm Zack like I said I work at Somerset recon I do a combination of web application pen testing and reverse engineering I specialize in vulnerability research and exploit development I'm Alex I'm a barista that occasionally does security things at Somerset recon I enjoy making cappuccinos hardware hacking and reverse engineering just a little bit about Somerset recon we are a security consultancy based out of San Diego we specialize in web applications mobile applications and embedded device security and you can find out more about us at Somerset recon calm in art we're cool so aside from our day-to-day work we also like to do some cool side projects one of which was an electronic state safe lock that we looked at that allowed you to either enter in a pin manually to unlock a safe or you know over Bluetooth on your favorite mobile device we found some vulnerabilities there including being able to dig deep code pins wirelessly over-the-air and replay them and also we reversed the wire protocol and created a brute force device for that we also did work on the
hollow Barbie which is an IOT doll that kids can talk to and have a full conversation with we looked at all the web services and reverse the mobile application and pretty much just figured out how that all worked and it found some vulnerabilities and made a white paper which is online as well so these are all embedded devices and that's primarily where we focus on on our side research and so when we decided to do this research we wanted to do something slightly different but touched on it still so we tried to look at what all
these projects had in common and we
thought why not look at their you know the tools used to program and debug them so this is our target we've focused on
the Sega Jail Inc which is a pretty popular device on both the hardware and the software used to control it the Sega of jail ink debug probe communicates with a bedded device that you're targeting and trying to program like a mobile device for instance over our JTAG swd etc it's an in circuit emulator and in circuits your system programmer so I could program chips it primarily supports arm and arm cortex chips but also supports some others like Rena sauce it communicates with a host computer over USB and Ethernet which is kind of interesting has cross-platform toolchain and some other cool features and the secretary links are the most widely used of debug probes available today which is a quote from them that's kind of cool other than hardware they create a ton of software including like the software package that's used to control the J links themselves they also have a gdb server our toss plug-in source of element kit a couple of real-time analysis visualization tools and a graphical debugger we primarily focused on the software suite used to control these Dre linked devices and this package just includes a ton of tools including jail and commander which is like your typical command-line tool that you would use with most debuggers a gdb server a remote server which allows a client to connect to AJ link commander session within the local network a memory viewer and a flashing tool that just flash so typical setup looks like
this you have a host PC that has a software suite installed and you're communicating to this j-link device over USB and Ethernet and then you connect it to your embedded target over JTAG or swd
so in terms of attack surface I mean there's a lot I mean this company makes a lot of different products the hardware debug probes themselves were interested in firmware and you know how that works and also can you infect the debug probe itself or can the debug probe infect the end device that you're trying to target and then in addition to that there's a lot of software attack surface as well there is a USB driver that's included with this device as well as a host of different these remote applications that are run and in addition to that which is also a pretty interesting thing they have a custom IDE that's also used to develop applications for the J link so hardware
yeah so we're interested in how the hardware works extracting firmware how easy is it to do that how does the firmware work the feature differences between each of the devices because Segar makes a ton of different types of J links at different price points of course and we're wondering like are there Hardware differences or is it just firmware and with these devices what are the security mechanism that are on it is the vice open can I flash an open-source version of firmware or can I modify firmware and flash the debug probe so this is a typical j-link edu it's kind of like the cheapest consumer and Jaylyn key can get if we focus here and open GIMP you could see
that it is also an armed device so the in the tool that's used to debug and program arm embedded devices is also an arm embedded device which is yeah that's that's pretty nice then we started
looking for you know debug ports and found a tag connect which is kind of like it's kind of like a JTAG header but a proprietary connector that has pogo pins so we had one of those lying around and we were asking well can we do it do we have anything that can program or debug this device and we're like why not
try debugging at J linked with a J link so it turns out that the security and flash bits are set so that's good the flash bit basically means that you can't reprogram the device unless you erase flash what you can't do because a security bit is set which basically says you can't debug this chip so it refuses to connect and erase we're looking for other ways around this so we needed to go deeper so we took a look at some of
the other J link debug probes and the J link mini edu has an interesting feature in its arm chip which is called the backdoor key access which is an opt-in feature that basically if you provide the chip with the proper key it will like willingly disable the security bit and then you can kind of do whatever you want with the device which is pretty cool so then we began really looking at
some of the desktop software that was distributed with the segregate link for security vulnerabilities we started out
just doing some high-level reverse engineering we noticed that they distributed their software to both Linux and Windows systems in reverse engineering this we determined that they were using cross compiled code so that eliminated some redundant work we're the only one of the operating system versions really needed to be reverse engineered to determine the functionality and vulnerable portions of the code we also noticed that they were using some custom string manipulation code which was somewhat interesting and we'll talk a little bit about that more later we also noticed that they used a lot of dangerous functions they use string copy string cat and a lot of other things that don't check the length of the destination buffer from the point of binary protections Segur opted in to most binary protections however they did leave out both p IE and stack Canaries and their linux executables so once we had that we began setting up some fuzzers in order to test the different input vector see if we could find any vulnerabilities that we could begin to exploit so we tested all input vectors of these applications seem to accept we tested files both network interfaces and command-line arguments that they accepted since on our reversing reveal but there were some really interesting code paths that were somewhat deep and required magic numbers and different things to reach we decided to use a generational fussing approach that we use peach for that we fuzz then
got tons of crashes and began looking
into actually exploiting them so the
first thing is the custom string formatting we noticed in looking into this some interesting usages such as shown here where if it were a standard string formatting function it would be a format string vulnerability so we begin looking into that a little bit more so the custom string formatting that they implemented used most of the basic format specifiers such as % s % & % D etc um but it did not accept the % end that's typically used in format string vulnerabilities so with that we were able to do some of the format string exploits we were able to do arbitrary reads as shown here however due to the fact that it lacked the % end specifier that's used to write bits we were not able to turn this into an arbitrary write also found in the Jalen commander
tool what we talked about earlier it's a command-line tool there is a feature called command file which basically you can feed jaylen commander a script to kind of set up your environment before you start debugging your device and this the file parsing code had a vulnerability which was a traditional stack buffer overflow and so an image you can see that we kind of just feed a bunch of A's into a payload and then we pass it into j-link exe and it just seg faults so if you triage that in gdb you
can see that it it tries to return to address 41 41 41 41 so we went a little bit further with it and we were able to create a POC with like five basic steps which is take over the return address get the address of Lib C use that pointer to get the address a system and call system with arguments and you got code execution we won't be able to go over the POC because of time but
ultimately we got code execution it works on the 32-bit j-link exe binary on I 386 and AMD 64 Linux systems and it's a Rob with a SLR bypass return to Lipsy and we're first shell is very doable but requires dropping and Lib C a lot but the general idea is with this attack
that an attacker can create a malicious command file and dummy firmware and send an e email with this as an attachment to a developer at a targeted company its developer developers are typically pressed for time so they'll probably run this with Jaylin commander and it would pop a shell and return back to the attacker
we also found in the same binary found a another file parsing vulnerability in the settings file flag which is very similar to command file but it's in a completely different area it's in a library called a J link arm des Eaux and that's where a lot of like the arm specific code is in for like a the J link software suite and this is in particulars that buffer overrun in the BSS segment so you can use this to kind of override function pointers in the BSS segment we also got our C which is cool
so after that we started looking at
in really interestingly named executable called j-link remote server so once we saw this we kind of perked up a little bit and began trying to look at the functionality of this executable so running a basic net set we noticed that it was listening on a number of ports and particularly of interest to us was it looked like it was listening as a telnet server so we wanted to figure out if this was actually having a telnet server embedded in the executable or what was going on there so a little bit of reverse engineering revealed that they actually had embedded a telnet server within their executable so it allows users within the network to connect to this j-link server and do remote debugging so we began fuzzing
this and noticed a really interesting crash where we had overwritten the instruction pointer with aaaa which is always good we did a little bit of reverse engineering and triage on this and picked up a couple things it was a stack buffer overflow that we were able to trigger remotely we're not able to get the crashes to be consistent due to race conditions within the executable we had a fairly limited amount of stack space to work with if we were going to build a Rob chain we were limited to 48 bytes and again we had a SLR and NX enabled on this executable but P ie was not enabled so we used typical exploitation techniques we used Rob to bypass the NX and then with a rock chain we did a dereference of the got in order to leak the address of Lib C from there we could calculate the offset of system and then do a return to live to see the main issue that we ran into here was we wanted to send arbitrary attacker controlled payload to system and we had trouble kind of getting the user controlled strings to consistently be passed in the system so we've realized that user controlled data was being stored in one of two locations in the executable and due to a race condition we couldn't determine if it were going to be in one location or the other so we tried to figure out if there was some way we could make it more consistent and we came up with the following so we
call this space sleds where we were
inspired by the not sled techniques in which knots are prepended to a shellcode payload and it improves exploit consistency so here we prepend spaces to the user controlled command string and we hope that that would improve the consistency of our exploit so what we did here is since the two locations where we were seeing the attacker controlled payload string were 72 bytes apart we prepended 72 spaces to our string and that created an overlap where we could point our argument to system so we have a demo where if we have enough time at the end of this we'll be able to show and then additionally in looking
into the j-link remote server we found some other really interesting functionality so we turn this the tunnel server back door and Segur has this as a documented feature within their application and they said it just provides a tunneling mode from a remote computer into that your network and allows remote debugging even when they're not in within the in the local network correct so our first thought at that point was I wonder what type of authentication they're using if there's any weaknesses there or anything that we could exploit so as you can kind of see here they use magic numbers and your device serial number to authenticate your device so that was a pretty pretty scary thing so when you run j-link remote server with your j link device attached it sends a magic number and registers your j link debugger with the server and then it allows client connections to specify the serial number of the device that they hope to connect sale so we looked at the serial numbers and realized that there were one built or ten billion possibilities which would make brute-forcing all of the connected serial numbers a bit infeasible so we wondered is this actually something that would be a potential attack is there some way that an attacker could shrink the space of serial numbers that they would attempt to brute-force so we were looking into is there some format that segar uses for there is there like some smaller range or number that they start at that we could use to shrink the space so we googled beggar jailing and it
found tons of images that people had posted online that included their device serial number we called some people that
we know that also had segregated lengths and asked their device serial number and in the end we got about 30 jailing serial numbers that we were able to analyze and started to notice a few patterns that emerge so the first two
digits of the serial numbers were correlated with the model of device whether you had AJ link pro or a.j link mini after that two digit for the version where if Segur would release a slightly updated version that would increment and then finally the last five digits or a device unique number that's incremented so doing a little bit of analysis on the numbers that we had we
were able to shrink the serial number space and still achieve what we think would be very good coverage with only a hundred thousand serial numbers and assuming about ten serial numbers per second could be brute forced which is about the link that we saw the connections taking with the when it was done properly via the J link application it would take the time from 31 years to brute-force the space to about three hours the impact here really is once you
make a connection via this server you can do all sorts of things you can flash new firmware you could read existing or read the existing firmware or make any sort of malicious modifications to the connected devices so we disclose here
and we're really pleased with the response they responded right away and that's within a week and it was very even received a thank-you from the founder and CTO of the company so in conclusion we just really realized that there was a these devices are oftentimes lacking and a lot of the protections in security that we would hope from a device piece of the supply chain it was lacking the P ie flag which would have made our exploit exploitation much more difficult as well as having lacking the security features that are just architectural architectural and no authentication in the remote server or anything like that but wait there's more okay before we run out of time we
revisited the J link hardware but instead from instead of from the perspective of trying to manipulate the firmware with a hardware debugging device from the OTA process we realized that if you download a newer version of the J link software suite jaelyn commander will ask you if you want to update your Jaylin debug probe and so we started from the network perspective and found that there were there was no firmware blobs being transferred over the network and we thought that was kind of interesting so we eventually figured out where firmware was being stored and how the update process worked and we reverse the USB protocol to be able to flash the J link devices and it turns out that the J link device when it's being flashed over USB it does do a firmware check but it's not very good and it uses dates to check whether our firmware is valid so this could be a bad thing also firmware is not signed and can be modified so in the end we don't have time for the video but we to illustrate it we created a piece of malware that runs on Windows it runs silently in the background and just any J link device set is connected via USB it immediately flashes in completely bricks by flashing firmware that's set like way far in the future and you can't fix your device unless you have like hardwired debugging privileges and that's cool [Applause]
Feedback