ICA VILLAGE - Hacking firmware where you least expect it: in your tools

Video in TIB AV-Portal: ICA VILLAGE - Hacking firmware where you least expect it: in your tools

Formal Metadata

ICA VILLAGE - Hacking firmware where you least expect it: in your tools
Alternative Title
Disassembly and Hacking of Firmware Where You Least Expect
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Subject Area
Process (computing), Plastic card, Information security, Physical system
Hi, I'm the security architect at FoxGuard Solutions. We do industrial control system security stuff, and this is what I think my job is like. Yeah, and your job is like this, okay? And this is what my mom thinks my job is like. This is what other people think. This is what I wish my job was like. This is what my job is really like: do some security research, look into attacks, do some training, plan classes, lots of conference talks, new product, and look at industry requirements and industrial control systems. All right, we're where bits meet atoms, where things happen, so let's get started.

We're gonna talk about things in the light of... Anybody here working in industrial control systems? Oh yeah, we've got a handful. Anybody heard the term industrial control systems before? A few more, beautiful. Well, now you're an expert. Industrial control systems is the part of security that really matters; it's where bits meet atoms, things move. This is electricity and manufacturing, this is your water and your power. This is where your iPhones come from, and
we're gonna take a look at some tools. Since I am thinking of things in terms of industrial control systems, let's look at the mic as an industrial control system. If you're going to look at this as an industrial control system, what are the mechanics involved? Well, it looks for some button pushes, does some calculations and displays something on the screen. That's its I/O, right? Industrial control: reading things, thinking about things and doing things. Fair enough. As an industrial control system, what does this thing do? It opens the box. What else? It makes holes, yeah, but think about the operation: bits, atoms, movement. What's it doing? So this is a miniature industrial control system. It's monitoring the rate of the spin, right? That's one of the things it's actually controlling, with the pulse width modulation output. What else is it doing? Input. What kind of input? Yeah, so there's a variable resistor here in this trigger, and it's reading that value; it's reading an analog value and making some calculations to control the whole system. Do we see anything else? Light. So we have a light on the front. It gets time to look... no power. All right, we've got a light on the front. What about on the sides here? Yeah, so here's a display. This is a voltage display, so it's measuring voltage. It's also measuring the temperature of this battery system, and it's managing temperature on the MOSFETs inside. So as a very small representation of an industrial control system, this is it: it's measuring different kinds of inputs, it's controlling different kinds of outputs. All right, so which of these two systems do you think is more powerful? Thoughts, comments? Yes? Now which one do you think is more powerful? So, a little bit of fun, but actually the drill is the more powerful control system.

Excusing this cap physically, also look: the calculator clocks at 86 megahertz; in the drill it's 8 megahertz. Besides that, the processor in the calculator takes several clock cycles to do an instruction, so seven, 1914-15; this is just sort of a random sampling of instructions. This drill basically does every operation in one instruction cycle, so computationally it's a lot more powerful than the calculator as well, besides its additional functionality of sort of dedicated pulse width modulation channels and its ability to read analog input. So if you start looking at the actual power of the system, the drill is a lot more complex a system, and a lot more than I expected, right? This is a battery-powered drill, right? Who expects a computer in the middle of there?

So if you were going to attack a control system, let's say this one in particular, you might look to see what's inside of it first. This is a pretty standard drill. It has, let's see, we've got a PC board and some power connectors and a motor or transmission. If we look at the circuit board and we look up these MOSFETs (by the way, that controls the power to the motor that makes the drill run), they're rated at 202 amps continuous, and if you do anything with electronics, that's a fair amount of power. They will also support 800 amps pulse, so yeah, that's pretty impressive. You might also need a little help reverse engineering the system as a whole if you're going to look at software, because the hardware provides input, and it depends upon the way the drill is set up and the way the circuit board is set up. So you take a look around. I found an ATmega, 32-pin, and when I first saw this 32-pin microcontroller I'm like, you know, they make eight-pin lines, and why in the world are they putting this thing in here? But if you go through and trace out all of those circuits, basically almost all the pins are in use. It's running front LEDs and power LEDs and two MOSFETs, MOSFET temperature, battery temperature, voltage, trigger, comm, enable pins. So it's using a lot more of the capability than you expected, even for this simple device. It's using a lot of computational resources. All right, now
for our little review before we continue. Part of a review before we continue. Oh, all right, audience participation. What's RAM? Random access memory, beautiful. You read, write; you turn it off, it goes away. What is ROM? Read-only memory. All right, so let's talk about early ROM. Early ROM is mask ROM, and it's manufactured that way at the factory. So you say, hey, I want a bunch of ROMs that have this program on them, and you pay them a hundred thousand dollars and they'll set up the mask and they will make those chips with that program and they will send them to you. You have to buy a big lot to make this profitable, and now you have, I don't know, ten thousand of these chips programmed just the way you want them. What do you do with those chips if there was a bug in your software? Not bad: put them in a landfill. Don't tell anybody. Or, my head of marketing, yeah, or I like to say throw them in the ocean, because you can only write to them once; they're made at the factory, and now you have to call the factory again and say, hey, for another hundred thousand can you send me up another mask? So we decided that that didn't work very well and we came up with things like PROM. So what does PROM stand for? Programmable read-only memory. So you get these chips; they're typically, let's say, one-time programmable. You get the chip, you can put your piece of code on it and then you can put it in your device. If that chip has vulnerabilities or problems in the software, what do you do with that chip? Yes, you throw it in the landfill, but you only have the one, because the next chip you get off the shelf you can program and put in your device, right? So that works a lot quicker and easier and it's more cost effective, so manufacturers like that. But you go on to the next level: EPROM. What's EPROM? Yeah, so this is erasable programmable read-only memory, and typically they were UV erasable. So if you look here, this has a little window in it; a UV light will erase it, set it all back to ones, and you can change some of those to zeros and end up with a program. Now if there is something wrong with this chip, what can we do with it? Yeah, you pull it out, you can shine some light on it and reprogram it, put it back in. You don't even have to throw anything away. But you did have to pull it out and program it, and so that promotes EEPROM: electrically erasable programmable read-only memory. So now you can program this thing in the circuit. You don't have to pull it out, you don't have to shine UV light on it, you know, like you're curing your nails or something, and if you have a problem you can fix it in the device. So that's quite a bit easier. Now you think as a manufacturer, that's great: we screwed something up, we need to update something, we're all good, we can program it back in place. All right, now I'm depending on you all: what does flash stand for? Y'all are quiet. Flash? No, flash doesn't stand for anything; it's a marketing term. So flash is basically a version of EEPROM; it tends to be larger, you write it in larger blocks, it will sustain fewer write cycles before it gets destroyed, but it's basically a marketing term. And that's the short version of how we end up with devices that you can program sort of by default: it saves you money, it saves you time, right? So that's a review.

For the particular microcontroller in this drill, we see it has some EEPROM, which is designed to be written in smaller blocks and more times, some flash, and in-system programming: we don't have to take it out and clip some clip on it and hook some programmer up to it. It's much easier to set up. You probably buy your hardware, you get it shipped to you, and then back at your plant you can blow on the latest firmware when you get the device. Much easier. That allows for the updates that you may have changed or made to your firmware, your software, and in some cases maybe account for some minor manufacturing difficulties; you might be able to adjust for them maybe in firmware. So we take it apart and we're
looking at how to manipulate it, and it would be great if we could find an SPI port, typically six pins. And what do we see here? Six pins. As a matter of fact, half the work is already done for us, because there is a reset, our clock and our 3.3 volts that point to something else, so three of the six pins are already labeled. We only have to figure out the other three and we're in. Well yeah, we need a couple: we need MISO and MOSI. But if you turn the circuit board over, now you have MOSI and MISO and ground, so they labeled the other three for you. That's great, that's awesome. You need a programmer. I was in a hurry; I built one out of a Teensy I had laying around, put it in a 3D-printed case and got some free software. But if you want to buy them, they're available from all your favorite sources. These are great, you know, three dollars and 36 cents, shipped to your door on the slow boat.

So I pulled the software off of this device and did a little reverse engineering, maybe a little disassembly. So you have the assembly code, all ones and zeros; it's hard to figure out, but you're gonna disassemble it somehow to make it a little easier. There are a couple of free ones: avr-objdump, that's kind of cool. I read about this cool Andrea VR, but it was kind of from a sketchy site from Russia and I didn't really want to install it on my computer, so I talked to my buddy and I said, can you install the software and run this for me, and he was like, yeah. I'm like, sweet. Paranoid for that stuff. And other commercial software. But now you end up with just sort of this, right? There are assembly language instructions, so it still may not mean a lot, and you work through it quite a bit to try to figure out what these registers were and what the instructions meant and what they did. This is just a brief section of it, so I made a few comments as I went along. One of the interesting things, one of the reasons I just pulled this tiny section of code, was this right here is setting up to write to the EEPROM, and this is the EEPROM write, right? So this drill has the capability of changing the EEPROM: it can write things, it can keep track of things. I asked my friend I was working with at the time, what do you think this thing is writing, what's it keeping up with? He says, oh I know, I know, it's looking for warranty day plus one. Maybe, maybe it is. Looking for, I don't know, usage time or something, but there's no real time clock; I checked, it doesn't get updated that way. I think it's doing calibration for the trigger, right? They could have slightly different ranges and so forth. So at this point we are going to have
a little bit of a live demo. I need a volunteer who would come up here and give me a hand. Welcome, sir. Do you have good health insurance? All right, let's just go. Okay, so if you would hang on, we'll at least take the drill bit out for you, how about that? [Music] Okay, can you hold this for me? Excellent, thanks. So, right, you buy them, you build them, whatever. Welcome to this. Wait just a little bit. The only thing I did is I pulled these pins to the outside, just to make this go a little quicker and easier. Turn three times, it'll work. Yeah, you've done this before, haven't you? We could tell. All right, so it takes, you know, a line or two of code to do this, but since I can't type and talk, especially in front of people, we've got a couple of scripts. I am going to run hash comparison. So what this is doing is it's pulling the existing firmware off the device, writing it to my hard drive, and then I'm comparing it to my known good file, and if you look at the bottom you see it says files match. So the firmware on this device hash matches my expectations. I believe this is a good device; I will be happy to use it. I also wrote some other code for this device, and now we're here putting some other code on this device, and we will check the hash. If we receive the device in this state, we're reading the firmware off, we're reading the hash and comparing it to our known good, and it says those files differ. It'd be nice if it said it was malware, but it says those files differ. Oh, you said you noticed anything strange? That's suspicious right there, let me tell you. Yeah, okay.

Yeah, so what is this? I thought I heard the comment up front. This is called, it has a name, it's called a Larson scanner. It's named for this guy Glen Larson, TV producer and writer. He created various shows, as you see: Buck Rogers in the 25th Century. What are the last two? Knight Rider, and what's the last one? Right. So he's responsible for this, but what it really means is this is the start of AI, right? This is where bad AI comes from, okay? Now you have another chore to do. If you will pass me... it is now your job to take this microphone and hold it against the end of the straw. All right, microphone, drill, you got that? No, I hold the drill, you hold it. Yeah, that's good. Oh, you are good. All right, now keep it. All right, so pay attention, hold it now, you ready? There we go. [Applause] And another round of applause for my evil helper, thank you very much. All right, yeah, Darth Vader's theme, of course. What else do you play? All right. Oh no, I don't have my Darth Vader theme t-shirt on. Ah, but
let's talk about why I do something silly like this. All right, pretty impractical attack. This industrial control system is air-gapped, there's no network connection, no financial consequences. It's an example of firmware in unexpected places. What I really want people in industrial control systems to take away is: this drill is a computer running software, and if the drill is a computer running software, there are a lot of pieces in your important plant that are computers running software that you need to think about securing. Right, drills are probably not top on your list, but some of the other pieces of hardware in your device, media converters, that you don't think of as computers running malware, could be. I mean, you could do interdiction, right? Any good intelligence agency can delay your package for a little while and add your little special gift. But, you know, not really any financial consequences. But the first one I bought looked like this, right? My budget's kind of small, I buy cheap stuff off eBay. The first one I got was broken, but the computer still worked. But I noticed, maybe you can see it, that these big MOSFETs, somebody let the magic smoke out, right? They've been overheated, they've been destroyed. This is actually a thermal sensor, right? Even with that in place, it's looking for overheating; somebody cracked these accidentally. So you might have some financial consequences: you can blow up the drill, a couple hundred bucks.

Well, LiPos aren't exactly stable; occasionally they catch... who knows what. You might know what this is. Yeah, yeah, Galaxy, yes. I like this one: they're at a conference and somebody's laptop is on fire and everybody stands to look at that. Man, that's bad. If you're in the hobby of doing RC stuff, you generally charge LiPos either in a fireproof bag or with cinder blocks around it, right? So maybe if you could catch it on fire there might be some consequences, but it's largely
impractical. I did come across these things in my research, though. Research: five minutes on Google, research these days. Thanks to Bosch, you can buy these two Bosch devices. One of them is called BT-EXACT and BT-ANGLEEXACT. Who knows what the BT stands for? Bluetooth. All right, well there goes part of our air gap. And if you will look at the highlighted text about the screwdrivers: they are locked when they are delivered and can be unlocked only by the access point EXAConnecT, so you can't even use it till you connect it. The system can talk to and take commands from external devices like a PLC, which might be an important part of your control system. So this device is going to communicate to your control system. By the way, why would you want to communicate with devices like wrenches and drills? Maybe one day... yeah, oh yeah, sometimes to know where they are. What if you're making very high tolerance stuff like vehicle suspensions on big trucks, like a plant next to where I live does, or turbine engines on a jet aircraft? Excuse me. Yeah, precision torque, right? You'll have a torque requirement; you need to make sure every nut is appropriately tightened, and you might be checking battery life and RPM and usage. So there are some valid reasons to want to communicate with these tools.

And I also saw this available at your favorite home construction store. Guess what this device comes with: its own cell phone app, because you need an app. I'm lost here. Where you can monitor the RPM, set the torques, and it says it will keep track of the last place it saw the device for you, battery charge, and where do you think it stores this information? In the cloud. In the cloud. So now maybe you have some connection between your device, whatever, you know, and we've seen denial-of-service attacks blocking out parts of the internet from tons and tons of small devices. If you're in an industrial control system, the network latency in messaging is very important, right? You might have maybe a five millisecond latency requirement because you are controlling a very large dangerous piece of equipment, and if you can't monitor it, feed back, change its position, see where it is every five milliseconds, things can go wrong. And if you're looking for a denial of service on your network, who looks at the drill first? Yeah, not even me, right? But it can come, and again it really isn't the drill. The drill is the extreme example, right? The drill is the fun part, but it could be from a lot of different
devices that you don't expect. It's firmware and computers in places that you don't expect. And finally you have a chance to listen to my favorite rant: what is the difference between firmware and software? Yes sir, in the back: nothing. You win a prize. Thank you. I have a prize, I'll have to look for a prize. Basically nothing. At one time, for most considerations, call it nothing. At one time we might have said an important consideration was that firmware, for instance, you couldn't change it, all right? We looked at the original ROMs like mask ROMs and one-time programmable; you really couldn't change those, and so that might make a significant difference sort of for firmware in terms of security. But even think about that for a second. Let's say you have software on a device, and it's software that you cannot change, and you discover a vulnerability, right? Best case, you will always have that vulnerability; you can't fix it. Who believes software's perfect? You guys are way smarter than you look. So I have people that work in my company, a programming team, and I can come up to them and I say, hey, I've got two projects for you to work on. I have the software project and I have this firmware project, and what I need is for you all to divide yourselves out, because I need all the perfect programmers over here on the firmware side and I want everybody else here on the software side. So after I have this talk, who ends up on this side? Nobody. Or yeah, you, the liars. Either way, it's software; it has as many vulnerabilities or problems as anything else. So that's my rant: never say firmware again. At least from a security perspective there really is not a significant difference there. It's software, it has vulnerabilities, it can be rewritten, it can damage things. People sometimes say, oh, firmware, it must be perfect, can't change it, we're done, we're gonna go someplace else. No, no. And it sort of leads to my rule of thumb. I think this audience probably knows it, but industrial control systems, not as much those folks working there: look, if it plugs in or if it has batteries and you bought it in the last five years, it's a computer. All right, there's nothing that you could buy that plugs in or has batteries that isn't a computer. I was surprised, seeing, you know, this is a battery and a switch, right? Not a... a more powerful computer. Oh sorry, this is yours, thank you very much for helping me. Yeah, well, or if not, you give it to the guy who needs the prize in the back. All right, so it's a computer, it's a computer.
And finally, my analysis after tearing down this tool is that it had very nice copper heatsinks; copper conducts better than aluminum, I thought they were very fine. It has thermal sensors for the battery, it's looking for overload, and overload on the MOSFETs; that's a good thing. The PC board has a nice conformal coating; that's a plastic kind of overspray that protects the board from a harsh environment. So particularly in industrial control systems, those computers don't live in server rooms. They get bolted to things that shake and have dust and sand and are too hot, and so something like this can avoid things like salt spray and dust and help protect it. I thought that was good. I thought it was good that they didn't... in some instances you can change a fuse in the device and make the firmware write only. How much protection is that? Notice I said write only. What does it mean if I get this thing and I want to know if it's been modified somehow? I can't read it, right? So one of the things that we did was we pulled the firmware off to check that it was okay. How long would it take me to do this? Mmm, you know, if I took it to the bathroom with me in a plant, ten minutes, five, ten, something like that. Take the screws out, that takes as long as it takes, put the screws back in. So by not making the firmware write only, we can validate, verify, that this piece of software running this important control system is still valid. I think that's a very good thing to be able to do. We also have a group of people that help do patches and look up patches for industrial control systems, and I went to them and I'm like, would you check for me, has there been any new firmware release for this drill? And that's kind of what they do for a living, and they're like, nope, can't find any. Okay, some things don't have patches. I'm not gonna fault people for not delivering patches. I don't see anything incredibly wrong necessarily with it, but if I did have an ask for this manufacturer, it would be to publish the hash for the firmware that they've installed. Now, I'm taking my good firmware because I have a couple of these drills, and that's what it came with, and I assumed they match, that it was the right one. But to really be sure, I'd like to see a signed hash from the manufacturer. So that would be the one thing that they could really do better. Maybe execute signed-only code; that would probably work, but the processing power and storage in this chip is pretty small, so that might be too much of an ask. But they could at least publish the hash. And I also like that they make these headers easily available, somewhat easily available. I would almost like to see them on the outside, because I'm more interested in being able to verify that my device is right. Remember we said somebody might capture it along the way, somebody might take it to the restroom. Not this device in particular, it's all right, but there's a computer in this thing, right? And there are computers in these cameras, and there are computers all over the place in an industrial plant that might mean the difference between life and death. I want to make sure that they are able to check that they are okay. So if you make programming headers easily available, and often they are pretty easily available: this one didn't even have pins on it, and that's fairly easy; a lot of them already have pins available, JTAG ports, because they have to program them when they come out.

All right, we have a couple more minutes. I want to tell you one more thing. This is mostly for my industrial control system audience, of which there are a few. How do we protect these things from a security point of view? We talked about being able to validate the firmware. Now let me suggest this is a computer running software, so ignoring the specifics of this device, tell me generically: how do you protect a computer running software? What tools do you have? Excuse me. Signing. If you can sign the code, right? Maybe good, sign code on it; might not have enough processing power, right? What else can we do? Antivirus, right. I might ask my vendor to provide antivirus; they might not be able to support it, but I can at least ask. All right, who runs antivirus on this? At least one, right? I do, except this is my burner, right? So you can run AV on these devices. So if you can run AV, run it, and if you're buying, you know, ten thousand whatever devices it is for your plant, at least ask the manufacturer if you can run AV on it. They may not be able to provide it, but maybe. What else do we do to protect control... to protect computers running software? Protect the network, right? If this thing isn't connected, the other ones are, right? We use firewalls and firewall rules and IDSes to protect the network. Anything else? Patches, right, that too. So we're gonna check to see if there are any known vulnerabilities and we're gonna patch these devices. So the final takeaways are: drills are fun. No, wait a minute. Everything is a computer running software, and even if that's what you're faced with, no matter how bizarre they look, you have tools to help protect them. If you can't do exactly what you want, if you can't run AV on here, you want to be creative and do something else, like run firewall rules in your wireless or so forth. You have to be a little more thoughtful about how to protect it, but you have the opportunity to do that. Be creative with that. Thank you very much. I'm not... oh, wait a minute,
I took the charger apart too. Anybody, any idea what this is? Another microcontroller. All right, well, I'm Monta. Thank you all very much. Catch me online somewhere; I'm here. The recipe.
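The hash comparison the speaker runs in the demo (dump the flash, hash it, compare it to a known-good file, and report "match" or "differ"), plus the closing request for a manufacturer-published hash, as an added example; this is not the speaker's script and not anything from the drill's manufacturer. It assumes the dump is an Intel HEX file as avrdude writes it and a 32 KiB flash (the speaker only says "ATmega, 32-pin"); the sample dumps are constructed and are not real drill firmware.

```python
"""Verify a firmware image dumped from an AVR microcontroller against a known-good copy.

Added example for the talk above (not the speaker's demo script).  The dump is
assumed to be an Intel HEX file such as avrdude produces with -U flash:r:dump.hex:i.
"""
import hashlib
from typing import Dict, List, Tuple

FLASH_FILL = 0xFF        # erased AVR flash reads as 0xFF; used to pad gaps between records
ASSUMED_FLASH_SIZE = 32768  # assumption: 32 KiB part; the talk only says "ATmega, 32-pin"


def parse_intel_hex(text: str) -> Dict[int, int]:
    """Parse Intel HEX records into {absolute_address: byte}.

    Handles data (00), end-of-file (01), extended segment (02) and extended linear
    (04) records and validates every record checksum, so a corrupted or truncated
    dump is rejected instead of silently hashing to a wrong value.
    """
    memory: Dict[int, int] = {}
    base = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5:
            raise ValueError(f"line {lineno}: record too short")
        if (sum(rec) & 0xFF) != 0:          # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"line {lineno}: bad checksum")
        length, addr, rtype = rec[0], (rec[1] << 8) | rec[2], rec[3]
        data = rec[4:4 + length]
        if len(data) != length:
            raise ValueError(f"line {lineno}: length field does not match data")
        if rtype == 0x00:
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = ((data[0] << 8) | data[1]) << 4
        elif rtype == 0x04:
            base = ((data[0] << 8) | data[1]) << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return memory


def to_image(memory: Dict[int, int], size: int) -> bytes:
    """Lay the parsed bytes into a flat image of the chip's flash size, padding
    unprogrammed addresses with the erased value.  Hashing this image, rather than
    the HEX text, makes the result independent of how the programmer split records."""
    img = bytearray([FLASH_FILL] * size)
    for addr, b in memory.items():
        if addr >= size:
            raise ValueError(f"address {addr:#06x} outside {size}-byte flash")
        img[addr] = b
    return bytes(img)


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def compare_images(dump: bytes, reference: bytes) -> List[int]:
    """Return the byte offsets at which the dump differs from the reference."""
    return [i for i, (a, b) in enumerate(zip(dump, reference)) if a != b]


def verify_dump(dump_hex: str, reference_hex: str, flash_size: int) -> Tuple[bool, str, List[int]]:
    """The demo's check: hash the dump, hash the known-good file, report match/differ
    and the offsets that changed (the demo only prints 'files differ')."""
    dump = to_image(parse_intel_hex(dump_hex), flash_size)
    ref = to_image(parse_intel_hex(reference_hex), flash_size)
    return sha256_hex(dump) == sha256_hex(ref), sha256_hex(dump), compare_images(dump, ref)


def verify_against_published(dump_hex: str, published_sha256: str, flash_size: int) -> bool:
    """What the speaker asks vendors for: check a dump against a published hash of
    the flash image instead of against a second drill you happen to own."""
    image = to_image(parse_intel_hex(dump_hex), flash_size)
    return sha256_hex(image) == published_sha256.strip().lower()


# Constructed sample dumps (not real drill firmware).  The reference was written with
# 8-byte records; the dump from the device with a 16-byte record.  Same bytes, same hash.
KNOWN_GOOD_HEX = ":080000000C9434000C94510033\n:080008000C9451000C9451000E\n:0800100011241FBECFE5D8E06A\n:00000001FF\n"
DUMP_HEX = ":100000000C9434000C9451000C9451000C94510049\n:0800100011241FBECFE5D8E06A\n:00000001FF\n"
# Same dump with the byte at 0x0010 changed (0x11 -> 0x00), checksum recomputed.
TAMPERED_HEX = ":100000000C9434000C9451000C9451000C94510049\n:0800100000241FBECFE5D8E07B\n:00000001FF\n"

if __name__ == "__main__":
    for name, hexfile in (("untouched drill", DUMP_HEX), ("modified drill", TAMPERED_HEX)):
        ok, digest, diffs = verify_dump(hexfile, KNOWN_GOOD_HEX, ASSUMED_FLASH_SIZE)
        print(f"{name}: sha256={digest[:16]}... {'files match' if ok else 'files differ'}",
              f"at offsets {[hex(d) for d in diffs]}" if diffs else "")
```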