**DANGER** FPGA VULNERABILITIES Anthony Karnowski


Page 1: **DANGER** FPGA Vulnerabilities

**DANGER**

FPGA VULNERABILITIES

Anthony Karnowski

Page 2: **DANGER** FPGA Vulnerabilities

WHAT IS AN FPGA?

• A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturing—hence "field-programmable". The FPGA configuration is generally specified using a hardware description language (HDL), similar to that used for an application-specific integrated circuit.

Page 3: **DANGER** FPGA Vulnerabilities

WHY USE FPGA’S?

• The ability to update the functionality after shipping, partial re-configuration of a portion of the design, and the low non-recurring engineering costs relative to an application-specific integrated circuit design offer advantages for many applications. In short, time to production with this type of controller is much shorter.

Page 4: **DANGER** FPGA Vulnerabilities

WHAT ARE SOME OF THE APPLICATIONS OF FPGA’S?

• FPGA’s are widely used in all of the following industries and applications:
  – Aerospace and Defense: Avionics/DO-254, MILCOM, Missiles & Munitions, Secure Solutions, Space
  – Audio: Connectivity Solutions, Portable Electronics, Radio
  – Automotive: High Resolution Video, Image Processing, Vehicle Networking and Connectivity, Automotive Infotainment
  – Broadcast: Real-Time Video Engine, EdgeQAM, Encoders, Displays, Switches and Routers
  – Consumer Electronics: Digital Displays, Digital Cameras, Multi-function Printers, Portable Electronics, Set-top Boxes
  – Data Center: Servers, Security, Routers, Switches, Gateways, Load Balancing
  – High Performance Computing: Servers, Super Computers, SIGINT Systems, High-end RADARs, High-end Beam Forming Systems, Data Mining Systems
  – Industrial: Industrial Imaging, Industrial Networking, Motor Control
  – Medical: Ultrasound, CT Scanner, MRI, X-ray, PET, Surgical Systems
  – Security: Industrial Imaging, Secure Solutions, Image Processing
  – Video & Image Processing: High Resolution Video, Video Over IP Gateway, Digital Displays, Industrial Imaging
  – Wired Communications: Optical Transport Networks, Network Processing, Connectivity Interfaces
  – Wireless Communications: Baseband, Connectivity Interfaces, Mobile Backhaul, Radio

Page 5: **DANGER** FPGA Vulnerabilities

HOW MANY FPGA’S ARE OUT IN THE WILD?

• The FPGA industry is a 2.75 billion dollar a year industry.
  – Considering the low cost of FPGA’s, and the fact that they are in so many devices, we will just say A LOT!!

• We will be looking at a specific FPGA later.
  – 50,000 of these units are produced a year and have been for the last 5 years.
  – These FPGA’s are specifically used in large format LED signage.

Page 6: **DANGER** FPGA Vulnerabilities

HOW ARE FPGA’S VULNERABLE?

• FPGA’s are physically vulnerable.
  – FPGA’s can be easily flashed over a JTAG connection.
  – Flash protocols are sometimes vendor specific; we are not going into depth on them.

• FPGA’s often have vulnerable services.
  – FPGA operating systems often offer backdoor services for re-flashing.

Page 7: **DANGER** FPGA Vulnerabilities

WHAT ARE SOME COMMON OPERATING SYSTEMS?

| Company | Product | Processor |
|---|---|---|
| ENEA Embedded Technology | OSE | PowerPC® 405 |
| eSOL Co., Ltd | PrKernel (µITRON4.0) | PowerPC 405 / MicroBlaze™ |
| Express Logic | ThreadX® | PowerPC 405, 440 / MicroBlaze |
| Green Hills Software | Integrity® | PowerPC 405, 440 |
| LynuxWorks | BlueCat Linux | PowerPC 405, 440 |
| LynuxWorks | LynuxOS | PowerPC 405 |
| Mentor Graphics ESD | Nucleus Plus | PowerPC 405, 440 / MicroBlaze |
| Micriµm | µC/OS-II | PowerPC 405 / MicroBlaze |
| MiSPO | NORTi/ulTRON | PowerPC 405 / MicroBlaze |
| MontaVista Software | MontaVista Linux | PowerPC 405, 440 |
| PetaLogix | uClinux and Petalinux 2.6 | MicroBlaze |
| QNX | Neutrino® | PowerPC 405 |
| Wind River Systems | VxWorks® | PowerPC 405, 440 |
| Wind River Systems | Wind River GPP Linux | PowerPC 405, 440 |
| Timesys | LinuxLink | PowerPC 405, 440 |

Page 8: **DANGER** FPGA Vulnerabilities

LET’S REVIEW A BIT OF THAT…

• FPGA’s are made by the manufacturer to be “field programmable.”
  – This means that usually the device can be flashed by physically connecting to the device.
  – Some third party operating systems allow the flash to be reset to defaults by way of a system service.

• A great example of both would be a wireless router.
  – Most wireless routers have a reset button to reset the router to defaults.
  – Most routers also have a web-based management system that allows the same.
  – Most routers even have a configuration page to load firmware.
  – And most routers are using some sort of FPGA controller.

• Consider that most of these third party operating systems are based on open source technologies or are freely available to users. It is pretty easy to get an understanding of the vulnerabilities in a device. I would suspect that some of the students in this course have loaded third party firmware on a router at some point. When dealing with another FPGA, the ideas are no different.

Page 9: **DANGER** FPGA Vulnerabilities

LET’S GET INTO SPECIFICS

[Diagram: FPGA Controller with external storage in the form of USB, Compact Flash and SD Card, plus an RJ-45 and JTAG connection]

Page 10: **DANGER** FPGA Vulnerabilities

• We know that the FPGA controller has external storage devices.

• We can guess what operating system it is running based on the chip.

• We know that the FPGA controller has a JTAG connection.

• We know that the FPGA uses some network protocol and may offer services.

• We should be able to have some fun with this controller.

Page 11: **DANGER** FPGA Vulnerabilities

FOOT-PRINTING OUR DEVICE.

• We don’t have access to the device to flash via the JTAG.
  – The controller is under lock and key.

• After a couple of scans we found that our device has many services running.
  – FTP
  – HTTP for configuration
  – Telnet
  – SSH

Page 12: **DANGER** FPGA Vulnerabilities

• We have guessed the root username and password for this device.

• We connected via telnet and can run any of the following commands from the existing Linux kernel.

• We have at least one storage device available to us.

• If this device is on a network with other computers, we will be able to mount an attack from the device.

• We will use wget to download the necessary packages.

• We will store them to external storage.

• We will use make and install to build source packages.

• We will attack the network.

• We will use FTP to send data collected off network.

As this kernel is Linux based, we may be able to install and run a full installation of Metasploit.

As this is a full Linux kernel, a worm or virus could also be run with root privileges.
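The chain on this slide (telnet in, wget tooling out, attack the LAN, FTP the collected data off-site) is visible from the network side even when the controller itself keeps no useful logs. The following is an added example, not part of the original deck, that labels constructed flow records with the stage of that chain they correspond to. The controller address 10.10.5.20, the site network 10.10.0.0/16, the single permitted admin host 10.10.1.5 and the sample flows are all assumptions made for the example.

```python
"""Added example, not from the slides: flag the stages of the attack chain on
page 12 in constructed network flow records.

Assumptions (not from the original deck): the controller is 10.10.5.20, the
site LAN is 10.10.0.0/16, and 10.10.1.5 is the only host allowed to
administer it. Flow records mimic what a firewall or flow collector exports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONTROLLER = ipaddress.ip_address("10.10.5.20")         # assumed controller address
SITE_LAN = ipaddress.ip_network("10.10.0.0/16")         # assumed site network
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.10.1.5")}  # assumed admin workstation

# Cleartext administrative services the scans found on the controller (page 11).
ADMIN_PORTS = {21: "ftp", 23: "telnet", 80: "http-config"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def classify(flow: Flow) -> Optional[str]:
    """Label one flow, or return None when it is expected traffic."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst == CONTROLLER and flow.dport in ADMIN_PORTS and src not in MANAGEMENT_HOSTS:
        # Someone other than the admin host using FTP/telnet/HTTP on the controller.
        return f"inbound-{ADMIN_PORTS[flow.dport]}"
    if src == CONTROLLER:
        if dst not in SITE_LAN:
            # Internet access from the controller: tool downloads (wget) or FTP off-site.
            return "egress-ftp" if flow.dport == 21 else "egress-internet"
        if dst not in MANAGEMENT_HOSTS:
            # The controller initiating connections to other LAN hosts.
            return "lateral-lan"
    return None


# Which labels correspond to which stage of the chain described on page 12.
STAGES = {
    "initial-access": {"inbound-telnet", "inbound-ftp", "inbound-http-config"},
    "tooling-download": {"egress-internet"},
    "lateral-movement": {"lateral-lan"},
    "exfiltration": {"egress-ftp"},
}


def detect(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (timestamp, label) for every flow that is not expected traffic."""
    out = []
    for f in flows:
        label = classify(f)
        if label:
            out.append((f.ts, label))
    return out


def chain_stages(findings: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each stage of the page-12 chain to whether it was observed."""
    seen = {label for _, label in findings}
    return {stage: bool(seen & labels) for stage, labels in STAGES.items()}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("2012-05-01T09:00:01", "10.10.1.5", "10.10.5.20", 80, 4200),            # admin host: expected
    Flow("2012-05-01T09:14:10", "10.10.7.33", "10.10.5.20", 23, 1800),           # telnet from elsewhere
    Flow("2012-05-01T09:16:02", "10.10.5.20", "203.0.113.10", 80, 2_100_000),    # package download
    Flow("2012-05-01T09:40:45", "10.10.5.20", "10.10.7.50", 445, 9000),          # controller to LAN host
    Flow("2012-05-01T10:02:30", "10.10.5.20", "198.51.100.7", 21, 48_000_000),   # FTP upload off-site
]

if __name__ == "__main__":
    findings = detect(SAMPLE_FLOWS)
    for ts, label in findings:
        print(ts, label)
    print(chain_stages(findings))
```

Run against the sample flows, the admin host's HTTP session is ignored and the other four flows map onto all four stages. The point of the `MANAGEMENT_HOSTS` allowlist is that a signage controller has a very small set of legitimate peers, so "controller talks to anything else" is a usable alert without tuning.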

Page 13: **DANGER** FPGA Vulnerabilities

SECURING THE DEVICE.

• The first thing we do is create a separate user for the software package to use.

• We edit the software to only have access to needed services.

• The next thing we do is add a stronger password for the root user.

• We always try to present the end customer with a closed network separate from their network.

• If we install on the network we deny the controller access to the Internet.
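Three of these steps (a dedicated user for the software, only the needed services listening, no Internet access) can be checked from command output captured on the controller. The following is an added example, not the deck's or the vendor's own tooling, that parses `ss -lnt`, `ps -eo user,comm` and `iptables -S OUTPUT` style output and reports which of those controls are missing. The application name `signaged`, its user `signage`, the required-port list and both sets of captured output are constructed for the example.

```python
"""Added example, not from the slides: check a Linux-based controller against
the hardening steps on page 13 using captured command output.

The command outputs below are constructed; the application name "signaged",
its dedicated user "signage" and the required port list are assumptions.
"""
from typing import Dict, List, Set

APP_PROCESS = "signaged"            # assumed name of the signage application
REQUIRED_PORTS: Set[int] = {22}     # assumed: only SSH is needed for administration
RISKY_PORTS: Dict[int, str] = {21: "ftp", 23: "telnet", 80: "http config"}


def listening_ports(ss_output: str) -> Set[int]:
    """Parse `ss -lnt` style output into the set of listening TCP ports."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def process_users(ps_output: str) -> Dict[str, str]:
    """Parse `ps -eo user,comm` style output (header first) into {command: user}."""
    users = {}
    for line in ps_output.splitlines()[1:]:
        fields = line.split(None, 1)
        if len(fields) == 2:
            users[fields[1].strip()] = fields[0]
    return users


def egress_denied(iptables_output: str) -> bool:
    """True when the OUTPUT chain has a default-deny policy (`iptables -S` style).

    Assumption: a deny-by-default policy with explicit LAN allows is how the
    'no Internet access' step is implemented; other rule shapes are not checked.
    """
    for line in iptables_output.splitlines():
        fields = line.split()
        if fields[:2] == ["-P", "OUTPUT"]:
            return fields[2] in ("DROP", "REJECT")
    return False


def audit(ss_output: str, ps_output: str, iptables_output: str) -> List[str]:
    """Return one finding per page-13 control that the captured state violates."""
    findings = []
    users = process_users(ps_output)
    # A missing process is treated like root: we cannot show it runs unprivileged.
    if users.get(APP_PROCESS, "root") == "root":
        findings.append(f"{APP_PROCESS} runs as root; give it its own unprivileged user")
    for port in sorted(listening_ports(ss_output) - REQUIRED_PORTS):
        name = RISKY_PORTS.get(port, f"tcp/{port}")
        findings.append(f"unneeded service listening: {name} on port {port}")
    if not egress_denied(iptables_output):
        findings.append("controller can reach the Internet; set the OUTPUT policy to DROP")
    return findings


# Constructed output for the controller as found (page 11/12).
AS_FOUND_SS = """State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      5      0.0.0.0:21        0.0.0.0:*
LISTEN  0      5      0.0.0.0:23        0.0.0.0:*
LISTEN  0      128    0.0.0.0:22        0.0.0.0:*
LISTEN  0      128    0.0.0.0:80        0.0.0.0:*
"""
AS_FOUND_PS = """USER     COMMAND
root     init
root     signaged
root     telnetd
"""
AS_FOUND_IPTABLES = "-P OUTPUT ACCEPT\n"

# Constructed output after the page-13 steps have been applied.
HARDENED_SS = """State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22        0.0.0.0:*
"""
HARDENED_PS = """USER     COMMAND
root     init
signage  signaged
"""
HARDENED_IPTABLES = "-P OUTPUT DROP\n-A OUTPUT -d 10.10.0.0/16 -j ACCEPT\n"

if __name__ == "__main__":
    for finding in audit(AS_FOUND_SS, AS_FOUND_PS, AS_FOUND_IPTABLES):
        print("FAIL:", finding)
    print("hardened findings:", audit(HARDENED_SS, HARDENED_PS, HARDENED_IPTABLES))
```

The as-found capture yields four findings (the application running as root, plus FTP, telnet and the HTTP configuration page listening alongside SSH, and unrestricted egress); the hardened capture yields none. Root password strength is deliberately not scored here: a hash in `/etc/shadow` does not tell you whether the password is guessable, so that step has to be enforced by policy rather than audited from a snapshot.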

Page 14: **DANGER** FPGA Vulnerabilities

THIS IS ONE DEVICE, SHOULD I BE WARY?

• Yes.

• Other devices have some of the same services installed and running for diagnostics and communications.

• FPGA’s are used in a wide variety of networking equipment.

• We must maintain the security of FPGA’s to maintain our networks.

• Please be wary.

Page 15: **DANGER** FPGA Vulnerabilities

FURTHER READING.

• ECEs spot FPGA security weakness; Finding may lead to new chip ID – http://www.ece.vt.edu/news/ar08/weakfpga.html

• US Military Chips "Compromised" – http://www.technologyreview.com/view/428029/us-military-chips-compromised/

• Study looks into Xilinx FPGAs' vulnerability – http://forum.eetindia.co.in/view_comments.jspa?entry_id=8836&from=RSS

• Backdoor Found (Maybe) in Chinese-Made Military Silicon Chips – http://www.schneier.com/blog/archives/2012/05/backdoor_found.html