
NETWORK INSECURITY: SIMPLE HACKS OF ARM CORTEX-M DEVICES

Jonny Doin, CEO, GridVortex


Agenda

• IoT: Embedded + Internet (?)
• What it means to be connected to The Internet
• Embedded == Resource Scarcity (?)
• Design Hazards
• Exploits
• Famous Hacks on Things
• Compromising the Network
• Design for hacking


IoT: Embedded + Internet  

What is being called the Internet of Things is a new domain of a very old activity: Design of Embedded Systems, but with a twist: connection to the Internet.

These systems must cope with a set of new requirements that were not imposed on earlier Embedded Systems.


IoT: Embedded + Internet (2)  

Traditionally, Embedded Systems were designed for specific-purpose networks, such as Industrial control networks.

Such networks typically have well defined traffic and command sets:
• Profibus, DeviceNet, Modbus, ...


The Internet

Robustness principle underlying the TCP protocol:

“TCP implementations will follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.”
― Jon Postel, RFC 793 (1981)

In many respects, this ethic is what allows us to drive cars on 2-way highways.


The Internet (2)

The Internet was once called:

The Information Superhighway

That is great.


The Internet (3)

For an Embedded System, it is more like this:

(Image: http://www.urbanrealm.com/images/news/newspic_2558.jpg)


What it means ...

The Internet is the most toxic environment ever designed in the history of computing.

It can be compared to driving on a 2-way high-speed highway with no traffic laws, packed with psychopath drivers.


What it means ... (2)  

Among the new communication protocols and functionality, connected Embedded Systems must cope with:

• Malformed Packets
• Corrupted payload
• High packet rates (flooding)
• Attacks


What it means ...(3)  

INTERNET REALITY:

YOU WILL BE HACKED


Embedded == Resource Scarcity

In Embedded Systems, it is far too common to see design simplification due to Constrained Resources.

MYTH: System Safety cannot be implemented in small Embedded Devices


Embedded == Resource Scarcity (2)

Take a very limited-resource organism: the Box Jellyfish.

It has no brain. However, it has:
• EYES,
• JET PROPULSION,
• CHEMICAL WEAPONS


Embedded == Resource Scarcity (3)

If Safety and Security are treated as NFRs (non-functional requirements), it is likely that they will not be implemented.

Safety must be a Functional Requirement very early in the Design. Even the simplest of circuits can be designed with Failsafe Design behavior.


Embedded == Resource Scarcity (4)

Even moderately small 8-bit MCUs can have:
• Cryptographic Hash Functions
• Full Pointer safety verification
• Failsafe Design
• Full I/O Interface Integrity

For an ARM Cortex-M, there is NO EXCUSE. A SHA-256 block on an ARM at 100 MHz takes less than 25 µs.


Design Hazards  

The designer of Internet-connected systems must design for such hazards, taking into account that the system will be hacked and implementing failsafe behaviors, from design inception.


Design Hazards (2)  

INTERNET FAILSAFE DESIGN REALITY:

YOU CAN’T


Design Hazards (3)  

If you don’t know how to hack into your system, it’s just because you don’t know it well enough.

The Designer must be the Hacker Maximus of his/her own system.


Exploits  

Every design has weaknesses.
• Structural
• Architectural
• Design Flaws
• Core Logic
• Communications


Exploits: Structural  

The most common structural exploit from a communications channel is a buffer overflow exploit.

It happens when a text stream overflows a buffer boundary.


Exploits: Structural (2)  

For systems written in C, buffer overflows can happen on garden variety input/output functions:

• gets()
• scanf()
• sprintf()


Exploits: Structural (3)

    char *gets(char *s);

    int scanf(const char * restrict format, ...);

    int sprintf(char * restrict s, const char * restrict format, ...);

In all these functions, the size of the destination buffer (a bare char *) is not known to the function, so it can be exceeded.


Exploits: Architectural (1)  

Buffer overflow exploits can be used to gain control of a system, especially when the buffer is allocated on the Stack.

Such an overflow is also called Buffer Overrun, and can place carefully crafted garbage on the stack, making the processor “return to” a crafted address.


Exploits: Architectural (2)  

ARM architecture RET2ZP exploit: Return to Zero-Protection.

Evolved from the well known ret2libc x86 exploit.

A buffer overflow allows a precisely placed return address that causes a jump to a known address in the libc codebase.


Exploits: Architectural (3)  

RET2ZP: Return Oriented Programming

Works in ARMv7 (Cortex-A and Cortex-M) even when the stack is marked XN (Execute Never).

The return address points to a libc function that creates more buffer space to, e.g., inject system() commands.

Published at Defcon18 by Zuk Avraham (Samsung)


Exploits: Design Flaws (1)

Injection Attacks:

Poorly designed command interfaces, unused terminal ports, OTAP protocols, App store injection:

• open console at streaming devices
• command execution interfaces
• open debug ports and backdoors
• fake OTAP downloads
• rogue Apps


Exploits: System (1)

Many Linux systems are busybox with open u-boot builds.

Linux-based UART hacks
• Locate the UART serial lines on the PCB
• U-boot access via UART
• root the system


Exploits: System (2)

Linux USB hacks
• physically access USB interface
• usb vcp: U-boot access -> root
• usb filesystem: boot file mods -> root
• U-boot scripts: -> root


Exploits: System (3)

SD-card and eMMC
• SPI lines interception
• direct access to filesystem
• boot script mods
• root the system


Exploits: Communications (1)

Webserver attacks
• url buffer overflow
• command execution
• system() access
• root with remote console


Famous Hacks on Things

At Defcon22, the GTVHacker (now exploitee.rs) presented a smashing demonstration of 20 famous Things mercilessly hacked in 45 minutes.

All of them were Linux-based devices.


Compromising the Network

Assume that your network will be compromised.

Have a failsafe and intelligent behavior that copes with that.

Distributed intelligence can lead to safer connected systems.


Designing for Hacking

A system that has been hacked loses its internal integrity.

System compromise detection mechanisms can be implemented in hardware and at a low level.


Designing for Hacking (2)

Deeply Embedded Systems Designers, either Bare-Metal or not, must have full control over ALL CODE in the system.

Black Boxes can mean bad surprises.


Designing for Hacking (3)

Er, Houston, ...

Full Control means FAST RESPONSE ON FAILURES


Final Thoughts

Good Embedded Engineering has no shortcuts.

You must design for Network Insecurity, Compromised Commands, and HW failure.

Always design as if people’s lives depend on you.