sdio a new peripheral attack vector
play

SDIO: a new peripheral attack vector Research Project 2 Thom Does - PowerPoint PPT Presentation

Jun 20, 2023 •212 likes •474 views

SDIO: a new peripheral attack vector Research Project 2 Thom Does Dana Geist thom.does@os3.nl dana.geist@os3.nl Introduction Secure Digital Input Output (SDIO) Adds I/O functions to SD PDAs, tablets, laptops SDIO

  1. SDIO: a new peripheral attack vector Research Project 2 Thom Does Dana Geist thom.does@os3.nl dana.geist@os3.nl

  2. Introduction ● Secure Digital Input Output (SDIO) ○ Adds I/O functions to SD ○ PDAs, tablets, laptops ● SDIO presents similarities with USB ● BadUSB attack (2014) ○ Inject keystrokes ○ Rogue DHCP ● Seemingly no protections to prevent BadUSB-like attacks 2

  3. Research Question Could SDIO be used as a new attack vector on SDIO-aware hosts? 3

  4. State of art ● No previous research on SDIO as an attack vector ● SD/SDIO specifications ○ Only simplified version available without license ● SD card hack (2013) ○ Several microSD cards were tested ○ Reversed engineered firmware ○ Developed novel applications for microcontroller 4

  5. Attack path: WLAN SDIO card Step 1 5

  6. Attack path: WLAN SDIO card Step 1 6

  7. Attack path: WLAN SDIO card Step 1 7

  8. Attack path: WLAN SDIO card Step 2 8

  9. Attack path: WLAN SDIO card Step 3 9

  10. SDIO Stack 10

  11. Physical Layer: SPI vs. SD SPI SD Wide variety of Used by SD cards and applications readers Well-known “open” License required protocol Simple (one data line) More complex (commands, data lines) Supported natively by Special purpose MCUs or many MCUs bitbanging Fallback protocol for SD Default for SD 11

  12. SDIO Layer ● Maintained by SD association ● Documentation requires licensing ● Defines SDIO commands ○ Formats ○ Initialization ○ Transfer modes ● Master-Slave based protocol ○ The card reader is the Master ○ The SDIO card is the slave 12

  13. Business Logic Layer ● Multiple manufacturers ● Standardized and manufacturer specific interfaces ○ Firmware ○ Drivers ● Each interface is an attack surface ○ WLAN, bluetooth, GPS ● Manipulate higher-level applications ○ DHCP-client, command injection, navigation system 13

  14. SDIO Model 14

  15. SDIO Model: Host’s drivers 15

  16. How can the host system be exploited? 16

  17. How can the host system be exploited? 17

  18. How can the host system be exploited? 18

  19. Build SDIO device from scratch (SPI) If host supports SPI ● Use low cost microcontrollers to implement protocol ● Build low cost sniffers to ease the development ● Use open source software to analyze the protocol ● Not all hosts support SPI 19

  20. Build SDIO device from scratch (SD) If host supports SD only ● Most microcontrollers do not natively support the protocol ● Using commodity hardware for bitbanging could be cumbersome ● No open source protocol analyzers tools ● Complex solutions like FPGA + IP core software ○ Expensive ○ Steep learning curve ○ Requires business logic programming 20

  21. Modify existing firmware ● Get the firmware ● Find hooking points ● Rewrite specific functions ● Two main options: ○ Firmware embedded in SD card ○ Firmware loaded to device by the driver 21

  22. SDIO-based vs. USB-based attacks SDIO attack BadUSB Hosts Laptops, tablets, PDAs Desktops, laptops, printers, routers Devices Limited vendors and applications Many vendors and applications Stealthiness Embedded in port Protruding from port Ease of No “off-the-shelf” products USB Armory, Rubber Ducky, known exploitation vulnerable firmware 22

  23. Discussion ● Licensing required by SD Association ● Attack feasible but: ○ Time consuming ○ Expensive ○ Not possible to create general purpose malicious firmware ● Likelihood ○ Affects SDIO aware hosts only ○ Kernel module needs to be loaded ● Impact: ○ Wide range of attacks possible ● Mitigation: vendors should sign or encrypt their firmware 23

  24. Conclusions ● SDIO cards are supported by various types of hosts ○ Laptops, phones, tablets, PDAs ● SDIO is an attack vector ○ No protections found ● Firmware might be modified, or developed from scratch ○ SD is more effective than SPI ● Currently, SDIO-based attacks seem less likely than USB-based attacks ○ Ease of exploitation ○ Number of vendors / products supporting SDIO ○ Kernel module needs to be loaded 24

  25. References Research material: ● SDIO specifications ○ https://www.sdcard.org/downloads/pls/index.html ● BADUSB - On Accessories that Turn Evil by Karsten Nohl + jakob Lell ○ https://www.youtube.com/watch?v=nuruzFqMgIw ● SD card hack ○ http://hackaday.com/2013/12/29/hacking-sd-card-flash-memory-controllers/ ● A Microcontroller-based HF-RFID Reader Implementation for the SD-Slot ○ http://www.thinkmind.org/download.php?articleid=icds_2011_4_30_10048 Images: ● https://www.parallella.org/create-sdcard/ ● http://www.techrific.com.au/2005/06/wifi-sd-card-spectec-in-stock.html ● http://www.actel.com/ipdocs/iW-SDIO_Slave_demo_board_DS.pdf ● https://www.sdcard.org/developers/overview/sdio/index.html 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Constituintes maioritrios da gua do mar (S=35) Constituinte g kg -1 Caties Sdio 10.77

Constituintes maioritrios da gua do mar (S=35) Constituinte g kg -1 Caties Sdio 10.77

Constituintes maioritrios da gua do mar (S=35) Constituinte g kg -1 Caties Sdio 10.77 Magnsio 1.30 Clcio 0.412 Potssio 0.399 Estrncio 0.008 Anies Cloreto 19.34 Sulfato 2.71 Brometo 0.067 Carbono Carbono

884 views • 76 slides
Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song,

Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song,

Type Casting Verification: Stopping an Emerging Attack Vector Byoungyoung Lee, Chengyu Song, Taesoo Kim, and Wenke Lee Georgia Institute of Technology 1 Vulnerability Trends Microsoft vulnerability trends (2013) Use-after-free Stack

1.14k views • 68 slides
NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

NOW Handout Page 1 1 Styles of Vector Architectures Components of Vector Processor Vector

Alternative Model:Vector Processing EECS 252 Graduate Computer Vector processors have high-level operations that work on linear arrays of numbers: "vectors" Architecture SCALAR VECTOR (1 operation) (N operations) Lec 10

327 views • 10 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector ,

Vector addition: The zero vector The D -vector whose entries are all zero is the zero vector , written 0 D or just 0 v + 0 = v Vector addition: Vector addition is associative and commutative I Associativity ( x + y ) + z = x + ( y + z ) I

476 views • 36 slides
A Massive Peripheral Ossifying FibromaUncommon Presentation of a Common Lesion Himanshu

A Massive Peripheral Ossifying FibromaUncommon Presentation of a Common Lesion Himanshu

A Massive Peripheral Ossifying FibromaUncommon Presentation of a Common Lesion Himanshu Kapoor, Ritika Arora Department of Pedodontics, Subharti dental college, Meerut, U.P, India. Abstract Peripheral Ossifying Fibroma (POF) is a relatively

261 views • 5 slides
Computer Aided Detection and Measurement of Peripheral Arterial Diseases from CTA Images

Computer Aided Detection and Measurement of Peripheral Arterial Diseases from CTA Images

Computer Aided Detection and Measurement of Peripheral Arterial Diseases from CTA Images Professor Jamshid Dehmeshki Kingston University, London The University Hospital of Lausanne Outline Anatomical overview of Peripheral Arteries

497 views • 36 slides
Reinventing Yourself: How to Add New Procedures ( Peripheral, Carotid, TAVR, Structural) Tony

Reinventing Yourself: How to Add New Procedures ( Peripheral, Carotid, TAVR, Structural) Tony

Reinventing Yourself: How to Add New Procedures ( Peripheral, Carotid, TAVR, Structural) Tony Das MD, FACC Director, Peripheral Interventions Texas Health, Presbyterian Hospital Dallas, Texas Faculty Disclosure Tony Das, MD For the 12

415 views • 26 slides
Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break

Day 3 Advanced Vector Architectures Session A: Vector Instruction Execution Pipelines Break Session B: Vector Flag Processing & Vector Register Files Lunch Session C: Virtual Processor Caches Break Session D: Vector IRAM Vector

498 views • 22 slides
BMA & AUTOGRAFT HARVESTING SYSTEM AGENDA 1. Key benefits 2. Peripheral blood infiltration

BMA & AUTOGRAFT HARVESTING SYSTEM AGENDA 1. Key benefits 2. Peripheral blood infiltration

BMA & AUTOGRAFT HARVESTING SYSTEM AGENDA 1. Key benefits 2. Peripheral blood infiltration during marrow aspiration the cause of low stem cell counts 3. How AutograftX overcomes the problem of peripheral blood infiltration of the

144 views • 13 slides
Peripheral Nervous System 50a A&P: Nervous System - Peripheral Nervous System Class

Peripheral Nervous System 50a A&P: Nervous System - Peripheral Nervous System Class

50a A&P: Nervous System - Peripheral Nervous System 50a A&P: Nervous System - Peripheral Nervous System Class Outline 5 minutes Attendance, Breath of Arrival, and Reminders 10 minutes Lecture: 25 minutes Lecture: 15

606 views • 33 slides
VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

THE STATE OF PHISHING ATTACK VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of Phishing Counter Measures Reports on Phishing Isaac K. Acheampong Facilities Manager BSc IT, Dip. IT, Sec+ STATE OF

711 views • 34 slides
B = Y Z Z Z where y z 1 1 y z

B = Y Z Z Z where y z 1 1 y z

ARMAX Models Vector (multivariate) regression: output vector y t, 1 y t, 2 y t = . . . y t,k input vector z t, 1 z t, 2 z t = . . .

419 views • 12 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
Choosing Wisely NL Peripheral Artery Disease Practice Points Approximately 12% of adults in

Choosing Wisely NL Peripheral Artery Disease Practice Points Approximately 12% of adults in

Choosing Wisely NL Peripheral Artery Disease Practice Points Approximately 12% of adults in Newfoundland and Labrador have Peripheral Artery Disease (PAD). Usually, patients with PAD DO NOT need a test or revascularization procedure.

255 views • 11 slides
Honolulu Authority for Rapid Transportation STAFF SUMMARY TITLE: STAFF CONTACT:

Honolulu Authority for Rapid Transportation STAFF SUMMARY TITLE: STAFF CONTACT:

Honolulu Authority for Rapid Transportation STAFF SUMMARY TITLE: STAFF CONTACT: DATE: Vector Control Installation Contract In-Tae Lee, Deputy Director May 16, 2019 of Design & Engineering Type: Goal Focus Area Reference

539 views • 12 slides
Vectors Presented by: Ana Chang-Gonzalez, Alyssa Michalke, Kirsten Schroeder, and Connie Xavier

Vectors Presented by: Ana Chang-Gonzalez, Alyssa Michalke, Kirsten Schroeder, and Connie Xavier

Vectors Presented by: Ana Chang-Gonzalez, Alyssa Michalke, Kirsten Schroeder, and Connie Xavier Uses of Vectors Projectile motion Determine resultant force Construction of buildings Determine direction and magnitude Describe

471 views • 22 slides
CUTENSOR High-Performance CUDA Tensor Primitives Paul Springer, Chen-Han Yu, March 20 th 2019

CUTENSOR High-Performance CUDA Tensor Primitives Paul Springer, Chen-Han Yu, March 20 th 2019

CUTENSOR High-Performance CUDA Tensor Primitives Paul Springer, Chen-Han Yu, March 20 th 2019 pspringer@nvidia.com and chenhany@nvidia.com ACKNOWLEDGMENTS Colleagues at NVIDIA Collaborators outside of NVIDIA Albert Di Dmitry Liakh

2.04k views • 41 slides
+ ; = ; where the

+ ; = ; where the

Phase space, Tangent-Linear and Adjoint Models, Singular Vectors, Lyapunov Vectors and Normal Modes = Assume a phase space of dimension N where is a state vector . Autonomous governing equations with initial state

739 views • 7 slides
Vector diagrams *Vectors should be drawn tip-to-tail *Put arrows on all vectors *Resultant arrow

Vector diagrams *Vectors should be drawn tip-to-tail *Put arrows on all vectors *Resultant arrow

Vector diagrams *Vectors should be drawn tip-to-tail *Put arrows on all vectors *Resultant arrow goes toward last open arrow *angle is measured from the starting point a. Find the speed of the model airplane. b. On the diagram, draw a vector

649 views • 39 slides
Greedy Algorithm Fails in Compact Vector Summation G. Chelidze, S. Chobanyan, G. Giorgobiani, V.

Greedy Algorithm Fails in Compact Vector Summation G. Chelidze, S. Chobanyan, G. Giorgobiani, V.

1 Greedy Algorithm Fails in Compact Vector Summation G. Chelidze, S. Chobanyan, G. Giorgobiani, V. Kvaratskhelia N. Muskhelishvili Institute of Computational Mathematics of the Georgian Technical University Abstract. Scheduling Theory has found

69 views • 4 slides
A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo

A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo

A JEALOUS A JEALOUS CRYPTANALYST CRYPTANALYST In search of a short vector A story by Leo Ducas, Marc Stevens and Wessel van Woerden ONCE UPON A TIME ONCE UPON A TIME ONCE UPON A TIME ONCE UPON A TIME A cryptanalyst visited the

307 views • 18 slides
TMVCA Student Presentation Competition Student presentation competition is held in conjunction

TMVCA Student Presentation Competition Student presentation competition is held in conjunction

TMVCA Student Presentation Competition Student presentation competition is held in conjunction with the Tennessee Mosquito and Vector Control Associations Annual Meeting. Those entering this competition will present findings from their

59 views • 3 slides

More recommend