the hidden nemesis backdooring embedded controllers
play

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp - PowerPoint PPT Presentation

Feb 23, 2023 •26 likes •327 views

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

  2. The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu

  3. Targets.

  4. Targets. You can be one, too.

  5. Assume I briefly have physical access your laptop.

  6. #FAIL for you, I know.

  7. Your laptop is reinstalled/reimaged frequently.

  8. You are excellent at forensics.

  9. You can disassemble and reassemble your laptop blindfolded and clean it like your M-16.

  10. You have written backdoors/rootkits yourself.

  11. How would I backdoor your box?

  12. Backdoors in laptops ๏ State of the art: ๏ Hardware (e.g. keylogger: modified keyboard) ๏ Software (usually hooks into operating system’s keyboard handler) ๏ BIOS (see CORE’s talk), ACPI (Heasman) ๏ What about firmware of other devices? ๏ Network card? Graphics card? HDD? AMT? ๏ Anything else?

  13. That’s what this talk is about!

  14. Embedded controller ๏ Microcontroller in (almost?) every PC laptop ๏ MacBooks have SMC instead keyboard is connected through USB ๏ 8- or 16-bit MCU, Renases widespread in ThinkPads ๏ Controls sensors and actuators: temperature, battery, fans, brightness, LEDs ๏ Also responsible for hotkeys (e.g. enable VGA out, brightness control etc.) ๏ Hence: needs access to stream of key presses

  16. MCUs rocking it old school...

  17. MCUs rocking it old school... (EP)ROM inside.

  18. Some common ECs ๏ ENE: KB8910, KB926C/D, KB3310, KB3700 etc. as well as SMSC ๏ 8051 based, 8-bit MCU ๏ ITE (usually includes Super I/O controller): IT8500, IT8502E, IT8516, IT8301 etc. ๏ 8052 core, 8-bit MCU ๏ Nuvoton ๏ CR16 core and others 8051 core ๏ Fujitsu: MB90378, 16-bit core

  19. ThinkPad ECs ๏ Renases H8S, clocked at 10Mhz ๏ Powered when laptop has power (laptop may be turned off) ๏ BIOS and EC code can be flashed over LAN (disable this BIOS option if you own a ThinkPad!) ๏ Prior work on reversing them (benign, for fixing bugs) ๏ IDA Pro Advanced has support for the H8S

  21. Prior work ๏ Commented disassemblies available for T43 ๏ Pins/data lines identified ๏ keyboard scan matrix ๏ LEDs/ThinkLight ๏ fan control ๏ Some patches available to fix annoyances

  22. Source-equivalent ! http://ec.gnost.info/ec-18s.7z ; Source Equivalent for ThinkPad Embedded Controller Firmware ; H8S/2161BV Pin Assignments ; 32..25 PE -> keyboard scan matrix outputs ; 50..43 PF -> keyboard scan matrix outputs ; 58..51 PG <- keyboard scan matrix inputs ; 108 P13 -> BJT -> ThinkLight LED ; 3 P44 -> BJT -> IGFET -> fan motor ; 80 P62 <- BJT <- fan tachometer signal [...] ; Type 1R: T40/p; T41/p; T42/p; R50/p; R51 1829..1831, 1836 [...] ; Type 1Y: T43/p 2668..2669, 0x2678..2679, 0x2686..2687 [...] ; Type 70: T43 1871..1876; R52 0x1858..1863, 0x1958 [...] ; Type 76: R52 1846..1850, 1870 [...] ; Type 1V: R50e, R51 2883, 0x2887..2889, 0x2894..2895 � ; not supported

  24. The PROMIS backdoor folklore ๏ Promis often was sold together with a computer ๏ Anyone remember Inslaw? ๏ Inventor of Prosecutor’s Management Information System, a people-tracking software ๏ Lots of legal fights about this software ๏ Pirated, backdoored versions allegedly sold by CIA and/or Mossad to foreign governments

  25. More on PROMIS ๏ PROMIS and computer (e.g. a Prime) were sold as bundle ๏ Hardware of computer was backdoored, allegedly contained two chips ๏ storage chip (“Elbit”) [using “ambient electricity”] ๏ communication chip, using spread-spectrum modulation to periodically transmit entire contents of database and/or keystroke buffer [“Petrie” chip] ๏ Let’s do it without the additional hardware!

  26. Backdoor Capabilities ๏ For ThinkPads (only tested on X60s at the moment) ๏ Can record and exfiltrate keystroke data ๏ Assuming compression rate of 5:1 and 64KBytes scratch space > 300k keystrokes in ring buffer ๏ Data exfiltration ๏ Can communicate with host CPU through ACPI or temperature readings ๏ Get fancy: Modulate LEDs (Blinkenlights!) for optical and EM modulation!

  27. Alternatives: JitterBugs ๏ Idea and first PoC by Shah, Molina and Blaze [Usenix Security 2006] ๏ Covert timing channel to leak key strokes ๏ PoC is bump-in-the-wire hardware implementation ๏ firmware approach already suggested by authors ๏ Assumes bursted keyboard activity ๏ Uses inter-packet delays for a 1-bit channel

  28. Demo

  29. Defense ๏ EC firmware: not write-only, can dump it as well ๏ Build repository of known good versions and publish fingerprints (SHA-256) ๏ Ongoing project: http://coderpunks.org/ecdumper ๏ First release will be for ThinkPads only ๏ Contributions (for other models) welcome!

  30. Outlook ๏ Want to cover more vendors/models ๏ Look into other devices with reflashable firmware: ๏ BIOS/ACPI yesterday, ECs now, vPro/AMT next? ๏ Defense: ๏ Build tools to fingerprint more laptop firmware ๏ Make sure firmware is signed & verified ๏ Fundamental discussion on trust placed in firmware necessary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude Petitpierre Swiss Federal Institute of Technology (EPFL) 1 O UTLINE ... 1. Validation Process Cycle 2. Composition of Gear Controller 3. Timing

585 views • 21 slides
Project Feasibility Status Future

Project Feasibility Status Future

The Nemesis The Nemesis Project Feasibility Status Future http://assets.bwbx.io/images/users/iqjWHBFdfxIU/ih42EzFSRhXo/v2/-1x-1.jpg

273 views • 16 slides
Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet &amp; Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

658 views • 43 slides
Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian) DISCLAIMER We are not terrorists . We won't release our PoC backdoor. The x86 architecture is plagued by legacy. Governments know.

525 views • 37 slides
Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M.

Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M.

Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M. Moudgalya IIT Bombay Tuesday, 27 August 2013 1/34 Process Control Introduction to controllers Outline 1. Recalling control loop components 2.

577 views • 34 slides
High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and One-Sided MPI Semantics in MVAPICH2 Miao Luo, Sreeram Potluri, Ping Lai, Emilio P. Mancini, Hari Subramoni, Krishna Kandalla, Sayantan Sur, D. K. Panda

596 views • 34 slides
Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of

Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of

Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of Served Industries 3 End User Products Thermal Processing Equipment Requiring Controls and Instrumentation Batch Furnace Batch Oven Box Furnace

1.02k views • 46 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org An idea back in 1995... Locking a computer using hardware An idea back in

742 views • 40 slides
EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN

EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN

EasySet Temperature Controllers EDC201 / EDC202 / EDC203 Customer Presentation EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN Control Precision Ease of Setup/Use Vivid Display 2 EasySet

457 views • 18 slides
1 Outline Orbital Insertion Example Model-based Programming Turn camera off and engine on

1 Outline Orbital Insertion Example Model-based Programming Turn camera off and engine on

Programming Long-lived Embedded Systems With Complex Autonomic Processes Model-based Programming: Controlling Embedded Systems by Reasoning about Hidden State Brian C. Williams And Michel Ingham Artificial Intelligence and Space Systems Labs

551 views • 7 slides
Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS Operating Systems Major differences Details XPE / CE Embedded PC 2 The Windows Embedded OS family The modular, real The modular, real- -time

611 views • 22 slides
M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in

M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in

M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in Computational Logic Department of Artificial Intelligence Fuzzy Controllers Fuzzy Controllers are special expert systems KB expressed in terms of fuzzy

475 views • 20 slides
Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic

Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic

Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic structure of a PID controller P System r [ k ] u [ k ] y [ k ] e [ k ] I + + g [ z ] D -1 PID controllers are unity feedback controllers

199 views • 15 slides
101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside another view controller Great for reuse Great for decomposing Special segue: embed Set up with prepareForSegue View Hierarchy Tab Bar VC Main

544 views • 7 slides
Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC

Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC

Self-Supervised Exploration via Disagreement Deepak Pathak* Dhiraj Gandhi* Abhinav Gupta UC Berkeley CMU CMU, FAIR ICML 2019 * equal contribution Exploration a major challenge! Exploration a major challenge! Mohamed et.al.

817 views • 66 slides
GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe

GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe

GP-RARS: Evolving Controllers for the Robot Auto Racing Simulator Yehonatan Shichel &amp; Moshe Sipper Ben-Gurion University 2011 HUMIES AWARDS FOR HUMAN-COMPETITIVE RESULTS RARS: Robot Auto Racing Simulator Car-race simulation

350 views • 23 slides
Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki

Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki

IEEE E CDC 2019 19 Distrib tribute uted d Contr ntrol ol I/ ThA20 A20 Hierarchical Model Decomposition for Distributed Design of Glocal Controllers Hampe pei i Sasahar ahara a (KTH), ), Takayuk uki i Ishiza hizaki (Tok okyoT

737 views • 22 slides
Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013

Out of Control: Demonstrating SCADA Exploitation Brian Meixell Eric Forner Black Hat 2013 Agenda SCADA 101 Attack Scenarios Common Vulnerabilities Remediation Exploit Demo SCADA 101 SCADA DCS Supervisory Distributed

626 views • 45 slides
Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3 David S. Touretzky September, 2017 Dynamical Control The Marr-Albus models are static models that map a single input pattern to a

508 views • 28 slides
Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3

Forward and Inverse Models in the Cerebellum Computational Models of Neural Systems Lecture 2.3 David S. Touretzky September, 2015 Basics of Control Theory Desired Control Controller Plant state signals Current state The plant

716 views • 26 slides
Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today MVC Object-Oriented Design Pattern Continuation of Calculator Demo Computed Properties, MVC, Laying out the UI to work with different devices CS193p Winter

817 views • 33 slides
1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB

1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB

1 Basics of Exceptions Cortex-M4 Core Peripherals System Control Block (SCB) SCB Registers SysTick Timer Registers Configuration Code Example Nested Vectored Interrupt Controller (NVIC) Exception/Interrupt

988 views • 72 slides

More recommend