the hidden nemesis backdooring embedded controllers
play

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp - PowerPoint PPT Presentation

Feb 23, 2023 •26 likes •327 views

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

  2. The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu

  3. Targets.

  4. Targets. You can be one, too.

  5. Assume I briefly have physical access your laptop.

  6. #FAIL for you, I know.

  7. Your laptop is reinstalled/reimaged frequently.

  8. You are excellent at forensics.

  9. You can disassemble and reassemble your laptop blindfolded and clean it like your M-16.

  10. You have written backdoors/rootkits yourself.

  11. How would I backdoor your box?

  12. Backdoors in laptops ๏ State of the art: ๏ Hardware (e.g. keylogger: modified keyboard) ๏ Software (usually hooks into operating system’s keyboard handler) ๏ BIOS (see CORE’s talk), ACPI (Heasman) ๏ What about firmware of other devices? ๏ Network card? Graphics card? HDD? AMT? ๏ Anything else?

  13. That’s what this talk is about!

  14. Embedded controller ๏ Microcontroller in (almost?) every PC laptop ๏ MacBooks have SMC instead keyboard is connected through USB ๏ 8- or 16-bit MCU, Renases widespread in ThinkPads ๏ Controls sensors and actuators: temperature, battery, fans, brightness, LEDs ๏ Also responsible for hotkeys (e.g. enable VGA out, brightness control etc.) ๏ Hence: needs access to stream of key presses

  16. MCUs rocking it old school...

  17. MCUs rocking it old school... (EP)ROM inside.

  18. Some common ECs ๏ ENE: KB8910, KB926C/D, KB3310, KB3700 etc. as well as SMSC ๏ 8051 based, 8-bit MCU ๏ ITE (usually includes Super I/O controller): IT8500, IT8502E, IT8516, IT8301 etc. ๏ 8052 core, 8-bit MCU ๏ Nuvoton ๏ CR16 core and others 8051 core ๏ Fujitsu: MB90378, 16-bit core

  19. ThinkPad ECs ๏ Renases H8S, clocked at 10Mhz ๏ Powered when laptop has power (laptop may be turned off) ๏ BIOS and EC code can be flashed over LAN (disable this BIOS option if you own a ThinkPad!) ๏ Prior work on reversing them (benign, for fixing bugs) ๏ IDA Pro Advanced has support for the H8S

  21. Prior work ๏ Commented disassemblies available for T43 ๏ Pins/data lines identified ๏ keyboard scan matrix ๏ LEDs/ThinkLight ๏ fan control ๏ Some patches available to fix annoyances

  22. Source-equivalent ! http://ec.gnost.info/ec-18s.7z ; Source Equivalent for ThinkPad Embedded Controller Firmware ; H8S/2161BV Pin Assignments ; 32..25 PE -> keyboard scan matrix outputs ; 50..43 PF -> keyboard scan matrix outputs ; 58..51 PG <- keyboard scan matrix inputs ; 108 P13 -> BJT -> ThinkLight LED ; 3 P44 -> BJT -> IGFET -> fan motor ; 80 P62 <- BJT <- fan tachometer signal [...] ; Type 1R: T40/p; T41/p; T42/p; R50/p; R51 1829..1831, 1836 [...] ; Type 1Y: T43/p 2668..2669, 0x2678..2679, 0x2686..2687 [...] ; Type 70: T43 1871..1876; R52 0x1858..1863, 0x1958 [...] ; Type 76: R52 1846..1850, 1870 [...] ; Type 1V: R50e, R51 2883, 0x2887..2889, 0x2894..2895 � ; not supported

  24. The PROMIS backdoor folklore ๏ Promis often was sold together with a computer ๏ Anyone remember Inslaw? ๏ Inventor of Prosecutor’s Management Information System, a people-tracking software ๏ Lots of legal fights about this software ๏ Pirated, backdoored versions allegedly sold by CIA and/or Mossad to foreign governments

  25. More on PROMIS ๏ PROMIS and computer (e.g. a Prime) were sold as bundle ๏ Hardware of computer was backdoored, allegedly contained two chips ๏ storage chip (“Elbit”) [using “ambient electricity”] ๏ communication chip, using spread-spectrum modulation to periodically transmit entire contents of database and/or keystroke buffer [“Petrie” chip] ๏ Let’s do it without the additional hardware!

  26. Backdoor Capabilities ๏ For ThinkPads (only tested on X60s at the moment) ๏ Can record and exfiltrate keystroke data ๏ Assuming compression rate of 5:1 and 64KBytes scratch space > 300k keystrokes in ring buffer ๏ Data exfiltration ๏ Can communicate with host CPU through ACPI or temperature readings ๏ Get fancy: Modulate LEDs (Blinkenlights!) for optical and EM modulation!

  27. Alternatives: JitterBugs ๏ Idea and first PoC by Shah, Molina and Blaze [Usenix Security 2006] ๏ Covert timing channel to leak key strokes ๏ PoC is bump-in-the-wire hardware implementation ๏ firmware approach already suggested by authors ๏ Assumes bursted keyboard activity ๏ Uses inter-packet delays for a 1-bit channel

  28. Demo

  29. Defense ๏ EC firmware: not write-only, can dump it as well ๏ Build repository of known good versions and publish fingerprints (SHA-256) ๏ Ongoing project: http://coderpunks.org/ecdumper ๏ First release will be for ThinkPads only ๏ Contributions (for other models) welcome!

  30. Outlook ๏ Want to cover more vendors/models ๏ Look into other devices with reflashable firmware: ๏ BIOS/ACPI yesterday, ECs now, vPro/AMT next? ๏ Defense: ๏ Build tools to fingerprint more laptop firmware ๏ Make sure firmware is signed & verified ๏ Fundamental discussion on trust placed in firmware necessary

Recommend

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude

Validating Real-Time Behavioral Patterns of Embedded Controllers Jagannath Aghav and Claude Petitpierre Swiss Federal Institute of Technology (EPFL) 1 O UTLINE ... 1. Validation Process Cycle 2. Composition of Gear Controller 3. Timing

585 views • 21 slides
Project Feasibility Status Future

Project Feasibility Status Future

The Nemesis The Nemesis Project Feasibility Status Future http://assets.bwbx.io/images/users/iqjWHBFdfxIU/ih42EzFSRhXo/v2/-1x-1.jpg

273 views • 16 slides
Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet

Backdooring your server through its BMC : the HPE iLO4 case Fabien Prigaud, Alexandre Gazet &amp; Jofgrey Czarny Rennes, June 13-15 , 2018 Outline Introduction Previous works Firmware security A fjrmware backdoor Conclusion 1 HP

658 views • 43 slides
Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu

Hardware Backdooring is practical Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian) DISCLAIMER We are not terrorists . We won't release our PoC backdoor. The x86 architecture is plagued by legacy. Governments know.

525 views • 37 slides
Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M.

Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M.

Lecture 16 Introduction to Controllers and PID Controllers Process Control Prof. Kannan M. Moudgalya IIT Bombay Tuesday, 27 August 2013 1/34 Process Control Introduction to controllers Outline 1. Recalling control loop components 2.

577 views • 34 slides
High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and One-Sided MPI Semantics in MVAPICH2 Miao Luo, Sreeram Potluri, Ping Lai, Emilio P. Mancini, Hari Subramoni, Krishna Kandalla, Sayantan Sur, D. K. Panda

596 views • 34 slides
Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of

Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of

Process Instruments Controllers and Programmers Controllers and Programmers 2 Sampling of Served Industries 3 End User Products Thermal Processing Equipment Requiring Controls and Instrumentation Batch Furnace Batch Oven Box Furnace

1.02k views • 46 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security

Backdooring X11 with class Matias Katz @matiaskatz matias@matiaskatz.com Andsec Security Conference End of November 2015 Buenos Aires, Argentina www.andsec.org An idea back in 1995... Locking a computer using hardware An idea back in

742 views • 40 slides
EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN

EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN

EasySet Temperature Controllers EDC201 / EDC202 / EDC203 Customer Presentation EasySet Temperature Controllers 96 x 96 mm 48 x 96 mm 48 x 48 mm 1/4 DIN 1/8 DIN 1/16 DIN Control Precision Ease of Setup/Use Vivid Display 2 EasySet

457 views • 18 slides
1 Outline Orbital Insertion Example Model-based Programming Turn camera off and engine on

1 Outline Orbital Insertion Example Model-based Programming Turn camera off and engine on

Programming Long-lived Embedded Systems With Complex Autonomic Processes Model-based Programming: Controlling Embedded Systems by Reasoning about Hidden State Brian C. Williams And Michel Ingham Artificial Intelligence and Space Systems Labs

551 views • 7 slides
Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS Operating Systems Major differences Details XPE / CE Embedded PC 2 The Windows Embedded OS family The modular, real The modular, real- -time

611 views • 22 slides
M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in

M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in

M odels for Inexact Reasoning Fuzzy Logic Lesson 8 Fuzzy Controllers M aster in Computational Logic Department of Artificial Intelligence Fuzzy Controllers Fuzzy Controllers are special expert systems KB expressed in terms of fuzzy

475 views • 20 slides
Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic

Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic

Modelling and Control of Dynamic Systems PID Controllers Sven Laur University of Tartu Basic structure of a PID controller P System r [ k ] u [ k ] y [ k ] e [ k ] I + + g [ z ] D -1 PID controllers are unity feedback controllers

199 views • 15 slides
101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside

101 iOS Container View Controllers Container View Controllers Display a view controller inside another view controller Great for reuse Great for decomposing Special segue: embed Set up with prepareForSegue View Hierarchy Tab Bar VC Main

544 views • 7 slides
Contiki: A Lightweight and Flexible Operating System for Tiny Networked Sensors Protothreads:

Contiki: A Lightweight and Flexible Operating System for Tiny Networked Sensors Protothreads:

Contiki: A Lightweight and Flexible Operating System for Tiny Networked Sensors Protothreads: Simplifying Event-Driven Programming of Memory-Constrained Embedded Systems SensorWare Fibers Mantis Exokernel Nemesis Contiki Open source

432 views • 10 slides
Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$

Hidden$Terminals$ Nodes$A$and$C$are$hidden$terminals$when$sending$to$B$ Cant$hear$each$other$(to$coordinate)$yet$collide$at$B$ We$want$to$avoid$the$inefficiency$of$collisions $ CSE$461$University$of$Washington$ 53$

463 views • 31 slides
Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a

Hidden Markov Models Pratik Lahiri Introduction A hidden Markov model (HMM) is a statistical Markov model in which the system being modeled is assumed to be a Markov process with unobserved (hidden) states. We call the observed event

741 views • 13 slides
Best Practices for AVB Jeff Koftinoff Devices and Controllers &lt;jeff.koftinoff@gmail.com&gt;

Best Practices for AVB Jeff Koftinoff Devices and Controllers &lt;jeff.koftinoff@gmail.com&gt;

April 2014 IEEE 1722.1 F2F Best Practices for AVB Jeff Koftinoff Devices and Controllers &lt;jeff.koftinoff@gmail.com&gt; Overview AVDECC Entity Types: Controllers, Talkers, Listeners, Responders Minimum requirements as defined by IEEE

332 views • 18 slides
Devices and Device Controllers network interface graphics adapter secondary storage

Devices and Device Controllers network interface graphics adapter secondary storage

I/O 1 Devices and Device Controllers network interface graphics adapter secondary storage (disks, tape) and storage controllers serial (e.g., mouse, keyboard) sound co-processors . . . CS350 Operating Systems Winter

533 views • 28 slides
Lecture 14: I/O Controllers &amp; Devices RS 232 UART/ modem ACIA USB printer video CPU

Lecture 14: I/O Controllers &amp; Devices RS 232 UART/ modem ACIA USB printer video CPU

Lecture 14: I/O Controllers &amp; Devices RS 232 UART/ modem ACIA USB printer video CPU monitor Serial ATA disk SA SCSI ETHERNET LAN I/O controllers I/O devices Inf2C Computer Systems - 2010-2011 1 Computer System Organization

573 views • 19 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Devices and Device Controllers A computer system contains a multitude of I/O devices and their

Devices and Device Controllers A computer system contains a multitude of I/O devices and their

G Device I/O Devices and Device Controllers A computer system contains a multitude of I/O devices and their respective controllers: network card graphics adapter disk controller DVD-ROM controller serial port USB

1.4k views • 33 slides

More recommend