Joykill: Previously Undisclosed Vulnerability Endangers User Data

Researchers have recently announced a vulnerability in PC hardware enabling attackers to wipe the disk of a victim’s computer. This vulnerability, going by the name Joykill, stems from the lack of proper validation when enabling manufacturing system tests.

Joykill affects the IBM PCjr and allows local and remote attackers to destroy the contents of the floppy diskette using minimal interaction. The attack is performed by plugging two joysticks into the PCjr, booting the computer, entering the PCjr’s diagnostic mode, and immediately pressing button ‘B’ on joystick one, and buttons ‘A’ and ‘B’ on joystick two. This will enable the manufacturing system test mode, where all internal tests are performed without user interaction. The first of these tests is the diskette test, which destroys all user data on any inserted diskette. There is no visual indication of what is happening, and the data is destroyed when the test is run.
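The design flaw described above is a gating problem: a button combination sampled once at menu entry is the only thing standing between the user and an unattended test sequence whose first step is destructive. The following is an added example, not code from the original post or from the PCjr ROM, modelling that pattern beside a fail-safe variant. The button encoding, the test sequence, the `Diskette` class and the `confirm` callback are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple

# Constructed input (hypothetical encoding): the combination from the post,
# read at the moment the diagnostic menu appears.
MFG_TEST_COMBO = frozenset({("joystick1", "B"), ("joystick2", "A"), ("joystick2", "B")})


@dataclass
class Diskette:
    """Toy diskette: a handful of sectors holding user data."""
    sectors: List[str] = field(default_factory=lambda: ["user data"] * 8)

    @property
    def wiped(self) -> bool:
        return all(s == "" for s in self.sectors)


def diskette_test(disk: Diskette) -> str:
    """Destructive surface test: formats every sector, as the post describes."""
    disk.sectors = [""] * len(disk.sectors)
    return "diskette: pass"


def memory_test(disk: Diskette) -> str:
    """Non-destructive placeholder test."""
    return "memory: pass"


# (name, test function, destructive?) with the destructive test first, as in the post.
TEST_SEQUENCE: List[Tuple[str, Callable[[Diskette], str], bool]] = [
    ("diskette", diskette_test, True),
    ("memory", memory_test, False),
]


def run_diagnostics_unsafe(buttons: Iterable[Tuple[str, str]], disk: Diskette) -> List[str]:
    """Vulnerable pattern: the button combination is the only gate. Once it
    matches, every test runs back to back with no prompt and no indication
    of what is about to happen to the inserted diskette."""
    if frozenset(buttons) != MFG_TEST_COMBO:
        return ["interactive menu shown"]
    return [test(disk) for _, test, _ in TEST_SEQUENCE]


def run_diagnostics_safe(
    buttons: Iterable[Tuple[str, str]],
    disk: Diskette,
    confirm: Callable[[str], bool],
) -> List[str]:
    """Fail-safe pattern (an assumed design, not the ROM's): the combination
    still selects the test sequence, but each destructive step announces its
    consequence and runs only if confirm(step_name) returns True; a refusal
    aborts the whole run rather than silently skipping ahead."""
    if frozenset(buttons) != MFG_TEST_COMBO:
        return ["interactive menu shown"]
    results: List[str] = []
    for name, test, destructive in TEST_SEQUENCE:
        if destructive:
            results.append(f"{name}: WARNING, this test erases the inserted diskette")
            if not confirm(name):
                results.append(f"{name}: aborted (not confirmed)")
                return results
        results.append(test(disk))
    return results


if __name__ == "__main__":
    d = Diskette()
    print(run_diagnostics_unsafe(MFG_TEST_COMBO, d), "wiped:", d.wiped)
    d = Diskette()
    print(run_diagnostics_safe(MFG_TEST_COMBO, d, lambda name: False), "wiped:", d.wiped)
```

The point of the hardened variant is not the prompt itself but where the decision is taken: a destructive step is approved individually, at the moment it would run, by something other than the state that selected the mode. The same principle applies to any firmware or service menu that chains a wipe, a reflash or a factory reset into an unattended sequence.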

A local exploit destroying user data is scary enough, but after much work, the researchers behind Joykill have also managed to craft a remote exploit based on Joykill. To accomplish this, the researchers built two IBM PCjr joysticks with 50-meter long cables.

Researchers believe this exploit is due to undocumented code in the PCjr’s ROM. This code contains diagnostics code for manufacturing burn-in, system test code, and service test code. This code is not meant to be run by the end user, but is still exploitable by an attacker. Researchers have disassembled this code and made their work available to anyone.

As of the time of this writing, we were not able to contact anyone at the IBM PCjr Information Center for comment. We did, however, receive an exciting offer for a Caribbean cruise.

30 thoughts on “Joykill: Previously Undisclosed Vulnerability Endangers User Data”

  1. I’ve just discovered a serious timing exploit in battery backed Disk-on-RAM-banks…

    I call the attack BrainDead because of the human brain… when the power is gone it is dead… lost forever!

    The timing attack requires the attacker to wait 10 years or more from implementation before pulling power to the RAM bank.
    This can be remotely exploited by finding out the supplying sub-station and causing the sub-station to shut off out-going supply.

    These “exploits” on such old equipment just bring a smile to my face, because of recent events with hardware and firmware exploits. :D

  2. Hopefully this is all in jest. If not, I would like to keelhaul, throw in irons, and perhaps introduce the gunner’s daughter – to the incompetent bureaucrat that signed off any taxpayer funded grant to these “researchers”! Another sterling example of waste in the name of “research”. Right up there with grant money for trying to figure out why gay men hang out in gay bars. Lord help us all!

    1. If it makes you feel any better; I’m just finishing up an NIH grant application to study the ergonomics of typing with an enormous chip on your shoulder.

      Sweet government cash will be mine!
