TEMPEST In A Software Defined Radio

June 25, 2017 by 12 Comments

In 1985, [Wim van Eck] published several technical reports on obtaining information the electromagnetic emissions of computer systems. In one analysis, [van Eck] reliably obtained data from a computer system over hundreds of meters using just a handful of components and a TV set. There were obvious security implications, and now computer systems handling highly classified data are TEMPEST shielded – an NSA specification for protection from this van Eck phreaking.

Methods of van Eck phreaking are as numerous as they are awesome. [Craig Ramsay] at Fox It has demonstrated a new method of this interesting side-channel analysis using readily available hardware (PDF warning) that includes the ubiquitous RTL-SDR USB dongle.

The experimental setup for this research involved implementing AES encryption on two FPGA boards, a SmartFusion 2 SOC and a Xilinx Pynq board. After signaling the board to run its encryption routine, analog measurement was performed on various SDRs, recorded, processed, and each byte of the key recovered.

The results from different tests show the AES key can be extracted reliably in any environment, provided the antenna is in direct contact with the device under test. Using an improvised Faraday cage constructed out of mylar space blankets, the key can be reliably extracted at a distance of 30 centimeters. In an anechoic chamber, the key can be extracted over a distance of one meter. While this is a proof of concept, if this attack requires direct, physical access to the device, the attacker is an idiot for using this method; physical access is root access.

However, this is a novel use of software defined radio. As far as the experiment itself is concerned, the same result could be obtained much more quickly with a more relevant side-channel analysis device. The ChipWhisperer, for example, can extract AES keys using power signal analysis. The ChipWhisperer does require a direct, physical access to a device, but if the alternative doesn’t work beyond one meter that shouldn’t be a problem.

Counterfeit Hardware May Lead To Malware And Failure

May 31, 2017 by 89 Comments

Counterfeit parts are becoming increasingly hard to tell the difference from the real deal, the technology used by the counterfeiters has come on leaps and bounds, so even the experts struggle to tell the real product from a good fake. Mere fake branding isn’t the biggest problem with a counterfeit though, as ieee.com reports, counterfeit parts could contain malware or be downright dangerous.

Way back in 2014 the FBI charged [Marc Heera] with selling clones of the Hondata S300, a plugin engine module for Honda cars that reads sensors, and depending on their values can change idle speed, air-fuel mixture and a plethora of other car/engine related settings. What, might you ask, is the problem, except they are obviously not genuine parts? According to Honda they had a number of issues such as random limits on engine rpm and occasionally failure to start. While the fake Hondata S300 parts where just poor clones that looked the part, anything connected to an engine control unit brings up huge safety concerns and researchers have shown that through ECU access, they could hijack a car’s steering and brakes.

It’s not just car parts being cloned, remember the fake USB-to-serial chips of FTDI-Gate? Entire routers are also being cloned, which doesn’t sound too bad until you realise that the cloners could configure your internet traffic to be redirected through their network for snooping. In 2010 Saudi citizen [Ehab Ashoor] was convicted of buying cloned Cisco Systems gigabit interface converters with the intention of selling them to the U.S Dept of Defense. While nothing sinister was afoot in [Ashoor]’s case other than greed, these routers were to be deployed in Iraq for use by the Marine Corps networks. They were then to be used for security, transmitting troop movements and relaying intelligence from field operations back to HQ.

So who are the cloners and why are they doing it? It is speculated that some of them may be state funded, as there are a lot of countries who do not trust American silicon. Circuits are reverse engineered and find their way to the international market. Then just like the FTDI-Gate case, cloners want to make profits from others intellectual property. This also brings up another question, if there is a mistrust of American silicon, nearly everything is made in China these days so why should we trust anything from there? Even analog circuits can be made to spy on you, as you can see from the piece we recently featured on compromising a processor using an analog charge pump. If you want to defend yourself from such attacks, perhaps look at previous Hackaday Prize finalist, ChipWhisperer.

An Analog Charge Pump Fabrication-Time Attack Compromises A Processor

April 25, 2017 by 47 Comments

We will all be used to malicious software, computers and operating systems compromised by viruses, worms, or Trojans. It has become a fact of life, and a whole industry of virus checking software exists to help users defend against it.

Underlying our concerns about malicious software is an assumption that the hardware is inviolate, the computer itself can not be inherently compromised. It’s a false one though, as it is perfectly possible for a processor or other integrated circuit to have a malicious function included in its fabrication. You might think that such functions would not be included by a reputable chip manufacturer, and you’d be right. Unfortunately though because the high cost of chip fabrication means that the semiconductor industry is a web of third-party fabrication houses, there are many opportunities during which extra components can be inserted before the chips are manufactured. University of Michigan researchers have produced a paper on the subject (PDF) detailing a particularly clever attack on a processor that minimizes the number of components required through clever use of a FET gate in a capacitive charge pump.

On-chip backdoors have to be physically stealthy, difficult to trigger accidentally, and easy to trigger by those in the know. Their designers will find a line that changes logic state rarely, and enact a counter on it such that when they trigger it to change state a certain number of times that would never happen accidentally, the exploit is triggered. In the past these counters have been traditional logic circuitry, an effective approach but one that leaves a significant footprint of extra components on the chip for which space must be found, and which can become obvious when the chip is inspected through a microscope.

The University of Michigan backdoor is not a counter but an analog charge pump. Every time its input is toggled, a small amount of charge is stored on the capacitor formed by the gate of a transistor, and eventually its voltage reaches a logic level such that an attack circuit can be triggered. They attached it to the divide-by-zero flag line of an OR1200 open-source processor, from which they could easily trigger it by repeatedly dividing by zero. The beauty of this circuit is both that it uses very few components so can hide more easily, and that the charge leaks away with time so it can not persist in a state likely to be accidentally triggered.

The best hardware hacks are those that are simple, novel, and push a device into doing something it would not otherwise have done. This one has all that, for which we take our hats off to the Michigan team.

If this subject interests you, you might like to take a look at a previous Hackaday Prize finalist: ChipWhisperer.

[Thanks to our colleague Jack via Wired]

Three Of Our Favorite Hackers

October 11, 2016 by 44 Comments

It’s one thing to pull off a hack, it’s another entirely to explain it so that everyone can understand. [Micah Elizabeth Scott] took a really complicated concept (power glitching attacks) and boiled a successful reverse engineering process into one incredible video. scanlime-power-smoothing-alterationsWe know, watching 30 minutes of video these days is a huge ask, just watch it and thank us later.

She explains the process of dumping firmware from a Wacom tablet by hacking what the USB descriptors share. This involves altering the power rail smoothing circuit, building her own clock control board to work with the target hardware and a ChipWhisperer, then iterating the glitch until she hones in on the perfect attack.

This, of course isn’t her first rodeo. Also known as [scanlime], she’s been on the scene in a big way for a while now. Check out more of her work, and perhaps congratulate her on recently being scooped up for a Principal Researcher role that we’d like to attribute in part to the hacks she’s been demoing online. You should also thank her for being a Hackaday Prize Judge in 2015 and 2016.

led-handbag-debra-ansel-geekmomprojects-closeupThis year we spotted [Debra Ansell] at Maker Faire, not as an exhibitor but an attendee taking her newest creation out in the wild. [Debra’s] LED matrix handbag is a marvel of fabrication — both design and execution are so great it is hard to believe this is not a commercially available product. But no, the one-of-a-kind bag uses woven leather strips spaced perfectly to leave room for WS2812 RGB LED modules to nestle perfectly. Look slike she even posted a tutorial since we last checked! If you don’t recognize her name, you might recognize her company: GeekMomProjects. She’s the person behind EtchABot, a robotic addendum to the diminutive pocket Etch a Sketch which [Debra] sells on Tindie.

troubleshooting-veronica-custom-6502-computer
The custom PCBs of Veronica (in troubleshoot mode)

Our fascination with [Quinn Dunki]’s work goes way way back. She has a software background but her hardware chops are to be admired. Recently we’ve delighted in her efforts to beef up the fabrication abilities of her shop. Want to know how to vet your new drill press — [Quinn] has you covered. We also enjoyed seeing her bring an inexpensive bandsaw up to snuff. There are too many other great hacks from [Quinn Dunki] to start naming them all. We’ll leave you with her amazing work on Veronica, the scratch-built 6502 computer that she brought with her for her Hackaday 10th Anniversary talk. Her avatar at the top is from one of her PCB etching tutorials.

Celebrating Ada Lovelace Day

Today is the second Tuesday in October — it’s Ada Lovelace day, a worldwide celebration of women in science and technology. The hackers above are some of our all-around favorites and we have featured all of their work frequently. Their impact on technology is undeniable, we give them much respect for their skills and accomplishments. We’d love to hear your own favorite examples of women who have incredible game when it comes to hardware hacking. Please let us know in the comments below.

Glitching USB Firmware For Fun

October 4, 2016 by 37 Comments

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware For Fun”

Books You Should Read: The Car Hacker’s Handbook

June 23, 2016 by 44 Comments

I just had my car in for an inspection and an oil change. The garage I take my car to is generally okay, they’re more honest than a stealership, but they don’t cross all their t’s and dot all their lowercase j’s. A few days after I picked up my car, low and behold, I noticed the garage didn’t do a complete oil change. The oil life indicator wasn’t reset, which means every time I turn my car on, I’ll have to press a button to clear an ominous glowing warning on my dash.

For my car, resetting the oil life indicator is a simple fix – I just need to push the button on the dash until the oil life indicator starts to blink, release, then hold it again for ten seconds. I’m at least partially competent when it comes to tech and embedded systems, but even for me, resetting the oil life sensor in my car is a bit obtuse. For the majority of the population, I can easily see this being a reason to take a car back to the shop; the mechanic either didn’t know how to do it, or didn’t know how to use Google.

The two most technically complex things I own are my car and my computer, and there is much more information available on how to fix or modify any part of my computer. If I had a desire to modify my car so I could read the value of the tire pressure monitors, instead of only being notified when one of them is too low, there’s nowhere for me to turn.

2015 was the year of car hacks, ranging from hacking ECUs to pass California emissions control standards, Google and Tesla’s self-driving cars, to hacking infotainment systems to drive reporters off the road. The lessons learned from these hacks are a hodge-podge of forum threads, conference talks, and articles scattered around the web. While you’ll never find a single volume filled with how to exploit the computers in every make and model of automobile, there is space for a reference guide on how to go about this sort of car hacking.

I was given the opportunity to review The Car Hacker’s Handbook by Craig Smith (259p, No Starch Press). Is it a guide on how to plug a dongle into my car and clear the oil life monitor the hard way? No, but you wouldn’t want that anyway. Instead, it’s a much more informative tome on penetration testing and reverse engineering, using cars as the backdrop, not the focus.

Continue reading “Books You Should Read: The Car Hacker’s Handbook”

BGA Hand Soldering Video

January 3, 2016 by 31 Comments

By 2016, most people have got the hang of doing SMD soldering in the garage–at least for standard packaging. Ball Grid Array or BGA, however, remains one of the more difficult packages to work with [Colin O’Flynn] has an excellent video (almost 30-minutes, including some parts that are sped up) that shows exactly how he does a board with BGA.

Continue reading “BGA Hand Soldering Video”