Dumping script window, showing the bytes being dumped one by one from the STM chip

Need To Dump A Protected STM32F0x? Use Your Pico!

February 5, 2023 by Arya Voronova 21 Comments

Sometimes, security mechanisms can be bypassed if you just do things slightly out of the ordinary. For instance, readout protection on microcontrollers is a given nowadays, to the point where it’s intentionally enabled and relied upon as a major technical measure to protect intellectual property. The gist is — when you connect to a microcontroller over its debug interface and then ask to read its flash memory, it will politely refuse. However, [Racerxdl] shows us that in practice, it’s not flawless protection – for certain chips, you just need to be a little quicker than usual.

Usually, flashing and debugging software will chat with the microcontroller for a bit, and probe parameters before going for any direct requests. However, if you skip the courtesy and bluntly get to the point immediately right after power is applied to the microcontroller, you can intimidate them just enough to give you one byte of its memory before it refuses to cooperate further. Since that can be any byte you wish, you can read the entire flash — one byte at a time.

You need to power cycle the chip before you can progress, so the hardware does involve a bit more than just an SWD interface, and it will take a fair bit more time than reading out a non-protected chip the usual way; plus, of course, the debugging interface needs to be active for this in the first place, which isn’t always the case. However, it still beats paying a few thousand dollars for a factory in China to decap your chip and read it out using a fancy machine.

[Racerxdl] didn’t just write a proof-of-concept for this attack – they implemented it for one of our favourite chips, the RP2040. As such, you no longer need an unobtainium STM32 to dump an unobtainium STM32.

To be clear, [Racerxdl] didn’t design this attack — it’s been around for some time now. Credit for that goes to Johanes Obermaier. All in all, this is a wonderful reminder that seemingly reliable security mechanisms can be foiled by the simplest tricks. For instance, if your chip erases the flash when you unlock its protection, you can just tell it not to.

This Week In Security: Github, Google, And Realtek

February 3, 2023 by Jonathan Bennett 4 Comments

GitHub Desktop may have stopped working for you yesterday, Febuary 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, Github is taking the proper steps of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software is no longer easily installed. If nothing else, it’s a reminder that even a project with a well run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA Shim. That’s a special boot loader target that contains a valid signature, but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu with some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more. Like rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem. Meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked. Continue reading “This Week In Security: Github, Google, And Realtek” →

A modchip described in the article - a small PCB with an epoxy blob on it, soldered to the Cisco switch PCB using four thin wires

Counterfeit Cisco Hardware Bypasses Security Checks With Modchips

February 1, 2023 by Arya Voronova 32 Comments

Some pictures recently surfaced on social media, showing a small PCB tapped into four points on Cisco-branded boards. What is this about? A NSA backdoor so data can be exfiltrated to some third party? Well, that’s theoretically possible, but it’s actually used for bypassing hardware authenticity checks in Cisco hardware being cloned — a sizable industry. Of course, “can’t believe it’s not Cisco” hardware is only valuable insofar that it’s able to run the Cisco software, and that’s where the bodge boards play a major role.

A 2020 report by F-Secure details an investigation, comparing three switches marked as Cisco 2960X – one known genuine and two known counterfeits. The counterfeits had the aforementioned implants either soldered to the bottom of the PCB or added to the board as a separate component, and the paper goes into why they’re important for successful counterfeiting.

Apparently, these chips emulate or bypass an I2C EEPROM containing part of the code executed during the boot sequence, and Cisco depends on this EEPROM’s contents for authenticity verification. Cisco software reads the EEPROM twice — once for verification, and once again for actually running it. The microcontroller included on the mod board can return a genuine binary with a valid signature on the first read, and a binary with hardware checks patched out for subsequent reads.

The paper will tell you about way more than this — it’s thorough yet captivating. As you’d expect, it devotes quite a bit of time to comparing genuine and counterfeit boards, showing that the cloning process is pretty to-the-T, save for some part substitutions. For instance, check out the PDF page 12 to see how via locations are exactly copied between PCBs in a bizarre way, or the Cisco file format and authenticity check analysis closer to the end of the report. All in all, the 38 pages of the document make for a fun foray into what makes Cisco authentication mechanisms tick, and what helps clone hardware makers bypass them.

Are such chips ever used for adding backdoors and data exfiltration? There’s no evidence of that, as much as that’s not to be excluded — bypassing anti-cloning protections would make other hijinks more viable no doubt, that said, only hardware authentication bypass measures were found so far. This mechanism also breaks during software updates, and absolutely, leaves some to be desired when it comes to its stated functionality. That said, such fun insights can help us, say, enforce right-to-repair, enable hardware reuse, and thwart many predatory business practices in areas where laws fail us.

Opening A Safe With A Stepper Motor And DIY Auto-Dialer

January 29, 2023 by Maya Posch 24 Comments

What do you do when you happen to come into possession of a safe of which the combination is lost to the sands of time? If you’re someone like [eNBeWe], you grab a stepper motor with driver module you had lying around gathering dust, an ESP8266 for the brains and a few other pieces to build your very own auto-dialer to crack that safe combination. The software has been made available on GitHub for those interested.

While other auto-dialers used with the fun hobby of safe cracking can generally find the combination in a matter of hours if not less, it took [eNBeWe]’s contraption two days to crack the combination. Much of this was due to the hacked together nature of the structure, with the glue joints among other weak points that’d probably not take too kindly to a lot of abuse. Since there was no particular rush to get into the safe, this worked out fine.

As an impromptu auto-dialer thrown together with parts that were lying around it seemed to perform just fine for the task, and we presume that this is the beginning of a beautiful new lock- and safe-picking hobby.

Continue reading “Opening A Safe With A Stepper Motor And DIY Auto-Dialer” →

This Week In Security: GTA, Apple And Android, And Insecure Boot

January 27, 2023 by Jonathan Bennett 11 Comments

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. This packets can contain malformed data which has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this aspect will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large playerbase, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue. Continue reading “This Week In Security: GTA, Apple And Android, And Insecure Boot” →

Four images in one. Top left is an image of four individuals in a room with whiteboards and desks in the background along with various clutter on the floor. Over the people is a wireframe overlay of their poses. The image on the top right is just the wireframe people on a black background. Bottom left image is of a single individual standing in a room with the pose wireframe overlay. Bottom right image is the single pose wireframe on a black background.

Tracking Humans With WiFi

January 26, 2023 by Navarre Bartz 46 Comments

In case you thought that cameras, LiDAR, infrared sensors, and the like weren’t enough for Big Brother to track you, researchers from Carnegie Mellon University have found a way to track human movements via WiFi. [PDF via VPNoverview]

The process uses the signals from WiFi routers for an inexpensive way to determine human poses that isn’t hampered by lack of illumination or object occlusion. The system produces UV coordinates of human bodies by analyzing signal strength and phase data to generate a 2D feature map and then feeding that through a modified DensePose-RCNN architecture which corresponds to 3D human poses. The system does have trouble with unusual poses that are not in the training set or if there are more than three subjects in the detection area.

While there are probably applications in Kinect-esque VR Halo games, this will probably go straight into the toolbox of three letter agencies and advertising-fueled tech companies. The authors claim this to use “privacy-preserving algorithms for human sensing,” but only time will tell if they’re correct.

If you’re interested in other creepy surveillance tools, checkout the Heat-Sensing Crotch Monitor or this Dystopian Peep Show.

An illustration of a key sitting on an ID card. The key is light grey and the ID card is a darker grey gradient. The ID card says ID-1 Card 85.60 by 53.98 mm

All Your Keys Are Belong To KeyDecoder

January 21, 2023 by Navarre Bartz 56 Comments

Physical security is often considered simpler than digital security since safes are heavy and physical keys take more effort to duplicate than those of the digital persuasion. [Maxime Beasse and Quentin Clement] have developed a smartphone app that can duplicate a key from a photo making key copying much easier.

KeyDecoder is an open source Android app that can generate all the necessary bitting info to duplicate a key from just an image. Luckily for the paranoid among us, the image must be taken with the key laying flat without a keyring on an ISO/CEI 7810 ID-1 ID or credit card. A passerby can’t just snap a photo of your keys across the room and go liberate your home furnishings, but it still would be wise to keep a closer eye on your keys now that this particular ~~cat~~ hack is out of the bag.

The project’s GitHub page is awash in warnings that this tool is designed solely for “pentesters and security enthusiasts” to warn their friends and clients about the dangers of leaving their keys exposed. After learning about this tool, we wouldn’t be surprised if some in the audience start rethinking how they carry and store their physical keys from now on.

If you want to see some more hacks to duplicate keys, checkout Copying High Security Keys With OpenSCAD And Light and Methods Of Copying High Security Keys.