Firmware hack starring our friends at NSA

This is somewhat of an admission of failure. You can't easily pigeon-hole everything, and most real projects use commercial software, homebrew, and hardware all at once. So, for you makers out there (including me) - this is where to put whole projects that don't fit well in the other forums.

Postby Donovan Ready » Mon Feb 16, 2015 7:09 pm

Not sure if this is the place, but:

Kaspersky Labs discussion

They're making much of this. My comment (as Dr. Toad) was posted as a question for Doug or any other systems programmers.

Re: Firmware hack starring our friends at NSA

Postby Doug Coulter » Tue Feb 17, 2015 12:26 pm

It'll do as a place. I have been following this, as I'd had a crypto project underway that is now utterly co-opted by this. I had all the signs, but simply didn't think evil enough. I'm too nice, apparently. I even take my tinfoil hat off now and then.

NSA has broken the world; it's only going to be a very short time before copycat attacks, since, unlike what Kaspersky said, this is simple to do apart from intercepting the snail mail, which isn't really required.

A few minutes with a legit drive or BIOS update and a logic scope and you have all you need to add your little extra package, and signing the code or putting in a readback function helps not at all, since we already know signing can be broken via one bad certificate from one bad CA (there are actually lots of those), and you can't trust it anyway if someone else's code is in there to do "whatever", including reading back what you expect instead of what's really there. That's a trivial hack.
There are actually only a small number of instruction sets out there; it would be relatively easy to figure out which one that house-numbered chip was running...

Perhaps I shouldn't have given away all those old mobos and IDE drives that probably no one has bothered to attack (yet). Does anyone really think the manufacturers will go back to PROM? Even without pressure not to - they are spoiled by getting to ship stuff with bugs and then fix them later, after using us for free (actually we pay them) beta testing.

Some links:
Ars: http://arstechnica.com/security/2015/02 ... d-at-last/
Background, really good, Bunnie Huang (with hindsight, all we needed to know, actually - you just had to think more like an attacker than I generally do):
http://www.bunniestudios.com/blog/?p=3554

Kind of surprised there's nothing on Schneier's site yet. Maybe he's thinking about it. But he's in a special situation, having actually seen all the Snowden dox, but promising to let Ed's plan of the journalists deciding what to release be in effect, so he's kind of gagged himself on some things here. Too bad, this is right up his alley, hardly anyone understands the implications better.

What they (Bunnie) did is actually harder than what Kaspersky describes. Most regular hard drives ship with a flash updater, where most USB ones don't: "too cheap to need support". Though as they said, there is obviously code to fool with the USB stick innards out there in China. Not hard to get I suppose, if you have the right friends.

I was going to do a multi-layer crypto that with wrong keys would pop out (random, garbage) plaintext and set off the automated detector you know they have to have in their data centers, as there's no way they can actually find that many human crypto guys who are also Iowa farm boys... going from Snowden's "at scale" comment and reading between the lines on the fast deflection of multi-layer crypto as an idea there. My plan was to leave it on the digital equivalent of a street corner and run like hell... hoping for viral adoption, based on a USB stick that would wipe a partition with dd after use - really wipe it, running its own read-only distro on the other partition, live. But as Kaspersky points out, if you get the firmware of the drive controller, even that won't work. Too bad; it would have required them running an extra many thousands of lines of code per obfuscated crypto attack, and melted even Utah... I did solve the key-exchange problem without RSA or Diffie-Hellman. But it doesn't matter how good your crypto is - and in general, the good stuff is open source and they can't crack it reasonably - if someone has your plaintext anyway, or key, via this backdoor. You're hosed.

https://www.youtube.com/watch?v=7Ui3tLbzIgQ

The NSA has broken the world. Here come the copycats. The guys complaining about them hoarding zero-days instead of doing their job and making us more secure were right. This sucks.
I suppose I should be glad not to have given away quite all of my "obsolete" machines, you know, the type that aren't field-flashable. At this point, nothing else can be trusted, as you read back the flash in the drive controller/BIOS using a CPU running out of that same stuff... work it out. Unless you can remove and reprogram the flash as a separate component, you are hosed, and since these days it's mostly all on the same chip... there's nothing whatever you can do. No, dd and hdparm won't help one bit if the attack is even partly clever. You'll just see what you expect, no matter what's actually there.

If you did something disruptive even with an odd uP - say a Wi-Fire board, and it got popular, who is to say someone doesn't lean on someone to bugger the microcode? Or as Microchip has been doing for a long time now, hiding something in ROM to avoid having to pay royalties on certain patents (an infringing debugger), that takes quite a bit of skill and RE to even find? For now, that's not malicious stuff (in fact, it's an attack surface) but...

The upshot is that just about every machine made for the last 15 years or thereabouts is now not secure from copycat attacks (and never was from them). Do we just throw them all away? Thanks, guys </sarc>. I suppose they can sleep OK, figuring if not them, someone would have realized this, but... it's still lower than a lizard's belly.
Assume the position:
[image: kermit.jpg]
Posting as just me, not as the forum owner. Everything I say is "in my opinion" and YMMV -- which should go for everyone without saying.

Re: Firmware hack starring our friends at NSA

Postby Donovan Ready » Tue Feb 17, 2015 7:04 pm

Most appreciated!
