Researcher Has New Attack For Embedded Devices

tinkertim writes "Computerworld is reporting that a researcher at Juniper has discovered an interesting vulnerability that can be used to compromise ARM and Xscale based electronic devices such as many popular routers and mobile phones. According to the article, the vulnerability would allow hackers to execute code and compromise personal information or re-direct internet traffic at the router level. Juniper plans to demonstrate not only the researcher's discovery, but also how he managed to use a common JTAG developed Boundary Scan to discover the vulnerability at this month's CanSecWest conference in hopes of shifting more of the black hat community to looking at devices instead of software."

Researcher Has New Attack For DOS

[obarel]

You can use a debugger to actually see where the code checks for the registration key, and by manipulating the program in a hex editor, you could even make the code skip over the check and run without the key.

I've just had the greatest idea for my PhD.

Re:Researcher Has New Attack For DOS

[pytheron]

Hardly new ! We were doing this way back in the warez scene on the Amiga. Whip out your favorite dissasembler, change a few bne.w instructions to jump to the "it's authenticated!" code. Myself and a colleague even did this on the Palm Pilot. (Anyone remember that monkey that you fed crack pipes to on this ?)

Via JTAG?

Is this implying that it could be done remotely? The product I work on supports JTAG access via software, but if you can do that, you already own the box. (And have our internal hardware specifications.)

If it's not remote, then what's the point? I though it was already well-established that if you have physical access to the device you can do anything you want.

Re:Via JTAG?

[microbee]

I believe it requires physical access, so it's like "hacking own box". However, vendors typically do not grant full access (read: shell) to customers so very experienced customers (or competitors) could now use this method to get into the black box and find out more internal details.

Re:Via JTAG?

[yorgasor]

No, he used JTAG to discover the vulnerability. He will disclose how to take advantage of the vulnerability at the conference. He's just letting other people know they can peek into hardware using the JTAG interface as well.

Re:Via JTAG?

[QuasiEvil]

Difficult at best, impossible in 99.999% of cases. For the most part, in modern high speed digital design, all of the bus path lengths are close to the same for reasons of propagation delay. Also, you don't really want to induce current flow, you want to induce a DC voltage at exactly the right moment. As you'll remember, one of the components of induction is frequency, and you'd need to synchronize your induced peaks with exactly when the device was sampling.

I'm not saying it's impossible, but it would be a herculean effort to even provide the most basic of anomalies reliably. Plus, well, most of your massive effort could be defeated by the $4 metal case. :)

Long on hype, short on details

[russotto]

If the attack involves popping open the router and attaching wires to the JTAG port, I'm not going to worry about it.

Re:Long on hype, short on details

[jhfry]

I think what it's actually saying is that, by using the jtag to better understand the configuration of the machine, new exploits can be found.

So it's not exactly an exploit, but a way to discover exploits by targeting issues with the embedded processors as discovered via jtag access to a similar unit.

Re:Long on hype, short on details

[mr_mischief]

My original understanding from the quotes was that the guy actually found a possible exploit vector by using JTAG. (I tend to read just the quotes first in articles which are interviews on technical topics -- it's often easier to get a sense of what the subject of the interview is talking about without misinterpretations by reporters.)

TFA talks about using JTAG itself to run exploits, which I don't care about since physical security is the first layer of any security plan. If someone has better physical access to a router than I do then from a security standpoint it's their router, not mine, no matter who paid for it. At that point, the route is already suspect.

If it's something about sending malformed network traffic that triggers something to happen at the processor level even if the firmware is solid, then that's an expensive thing to fix.

Re:Long on hype, short on details

[HomelessInLaJolla]

Jack used JTAG to discover exploits in the hardware. The exploit can, most probably, be taken advantage of from the WAN side using malformed packets and raw payloads.

The proper trained eye looking at the circuit schematics would have been able to identify the same things--and probably have. The engineers who see the exploits usually take them home and play core wars with their friends. It's the same concept as reverse engineering closed source drivers. The original engineers wrote the closed source implementation and now Jack (at Juniper) is reverse engineering it and finding some interesting twists along the way.

What do you call a zero day exploit before it's released to the general public and called a zero day exploit? Whatever it's called it has existed since before common home routers have been available at major consumer outlets. It's impossible to think that nobody ever took advantage of it until now.

Re:Long on hype, short on details

[jhfry]

The article clearly says that he discovered the exploits while tinkering with JTAG.

He said he came up with the technique after spending several months cracking open and soldering test equipment onto a range of embedded devices. By taking advantage of ... JTAG (Joint Test Action Group) Jack was able to sneak a peek at the systems' processors and get a close-up look at how they worked. "With every hardware device, there has to be a way for developers to debug the code and all I did was take advantage of that," he said. "As I was digging deeper into the architecture, I saw a couple of subtleties which could allow for some interesting things. So while using the JTAG to debug the processor he noticed a couple of potential exploits.

The rest of the article goes on to discuss the security implications of leaving the JTAG enabled

Though some companies are able to cut off the JTAG interface on their products, Jack said it was enabled in 90 percent of the devices he examined. I am certain that this article isn't trying to suggest that hackers break into networks using JTAG... that's just plain dumb. What he is saying, is that because most devices leave their JTAG intact, hackers can debug the code on their processors and find flaws. Essentially reverse engineering the underlying architecture and using that knowledge to exploit it.

I imagine that Juniper produces some of the 10% of those devices that disable the JTAG on their equipment, that is why they are promoting this in hacker circles.

Re:Is the article suggesting

[ePhil_One]

that Juniper wants the BLACK HAT hackers focusing on their hardware?

Not on their hardware, but hardware in general. Show folks that those Linksys firewalls aren't as good as the Netscreen product which cost 5x to 100x more. I'm sure they are unreasonably confident in the security of their own product.

Attacking embedded devices.

[oman_]

The article doesn't claim that the attack uses the JTAG port. It claims that he used the JTAG port to find some sort of vulnerability. People do this ALL THE TIME.... I do it at work to reverse engineer automotive computers.

Now it does say that there is some peculiarity of these specific CPUs that makes them vulnerable to an attack of some sort. I hope the peculiarity isn't the presense of the JTAG port. If you assume people won't get your binary code off of a chip because it doesn't have a debug port then you're a fool.

If you have physical access, you already won.

[argent]

About the only part of the software industry that doesn't assume that you've already won if you've got physical access to the box (and getting into a JTAG port kind of implies that) are the folks who still have a dog in the DRM fight... and there's fewer of them every year.

Re:Wii

[antime]

This is the presentation, and you can download a video from here.

Re:Good God...

[billcopc]

Firmware can only do so much. They're basically taking advantage of the JTAG debugging circuitry. It's the kind of thing you use during design, then usually you just strip off the connector/header before shipping. You could completely remove the JTAG and be safe that way, but that means reworking the circuit one last time _without_ debugging functionality, where a lot of things can go wrong and you have no way of tracing them... well, not without pulling out your grand-daddy's digital probe and frequency counter.

JTAG vulnerabilities are one way that satellite hackers (I refuse to call them "testers") pull decryption keys from dish receivers. You could think of JTAG as the hardware equivalent to a software debugging interrupt, where you can read/write to the bus and send commands to many components of the device.

JTAG Is a tool, not an exploit

Barnaby used the JTAG to determine vulnerabilities in embedded hardware and the RTOS running on it. The vulnerability is not that he used a JTAG, or even that companies leave JTAG ports enabled on hardware (as i've seen clever hardware hackers pin out the chips themselves to re-enable a removed JTAG port). The point of this article, and much of the work barnaby has been doing for the past couple years (http://research.eeye.com/html/advisories/publishe d/AD20060714.html , also previous presentations at cansec, blackhat, and other confs), is that hardware is not safer than software. Hardware has a slightly higher cost of entry into the vulnerability research area, but it also offers a treasure trove of vulnerabilities for those willing to make the jump.