Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Has New Attack For Embedded Devices

Posted by Zonk on from the he-can't-take-it-there dept.

tinkertim writes "Computerworld is reporting that a researcher at Juniper has discovered an interesting vulnerability that can be used to compromise ARM and Xscale based electronic devices such as many popular routers and mobile phones. According to the article, the vulnerability would allow hackers to execute code and compromise personal information or re-direct internet traffic at the router level. Juniper plans to demonstrate not only the researcher's discovery, but also how he managed to use a common JTAG developed Boundary Scan to discover the vulnerability at this month's CanSecWest conference in hopes of shifting more of the black hat community to looking at devices instead of software."

8 of 86 comments (clear)

  1. Via JTAG? by Anonymous Coward · · Score: 5, Interesting

    Is this implying that it could be done remotely? The product I work on supports JTAG access via software, but if you can do that, you already own the box. (And have our internal hardware specifications.)

    If it's not remote, then what's the point? I though it was already well-established that if you have physical access to the device you can do anything you want.

    1. Re:Via JTAG? by yorgasor · · Score: 4, Insightful

      No, he used JTAG to discover the vulnerability. He will disclose how to take advantage of the vulnerability at the conference. He's just letting other people know they can peek into hardware using the JTAG interface as well.

      --
      Looking for a computer support specialist for your small business? Check out
  2. Re:Long on hype, short on details by jhfry · · Score: 3, Informative

    I think what it's actually saying is that, by using the jtag to better understand the configuration of the machine, new exploits can be found.

    So it's not exactly an exploit, but a way to discover exploits by targeting issues with the embedded processors as discovered via jtag access to a similar unit.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
  3. Attacking embedded devices. by oman_ · · Score: 3, Informative


    The article doesn't claim that the attack uses the JTAG port. It claims that he used the JTAG port to find some sort of vulnerability. People do this ALL THE TIME.... I do it at work to reverse engineer automotive computers.

    Now it does say that there is some peculiarity of these specific CPUs that makes them vulnerable to an attack of some sort. I hope the peculiarity isn't the presense of the JTAG port. If you assume people won't get your binary code off of a chip because it doesn't have a debug port then you're a fool.

    --
    Rats would be more funny if they could fart.
  4. If you have physical access, you already won. by argent · · Score: 3, Insightful

    About the only part of the software industry that doesn't assume that you've already won if you've got physical access to the box (and getting into a JTAG port kind of implies that) are the folks who still have a dog in the DRM fight... and there's fewer of them every year.

  5. Re:Long on hype, short on details by HomelessInLaJolla · · Score: 5, Informative

    Jack used JTAG to discover exploits in the hardware. The exploit can, most probably, be taken advantage of from the WAN side using malformed packets and raw payloads.

    The proper trained eye looking at the circuit schematics would have been able to identify the same things--and probably have. The engineers who see the exploits usually take them home and play core wars with their friends. It's the same concept as reverse engineering closed source drivers. The original engineers wrote the closed source implementation and now Jack (at Juniper) is reverse engineering it and finding some interesting twists along the way.

    What do you call a zero day exploit before it's released to the general public and called a zero day exploit? Whatever it's called it has existed since before common home routers have been available at major consumer outlets. It's impossible to think that nobody ever took advantage of it until now.

    --
    the NPG electrode was replaced with carbon blac
  6. Re:Long on hype, short on details by jhfry · · Score: 5, Informative
    The article clearly says that he discovered the exploits while tinkering with JTAG.

    He said he came up with the technique after spending several months cracking open and soldering test equipment onto a range of embedded devices. By taking advantage of ... JTAG (Joint Test Action Group) Jack was able to sneak a peek at the systems' processors and get a close-up look at how they worked. "With every hardware device, there has to be a way for developers to debug the code and all I did was take advantage of that," he said. "As I was digging deeper into the architecture, I saw a couple of subtleties which could allow for some interesting things. So while using the JTAG to debug the processor he noticed a couple of potential exploits.

    The rest of the article goes on to discuss the security implications of leaving the JTAG enabled

    Though some companies are able to cut off the JTAG interface on their products, Jack said it was enabled in 90 percent of the devices he examined. I am certain that this article isn't trying to suggest that hackers break into networks using JTAG... that's just plain dumb. What he is saying, is that because most devices leave their JTAG intact, hackers can debug the code on their processors and find flaws. Essentially reverse engineering the underlying architecture and using that knowledge to exploit it.

    I imagine that Juniper produces some of the 10% of those devices that disable the JTAG on their equipment, that is why they are promoting this in hacker circles.
    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
  7. Re:Wii by antime · · Score: 3, Informative

    This is the presentation, and you can download a video from here.