Prototyping Boards Make It Easier To Find Flaws in Specialized Hardware

wiredmikey writes "Author Robert Vamosi writes an interesting piece on how security researchers are using open source 'prototyping boards' and other open source tools now available via the Internet for rapid prototyping of tools used in hardware analysis. 'The days of saying it would take the resources of a nation-state to discover or exploit vulnerabilities in a particular piece of hardware in an industrial control system or a healthcare environment are rapidly fading,' he writes. Vendors who do not test their products before selling them into the field are doomed to be targets of future research and, perhaps, attacks."

"security through obscurity"

[lkcl]

that's funny, because only a few hours ago there was an article posted on slashdot saying how good "security through obscurity" is, with the author of the paper saying that ignorance of the hardware and software is a "good defense". now someone else is saying that the pace of research into hardware is accelerated, and as a Reverse-Engineer and Security Researcher and an intelligent person whom that "security through obscurity" paper clearly sees as a threat, i feel warm and fuzzy now.

Re:"security through obscurity"

[arielCo]

It's not exactly "X good" then "X bad". More like "X may help" and "it's bad to rely solely on X", which can be said about a LOT of things (vitamins come to mind).

Re:"security through obscurity"

[arielCo]

And of course, "X has its advantages and downside", which regarding obscurity are a) that dedicated attackers will know less about your weaknesses, and b) that you lack the potential "many eyeballs" that _could_ help you if they know what to look for.

Big projects like Linux and Firefox attract said eyeballs, but smaller open-source projects may attract the eyeballs intent on harming you, while not being popular enough to attract helpful scrutiny.

Re:"security through obscurity"

[lkcl]

ok - i may just be a very strange individual, then, because reverse-engineering, whilst time-consuming, is something that i can do pretty easily. and, just that one "eyeball" ok two i have binocular vision, it really didn't take long to "crack" NT Domains Security Logins - about 30 days - and immediately it was obvious that there was a serious problem (40-bit bottleneck). then, i had to tackle NTLMSSP later on: again, about 40 days, and again, immediately detected a serious problem or two.

the gnuradio guys: they're not that many people who bother to reverse-engineer APCO P25. yet the moment they did, they found serious flaws in the algorithms, which have been QUOTES SECURE QUOTES for what... over a decade? what bothers me about this is that it's only when people actually try do you find out that actually it's pretty easy to find security flaws.

so the real problem with the whole "security through obscurity" approach is that you *don't* know who's attacked the algorithm.

there's a very interesting exercise which you should try. take a number, say 1000, and invert it. then subtract from one. so, you get 0.999 in this case. now assume that that's the probability that something is "secure through obscurity". now multiply that 1,000 times (1,000 people) - it drops pretty rapidly, huh? now increase that number to 1,000,000. so you do pow(0.999999, 1000000) - what do you notice? it's roughly the same number, isn't it? actually the number is 1 / 2.718281828 which you should recognise, immediately. now, what's interesting is if you either increase the number of people by even a small margin, or you decrease the probability by even a small margin: that "security" drops like a stone.

basically what this means is that if you rely on security through obscurity, it only takes *one* person - out of however many millions the system is exposed to - to "crack" the system, and you're screwed. and, because the intentions of that person are equally unknown, to rely on security through obscurity is just very very dumb.

Re:Not to worry - and take back open hardware!

[Hatta]

of Arduino and the "open hardware" movement. What is the big deal? Yeah, schematics and documentation are free but the circuits they are using are closed.

Well it wouldn't do much of anything if the circuit wasn't closed.

Re:Not to worry - and take back open hardware!

Ever heard of a capacitor?

Re:Not to worry - and take back open hardware!

[Hatta]

Touche!

Another Arduino story...

[vlm]

The article is just another extremely tired "This existed since the 80s, but now that the Arduino supports it, we can act as if it a new invention." And ABSOLUTELY nothing other than the Arduino. "other open source tools"? Not that I saw in the article.

Which is a pity, because I think a DP bus pirate would be way the heck more useful for this kind of work. I used a DP BP to debug the software for a I2C real time clock, but I'm sure it could be used for reverse engineering or nefarious purposes (much like a screwdriver is multi-purpose)

http://dangerousprototypes.com/docs/Bus_Pirate

The days of saying it would take the resources of a nation-state to discover or exploit vulnerabilities in a particular piece of hardware in an industrial control system or a healthcare environment are rapidly fading

Was anyone technical ever dumb enough to ever believe that? Anyone? Ever? Marketing P.R. BS doesn't count.

Re:Another Arduino story...

[Arlet]

Exactly. Similar hardware that the Arduino uses has been available in different forms for decades. It just took a bit more effort by the user, but anybody skilled enough to reverse engineer existing hardware already has all the knowledge to build their own prototyping board.

Re:Another Arduino story...

[drinkypoo]

Either you believe the "many eyes" theory or you don't. Or in this case, many hands. The reason Arduino is a game-changer is that it has really taken off. We could argue all day about why that is, but I suspect the answer is that it has a combination of features including C programming, open hardware, and pre-made shields that actually do stuff, while also being incredibly inexpensive. You could do all the same stuff with the STK500, but that was thirty bucks more than it will realistically cost you to get started with arduino and you had to use assembler which took it out of the reach of some. You can get online and see how someone else used the Arduino to map out some hardware, and probably get the code they used for free, too.

Re:Another Arduino story...

[mikael]

The days of saying it would take the resources of a nation-state to discover or exploit vulnerabilities in a particular piece of hardware in an industrial control system or a healthcare environment are rapidly fading
Was anyone technical ever dumb enough to ever believe that? Anyone? Ever? Marketing P.R. BS doesn't count.

I guess you would need to be able to afford that piece of hardware/sensor setup. If you want to replicate the entire control system of chemical plant, nuclear reactor or CAT scanner, that's probably going to more than max out your credit card.

20 years ago, you'd need $100K+ to put together a UNIX development setup. Workstations and servers cost $10K each, OS licenses, software development kits and manuals even more.

Now, you get workstation performance out of a bargain-bucket laptop, free and full OS application development software with Linux, software I2C, USB and Bluetooth bus snooping, free SCADA software development kits and low budget PLC boards connected via USB.

Re:Another Arduino story...

[zAPPzAPP]

The only really good thing about Arduino is the libraries.
Of course you need to agree to certain hardware standards to build a library around them. Which pin goes where etc. But other than that, it's like using a breadboard with predefined names for connectors...

Re:Another Arduino story...

[mrmeval]

Lattice sold their Brevia development board which has an instant on FPGA. It also has an I/O system that is remarkable. If there's a specification it can't do it's most likely obsolete. I've been able to use the free development software to hook it up to a 3.3v I/O source and record the digital signals. I bought it for 29.95. Unfortunately the 3.3v is hard wired and I've not checked if I can power the I/O with different voltages.

FWIW there is an atmega 168 FPGA core but I've not tried to make it work. It comes with Lattice's micro8 core as a demo.

As soon as I have the funds I will be getting a bus pirate.

Re:Another Arduino story...

[Bassman59]

Lattice sold their Brevia development board which has an instant on FPGA. It also has an I/O system that is remarkable. If there's a specification it can't do it's most likely obsolete. I've been able to use the free development software to hook it up to a 3.3v I/O source and record the digital signals. I bought it for 29.95. Unfortunately the 3.3v is hard wired and I've not checked if I can power the I/O with different voltages.

FWIW there is an atmega 168 FPGA core but I've not tried to make it work. It comes with Lattice's micro8 core as a demo.

You do realize that Xilinx, Altera and Actel also offer pretty cheap development/starter kits with FPGAs, I/O headers and some peripherals? And they work with the free (as in beer) tools supplied by the vendors? Digilent also make a series of low-cost FPGA kits.

Re:Another Arduino story...

[mrmeval]

Yes and Lattice has 'faib' tools as well. The IDE is available at no cost though getting the Linux one to work is an interesting chore since they only support RHEL. I don't recall any of the other vendors offering an FPGA development kit for under 50. Digilent does not have favorable pricing unless you meet their rules as a student or other academic all but one is over 100. Is there an Altera board that matches the Brevia board available for under 100? Same for Actel but I'd not saddle anyone with Actel.

What?

[Murdoch5]

So there just starting to prototype there designs? Isn't this how every single project is started, you use prototyping boards to test the software, then once it's good to go you actually produce the real thing.

No content in TFA

[pinkeen]

There is no justification in the article for the thesis it states so boldly in its title, ergo, the article is completely worthless. Reads like an advertisement. Slow news day?

Re:No content in TFA

[Whitt83]

I'd mod you up if I had points. This headline has absolutely no relation to the article. It's sensationalism at its finest (worst?).

Re:No content in TFA

[kiwimate]

Yep. And sucker me, I'm giving /. page views by responding. But I read the "article" because I couldn't believe the summary described it accurately because, if it did, I was left scratching my head wondering why on earth this was posted.

Unfortunately (and quite remarkably, considering this is Slashdot, after all), the summary was quite accurate. It really is that worthless a story.

Re:No content in TFA

[bruce_the_loon]

I think the thesis of the article is that because Arduino and other prototyping boards are so cheap, products based on these chips will become more widespread and popular. Once they are out there, reverse-engineering them will be easier because you can get the same hardware that was used to develop them.

The same is true for any FPGA or microcontroller, but since some of them had exorbitant costs for the development environment, the average man in the street will not really be able to hack their way through them.

Re:No content in TFA

[pinkeen]

I skimmed through the article once more. It mentions that some security researchers use tools like arduino. Then there is a lengthy description of the new Arduino Due with no indication as to how you could use it (or how it is being used to such extent) to exploit hardware*. And finally author concludes that developers should test their hardware cause now (supposedly because of arduino due) everyone can try and exploit it.

Upon closer examination I conclude there is absolutely no thesis stated in the article. It is a brainless drone-written piece of trash that is barely coherent.


* I am sure that you could use arduino UNO to poke around some types of industrial hardware. I don't see how the coming of DUE is relevant here.

DISCLAIMER I, for one, am a big fan of arduino and other platforms that enable average basement joe to play with real, physical hardware.

Re:No content in TFA

[Bassman59]

There is no justification in the article for the thesis it states so boldly in its title, ergo, the article is completely worthless. Reads like an advertisement. Slow news day?

Wish I had mod points. I agree.

Re:Not to worry - and take back open hardware!

[fuzzyfuzzyfungus]

I would say that you are not doing open hardware unless you at least have a FPGA and distribute the HDL for your design.

Does the FPGA have to be a part for which the complete schematics and documentation are available under an open license(if such a beast exists), or are blackbox chips running their toolchain's output from an OSS HDL file just better than blackbox chips running their toolchain's output from an OSS C file?

Re:Not to worry - and take back open hardware!

[Arlet]

In that case, you don't need the FPGA either. Just use any microcontroller, and port your application to it. There are dozens of vendors to choose from, with thousands of different designs. Each of them just as open as the FPGA.

I Don't Get It

[Ganty]

A few paragraphs about the latest Arduino developments and then a single paragraph bolted on the end talking about vulnerabilities in industrial control systems and healthcare environments. What's the link between the two?

Ganty

Re:I Don't Get It

[Hatta]

Payola.

Arduino deserves the popularity

[Okian+Warrior]

I've been programming microcontrollers professionally for 30 years, and around 30 years ago I started making/using microcontrollers at home for hobby projects.

At that time I was using 68HC11 micros:

a) The 68HC11 is roughly equivalent to the arduino chip of today (ie - Atmega 168)
b) You could buy a 68HC11 dev board for $50, roughly equivalent to the Arduino
c) The programmer was $100

This is not a whole lot different from the Arduino of today, yet 68HC11 hobbyist development was rare.

The difference is in the software. At that time, you could get any number of chips made by several manufacturers. They almost gave away their development boards, because they wanted people to have familiarity with the units. They wanted people to recommend the micros to their employers, which might lead to a big sale.

The difference is in the software. You could get hardware for around $100, but the cheapest compiler you could get was $350 at the low end, topping out at $10,000. The assembler was free. You had to type assembly language into a text editor, use command-line tools to compile and download it, then debug it instruction-by-instruction.

The reason Arduino took off was not all because of the low price, it was because of the ease of use. Atmel gave out the IDE for free, and it was almost literally plug-and-play. You could get a "blink the LED" program up and running in under an hour, including installation of software. WinAVR (based on GCC) is a perfectly acceptable C compiler, also for free.

Atmel gave out the IDE for free, then someone noticed and came out with the Arduino. Bam! Instant market penetration.

That's why the Arduino became so popular: it's because Atmel took the trouble to make using/tinkering with the unit so easy. There was almost no learning curve associated with using the system - you could concentrate almost immediately on getting your work done.

Re:Arduino deserves the popularity

[ColdWetDog]

Perhaps, but TFA is talking about hacking SCADA and other high value targets (stuff that 'nation - states' might be interested). Persons so interested are not going to be put off by a compiler or an IDE. Besides, BASIC STAMP and similar have been around for ages, have similar capabilities, dirt cheap boards and software.

Firstly, I don't see a huge attempt to reprogram every PLC or FPGA in existence. Secondly, much of said behavior is likely script kiddy level. It is now sexy to start talking about hacking at hardware type things, even if not much comes out of it. Thirdly, remember that Ardunos are still pretty weak machines compared to a commercial PLC / FPGA system - it isn't clear how much you can actually accomplish with it.

So this guy goes to a conference and finds a couple of people playing with something. It's the next big thing....

I hope next year the Dev/Ops folks start bringing toasters to the conference. That should muck up the journalist's brain for a while.

Re:Arduino deserves the popularity

[Nethead]

I played with the 68HC11 back in the 90s, damn nice chip. Then a friend turned me on to Intel's 8052AH-BASIC and I don't think I ever burned another 68xx chip after that. Put a payphone into production using the 8052, not because it was cheaper (not by a very long shot) but because we were in a rush to market and an integer BASIC is so much faster to develop in than asm and converting the output to S-code.

Re:Arduino deserves the popularity

[Bassman59]

Firstly, I don't see a huge attempt to reprogram every PLC or FPGA in existence. Secondly, much of said behavior is likely script kiddy level. It is now sexy to start talking about hacking at hardware type things, even if not much comes out of it.

Well, the obvious reason (well, obvious to me, anyway; I'm an EE who does FPGA design for a living) there are very few attempts to reprogram every FPGA in existence is because the FPGAs are always installed on an application-specific circuit board, with application-specific I/O and peripherals. Modifying some product to do something else is a non-starter, simply because of the rework involved.

Re:Arduino deserves the popularity

[drinkypoo]

a) The 68HC11 is roughly equivalent to the arduino chip of today (ie - Atmega 168)
b) You could buy a 68HC11 dev board for $50, roughly equivalent to the Arduino
c) The programmer was $100

This is not a whole lot different from the Arduino of today, yet 68HC11 hobbyist development was rare.

The difference is in the software.

$150 in 1980 dollars is $390 in 2010 dollars. But an Arduino is $20 (or less!) and a programmer is $0 (It's USB.) So even putting the software aside, you are just wrong. Even STK500 is only $50 and comes with a device, which is almost only an eighth of the price of a device and programmer for the Motorola solution, back in the day! And then there's the butterfly...

Re:Arduino deserves the popularity

[Animats]

The reason Arduino took off was not all because of the low price, it was because of the ease of use. Atmel gave out the IDE for free, and it was almost literally plug-and-play. You could get a "blink the LED" program up and running in under an hour, including installation of software. WinAVR (based on GCC) is a perfectly acceptable C compiler, also for free.

I've programmed both the 68HC11 and the Atmel ATMega128, but without the Auduno cult. He's right about the 68HC11 - back in the 1980s, it was really hard to get a C compiler for the thing. At one point I used a commercial Forth interpreter.

For the ATMega128, which is a reasonably modern low-end microcontroller, the Atmel tool suite is free, and quite straightforward if you're a programmer and an electrical engineer. But if you give someone whose previous experience is limited to Javascript an ATMega development board and the software to develop for it, they'll be overwhelmed.

What the Arduno has is beginner-friendly documentation and some simplified programmingtools. There have been other machines that did - the PIC and the Basic Stamp powered a generation of low-end hobbyist hardware projects, for far longer than they should have. There were better microcontrollers for years, but they were not hobbyist-friendly. (Motorola 680x0-based microcontrollers, for example, were cheap and powerful, but never caught on in the hobbyist world.)

There's nothing magic about development boards - most complex general-purpose parts have one. That's not a security issue. Nor is there much mystery about how industrial control systems work. You don't need the resources of a nation-state. The gear tends to be more expensive than consumer gear, but we're talking thousands, not millions. Anybody who can afford to customize a car can play in that game.

Re:Arduino deserves the popularity

[Muad'Dave]

Also in the mix are the chips from Microchip - there are no-cost C compilers for most of their line, and they've recently adopted Eclipse as their IDE platform.

I was hacking together projects using their CPUs before Arduino existed (IIRC). Before that, Z-80's. RAS/CAS, anyone?

Re:Arduino deserves the popularity

[mantaraya36]

Atmel gave out the IDE for free, then someone noticed and came out with the Arduino. Bam! Instant market penetration.

Actually Wiring (http://wiring.org.co/) was first, then Arduino took the code to use it on cheaper chips. And Arduino keeps using code from Wiring, even today, without a proper attribution. It's true they stick to Wiring's license, but it would be nice if they let the world know it wasn't their idea.

I always use prototyping boards because...

[MindPrison]

...it makes it easier to get results here and now.

Sure, I can EAGLE it all, and print a result, 2 weeks later get a PCB and THEN fault find...suuuuure....but it sucks donkeysballs.
I'm an old guy by kids standards, and I love to get my results here and now, so I use prototyping boards, I've bought a bunch of these from eBay suppliers, and I'm as happy as a kid on christmas or a kid in a candy store about these, it's cheap, it's just solder and go...and I've got instant results here and now!

Now that...to me...and old SKOOL 300/75 Baud hacker like me...stuff I can relate to!

Re:I always use prototyping boards because...

[Man+On+Pink+Corner]

What model router do you use?

Re:Not to worry - and take back open hardware!

[Arlet]

On the other hand, the microcontroller offers many advantages over the FPGA. They use a single power supply, while an FPGA may use 3 different ones. They have more package options, including small ones, with 6 or 8 pins, and a variety of DIP packages. Flash/EEPROM memory is usually included for microcontrollers, and usually not for FPGAs. Analog interfaces, such as ADC/DAC/comparator and brown-out circuitry are typically integrated, as well as semi-analog stuff such as USB PHYs. In addition, the microcontroller is cheaper, easier to use, and has a wider selection of tools (including open ones such as GCC)

If you're just looking for plain old microcontroller functionality, nothing beats a microcontroller.

Re:Not to worry - and take back open hardware!

[JimCanuck]

Speaking of Arduino and the "open hardware" movement. What is the big deal? Yeah, schematics and documentation are free but the circuits they are using are closed. It is a shame that all the Arduino people have taken the "open hardware" label and misused it.

Pretty much. Arduino does nothing the Atmel Studio already did such as interface with AVR-GCC. You just save on the ISP due to the bootloader, which other development boards have had anyways for a while. And its something Atmel has published, the specifications and methods to set up boot loader for the AVR.

Actually, AVR Studio 4/5 is over all better quality then the Arduino IDE GUI that looks like it was put together by a grade 10 computer science student. And the interface to AVR-GCC ain't all that great. Using AVR-GCC directly or through Studio will produce less issues especially once you start to use more advanced features of the AVR controller.

Re:Not to worry - and take back open hardware!

[artor3]

Ever heard of a Clapp oscillator?

thanks

[kordsoft]

[url=www.kordsoft.com]Rapidshare, Megaupload, Mediafire, HotFile, Uploading, free download, parts, part, portable, full, crack, serial, patch, update, key, antivirus, software, apps, online, find, search, wallpaper, windows, application, episode, episodes, torrents, direct, season, Torrents[/url]

Article Says Nothing

[Gyorg_Lavode]

The article says nothing. After reading it I am no more aware of how a programmable microcontroller could be used in attacks than I was before. While I would love to either think of or read about how microcontrollers could directly benefit pen testing (as opposed to the current method of using them to control a quadcopter or UAV plane), I still don't have the answer.

P.S. Of course there have been examples. The malicious mouse which contained a mass storage device and a HID emulator to run malware from the storage was pretty cool.