![BSL+)ming+aWack+
• Password*byte*comparison*has*a*single*clock&cycle*5ming*difference*
between*the*"correct"*and*"incorrect"*paths*
• Send*each*byte*([0x00&0xff]*x*32)*and*measure*#*of*clock*cycles*to*
determine*byte*makeup*of*password*
BSL*1.10*](https://image.slidesharecdn.com/d301thomasbradenexploitationofhardenedmsp430-baseddevice-141222100353-conversion-gate01/85/NSC-2-D3-01-Thomas-Braden-Exploitation-of-hardened-MSP430-based-device-24-320.jpg)
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
- 2. Who+am+I+ Braden+Thomas+(@drspringfield)+ • Senior*Research*Scien5st,*Accuvant* • Primarily*focus:*embedded*devices,*reverse&engineering,*exploit* development* • Previously*worked*at*Apple*Product*Security* • So#ware(background*
- 3. Agenda+ • What*is*this*lockbox?* • Android*app* • Opening*the*device* • MSP430*Firmware*extrac5on:*techniques*used*and*tried* • Findings* • Demo*
- 4. Why+is+this+interes)ng?+ • Devices*aKemp5ng*to*to*store*crypto*secrets*in* general&purpose*microcontrollers*flash* • Just*because*it’s*cheap*and*easy,*it’s*not* necessarily*smart* – This*lockbox*is*a*case*study*of*why* • Hack*into*houses…* – Over*Bluetooth!*
- 5. • Real*estate*physical*key* container* • #1*in*market,*main* compe55on*is*SentriLock* Unnamed+real+estate+lockbox+ Lockbox* Lockbox*BT* Lockbox*BT*LE*
- 6. Keys+ • Legacy*key* • Cell*radio* • eKey:*iOS/Android* app* • Dongle/Keyfob*for* Bluetooth/IR*
- 7. Android+App+
- 8. • Focused*on*authen5ca5on*algorithm* • Each*eKey*has*a*serial*number*and*a*“syscode”* – Syscode*is*an*integer*corresponding*to*regional*market** (e.g.*Atlanta)* • Serial*number/Syscode*are*required*at*first*app*launch* in*an*obfuscated*blob* eKey+Android+app+
- 9. eKey+Android+app+ • Serial*number/syscode*are*used*as*creden5al*to*speak*to* back&end*web*service* • Web*service*provides*authen5ca5on*“cookies"*(binary*blobs* of*data)* • App*transmits*cookies*to*the*Lockbox*over*Bluetooth/IR* • Must*provide*PIN*code*(associated*with*serial*number/ syscode)*to*open*the*lock*
- 11. Programmed+auth+ • All*cookies*contain*AES*MACs*so*cannot*be*modified* • eKey*also*sends*“update*bytes”*which*change*daily* – Only*available*from*Manufacturer*server*(AES*MAC)* • eKey*can*generally*only*open*lockbox*in*same*syscode*
- 12. Must+access+firmware+ • AKacker*doesn’t*have*a*valid*serial/syscode* • Even*if*obtained*one*(social*engineering),*don’t*have* keyholder’s*PIN* • And*doesn’t*want*to*communicate*with*Manufacturer’s* server*to*obtain*cookies*
- 16. Internals+ Lockbox:+ • MSP430F147* • TFBS4710*serial*IR* transceiver* • 24LC256*serial* EEPROM* Lockbox+BT:+ • MSP430F248* • STMicroelectronics* bluetooth*serial*module* • Atmel*EEPROM*
- 17. Reverse7engineering+steps+ • Focus*on*Lockbox* – Board*easier*to*obtain*(no*annoying*rivets)* – Older*sooware*more*likely*to*be*insecure* – Keys*are*the*same*anyway!* • Map&out*the*test*pads* • Find*debugging*interfaces* • Perform*firmware*extrac5on*
- 19. MSP430+firmware+extrac)on+ • JTAG+ – 4&wire*and*2&wire* – MSP430F147*only*supports*4&wire* – JTAG*security*fuse*is*blown,*prohibi5ng*JTAG* • BSL+
- 20. BSL+Overview+ • “Bootstrap*loader”* • Serial*interface* • Permits*read/write*access*to*flash*memory* • Implemented*with*code*stored*in*special*flash*region* • Nearly*all*acccess*is*restricted*with*password* – Interrupt*vector*table*is*used:*inherently*unique*and*secret* – Only*mass&erase*can*be*performed*without*password*
- 21. Exis)ng+BSL+aWacks+ • Travis*Goodspeed:*“Prac5cal*AKacks*Against*the*MSP430* BSL”*in*2008* – Voltage*glitching*aKack* – BSL*password*comparison*5ming*aKack*
- 22. Voltage+glitching+ aWack+ • Used*GoodFET22*with*ADG1634*+*DAC* for*glitching*during*authen5ca5on* check* • Remove*the*chip*from*the*board*to* avoid*interference* • Step*down*voltage*on*all*lines*using* resistors* • Only*feasible*on*BSL*1.x*to*avoid*mass& erase*on*incorrect*password* – MSP430F147*has*BSL*1.1*
- 23. Results+of+voltage+glitching+ • Failed*to*reproduce* • Device*con5nued*running*undeterred*or*died*altogether* • GoodFET's*MSP430*is*too*slow*to*glitch*another*MSP430* – BSL*runs*at*1Mhz,*and*GoodFET*(MSP430F2618)*can*be*clocked*up* to*16Mhz*
- 25. Timing+aWack+problems+ • 1*start*bit,*8*data*bits,*parity*bit,*1*stop*bit* • Bit&banged* • Between*bytes,*will*wait*for*start*bit*to*go*low*when*receiving* • If*this*loop*executes*>*1*5me,*you*have*destroyed*all*prior*5ming* informa5on* • Device*will*check*that*RX*line*aoer*stop*bit*is*high,*or*cause*an*error*
- 27. Timing+aWack+problems+ • Ideal*Tinterbyte*=*number*of*instruc5ons***clock*speed* – Clock*speed*is*highly*inconsistent* • BSL*uses*DCOCLK*(sooware*clock),*cannot*force*crystal* – Number*of*instruc5ons*varies* • Due*to*5ming*vulnerability* • Any*mistakes*are*mul5plied*34x*(since*34*post&header*bytes* per*auth)*
- 29. Timing+aWack+problems+ • If*5ming*is*bad,*you*will*receive*a*NAK*response* • Since*password*is*inherently*wrong,*you*will*receive*a*NAK** response* • No*good*way*to*differen5ate*between*the*NAKs!*
- 30. Timing+aWack+game+plan+ • Test*with*same&model*chip*(with*known*BSL*password)*to* find*ideal*5ming* • Use*external*crystal*on*GoodFET*to*eliminate*aKacker&side* clock*problems* • Slowly*decrease*Tinterbyte*un5l*correct*password*is*no*longer* ACKed* – Find*the*run*with*the*lowest*overall*total*5me* – You*have*found*ideal*Tinterbyte* – Re&use*on*target*chip*
- 32. Timing+aWack+results+ • Looks*good*at*macro*level* • Wildly*inconsistent*at*micro*level* • Overall*total*5mes*will*vary*by*thousands*of*aKacker*clock* cycles* • Tried*modifying*BSL*to*expose*bit*read*5me*on*a*line* • Tried*just*focusing*on*last*byte:*only*need*to*get*three* Tinterbyte*correct* – last*byte*+*checksum*
- 34. Timing+aWack+conclusions+ • AKack*was*a*failure* • Likely*due*to*DCOCLK*inconsistencies*during*the*tare* rou5ne,*which*produces*vic5m*chip’s*5ming*for*serial* communica5on*(length*of*“sleep”s)* • If*this*tare*rou5ne*value*is*inconsistent,*the*5ming*used*for* every(serial(bit*will*differ,*mul5plying*errors* • Doesn’t*appear*to*average*out*in*the*short*term*
- 35. “Paparazzi”+aWack+ • Firmware*extrac5on*technique* – Goodspeed*told*me*about*this* – Permits*bypassing*JTAG*security*fuse* – Most*likely*due*to*photoelectric*effect*
- 36. MSP430+JTAG+security+ • MSP430F1xx/2xx/4xx:*physical*fuse* – Once*blown*(“programmed”),*it’s*blown* • MSP430F5xx/6xx:*electronic*fuse*mechanism* – Can*be*unprogrammed*by*erasing*0x17fc* – Not*successful*at*aKacking*these*
- 38. “Paparazzi”+aWack+ • Decap*the*chip* – Ensure*bonding*wires*remain*intact* • Jet*etching*may*be*required* – <$100*outsourced*to*lab* • Run*a*5ght*JTAG*loop*on*reset& tap*+*fuse&check* • Every*~200*itera5ons*aKempt* authen5cated*ac5on* – Read*first*address*in*BSL*memory*space*
- 40. • When*valid*data*returned,*success!* • Do*not*power*the*chip*down,*or*flip*reset*line* – Requires*GoodFET*sooware*modifica5on* • Be*sure*to*power*the*chip*externally*during*aKack* • Don’t*expect*chip*to*be*in*normal*state* – I*usually*just*read*BSL*password*then*reset* “Paparazzi”+aWack+
- 41. • JTAG*fuse*check*works*by*measuring*current*across*fuse* – Photoelectric*effect*causes*transistor*to*release*electrons*when* struck*with*photons* – Causes*current*to*appear*to*pass*across*the*fuse* – Alterna5ve*theory*is*UV*erasing*memory*cell*where*JTAG*state* stored*(e.g.*bunnie’s*aKack*on*PIC*microcontroller),*but*digital* camera*flash*produces*minimal*UV*and*aKack*is*instant* “Paparazzi”+aWack:+Why?+
- 43. FINDINGS+
- 44. MSP430+firmware+reversing+ • Calling*conven5on* – R12* – R14* – Remaining*arguments*pushed*to*stack* – Return:*R12* • Occasionally*R13*is*also*used,*if*32&bit*return*
- 46. IrDA+ • Surprisingly*large*(~25%)*amount*of*firmware*dedicated*to*IrDA* • Bit&banged*serial&ish*with*short*pulse*width* • Can*be*sniffed*from*test*pad*on*board*and*decoded*with*custom*Logic* plugin* • Export*from*Logic,*post&process*with*python*into*pcap,*and*Wireshark* does*the*rest*
- 48. Manufacturer’s+crypto+architecture+ • All*crypto*keys*used*are*derived*from*or*encrypted*with*two*keys*(AES128)* • Device+Key+ – Rarely*used*in*the*field,*used*to*get*high*authen5ca5on*level*(i.e.*for* “deprogramming”*a*device*to*use*it*in*another*syscode*region)* • Syscode+Key+ – Root*of*trust*for*all*normal*opera5ons*(e.g.*opening*the*key*container)* – Shared*by*en5re*geographical*region* • Neither(are(ever(accessible(to(the(eKey(app(or(readable(via(remote( commands( 1+
- 49. Syscode+Key+ • Provisioned*during*unknown*process*at*local*MLS*office* – Device*must*be*in*deprogrammed*mode* – They*must*have*some*authen5cated*channel*to*obtain*the*syscode*key*for* their*region* • A*MAC*key*and*an*Encryp5on*key*are*derived*from*syscode*key,*and* used*to*validate*cookie*integrity*and*decrypt*other*ephemeral*keys* • Compromising*this*key*permits*aKacker*to*generate*fake* “authen5ca5on*cookies”* – Can*open*any*lock*in*geographical*region*without*leaving*a*trace* 2+
- 50. Third+authen)ca)on+mode+ • Permits*access*to*visitor*log*in*EEPROM* – Useful*if*the*lock*has*been*unlocked*before* • Requires*no*authen5ca5on*cookies*for*access* • Visitor*log*contains*the*serial*number/syscode*of* connec5ng*eKeys* – This*solves*one*of*our*earlier*problems,*but*s5ll*need*PIN*to*use* 2+
- 51. Brute+Force+ • PIN*only*4*digits* • However*device*has*PIN*brute&force*protec5on* – eKey*will*get*"locked*out"*and*cannot*communicate*for*10m* – Exhaus5ve*PIN*brute*force*would*take*about*1*week*wai5ng*for* lockouts* – However,*lockout*counter*stored*in*EEPROM*and*can*be*erased* with*physical*access* 3+
- 52. Hardware+backdoor+ • Deprogrammed*authen5ca5on* – Android*app*only*uses*this*method*when*device*is*deprogrammed* • Can*actually*be*used*when*device*is*programmed*if*you* know*the*Device*Key* – Highest*access*mode,*permits*overwri5ng*keys* – Likely*used*by*MLS*office,*they*must*have*a*secure*channel*to*get* Device*Keys*for*their*devices* • Implementa5on*contains*hardware*backdoor* 3+
- 53. Hardware+backdoor+ • P3.1*goes*high* • Immediately*test*P3.2* • If*low,*backdoor*is*in*effect* 3+
- 54. Hardware+backdoor+ • P3.1*and*P3.2*are*connected* to*each*other*(through*a* resistor)* • Desolder*the*resistor*and*you* can*bypass*per&device* authen5ca5on* • Destroy*the*resistor*with*a* single*drill*hole*in*back*of* closed*lockbox*and*you*can* open*it*up*with* deprogrammed*auth* 3+
- 55. Flash+write+erase+aWack+ • Way*to*extract*Syscode*Key*without*decapping?* • Keys*are*in*“Informa5on*Memory”*which*is*erased*by*BSL*mass&erase* • Generally,*must*erase*flash*between*writes* • Lockbox*has*Memory*Write*command*that*permits*wri5ng*to*same* informa5on*memory*segment*where*keys*are*stored* – En5re*segment*is*copied*to*stack*buffer,*Flash*segment*is*erased,*modified,* and*then*wriKen*back* – Stack*is*in*RAM…*which*is*not*erased*by*BSL*mass&erase* 4+
- 56. Flash+write+erase+aWack+ • First*use*hardware*backdoor*to*“authen5cate”* • Ini5ate*a*Memory*Write*command*to*informa5on*page*(at*an* unused*loca5on)* • Informa5on*page*will*be*copied*to*stack*buffer,*modified,*and* wriKen*back*to*flash* • Quickly*reset*device*and*perform*mass&erase*of*flash*via*BSL* • Read*RAM*using*BSL*(using*default*password)* 4+
- 57. Flash+write+erase+aWack+ • Great+success!+ • Special*GoodFet*applica5on*that*counts*clock*cycles* – Run*applica5on*right*before*sending*Memory*Write* command* – Send*Memory*Write*command* – Applica5on*will*reset*chip*and*put*into*BSL*mode* – Subsequently*can*mass&erase*and*read*RAM* – AKack*can*only*be*performed*once,*but*Syscode*Key*is* obtained* 4+
- 58. Demo+
- 59. Conclusions/solu)ons+ • Manufacturer* – Discussed*issues*with*them*in*June* – Very*recep5ve,*started*working*on*fixes* • Other*applica5ons:* – Avoid*storing*cryptographic*secrets*in*general*purpose* microcontrollers*flash*memory* • Hack*all*the*devices!*
- 60. Greetz+ • Hardware*socket*by*Aaron*Kobayashi* • Thanks*to*Nathan*Keltner*and*Kevin*Finisterre* • Thanks*to*Travis*Goodspeed*for*prior*work*
- 61. Ques5ons*