
Good morning, thank you very much for being here; I'm very happy to be here. My name is Mark. As was mentioned, I'm better known as Large Cardinal, or more of an Extra-Large Cardinal these days. I'm going to talk to you about advanced hardware attacks for the working hacker. Who here is a working hacker? Part of the people, okay, good. Who here likes hardware hacking? Oh, brilliant. Who here has done a large amount, a very small amount, or any amount of hardware hacking? Okay, good. So some of this you will see and go "oh, I know that", and then hopefully after that point you'll be learning something. But first of all I'm going to give you an introduction to what I do. I'm going to give you an overview of the IoT ecosystem as I see it; I have a rather different view from some people, so hopefully it's going to be interesting. Then we're going to go over some actual attacks. I'm going to cover what I think are interesting attacks that not many people know about or that aren't talked about very much, so hopefully that's going to give you a good overview of what's actually going on in the world of breaking silicon and microchips and that kind of thing. Then I'm going to give you some overview, maybe some strategies, for trying to fix this stuff: how do we actually go about remediating all of this? And then lastly, Kerckhoffs's principle and IoT.

So I'm going to talk about an ecosystem. This, I'm going to claim, is the ecosystem that you will see in most of your testing. You'll have some sort of user PC or smartphone, and that will give you some sort of access to information, generally over the Internet, to some hosted service, a cloud service generally these days. Five or six years ago we would have said a hosted service run by the company; now everything's in the cloud. The cloud just moves the problem to someone else's computer, effectively.
So this is kind of what we see a lot. Who agrees that this is a general model? Yeah, you have tested something like this, exactly. So we understand this picture really, really well. We understand all the transports: we understand Wi-Fi, we understand GSM, we've hacked Wi-Fi, we've hacked GSM, we're hacking or trying to hack WPA3, we found new attacks on WPA2, for example, that came out last week. We understand this model really well because this is all very familiar stuff. When we add an IoT device it changes to this. Remember, the problem with IoT is the I: Internet of Things. We want our kettles, for some reason, to talk over the Internet. I need, I'm told, an app to control my kettle; I need the app so that I know what temperature it's at and when it's boiled, from China or from the next room. Somehow we've been convinced this is a good thing, and I do feel that the connected world is something that is inevitable, but look at what it actually requires from a technological standpoint. What you're being asked to secure, because we are security people, is a device that talks Bluetooth to a smartphone, maybe Wi-Fi if it's a hotspot, talks to a user PC, and almost certainly will talk either via a mobile phone or directly over the Internet to a cloud service. We've suddenly expanded the attack surface considerably when you look at the actual transports that are in play. We're expanding the attack surface and we're making our lives a lot harder from a security perspective. Bear in mind we're also asking these devices to run lots and lots of code, and secure code is very heavy. I have a slide from a previous talk which is all about the Linux random number generator, followed by a quote [inaudible]. It's not going to work. We are trying to find
better solutions, but also we're finding that there are more problems in IoT that we can sort of have a look at. So this is my favourite example now of IoT gone completely wrong: the Tapplock is now, for me, the canonical example of how you mess it up, because there's kids in there. Tapplock was "the world's first smart fingerprint lock" with a Zamak 3 aluminium-zinc alloy casing. Zamak 3 sounds good, doesn't it? Do you know what it was for? I got this from, I think it was, Dave and Andrew at PTP: that particular flavour was designed to be a heavy-feeling, high-precision die-cast model-making material. It melts at around 400, less than 400 degrees C, and if you were there at BSides you saw a demo of a blowtorch taking care of the lock very easily. Likewise it had Bluetooth Low Energy. Everything's got BLE. Why? It's really easy to implement, it's really straightforward to implement, it's very, very easy to make it work. However, they really messed it up: you took the MAC address, you gave it to the Bluetooth device, and it unlocked. Quote from last night: it unlocked faster through the exploit than it did through the app. And the cloud API: you could just get data out, including location data, because the mobile phone app sent the location data with the lock and unlock commands associated with the lock. It's fine, there we go. To quote from PTP: "Tapplock already knew about the issues but they continued to sell the lock on Amazon and failed to make customers aware. I can't think of any term but immoral to describe this; it's an abuse of trust." I agree. So basically they had this wonderful theatre, this wonderful illusion of security; they created this kind of way of approaching the problem that said "we are the best, clearly", and they weren't; they were the worst. This is how we are messing it up in IoT: we rush to market, they didn't think
about security, and this was for a security product. That's the best part of all this: it was a security product. So, moving on. What I'm not going to cover in this talk is stuff you probably already know. I'm not going to tell you how to use a UART to get yourself a root shell or something. Who's done that kind of stuff? Brilliant. Who's used it to find RCE in the web application? Because you can set your payloads to be an RCE that writes a string out. You can script this in Python if you want; the example code, I will send it to someone, I'll put it online maybe later, I'll clean it up first, I'm very, you know, self-conscious about my code. But so you can use this: you build a simple web crawler, and what you do is you just have it send payloads over Python to every endpoint, and then usually you have it send a random string as a nasty payload, but you send it to the serial port and then you read that out over UART. You do that, you have RCE; you do it on a bug bounty, you get money, done, win, easy. There are better ways of using this stuff. We're told "oh yeah, you might get a root shell". Yeah, that's not a hack. If I get into someone's house, all I can do is solder on a UART port; they found me already. If that's the attack vector, I'm not worrying about the attacks. However, we cover this kind of stuff a lot when we talk about hardware hacking: pulling firmware off with SPI. Who's done this? Quite a few people, I would imagine, brilliant. How to reverse engineer that, that's all well documented. Also electronics: I'm not going to teach you electronics, but if you want to learn electronics, Mikhailovsky has a really good "electronics for geeks" page, really, really good, can thoroughly recommend. What I want to talk about is attacks on cryptography, attacks on firmware protections, and how fault injection attacks work.
I want to be able to cover how we're going to attack these things in new and interesting ways. So here's what we're going to do. We are going to start off by looking at some CRP bypasses. If you saw Cybergibbons's talk at BSides Leeds there's a lot of overlap. Code read protection is very, very straightforward: we are basically trying to lock down the firmware from being read. To do that you normally use something like a security bit: if the bit is set then the firmware can't be read out. This applies to microcontrollers, not microprocessors; the difference being that microprocessors tend to have external flash, so reading it off is a matter of removing the chip, putting it onto a breakout board and reading the flash off, or using eMMC hacks, or doing some stuff like that. On a microcontroller the flash is integrated, it's actually on the silicon die, so you have to work a lot harder to actually get it out. So you set these bits. Now, to prevent you from resetting these bits with a little bit of ultraviolet light (you'll be happy if you've ever worked with EPROMs and you have to take the tape off and flash it and then put it back on; if you've ever done that, it still works), to stop you doing that they put some metal coverings over. I mean, that's fixed, right? That's done, right? I can't hack that, can I? Does anyone know this one? Then they will not know this: just tilt it 45 degrees, so that the light reflects from the bottom up to the metal plate; metal is reflective; it will then commence to reset the bit. And here is bunnie actually doing the attack. It works. Simple stuff like this.
How else can we do it? An LDR-based readout attack on an nRF51822. This was documented very well; I'll put my slides online somewhere. This was found by Include Security. For those of you not overly familiar with ARM: ARM instructions, because it's RISC, don't let you operate on memory directly; you have to load and store data. So the load instruction is very, very important and you will always find it, and because you'll always find it, it's a little target to look out for on some microchips. So the flash is locked on these chips; it says "no, you're not allowed to read the flash". No, but you have debug access. So what you do is use a script like this. This will work over OpenOCD, and all it does is set the program counter to where you've located the LDR instruction. What LDR does is it dereferences the value in here, it's in register r3, treats that as a memory address, and then puts the answer into r4, which means you just step through all of the possible addresses and you read the firmware out. It takes a while, but it works really well. A simple script like this bypasses code read protection on this.
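The read-out loop described above, as an added example: this is not the speaker's script, and the OpenOCD command strings and the `FakeOpenOCD` stand-in are my own construction. It assumes OpenOCD's telnet server on 127.0.0.1:4444 (its default), a debug-accessible Thumb `ldr r4, [r3]` at an address you have located yourself (`LDR_ADDR` is a placeholder), and replies to `reg r4` in OpenOCD's `r4 (/32): 0x........` format.

```python
"""Flash read-out through a debug-accessible `ldr r4, [r3]` driven over OpenOCD.

Added example, not from the talk. Assumptions (all hypothetical):
  * OpenOCD telnet server on 127.0.0.1:4444 (OpenOCD's default port)
  * an `ldr r4, [r3]` Thumb instruction at LDR_ADDR that you found yourself
  * OpenOCD answers `reg r4` with a line like `r4 (/32): 0x12345678`
"""
import re
import socket

PROMPT = b"> "
REG_RE = re.compile(r"r4 \(/32\): (0x[0-9a-fA-F]+)")


class OpenOCD:
    """Minimal client for OpenOCD's telnet interface (no telnetlib: removed in 3.13)."""

    def __init__(self, host="127.0.0.1", port=4444):
        self.sock = socket.create_connection((host, port))
        self._read_until_prompt()  # swallow the banner

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the connection")
            buf += chunk
        return buf.decode(errors="replace")

    def cmd(self, line):
        self.sock.sendall(line.encode() + b"\n")
        return self._read_until_prompt()


def read_word(ocd, ldr_addr, addr):
    """Execute the gadget once with r3 = addr and return the 32-bit word it loads."""
    ocd.cmd("halt")
    ocd.cmd(f"reg pc {ldr_addr:#x}")   # point pc at `ldr r4, [r3]`
    ocd.cmd(f"reg r3 {addr:#x}")       # r3 = address we want to read
    ocd.cmd("step")                    # single-step: r4 = *(uint32_t *)r3
    reply = ocd.cmd("reg r4")
    m = REG_RE.search(reply)
    if not m:
        raise RuntimeError(f"unexpected reply from OpenOCD: {reply!r}")
    return int(m.group(1), 16) & 0xFFFFFFFF


def dump_flash(ocd, ldr_addr, base, size):
    """Walk the protected region one word at a time (slow, but it works)."""
    out = bytearray()
    for addr in range(base, base + size, 4):
        out += read_word(ocd, ldr_addr, addr).to_bytes(4, "little")
    return bytes(out)


class FakeOpenOCD:
    """Constructed stand-in so the loop can be exercised offline.

    Simulates a Cortex-M whose `ldr r4, [r3]` sits at ldr_addr and whose
    flash contents are the bytes given at construction time.
    """

    def __init__(self, flash, base, ldr_addr):
        self.flash, self.base, self.ldr_addr = flash, base, ldr_addr
        self.regs = {"pc": 0, "r3": 0, "r4": 0}

    def cmd(self, line):
        parts = line.split()
        if parts[0] == "reg" and len(parts) == 3:       # reg <name> <value>
            self.regs[parts[1]] = int(parts[2], 16)
        elif parts[0] == "reg":                          # reg <name>
            return f"{parts[1]} (/32): {self.regs[parts[1]]:#010x}\n> "
        elif parts[0] == "step":
            if self.regs["pc"] != self.ldr_addr:
                raise AssertionError("pc is not at the LDR gadget")
            off = self.regs["r3"] - self.base
            self.regs["r4"] = int.from_bytes(self.flash[off:off + 4], "little")
            self.regs["pc"] += 2                         # 16-bit Thumb encoding
        return "> "


def demo():
    """Dump a constructed 64-byte flash image through the fake and compare."""
    flash = bytes(range(64))
    fake = FakeOpenOCD(flash, base=0, ldr_addr=0x1000)
    return dump_flash(fake, ldr_addr=0x1000, base=0, size=64) == flash


if __name__ == "__main__":
    print("offline demo ok:", demo())
    # Against hardware: ocd = OpenOCD(); open("fw.bin", "wb").write(
    #     dump_flash(ocd, LDR_ADDR, 0x00000000, 256 * 1024))
```

The `halt` before each step matters on real targets: if the core resumes for any reason, the next `reg pc` write lands on a running core and OpenOCD refuses it. Expect the full dump of a 256 KiB part to take a long time at one word per round trip; reading larger windows requires an `ldm` gadget, which this example does not assume.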
Interestingly enough, the nRF52 series isn't vulnerable to this, if I remember correctly, so they did actually fix it, but it took going up to the next generation of chips. These are still used; these are in the BBC micro:bit, if I'm remembering right, but these chips are everywhere. Another well-known attack now is a thing called a cold boot stepping attack. I know I'm rushing through some of this, maybe it feels, and I don't want to dwell too much on the details, because I want to really cover off that these things work, and I really want to get to the DPA stuff and the more involved mathematics therein. So CRP doesn't always protect memory. On the STM32F1: who's using STM32 chips? A few people, yeah. The canonical chips, you know, they work really well, nice ARM cores in them, very easy to get hold
of, very cheap, very useful, and they have this little bug, certainly on this one, probably on others as well, but I haven't had the time to really go through and check; I think some others aren't doing this well. What you can do is actually attack the memory: if the firmware does a kind of self check, a CRC32, just a consistency check, if it does that, it loads all of the bytes into memory, and that memory can be read over the debugger. If that sounds bad, that's because it is. What does that mean? It means that, put simply, you can just bypass this control by finding where it does the CRC32 check, halting it there and pulling out the value, then letting it rip, resetting it, letting it go again to the next value, pulling it out, resetting it, letting it go to the one after that. You do have to do the check many, many thousands of times, so it does take a while to get the data out, but it really does work; it's a very workable attack. But what if debug is disabled? Well, there's an interesting bug. STM32s have a number of ways, actually, across the whole series, of disabling debug. The canonical way on most of the chips that you'll find is that they actually turn on the clock for GPIO on bank A: the debug pins are actually on GPIO bank A, and when debug is enabled it runs debug through those pins. However, when you disable debug, and this is when you use things like STM32CubeMX, which is one of the software packages for generating code bases, when you run this, what it does is it turns around and goes "okay, I'm going to enable the clock on these pins for GPIO", and that will stop the debug kicking in. If that sounds like a fairly haphazard workaround, that's because it is, and it's a glitch away from actually being turned off. But there's a more interesting thing on the STM32F103, also known as the Blue
Pill. The Blue Pill has the capability, as was explained to me by the people who've looked at it, of having its debug enabled and disabled by two bits across two bytes. The way that it works is, if there are two bytes at that address, I think, yeah, there we are, you can see it there, set to those values, then debug will be disabled. So basically, if these bits and bytes are set to these values, it will disable debug. But that's not necessarily protection. What you can do is turn around and go "right, let's put it into boot mode". The bootloader, boot mode, will then allow us to get the firmware off; we can patch out the firmware and then load it back on, and you can do this for the other disabling as well: you just patch out the function that is turning on the clock for GPIO bank A. You turn these things off, you've re-enabled the debugger. Why is it in a bootloader? It's effectively not a fix, basically. These things are not implemented very well. I was going to do a demo of this but I've actually lent my stuff to a friend of mine, so I'm not going to do it here, because it's in a different room somewhere. However, if you want to see more of these, with demos and everything, then please go and watch Cybergibbons's talk at BSides Leeds, which I may or may not be involved with; I may or may not be the organiser, so I'd vouch for that. [Music] Hello, help me, help me, the organisers of BSides Leeds... I'm totally the organiser of BSides Leeds. So he gave a really good talk, it was actually fantastic, and if you want to go and see these things in depth and in great detail, he runs through with demos of all of these and a few more as well. So that's a really, really good talk on these attacks, and it really runs through in great detail how they work, and how they work really effectively. By the way, if you can't hear me, just make this motion; I don't know what you mean.

So what else can we do to these? Well, we have a microchip; it relies on certain things, such as the power or the clock signal, not being messed with by people like me. So I'm going to show you a few attacks that use glitching in new and interesting ways. This attack is from Chris Gerlinsky. Chris Gerlinsky gave this talk at REcon 2016; the talk is actually really, really
good, and he shows how you can use voltage fault injection to actually get the firmware out, or to kick it into bootloader mode, which then gives you the firmware. The way that it works: you'll see on the lower left the reset to application. So if you reset the chip and it runs into its actual main code, the power trace looks like this; however, if you reset into the bootloader, it looks like this. So we want this; we don't want this. Does that make sense? How do we do it? Well, we use voltage fault injection, or a glitch, as they're often called. A friend of mine says let's rephrase "glitch", in your security matrix, as fault injection attacks, because that's what they do; they are very effective when used properly. So voltage fault injection is when you take the power down, and you allow the natural capacitance of the chip to just let it ride a little bit before you power it back up, but you lower the power enough that it actually has a problem; it has a little bit of a moment, and then it causes it to glitch in a way that it wasn't programmed to. You can do clocks as well. A clock works through a rising edge, so if you have a rising edge on a square wave like this, and then you take the square wave and you inject another rising edge, you will cause a problem in the chip. What that means you can do is introduce unexpected behaviour just by messing with the clock: your one instruction will begin, and while it's running, in the background the glitch will cause another instruction to begin, out of time and out of synchronisation, and that means that if it's, say, getting the security bit, and then you glitch the clock, it might actually cause it to fall out and not return the security bits properly, which would default to being open, by the way. And that's what we saw here, so
Gerlinsky found on the LPC1343: the chip had four levels of protection, CRP level 1, 2 and 3 and also NO_ISP, and these were well defined; the values are well defined, so 0x11223344, I think it was, would mean CRP level 1, whereas 0x22446688 would mean CRP level 2. It is very well defined, but if those bytes were anything else, that meant there was no protection. In that situation a glitch works really well: what you have is the ability to say, right, if I can get it to not read properly, and to read in a way that it isn't supposed to, then it will default to open. And that's just what he did. So he used, I think it was, a MAX4619 switch circuit, a switch package; what it does is let you have microsecond switching between two pins. He had 3.3 volts, the operating voltage, on one pin, and then he had 1.2 volts, which is a brownout voltage for the chip, on the other pin. So if you took it to below 1.3, I think, he showed the video where it just went down, and at that level it went "no" and the chip shut off. So what you do is you send it to a voltage level where it's unstable. Other things you might do: I had a friend of mine who's an electrical engineer say "yeah, but what about my capacitors?", and I just said "those are coming off the PCB, aren't they". He didn't quite think that I would: "I'm going to mess with your board, I'm going to cause you problems by manipulating the physical nature of the board so that I can actually hack it". And then he took it to that voltage, and he got the trace that you see here, which means it went into the bootloader without the security bits. This is a viable, workable attack; it is reliable, it is repeatable, it works; your code is not protected on these chips. Interestingly enough, the USB bootloader doesn't have this problem: the USB bootloader actually has a defined value saying "if you are set with this value then you have no protection", and that's effectively one of the fixes that you can make. So this is a very reliable attack, but this next attack is something that's absolutely spectacular. So Micah Scott, better known as scanlime, did this really amazing work on getting the firmware out of, I think it was, a Wacom tablet, the pen and drawing things. It's brilliant; it's a 36-minute YouTube video, I think it is, absolutely worth your time to watch. What she
did was she developed this. So this is a microprocessor with a little USB chip, a MAX3421E USB controller. What that does is handle all the USB hardware for you. It takes SPI in (SPI we know and understand, that's good), and out the other side it sends USB, but it lets you record, and it's two-way communication, so it lets you record what's going on on the USB side. What that means is, with this particular board, we can control the USB stack, and because it's designed to be used with a ChipWhisperer (who's heard of a ChipWhisperer? Who's used one? You can come and have a go later, and I'm going to do a demo in a bit), it plugs directly into the board; it's got all the right pinouts and it lets the ChipWhisperer control the USB stack. What that means is that she was able to do the USB handshake with the device and then work out how to do the rest. The video shows you the process of glitching. The problem of a glitch is twofold: there's the when and the how long. When do you glitch, and how long do you glitch? Do you glitch for several microseconds, do you glitch for longer, do you glitch all the way into the milliseconds? No, you'll never do that, by the way. But what you do is you have this kind of zoning-in process, which is the thing that you never see in the talks because it's boring, put simply. It's really just watching someone do this. The ChipWhisperer does have a lot of software built into it to help you out, and again Micah Scott's video shows you how that process works, which is really nice to see; it isn't just "here's the result", it's "here's the result, and also here's how I got that". So it's a particularly good example, but also it's called the FaceWhisperer because of the Facedancer. Who's heard of this? People, yeah. The Facedancer uses the same chip, only it has an MSP430 that
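The "when and how long" zoning-in process described above, as an added example: this is not the speaker's or scanlime's code, and it does not talk to a ChipWhisperer. The glitch firing, the outcome classes, and the `make_simulated_target` model (a success window at a made-up offset and width, resets when the pulse is too long) are all my constructions; on real hardware `fire` would wrap the glitcher API and classify the target's response, and offsets would be in clock cycles rather than nanoseconds.

```python
"""Two-stage glitch parameter search: coarse sweep, then zoom in on the best cell.

Added example, not from the talk. Everything about the target is simulated
(constructed success window, made-up timings); `fire(offset, width)` is the
only thing you would replace to drive a real glitcher.
"""
import random
from collections import Counter

NORMAL, RESET, SUCCESS = "normal", "reset", "success"


def sweep(fire, offsets, widths, repeats):
    """Fire `repeats` glitches in every (offset, width) cell and tally the outcomes."""
    return {(off, w): Counter(fire(off, w) for _ in range(repeats))
            for off in offsets for w in widths}


def rank(results):
    """Most successes first; among equals, fewest resets (resets cost reboots)."""
    return sorted(results.items(), key=lambda kv: (-kv[1][SUCCESS], kv[1][RESET]))


def zone_in(fire, coarse_offsets, coarse_widths, repeats=20):
    """Coarse grid, then a fine grid around the best coarse cell. Returns (cell, tally)."""
    coarse = rank(sweep(fire, coarse_offsets, coarse_widths, repeats))
    (best_off, best_w), best_tally = coarse[0]
    if best_tally[SUCCESS] == 0:
        return (best_off, best_w), best_tally       # nothing to zoom on: widen the search
    fine_offsets = range(best_off - 100, best_off + 101, 20)
    fine_widths = range(max(1, best_w - 40), best_w + 41, 10)
    fine = rank(sweep(fire, fine_offsets, fine_widths, repeats))
    return fine[0]


def make_simulated_target(seed=7):
    """Constructed target: vulnerable only around offset 1200 ns, width 90..130 ns."""
    rng = random.Random(seed)

    def fire(offset_ns, width_ns):
        if width_ns > 220:                              # pulse too long: brownout reset
            return RESET
        in_window = 1160 <= offset_ns <= 1240 and 90 <= width_ns <= 130
        if in_window and rng.random() < 0.3:            # fault lands on the check
            return SUCCESS
        if in_window and rng.random() < 0.2:            # fault lands somewhere worse
            return RESET
        return NORMAL
    return fire


def success_rate(tally):
    total = sum(tally.values())
    return tally[SUCCESS] / total if total else 0.0


if __name__ == "__main__":
    target = make_simulated_target()
    cell, tally = zone_in(target, range(0, 3001, 200), range(10, 251, 40))
    print(f"best cell offset={cell[0]} ns width={cell[1]} ns "
          f"success={success_rate(tally):.0%} resets={tally[RESET]}")
```

Two habits carry over to real hardware: keep resets in the ranking (a cell that succeeds once in fifty shots and resets the rest is a worse place to sit than one that succeeds less often but never crashes), and make the coarse grid step small enough to land inside the window at least once, because the fine stage only refines what the coarse stage already found.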
does the SPI control, and it handles the USB over an FTDI serial chip. So this is a brilliant, brilliant attack. What it allowed her to do was to glitch in such a way that, when it went to fetch its version number for the USB traffic coming back (all chips report their version numbers, or some other data about themselves, to the host), when it went to fetch the version number it just went "boom", had a moment, and then dumped the firmware into a USB reply, because it dereferenced the pointer and it just went through everything. How did she find it? She just scrolled through and looked for the really big packet. There was this USB packet of several kilobytes: "oh look, it's the firmware", winning. When you actually get it working, these things are actually very straightforward; when they don't work they're infuriating and time-consuming, and you end up wanting to hit something, not in a bad way. This stuff does take a bit of practice, it does take a lot of work, but scanlime's video on this is really well worth a watch, because it gives you a really good insight into what's going on. So this is what I mean by glitching: it's practical, it's workable, and that's what I want to change people's minds about. These are not theoretical attacks. Yes,
quite a few of them come out of a university; Cambridge, for one, has a group with lots of this kind of thing going on, but I think Lancaster's doing something as well, I'm not sure. But it's workable, it's real-world; this stuff works. Now we're going to go on to DPA. DPA is one of my favourite things in the whole wide world, so if you don't like this you hate me. You don't; it's fun, I'm being dramatic. Power line analysis: who's heard of power line analysis? Brilliant. Let's have a look at it. Determining bits of an RSA key by power line analysis: yes, you can do it. What is an RSA key? Just tell me what it is. It's an exponent. So if you have 2 to the 64, or 2 to the 53, the 53 is the key in RSA and the 2 is the base. It'll never be 2, trust me, you'll never see 2, it'll break, but the idea is that it's just an exponent. Exponents make big numbers. So we have come up with ways of optimising exponentiation, and the most common one is called the square-and-multiply method. You read the bits of the exponent, here the bits of the RSA key, and if it's a zero you just do a square, and if it's a one you do a square and then a multiply. That's what that pseudocode is trying to show you. So basically you always do the square, and then occasionally you're doing a multiply. But the correlation between these operations on a chip and the power consumption is really strong, so you can easily identify which power traces are which operation. So the way you would make it work is, you might read off: square, square, square-multiply, square-multiply, square-multiply, square, square-multiply as an operation sequence; that gives me the bits of the key, because of this direct correlation between power consumption and what data you're processing.
This works; this is workable. There are papers; all of my slides have links to papers which will give you more information, so that you can go away and read on this. This is only an overview, just to show you that these things are workable. You're working hackers; I want to show you that you can do this and it's not that hard to tool up. It takes a bit of learning, yeah, you're going to learn a bit of electronics, but it's fully workable, it's practical. Power analysis is really fun, and this is differential power analysis, aka magic. I call it magic because that's how it's described when I show people: "that's magic". It's like, yeah, I know, right?
So the way that it works, here's an overview. The general overview of DPA is this: traces are gathered, so what we do is we perform some operation, an encryption operation. This is targeting AES; it was originally done on DES, and the aim was to break the DES encryption on RFID cards, that's why it was first used, but then they realised that actually almost any block cipher that uses an S-box (I will explain these terms) will actually be vulnerable to these attacks, and AES is vulnerable to this kind of attack. What you do is you make some measurements, particular measurements of power traces of the actual encryption, and you record the plaintext and ciphertext; you know what went in and what came back out. Together, the aim is that you're going to make some sort of assumption about these traces and then you're going to do some testing. Remember the key part here: there is a direct correlation between what operations are running, what key bits are being read, and the amount of power that will be consumed to read them. The way the ChipWhisperer does this, by the way, is it has a really, really clean (if you want to come and have a look at it, some lovely circuitry here) really clean power source going in, and then on the other side of a resistor, that's where it actually takes the measurement. So between those two, as it says, those resistors are called shunt resistors, and what that lets you get is a really solid measurement of how the power is being consumed. So you make a guess, you then sort the traces based on the data that you understand, and then you make some sort of decision. Let's run through this in some detail. The Rijndael cipher, named after Rijmen and Daemen, won the NIST competition in 2000. It is a hardware-optimised, relatively easy to implement encryption cipher that has a lot of really good features. It's a block cipher, which means that basically this is only half the story; the other story is how it propagates over the data. But this isn't a cryptography lecture; this is power analysis. This is to give you an overview of how it works, so that you can understand how the algorithm works at the end. So SubBytes is where you actually change out the bytes through an S-box; S-boxes are a nonlinear kind of table, which is reversible, but it lets you actually substitute out the bytes of data. You then pass it through ShiftRows, which is just rotating the rows; you shift the rows around. Then Mix
Columns, which isn't actually mixing the columns around; it's passing it through a linear transform matrix, and you just do the multiplication all the way down, but it's reversible, so it's absolutely fine, don't worry. And then AddRoundKey; this is the most familiar part of encryption: you do an XOR. So all of these things come together like this, and you have this property whereby you get a round key. This is important: the key expansion, the key expander, gives you a new key. The reason you do this is because there's a thing called a slide attack: if you use the same key on every block then you can abuse collisions in input and output to actually work out what's called the slide of a function, and then you know that this ciphertext has this commonality because it's slid this way, and all this other stuff. If you're not familiar with it, there's a book by Jean-Philippe Aumasson called Serious Cryptography; I thoroughly recommend it, it's absolutely brilliant, and he covers off all of this in great detail. There's a really good book on cryptographic engineering; it really is a good text. So the key schedule gives you a new key per round, then you perform all these shift rounds. The reason you do all this shifting, by the way, is to ensure that one change in a bit of the plaintext affects all the other bits, or could affect all the other bits, so it's a way of making sure that things get a little bit crazy, a little bit chaotic. And then SubBytes uses a nonlinear S-box; the reason you want that is that otherwise it just becomes a system of linear equations. If they sound familiar, that's because that's what you were solving in high school; you just weren't doing it in a bit field, a binary field, you were doing it in decimal, but it's the same kind of thing. Without some nonlinearity in the whole thing you would have a problem. So this is why you have all these things, but the point to really take home is: AES is a well-designed
cipher; it is hard and it is well optimised. So how are we going to break it? Simple, he says. To attack it we're relying on the key function and the S-box being reversible; by definition they are, because otherwise you wouldn't be able to recover the data. So what we do is we actually want to get out the 13th and 14th round keys. So what we do is we take our power traces. This kit, by the way, is exactly what I have here; do feel free to come and have a little look. This is how you measure the power consumption of a device: you measure this voltage, you know the resistance, Ohm's law then gives you the actual current measurement, and the current measurement is then what you use to say that you are using this much power. And you can see here, on the red, the power consumption goes up and down depending on what the chip is doing. This is our window in. The ChipWhisperer has a really nice... it's Colin O'Flynn's, who's a lovely guy, by the way; he actually developed OpenADC as well, I think, and it's included on the board because it works really well. It gives you a nice high-resolution power trace. So you measure this voltage, that gives you a level of power, you can then get this kind of graph out, and now you understand a lot about the operation of the chip; we just don't know which bit is which, and that's what we have to decipher. So we now have this power consumption data; what are we going to do with it? It's actually quite... it's not quite straightforward. I'm going to cover off DPA and also CPA very briefly, and I'll demo CPA because it's a more reliable attack, but I'll cover how it works first. First thing you do is you work out the key length. The key length affects the number of rounds: if you have a key length of 128 bits you will use 10 rounds, a key length of 192 bits you will use 12 rounds, 256 bits you will use 14 rounds in AES. That's important to know, because otherwise you're going to get everything wrong when you actually do the calculations and it will just not work. We're going to look at AES-128 because it's simpler, but my point is the same: the same works as you go up the complexity, it's the same attack, you just do some different mathematics in the background because you change the number of rounds; that's the difference. So what we're doing is we're going to say, right, this is an AES-128 key, have a look; I leave it as an exercise to work
out how I know that. But anyway, now that we've got this we can target particular keys with our mathematics. What mathematics works in this case, though? How does this come about? I'll show you the algorithm; it's actually quite straightforward. So we know the structure of the encryption and we also know some plaintext and ciphertext. What we don't know is the key; that's what we want, okay? We make a guess, simple: we make a guess, and what we do is we go through all possible guesses and all possible plaintexts, yeah? We then say, if this is a correct guess, that would mean that this trace goes into the working of the LSB here: this power trace would go into
the zero box and this power trace will go into the one box, yeah? We make a guess. Now if the guess is wrong, and it could be, and it usually is, then it will all stay inside this green, okay? You won't have any outliers. All right, this is a key point: when the guess is correct, what you find is that many of the traces (and this is where you have to gather multiple traces) will have power consumption that will spike at that point. Remember, power consumption is directly correlated to what you're doing on the chip, all right? All that means is that actually you can see these huge spikes come out here,
up and down in the power traces, because these traces are agreeing, and they're agreeing with your guess. That makes sense? So because your guess is right, you now have part of the key, right? Do it 16 times, you get a key, right, and that's how it works. You go over the traces iteratively and what you do is you just take these measurements and do these things, and there's the attack: yep, owned. Right. The correlation power analysis is a very similar idea. This is a more reliable attack; this is the one I'm actually gonna demo for you. Correlation power analysis is using the Hamming weight. Who doesn't know what a Hamming weight is, or isn't familiar? Okay, so
the Hamming weight is basically the number of ones in a binary string. Remember, one is high, so one means you're using power for that bit. So if you measure the power consumption processing certain bytes, maybe the bytes of the key you might say, then you can get out effectively what the power consumption should be, and you can check that against your assumptions using, here, Pearson's coefficient, Pearson's correlation, this one here, which is just a covariance divided by the two standard deviations multiplied together. Okay, if you don't know why, don't worry; that's just for those of you who are technically minded. I'm a mathematician, I make every apology for it. Okay, what we're doing is we take
these measurements and we go by... we're doing a very similar process. We're taking all possible guesses and we're iterating through them, and we're doing the S-box lookup of the plaintext XORed with the key guess, all right? We then take the Hamming power at our position and we get the Hamming weight of the S-box lookup, okay? So we assign that into our Hamming power, and then we increment the position by one and we go all the way through. We then actually take the actual power, and we get all the traces, and we do a comparison between the two. Okay, if the comparisons match you get something like this in the analysis, yeah? If you see
that, that means that you have a part of the key that's a correct guess. How many guesses do you make? All of them. Processing power is cheap enough; we just make all the guesses, do some relatively straightforward calculations, and then we can actually get this information out of a chip just by listening to it really carefully. All right, this is workable, okay? This is not lots and lots and reams and reams of typical code. And hopefully now I'm going to be able to show you a CPA attack on AES. Could you... because someone wouldn't, you know... did you just hold this while I type? Both hands, because my elbow's giving. Thank you very much.
Okay, so all I'm going to do first is... so those of you who didn't see it earlier, this is a ChipWhisperer, and this is a target board, I think it's called the CW308. And what we're going to do is actually measure the power. I'm plugging it in and going into the capture software. Okay, this is what it looks like. So first of all we just connect to it; that was easy. And then we go to the AES attack. Okay, what this does, if you look at the code, is it just sets it up so that we get some nice traces. It's just setting up the... what the clocks are set to, the resolution of the
ADC, that kind of thing. Okay, that's all this is doing; it's just a little bit optimized. We could do this without, but these optimizations help bring out the differences in power consumption. So if I press this you should see... oh, there we are, lovely big bright red trace. Okay, now if I can show you this, this is what we're actually doing in the background: we sent this text in, we got this text out, we expected this. There's lots of expected and given keys because we want to be able to check that what we're doing is right or wrong. So what you would do is you would find the same chip and you would practice the attack on a like-for-like
before you practice on the target, okay? Because with the target, usually... when we're building anything, what happens is that at measurement time all sorts of things can be different, so you want to reduce these things and known problems. So you fix it on a target that's a development board, say, and then you actually do the measurement on the real target as well. So all we have to do is just take, I think 50 samples should be enough, and you can see it's wiggling; it's a little bit of wiggling, yeah? That wiggling is the difference in power consumption. Okay, that was it. What we do now is we save it, because that's what
we do. I've got lots of example traces where I messed up in there; I've got lots of example traces I've been working on. We'll call it test DPA 8, and that's basically that saved. So now what we need to do is move to the analysis software. Okay, so the analysis software, ChipWhisperer Analyzer, all this is going to do is open up our dataset like that, and here is the CPA attack. So you can go through all the ChipWhisperer code and see quite how it works; it'll look very similar to the CPA code that I posted earlier. But basically the attack, when it runs, looks like this. So here it is, actually doing analysis. The
red is the key I've given it, so that we actually know when it's actually found the right key, and apart from one byte, which it's got wrong, it's found the key. If I show you another example that I did just as you were all coming in, because these things are a little bit unstable; I've got this... there's data cables, display cables, affecting the power on the ChipWhisperer. You know, these things are very sensitive, so you have to sort of try a lot, you know, so it really gets used to it. If you took a thousand samples it would work first time, every time. I know about different data sets, and you'll just see that it
just works on the data set and all the little bits of it come to the top before we've even got to the halfway point. There we are: locked in, done, there's the key. Oops, come on, behave. There you go. Thank you. Done. That's it, it's that straightforward. You tool it up correctly and you will be able to attack the hardware encryption on a chip just by listening really carefully and understanding how the encryption actually works. Any questions on that before I move on? Yeah. The question is, how well does it work when the chip is, like, multithreading or something? Um, not particularly well, if I'm honest with you, but again you're looking for a
correlation in power, so if you took more samples you'd probably have a better chance of finding it, and this is why you would. But then again, multithreading on microcontrollers is quite rare, so on an Intel chip this would be a very difficult attack because it's optimized for doing lots of concurrency, but on embedded systems this works really well. Very rapidly as well: as you saw, that was only a hundred samples in the second example and it's got the key out, and it's giving you those numbers, the confidences that it has from the statistical analysis. But if you check the code, the correct key is in red because I set it to be red for
visual purposes. Cool. So who thinks that's workable? Who thinks that works as an attack? Yeah, most people. It's fully worth it. Yes, it came out of a university; yes, this stuff, you know, sounds academic, but no, it really does work, okay? It requires a little bit of an understanding of fairly straightforward mathematics; we didn't even have to do it ourselves, just get the computer to do it, that's what we invented them for, literally. Okay, so the theory is actually quite sound and hopefully I've not scared anyone off; no one's running for the door, so I'd say that's a good sign. And what I want to do is now have a bit of a conversation about how we're going to
try to fix some of this, okay? Because these things are all very well and good, all right, but what can we do to try and fix it? Well, hopefully a little bit more. The thing we don't talk about in security very much is the when of security, all right? We talk a lot about the how, we occasionally talk about the whom (attribution, for example), and we talk a lot about the what: well, what are we going to do, and, you know, how do we have to implement it. We don't talk about the when. The when of security is really important, especially when it comes to things like IoT, because you have to make certain decisions at different
times, okay? Here's briefly how I start to consider things like OWASP, all right? This gives you an example of how I process something that is very well known. This is possibly wrong in some people's eyes; that's fine, this is all in context, okay, this is all for different security postures. But here what I'm trying to do is show you: you do certain things early, you do other things in the middle, and the rest of it you can leave till later. You don't worry about your firewall setup when you're writing it on a laptop for the first time, okay? You should worry about filtering out things like XSS or injection attacks, okay? You should worry a little bit
more about sensitive data exposure when you actually start doing testing on a development server in the back of your office. You shouldn't be worrying about that when it's already migrated to production; it's too late, okay? To give you a sense of how this works in IoT, these are the decisions that you should make and when you should make them. And again, this is open to discussion; please do argue with me, disagree with me, tell me I'm full of nonsense, but the aim is to say, look, let's put this in time. It is very hard to fix your cryptographic decisions later. If your chip doesn't support proper encryption, then you are going to have a very hard time if you
find out later you should have had encryption; you're gonna have a really bad Tuesday, okay? All right, more than the Windows guys, okay? All right, secure storage: if you need that, you need to decide that earlier; have a chip with an HSM that does the encryption that you want, right? Likewise, pre-production is when you should implement a firmware update method. Implement it early, because then you can fix it, because you'll mess it up. It's fine, we all do. These things take iteration, these things take development; we have to think about these things earlier. Likewise, when you're in production, that's when you should really move to clean up your PCB: remove the debug ports. Please, frankly,
you're making my life so easy when you do that, okay? And likewise you have other considerations in post-production, okay? You are responsible for what are effectively software updates. It is your job as developers to actually go, I make sure my SDK is up to date, okay? Obviously there's no Windows operating system or Linux operating system to fall back on, there's no system administrator sitting in the background; you are all of it, because you control the firmware. Also, if you can, have a PSIRT, a product security incident response team. I've dealt with them; they really do work, I think, when they do. When you don't have them, I send you an email and nothing
happens. I found a bug in an error; that's cool, and that's it, you know. Use these, because otherwise they can't fix it, to be honest with you. So here's Mark's three-point plan for IoT security nirvana. It's not going to get you to nirvana, I'm very sorry, but we'll try and get you close. These are the three things that I wish all IoT companies did, all right? First of all, ensure you have a per-device secret. Make sure that every device has something unique on it, and that that is the reference point for things like setting up passwords. Vouchers have been doing this now for a while and it does work. Why? Because then
a vulnerability is strictly limited to the vertical between the device and whatever it talks to. It doesn't mean that I can then take the attack, copy, paste, and run it on devices laterally, okay? A per-device secret is really important, all right? For example, The Things Network will let you have a default API key for your LoRaWAN device that is the same encryption key, because it's used in the establishment of encryption, in the setup of the encryption keys, the app session key and the network session key. It will let you have a static app key across all devices. It also doesn't give you any provision for remediating such an issue; you have to
do it through the firmware update, all right? At least... it's my second point: have firmware updates. You would be surprised how many companies, IoT companies, don't do this, right? They don't give you a way of fixing the problem. More and more are doing it, but I think as a community we need to start saying, well, look, you need to do this; this is important, if you don't do this you will have a problem, okay? And also there's example code out there and it's broken, so we have to go out and maybe find it; maybe we should be a little bit more proactive as an infosec community, but the developers also should have a look
at this. This is what I think: maybe make them qualify for a CVE, and my help... And lastly, make the security problem someone's problem. This is a business issue, this is not a technical issue. The number of times I try and engage with a company about a security issue and I can't, why? Because everyone... it is just stuck in orbit around the office in emails, aimlessly going round and round. It never lands anywhere, and because it doesn't land anywhere it doesn't get any kind of... it doesn't get onto JIRA, it doesn't get put on any kind of management for fixes, and those issues are raised in the git, so nothing gets done, okay? But if security is
someone's problem, they can have the bad Tuesday, you can take them out for drinks later, okay? But in doing so you will then actually have a better chance of fixing it. This is a business step, and it's the thing that the IoT SF recommendations don't include. They concentrate a lot on the tech, which is great; they've got some amazing recommendations for how to secure IoT devices, but I think we need to go further and engage on the business structures as well, because there's certain things that just can't happen unless there's someone who has that responsibility. So, Kerckhoffs' principle and IoT. I mentioned, I alluded to this earlier; this is after the talk by under
tyranny, where he sort of mentioned this at the end, and I want to say it again because I think we need to agree with it, okay? Anton Kerckhoffs was a Dutch, I think, cryptographer from the late 19th century, and he said a cryptosystem should be secure even if everything about the system except the secret key is public knowledge. That is the idea, for example, of AES. By the way, don't confuse this with Kirchhoff: Kirchhoff's law of circuits is not the same thing as Kerckhoffs' law of cryptography. They're very different things, but they have a confusing spelling. This is Kerckhoffs; remove the K and you get "cut off", the same K. That is okay, just in case you're ever wondering
and Googling it later and you don't find it; that's why, okay? So maybe we have an idea of this for IoT. Here's how I might look at it, me, 2018: there should be a level of security assured in an IoT system even if complete compromise of one device is assumed. The point of all these cool attacks, and the point of all these advanced things I have, bypassing CRP, glitching, getting the firmware out: the problem you have is that they all rely on the assumption that that's not going to happen, and I'm trying to prevent it from happening. If you write your code with the assumption that it's going to happen, because it is, then maybe we
can improve the security posture from the ground up. Don't forget: the enemy knows the system, okay? Every time. My name is Mark, I'm better known as Large Cardinal. Thank you very much; I'll take some questions.
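The first point of the three-point plan (a per-device secret, so that a compromise stays in the vertical between one device and its backend rather than copy-pasting laterally) and the closing Kerckhoffs-for-IoT point (design as if complete compromise of one device is assumed) are two views of the same design decision. This editor-added example, not code from the talk or from any product mentioned in it, puts the two provisioning models side by side: one static key shared across the fleet versus a key derived per device with HKDF-SHA256 from a manufacturer master secret and the device identifier. The master secret, device identifiers and labels are constructed assumptions; the backend is assumed to hold the master and re-derive each device's key on demand.

```python
"""Per-device secrets versus one static fleet key: blast radius of one compromise.

Added example (not from the talk). Assumptions: the manufacturer holds a master
secret in provisioning; each device receives HKDF-SHA256(master, device_id),
which the backend can recompute without storing a per-device database.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master: bytes, device_id: str) -> bytes:
    """Per-device key: unique to device_id, yet recomputable by the backend."""
    return hkdf_sha256(master, salt=b"device-key-v1", info=device_id.encode())


def provision_static(master: bytes, device_ids) -> dict:
    """Anti-pattern: every unit ships with the same fleet-wide key."""
    fleet_key = hkdf_sha256(master, salt=b"fleet-key-v1", info=b"all-devices")
    return {dev: fleet_key for dev in device_ids}


def provision_per_device(master: bytes, device_ids) -> dict:
    """Recommended: every unit ships with its own derived key."""
    return {dev: derive_device_key(master, dev) for dev in device_ids}


def blast_radius(fleet: dict, leaked_key: bytes) -> list:
    """Devices whose stored key equals one recovered from a single compromised unit.

    This is the lateral reach the talk warns about; the per-device fleet
    should return only the compromised device itself.
    """
    return sorted(dev for dev, key in fleet.items() if hmac.compare_digest(key, leaked_key))


def compare_models(master: bytes, device_ids, compromised: str):
    """Return (static_exposed, per_device_exposed) device lists for one compromise."""
    static = provision_static(master, device_ids)
    per_device = provision_per_device(master, device_ids)
    return (blast_radius(static, static[compromised]),
            blast_radius(per_device, per_device[compromised]))


if __name__ == "__main__":
    ids = ["dev-0001", "dev-0002", "dev-0003"]          # constructed identifiers
    master_secret = b"constructed-master-secret-not-real"  # constructed, for the demo only
    static_hit, per_device_hit = compare_models(master_secret, ids, "dev-0001")
    print("static fleet key, one device dumped ->", static_hit)
    print("per-device keys, one device dumped  ->", per_device_hit)
```

The test includes RFC 5869's first published test vector so the HKDF step can be trusted before anything is built on it; in a real design the master secret lives only in the provisioning HSM and the backend, never on a device, which is the property that keeps one dumped unit from becoming a fleet-wide problem.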