Teridian SoC Exploitation: Exploration of Harvard Architecture Smart Grid Systems

Presented at Black Hat USA 2013, Aug. 1, 2013, 5 p.m. (Unknown duration)

The Teridian 8051-based chips are found in a variety of places in daily life, from the smart energy grid to smart cards and PIN pads. While their most prominent placement in the US is currently the metrology and power-measurement side of smart meters, the 8051 core is ubiquitous in embedded devices. These chips are additionally found in power distribution automation (the backend power shoveling inside your utility) and home automation (monitoring energy usage and changing the configuration of appliances and similar devices in the home).

The Teridian System-on-a-Chip platform wraps a complete system around a modified 8051 core, with additional features for chip security to block debug functionality and external access to memory. Additionally, the Harvard architecture design sets relatively rigid barriers between code and data (as opposed to x86/64), which presents an unintentional security barrier, somewhat similar to robust hardware DEP on x86/64 platforms.

In this talk, we will quickly cover architecture and system overviews, then dive into exploitation scenarios with techniques to attack Harvard architecture systems and code security implementations. End state results include pathways to gain coveted binary images of firmware and resident code execution.
Presenters:

  • Nathan Keltner / Natron - Accuvant, Inc.   as Nathan Keltner
    Nathan Keltner is a Senior Research Consultant at Accuvant LABS, performing custom-scoped research engagements for clients in industrial, healthcare, financial, and similar industries that rely heavily on embedded systems. Prior to Accuvant, he was focused on breaking into (and out of) corporate networks for a living, with an increasing focus on hardware exploitation that evolved into his current position. He has previously spoken on smart grid and post-exploitation topics at various security conferences over the years, including Black Hat, DEF CON, and smaller regional conferences. Widely held to be the finest Nathan Keltner of his generation, his other notable accomplishments include once lifting a Volkswagen Jetta above his head for over thirty seconds while reciting a passage from Finnegans Wake. Though born without the capacity to see the color amber, he nonetheless developed a keen interest in technology at a young age, compensating for his disability by learning to identify the position of his PC's "turbo" button by feel alone.
  • Josh Thomas / m0nk - Accuvant LABS   as Josh 'm0nk' Thomas
    Security researcher, mobile phone geek, mesh networking evangelist and general breaker of things electronic. Typical projects of interest span the hardware/software barrier and rarely have a UI. m0nk has spent the last year or two digging deep into Android and iOS internals, with a major focus on both the network stack implementation and the driver-level and lower hardware interfaces. He uses IDA more frequently than Eclipse (and a soldering iron more than both). His life dreams are to ride a robot unicorn on a moonlit beach and make the world a better place, but mostly the unicorn thing... Josh is currently employed by the nice people @ Accuvant LABS and the very mean people @ MonkWorks, LLC.