Backdooring Hardware Devices by Injecting Malicious Payloads on Microcontrollers

Presented at Black Hat USA 2019, Aug. 8, 2019, 2:30 p.m. (50 minutes).

Throughout the years, many studies have been published addressing different ways of backdooring devices by leveraging on their own hardware components. However, most of the existing work focuses on backdooring devices based on powerful microprocessors – such as ARM, Intel or AMD – instead of microcontrollers.

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car's ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and inject our payload there, this is an easy way to execute it at least once. As a second, and more complex technique, we will backdoor the EUSART communication injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allow us to take control of the microcontroller's program flow by manipulating the stack writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.


Presenters:

  • Sheila A. Berta - Security Researcher, None   as Sheila Ayelen Berta
    Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years-old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and softwares. She also has given courses of Hacking Techniques in universities and private institutes in Argentina. Sheila currently works as Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers and microprocessors x86/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat Briefings, DEFCON 26, DEFCON 25 CHV, HITB, HackInParis, Ekoparty, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

Links:

Similar Presentations: