Your Peripheral Has Planted Malware-An Exploit of NXP SOCs Vulnerability

Presented at DEF CON 26 (2018), Aug. 10, 2018, 4 p.m. (45 minutes)

There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).

In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:

The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.

The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware.

Presenters:

• Mingchuang Qun - Senior security researcher at the Radio Security Research Department of 360 Technology,
  Mingchuang Qin is a senior security researcher at the Radio Security Research Department of 360 Technology,the core developer of Skyscan Wireless Intrusion and Prevention System,specializing in IoT and wireless device security. With rich experience in embedded system development, he is proficient in with WiFi and Bluetooth protocol analysis and vulnerability discovery.
• Yunding Jian - Senior Security Researcher, Unicorn Team, 360 Technology
  Yunding Jian is the co-founder of UnicornTeam. He is the leader of RocTeam in the Radio Security Research Department of 360 Technology. He is the designer of all pervious SyScan360 Conference badges. He also made serial presentations on Blackhat USA, Blackhat Europe & Asia (Arsenal) ,HITB about his hardware security research and design experience.
• Shaokun Cao - Freelance Security Researcher
  Shaokun Cao is a freelance Security researcher, a consultant of UnicornTeam. He is currently focusing on the chip-level security issues, such as microcode, ROM, bootloader, and firmware.
• Yuwei Zheng - Senior Security Researcher, Unicorn Team, 360 Technology
  Yuwei Zheng is a senior security researcher at Radio Security Department of 360 Technology, core member of UnicornTeam. He is the core researcher of decryption blackberry project, which manage to decrypt Blackberry BBM, PIN message, and BIS secure mail without keys. He is currently focusing on the security research of cellular network, IoT system, and mobile baseband. He had presented his research works at top level security conferences like BlackHat, DEF CON, HITB etc.

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Zheng2
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Zheng and Panel - Your Peripheral Has Planted Malware An Exploit of NXP SOCs Vulnerability.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Zheng and Panel - Your Peripheral Has Planted Malware An Exploit of NXP SOCs Vulnerability.srt (subtitles)
• https://www.youtube.com/watch?v=0_E2NxpCAfw

Similar Presentations:

• NolaCon 2022 / Build your first SOC
• Black Hat Asia 2019 / Reverse Engineering Custom ASICs by Exploiting Potential Supply-Chain Leaks
• Kernelcon 2019 / SOC Transformation - From 3-Tier to Functional SOC