Fun with Sam: Inside the Surface Aggregator Module

Presented at REcon 2017, June 16, 2017, 2 p.m. (60 minutes).

As software and CPU defenses on modern hardware keep getting better and better, the embedded world of USB-PD, ACPI EC, SMBus, SMC and other similar components continues to be ignored. Few people know that a ChromeBook has an embedded micro-controller that you can speak to over a USB charging cable (!). Few know that Apple has one which can secretly turn the USB port into a serial port (except those that attended my NoSuchCon talks). And almost every laptop out there has an ACPI EC or “Embedded Controller” which uses both AML (ACPI Markup Language) as well as sometimes secret protocols over Serial, I2C or USB, to communicate with them. These embedded microcontrollers have access to the LPC Bus, and typically SPI and I2C buses that control the camera, microphone, battery and charging circuits on your laptops, as well as frequently the keyboard as well. What better place to hide an implant? In this talk, we’ll specifically focus on a similar chip in the Surface Pro 4 (which also has an ACPI EC – we’ll discuss that one too), called the Surface Aggregator Module (SAM). Very similar to the Apple SMC, it offers functionality to monitor the various sensors on the device, authenticate access to the expansion port, communicate with the ACPI EC, and lots more, including offering up an entire shell over its various interfaces. How is SAM secured? How is it its firmware updated? Can it be misused to store a hardware implant? This talk will answer all of these questions and look at the firmware format, UEFI relationships, ACPI and AML interactions, and physical bus access to the SAM.


Presenters:

Links:

Similar Presentations: