zapZap! bangBang!

Presented at Summercon 2017, June 23, 2017, 3 p.m. (50 minutes)

Defeating Secure Boot Using Electromagnetic Pulses and badFET

We present our process of defeating secure boot within a modern ARM-based IP phone, the Cisco 8861, using software-defined radio and our custom EMP generator as an illustrative vehicle to discuss the following contributions:

* Dissection of a set of (as yet undisclosed) vulnerabilities found in Broadcom-implemented TrustZone execution environments.
* Our recent advancements in real-time tracking of the control flow of software running in modern embedded devices by sensing and analyzing involuntary electromagnetic emanations.
* Our novel electromagnetic fault injection (EMFI) techniques, capable of reliably and predictably altering the computation of modern embedded devices by controlled application of electromagnetic pulses. We discuss challenges and methods of achieving reliable control-flow modification in modern 1 GHz+ processors.
* Discussion of the hardware and software design of badFET, a low-cost programmable electromagnetic pulse generator. It is our hope to release badFET as an open-source project to democratize EMFI research. (badFET is currently functional, but due to the nature of the device, it can cause serious injury or death. We plan to open-source the EMP generator portion of badFET if/when we build sufficient safety features into its design.)

Presenters:

  • Ang Cui as Dr. Ang Cui
    Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is the creator of FRAK and the inventor of Software Symbiote technology. Ang has received various awards for his work on reverse engineering commercial embedded devices and was named a DARPA Riser in 2015.
    Rick Housley, Research Scientist at Red Balloon Security, will be co-presenting along with Dr. Cui. "We'd like to present badFET as an open, low-cost platform for conducting EMFI research. We believe electromagnetic fault injection is a fascinating sub-field of study. The cost of commercial EMFI equipment is prohibitively expensive for many researchers. We would like to democratize this area of research by sharing our low-cost open EMFI platform with the security research community."
    Red Balloon Security was founded in 2011 by two of the world's leading cyber-security researchers. They are a Columbia Portfolio Company and a Microsoft Ventures Accelerator Company.
  • Rick Housley
