Secure Coding mailing list archives
embedded systems security analysis
From: jeremy.j.epstein at gmail.com (Jeremy Epstein)
Date: Thu, 20 Aug 2009 17:39:50 -0400
I spent a fair bit of time doing stuff relating to voting systems, which all have embedded systems. (I am not one of the experts who pulls them apart, lest anyone think I'm claiming credit for them.) They are supposedly closed systems, but every time someone competent has tried to attack them, they've been successful - even if there are no published APIs or documents, all of them have attack surfaces. It might be something like the ability to insert a card in a PC slot (as in the Princeton attack on Diebold touchscreen systems), a USB stick (some of the UC Santa Barbara attacks - I think that was ES&S touchscreen machines), Harri Hursti's attacks via a memory card on Diebold optical scanners, Princeton's attacks via a proprietary memory card on Sequoia systems, etc. (There are others too - the machines in my county use USB sticks and run Windows CE, so I believe they're susceptible to even trivial attacks via an autorun.)

I also worked with a team that did some attacks on another embedded system in a voting machine, although we didn't get far enough to publish results before we ran out of students to do the grunt work.

So I'd 1000% agree with Arian - not only is assuming you're safe dangerous, but it's also wrong.

There are lots of attacks on other types of embedded systems - there have been a few against electric power control systems, water control systems, etc. And there are more that haven't seen the light of day.... I just heard about a very serious attack the other day that hasn't ever made it into the news.

--Jeremy

On Thu, Aug 20, 2009 at 2:09 PM, Arian J. Evans <arian.evans at anachronic.com> wrote:
Rafael -- to clarify concretely:

There are quite a few researchers that attack/exploit embedded systems. Some Google searches will probably provide you with names.

None of the folks I know of that actively work on exploiting embedded systems are on this list.... but I figure if I know a handful of them in my small circle of software security folks - there have to be many more out there.

Assuming you are safe is not just a dangerous assumption: but wrong.

Specifically - One researcher I know pulls boards & system components apart and finds out who the source IC and component makers are. Then they contact the component and IC makers and pretend to be the board or system vendor who purchased the components, and ask for documentation, debuggers, magic access codes hidden in firmware (if he cannot reverse them).

If this fails, the researcher has also befriended people at companies who do work with the IC or board maker, traded them information, in exchange for debuggers and the like.

This particular researcher does not publish any of their research in this area. They do it mainly (I think) to help build better tools and as a hobby. (Several of you on this list probably know exactly whom I'm talking about. This person would prefer privacy, and I think the person's employer demands it, unless you get him in person and feed him enough beer.)

If I were a bettin' man I'd figure if I know a few people doing this type of thing for quite a few years now -- there are bound to be many, many more....

Not sure what list to go to for talks on that type of thing. Blackhat.com has some older presentations on this subject.

-- Arian Evans

On Wed, Aug 19, 2009 at 8:36 AM, Rafael Ruiz <rafael.ruiz at navico.com> wrote:

Hi people,

I am a lurker (I think), I am an embedded programmer and work at Lowrance (a brand of the Navico company), and I don't think I can provide too much to security because embedded software is closed per se.
Or maybe I am wrong, is there a way to grab the source code from electronic equipment? That would be the only concern for embedded programmers like me, but I just like to learn about the things you talk about.

Thank you.

Greetings from Mexico.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
Current thread:
- embedded systems security analysis Arian J. Evans (Aug 20)
- embedded systems security analysis Goertzel, Karen [USA] (Aug 20)
- embedded systems security analysis Jeremy Epstein (Aug 20)
- embedded systems security analysis Rafael Ruiz (Aug 20)
- embedded systems security analysis Goertzel, Karen [USA] (Aug 21)