The Tao of Hardware,

The Te of Implants5 examples of simple and easy hardware implants

Joe FitzPatrick joefitz@securinghardware.com

AbstractEmbedded, IOT, and ICS devices tend to bethings we can pick up, see, and touch. They'redesigned for nontechnical users who think ofthem as immutable hardware devices. Evensoftware security experts, at some point,consider hardware attacks out of scope.Thankfully, even though a handful of hardwaremanufacturers are making some basic efforts toharden devices, there's still plenty of cheap andeasy ways to subvert hardware. The leakedANT catalog validated that these cheaphardware attacks are worthwhile. The projectsof the NSA Playset have explored what'spossible in terms of cheap and easy DIYhardware implants, so I've continued to applythose same techniques to more embeddeddevices and industrial control systems. I'll showoff a handful of simple hardware implants thatcan 1) Blindly escalate privilege using JTAG 2)Patch kernels via direct memory access on anembedded device without JTAG 3) Enablewireless control of the inputs and outputs of anoff-the-shelf PLC 4) Hot-plug a maliciousexpansion module onto another PLC withouteven taking the system offline and 5) Subvert asystem via a malicious display adapter. Some ofthese are new applications of previouslypublished implants - others are brand new. I'll conclude with some potential designdecisions that could reduce vulnerability toimplants, as well as ways of protecting existinghardware systems from tampering.

IntroductionIn Chinese Philosophy, Tao refers to theabsolute principle underlying the universe. Itcombines yin and yang and behavior in balancewith natural order. By extension, the Tao ofHardware refers to the fact that hardware wasand is the underlying bedrock upon witch allthe order of the world of computing dependsupon.Likewise, Te refers to virtue and inner power.This is relevant to implants, because regardlessof their size, complexity, or cost, they harnessinner strength that can dramatically affect theoperation of a normal hardware, and byextension, software system.Lao-Tze, the purported author of the Tao TeChing stated:‘Do the difficult things while they are simpleand do the great things while they are small”Fundamentally, this is the inner strength ofhardware implants. Given a complex mixedsystem of hardware and software, even oneincorporating best practices of both hardwareand software security, oftentimes the simplesthardware implant is able to take advantage ofsome small implicit trust made by the system,and extend that to undermine the entire system.

BackgroundBefore 2013, public knowledge of ‘malicious’hardware implants was generally limited togame console modchips. By tinkering or

tampering with a couple wires, these modchipsare able to undermine the hardware andsoftware security of game consoles to enablehome-brew, cross-region, backed up, andpirated games. While the hardware aspect -which often means installation requiressoldering to a relatively expensive piece ofconsumer electronics – limits adoption ofhardware modchips, it is often the hardwaremod chips that enable further research andunderstanding of systems that eventually makesoft-mods possible.On December 30, 2013, Der Spiegel published“Catalog Advertises NSA Toolbox”,highlighting leaked pages from a purportedcatalog of hardware and software implants andspy toys. Media may have been impressed bythe ‘magic’ some of the hardware implantswere capable of, but motivated hackers workedtogether to publish the NSA Playset, a suite ofopen-hardware and open-software re-implementations of many tools mentioned inthe leaked catalog.

This proved to the world that hardwareimplants are real, but also reminded us thathardware implants don’t live in a vacuum. Themost effective hardware implants exist to

install, enable, or empower malicious software,which is then a much more flexible andversatile tool to carry out the implant’s intendedpurpose.

This paper will review 5 separate uses ofimplants for malicious tampering with systems.First, an implant with a pre-programmed seriesof JTAG commands will escalate privilege of asoftware console with zero feedback from thesystem. Second, a malicious PCIe device willbe used to patch running kernels in anembedded network devices. Moving towardcritical infrastructure targets, an inexpensiveradio and microcontroller quickly embeddedinto an off-the-shelf PLC will enable remotewireless control of the PLC’s outputs withoutany software visibility. Continuing oninfrastructure targets, the previous JTAGimplant will be embedded into a hot-pluggableexpansion module in order to once again toggleoutputs of a PLC system without softwarevisibility. Lastly, this paper will explore somepossibilities of reprogrammable displayadapters that will soon be the only option fordisplay output on many computers.

Blindly Escalating Privilege via JTAGSOLDERPEEK from the NSA Playset is areimplementation of FLUXBABBIT, disclosedin the previously mentioned Der Spiegel article.It is a general-purpose microcontroller that canplay back a scripted series of JTAG commandsto modify the state an execution of a runningsystem. SOLDERPEEK was introduced atDEFCON 24, and was followed with “JTAG toRoot, 5 ways” which described a series ofdifferent ways that JTAG could be used tomanipulate an operating system to escalateprivilege.In this example, we use SOLDERPEEK todeliver a series of JTAG commands that willpatch getty on the fly to force authentication ofa user when they attempt to login. The target is

an Intel Quark CPU, and based on memoryanalysis of the system, we know where inmemory to find getty and exactly what addressto patch.

In this case, the implant was based on anATMega328p – found on many completeArduino boards for under $5. The payload wasprototyped with OpenOCD, and then a log ofJTAG transactions was trimmed down to theessential few to get the job done. Installationwas rapid because the chosen target boardalready had a JTAG header populated. Since thedesign of SOLDERPEEK is quite simple, it istrivial to adapt it to various shapes, sizes, andpinouts. Lasty – SOLDERPEEK speaks JTAG.At the lowest transport level, JTAG isstandardized, so SOLDERPEEK can work onx86, ARM, MIPS, and other architectures.

Patching Kernels via DMA on embedded devicesSLOTSCREAMER was another entry in theNSA Playset. While not based directly on anentry in any NSA catalog, similar capabilitiesare available from forensics tools suppliers.DMA attacks are not new, and PCIe basedDMA attacks have been demonstrated over andover again, but SLOTSCREAMER did it with a$15 ASIC instead of a $75 FPGA, meaning thata complete functional board is both compactand inexpensive.There is a common assumption that PCIe slotsonly exist in full-fledged desktop computers.The reality is that, in pursuit of I/O

performance, even sub-$10 embedded armSOCs now contain PCIe. Even when PCIe isnot used in a specific design, the functionalitystill exists on the silicon and may beconfigurable. Fundamentally, PCIe is aspecification designed to be easy to work withfrom a hardware perspective. As long as thewires are connected right, software can do allthe rest. Since PCIe devices are almostexclusively I/O devices, it makes sense forthem to be granted access to the system in orderto transfer data in and out of memory. DMA isnearly the whole point of why PCIe exists, soit’s usually trivial to get DMA working once aPCIe device is connected properly.In this case, the implant was inserted into aMediatek MT7629 MIPS-based router with aminiPCIe slot. This particular system ships witha linux image that includes built-in drivers forseveral PCIe-based SATA, USB, and WIFIcontrollers. By reporting itself to be a SATAcontroller, SLOTSCREAMER coaxes thesystem into enabling DMA access. In thisdemonstration, an attack system controlsSLOTSCREAMER via USB, but there is anembedded 8051 core that could handle all ofthat control.

The key takeaway from this example is thateven ‘small’ systems have advanced interfaces.No device is too simple or too complicated tobe impervious to implants. In addition, justbecause a device doesn’t use an interface likePCIe doesn’t mean the interface is trulydisabled in a way that it couldn’t be re-enabledfrom hardware.

Enable wireless control of an off-the-shielf PLCThe two previous examples could be dismissedas ‘junk hacking’. There’s no need to challengethat assertion, but the reality of junk hacking isthat it’s the NDA-free, low-risk playground forhoning hardware skills. The differencesbetween a $20 IOT doodad on kickstarter and a$300 PLC are minimal or nonexistent to askilled hardware engineer.The selected targets are Siemens S7-200 andS7-1200 Programmable Logic Controllers.These are devices that are used to controlvalved, dials, machinery and other controls inan industrial setting. Usually they are installedin secured locations – but not always. Inaddition the definition of ‘secured’ is relative.Disassembling either device reveals anorganized design with a Power PCB,Logic/CPU PCB, and I/O PCB. Off-the-shelfparts are easy to identify and the fundamentalfunctionality is apparent in a matter of secondsto a skilled engineer. Signals to control theindustrial equipment are generated by softwarerunning on an ARM cpu on the logic PCB, andthen travel over a connector to the I/O PCBwhere they are buffered and drive relays. Byintercepting these signals electrically, we cancontrol them far enough down the wire thatsoftware has no way of perceiving that they arebeing manipulated.As an implant, an off-the-shelf Arduino ProMicro ($2) is combined with an nRF24L01+radio module($1). The implant is so cheap, thewire and solder are significant contribution tothe overall cost of the implant.

Using sample code available directly fromArduino, the implant listens for a command toset an output to high when it receives a ‘1’, lowwhen it receives a ‘0’ and high-impedancewhen it receives an ‘x’.The implant is then placed inside the easilydisassembled PLC. Lines for Power, Ground,and Signal are soldered or crimped to specificlocations on the I/O PCB. The implant isreassembled and placed into service running aknown program – but at any point in time, theimplant might receive a command to alter theoutput of the system.What’s most surprising about this implant ishow cheap it is. Second, how quickly, easily,and undetectably it can be implanted into atarget devices. It might be unrealistic to enter acontrolled facility to manipulate an installedPLC, but it’s entirely conceivable to interdictshipments or otherwise intercept the supplychain to deliver tampered PLCs. Also – theconcept and implant are portable to nearly anytype of embedded system.

Hot-Plug malicious PLC expandersWhile the previous implant requireddisassembly and invasive manipulation of thetarget PLC, this implant is an attempt tomanipulate a live system. In this case,SOLDERPEEK is re purposed against aPhoenix Contact PLC.Inspecting the PLC reveals that there is a JTAGheader adjacent to the 10-pin female header thatthe expansion modules typically plug into.USB, Serial, and Ethernet modules areavailable, but the device ships with blanks inplace. Solderpeek is combined with carefullyplaced pogo pins inside a blank so that whenthe blank is inserted, it gets power from theexpansion header, and touches the JTAG pins ofthe exposed unpopulated header.Like many embedded processors, the NXPLPC1765 inside this PLC controls its outputsvia memory mapped IO regions. Analysis of the

PCB reveals which PLC outputs are driven bywhich LPC1765 I/O pins, and the relatedmemory mapped regions are well documentedin the chip’s datasheet.

In this scenario, the SOLDERPEEK isprogrammed to delay 5 seconds, then play backa JTAG script that will overwrite the GPIOoutput to turn on one of the output relays. Thecode running on the system is unaware that thishas happened, and operates like normal.Software control to enable/disable the outputworks like normal and never knows that therewas any manipulation.Critics of ‘junk hacking’ consider it unrealisticand too easy when targeting low-end consumerdevices, but the reality is that high endindustrial devices are not much different. JTAGshould be disabled – but it’s usually not. Testheaders still exist on most production devices.In this case, the implant can be attached to alive, running system in operation with minimalinterruption. The moral of the story – if you canget JTAG working, you win.

BadUSB-style display adaptersThe last implant is not a custom hardwaredevice, but a re-purposed off-the-shelf device.Malicious USB devices have been talked aboutfor over a decade marked by advanced in lowerand lower level attacks without muchimprovement in user habits. USB type C wasrecently unveiled as a new, better, more

universal connector. Regardless of any newvulnerabilities USB type C might have added,one new risk is how it affects usage andbehavior.For decades, display outputs have remainedmostly just outputs. As systems are smaller andmore integrated, and as display outputs requirehigher and higher bandwidths, manufacturerskeep combining display outputs with otherports. The combined Thunderbolt/Displayportconnectors on nearly all Macs are an example –you cannot plug in a display adapter withoutusing a port that also exposes a much morevulnerable interface (PCIe). The best solution isto carry and use only a trusted knownDisplayport to VGA/HDMI/Displayport cableand not trust others.USB type C causes this same problem again,but worse. Every USB type C device needs tosupport a series of interfaces, implemented inmultiple chips, regardless of whether anystandard USB functionality is needed. Theresult is an $80 Apple USB type C to HDMIadapter the only way to get display output forma Macbook – that comes complete with a suiteof progammable chips and pads for a JTAGheader. At the lower end of the spectrum areclones that have no experience or desire to takehardware precautions.

An inexpensive USB type C to HDMI adapteravailable for $20 includes two programmableNXP chips for power delivery and to supportthe USB Billboard Device – the USB devicethat shows up when you plug a USB type Cdisplay adapter into a host that doesn’t supportdisplay over USB type C. On this particular

device, the NXP USB microcontroller hasDevice Firmware Update enabled. Withoutopening the case, the micro controller can bereprogrammed to function as a keyboard, massstorage device, or any other USB functionality.The result is, with USB type C, even basicdevices have reached a level of complexity thatnormal end users can’t fathom or be expected tofathom.

Summary and ConclusionsIn summary, the 5 implants show each cost onlya few dollars. They can be implemented byanyone with basic electronics skills. Custommalicious hardware implants are no longerexclusive to nation-state actors, and belong inthe threat model whenever both supply chainand physical security can not be guaranteed. Asshown, it only takes a matter of seconds toinsert an implant that can completelyundermine the security of a system.