Cooking up a way to dig out buried cyber secrets

Hacking on a tiny scale shows how miniature data treasure chests can be opened for the world to see.

It’s Dr. Andrew Zonenberg’s first live “cooking” demo, and things aren’t going exactly as planned. But the chef manages to successfully prepare and serve up his creation to the crowd—a computer chip, stripped down and ready to be mined for info.

He calls it silicon hacking.

“A lot of people, I don’t think, are even aware it exists,” said Zonenberg, who works with IOActive in Seattle.

His audience at the S4 conference in Miami may know. They are cybersecurity experts from around the world.

But Zonenberg has a message he wants to get out about this kind of hacking that can bring businesses to their knees. The process, he said, is easy and cheap. 

“The more simple hardware hacks are not exclusively the domain of nation-states,” Zonenberg told Archer News. “They are something that a relatively unskilled and poorly-equipped adversary is able to pull off, and therefore is something you should be concerned about.”

The hack

Many people think of hacking as someone sitting at a computer and taking over another computer far away. This hack is up close and hands-on. 

Zonenberg’s supply list includes nail polish, acid, and a source of high-intensity ultraviolet light.

He wants to get inside the chip for its code, which could reveal a multitude of secrets. But the chip has protection to keep him out. So he’s simply going to erase that protection.

First, he drops the chip in acid to get rid of the plastic coating, a step he calls “depackaging” the chip.

“The depackaging process is on the order of an hour-ish,” he explained.

The audience doesn’t have an hour to wait, so Zonenberg produces one he depackaged earlier.

Then, he finds the sweet spot on the chip, the place where the secret info is stored. He covers that with black nail polish.

“It’s commonly available,” he said. “And it’s relatively opaque.”

It serves as a mask, to cover up that spot for what is about to happen next.

This time, however, the Miami weather may be changing his plans.

“The thickness of the nail polish,” he said. “It’s a little warmer here than the lab in Seattle, so I had a little trouble here not putting on too much.”

Too much, and his hack could be ruined. 

“I do this sort of stuff in the lab on a relatively routine basis,” he said. “I have never tried to do it in front of a live audience on stage, especially 3,000 miles from my lab. Here, I have to bring whatever I can in TSA-approved containers, so that gets a little bit tricky.”

U-V rays

Too much exposure to ultraviolet light, and you could damage your skin. It can damage computer chips, too.

Zonenberg exposes the chip to U-V light, and it erases the digital protections keeping him from getting to the data he wants.

The nail polish protects the “good” data. And Zonenberg manages to make his temperature-affected polish work for the live audience.

“All you’re doing is you’re trying to ensure that the ultraviolet hits the things you want erased, and not the things you want to keep,” Zonenberg said.

Now you’ve picked the chip’s lock, and you’re ready to get in.

“The goal is to get the code out from inside the chip,” he said. “What you do with that depends on your motivations.”

Motivations

The most common motivation is to reverse engineer the firmware to understand how it works, according to Zonenberg.

For some hackers, the next step is cloning.

“Cloning is a significant threat,” Zonenberg said. “Especially China and their poor enforcement of IP [intellectual property] laws. They’re getting better at it, but they’re still known as a place where software piracy and so on are widespread.”

“A lot of manufacturers of expensive equipment are concerned about someone just duplicating their entire product or making a very, very close rip-off,” he added.

Another motivation—trade secrets. Or, maybe you are fighting back.

“I suspect you used my patent in your chip. I want to reverse engineer your chip for evidence I can use to show a judge,” he said.

More sinister attacks

There is another threat, said Zonenberg, a threat to industrial control systems, with machines that use chips and run factories and power plants.

However, it would take another step for an attacker with a chip to mess with industrial control equipment, he explained.

“Being able to get the code out is not directly a threat to the security of the system,” he said. “The risk is that it can allow me to learn things that will later allow me to compromise something else remotely.”

The chef’s motivation

Silicon hacking does not have to be a nefarious endeavor, according to Zonenberg, who taught a course on it while working on his PhD at Rensselaer Polytechnic Institute in New York, and now does this kind of hardware hacking and reverse engineering for IOActive.

“Our focus is specifically on security,” he said.

He said you can study chips to see what vulnerabilities they have that bad guys can use later to attack.

Or, he said, you may want to retrieve confidential data that you can’t access otherwise.

“For example, encryption keys from a TPM [trusted platform module] or sensitive firmware off of a device. Or, if you’re just trying to understand how the device works to verify that it does what it’s labeled as doing,” he said.

Protection

Newer chips have more protection, he said.

“A lot of the more modern devices are immune to this attack, but the older ones are still out there. They’re still being used in new designs because they’re still cheap,” he said.

He said board designers should take note.

“If you are already using this chip, there is not a ton you can do, other than be aware that the attack is possible,” he said.

The hack is not new. In fact, there are YouTube videos showing the process for both good guys and bad guys to see.

But Zonenberg wants to remind people that an attacker with a few hundred dollars and a few hours of free time can pull secrets from chips that will let them defeat that same kind of chip in the future.

“It allows you to gather intelligence which may be useful in compromising it down the road,” he said.