Applied Physical Attacks on x86 Systems


On Monday the 28th of September 2015 a rather rare event occurred. At around 4 a.m. the moon turned a dim red; luckily the sky was clear enough to see something.

[ picture stolen from NASA ]

If you missed that event, your next chance will be in about 15 years or so.

The reason for being awake this early wasn’t the moon in the first place but what followed afterwards – my trip to the security conference in The Hague.

I won’t bore you with the details of the trip, so I will skip ahead in time.

It’s Tuesday the 29th, and seven eager people willing to get their hands dirty meet in a seventh-floor office room at “The Hague Security Delta” to learn something about hardware security. One of them was Joe FitzPatrick – our trainer for this and the next day.

The working title for these two days was “Applied Physical Attacks on x86 Systems”. I thought it was about ripping off cases with a hammer and setting server rooms on fire, but it wasn’t. It was about using hardware as an enabler to find software weaknesses and to exploit them. Since I already knew how to set things on fire, I thought I’d stay and learn about different attacks on various bus systems.

After a short introduction we jumped right into the topic.

USB was our first victim, but before we get into that – the theory. From the electrical-engineering side it’s basically used to charge your mobile phone.

First we looked at the operating-system level and how USB devices are mapped out on the system, then we took a deeper look at the logical level with a Saleae Logic 4 logic analyzer. Then it was time to launch our first attack: we wanted to disable Secure Boot on our Windows tablet to boot an alternative operating system from a USB drive. Said and done. We figured out which sequence of keyboard commands we needed and programmed the Teensy to present itself as a USB keyboard and replay them – a device that enumerates as a HID keyboard is trusted exactly like the real one. After successfully booting into Linux we restarted Windows and started fuzzing with the Facedancer. Weird speaker sounds and laughter were the outcome of crashing audio drivers.

Dumping firmware via SPI was the second part of the first day and the first part of the second day. Again we went from the operating-system level down to the logical level, and then to a dedicated hardware device, this time the BeagleBone Black. What we got out was two megabytes of BIOS image that could be analysed afterwards.
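Once the dump is on disk, the first things to check are that it is a real read rather than a blank capture from a mis-wired or unpowered chip, and where the UEFI firmware volumes sit inside it. The Python below is an added example, not code from the training or Joe’s material; it assumes an Intel-style image (flash descriptor signature at offset 0x10, `_FVH` firmware-volume headers) and builds a small constructed sample image instead of reading a real dump.

```python
"""Sanity-check a raw SPI flash dump of a PC BIOS image.

Added example, not code from the training. Layout facts used: the Intel flash
descriptor signature sits at offset 0x10 of the image, and every UEFI firmware
volume starts with an EFI_FIRMWARE_VOLUME_HEADER whose "_FVH" signature is at
offset 0x28 of the volume. The sample image below is constructed, not a dump."""
import struct
import sys

IFD_SIGNATURE = b"\x5a\xa5\xf0\x0f"   # Intel Flash Descriptor, bytes 0x10..0x13 of the chip
FV_SIGNATURE = b"_FVH"               # EFI_FIRMWARE_VOLUME_HEADER.Signature
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision -> 0x38 bytes before the block map
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)


def looks_blank(image: bytes) -> bool:
    """All-0xFF (or all-0x00) is a failed read, not a BIOS: wrong wiring, chip
    select never asserted, or the board not holding the chip out of reset."""
    return len(image) == 0 or image in (b"\xff" * len(image), b"\x00" * len(image))


def has_flash_descriptor(image: bytes) -> bool:
    return image[0x10:0x14] == IFD_SIGNATURE


def fv_header_checksum(header: bytes) -> int:
    """16-bit word sum over the header; a valid header sums to zero."""
    even = header[:len(header) // 2 * 2]
    words = struct.unpack("<%dH" % (len(even) // 2), even)
    return sum(words) & 0xFFFF


def find_firmware_volumes(image: bytes) -> list:
    """Walk the image for "_FVH" and keep only candidates with a plausible header."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 0x28                      # signature is 0x28 bytes into the header
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            fields = struct.unpack(FV_HEADER_FMT, image[start:start + FV_HEADER_SIZE])
            fv_len, hdr_len, revision = fields[2], fields[5], fields[9]
            if FV_HEADER_SIZE <= hdr_len <= fv_len and start + fv_len <= len(image):
                header = image[start:start + hdr_len]
                volumes.append({
                    "offset": start,
                    "length": fv_len,
                    "revision": revision,
                    "checksum_ok": fv_header_checksum(header) == 0,
                })
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def build_sample_image(size: int = 0x4000) -> bytes:
    """Constructed 16 KiB image: descriptor signature plus one 8 KiB volume at 0x1000."""
    img = bytearray(b"\xff" * size)
    img[0x10:0x14] = IFD_SIGNATURE
    fv_len = 0x2000
    block_map = struct.pack("<IIII", fv_len // 0x1000, 0x1000, 0, 0)  # 2 x 4 KiB blocks, then terminator
    hdr_len = FV_HEADER_SIZE + len(block_map)
    header = struct.pack(FV_HEADER_FMT, b"\x00" * 16, b"\x00" * 16, fv_len,
                         FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2) + block_map
    checksum = (-fv_header_checksum(header)) & 0xFFFF     # make the word sum come out to zero
    header = header[:0x32] + struct.pack("<H", checksum) + header[0x34:]
    img[0x1000:0x1000 + hdr_len] = header
    return bytes(img)


def report(image: bytes) -> dict:
    return {
        "size": len(image),
        "blank": looks_blank(image),
        "descriptor": has_flash_descriptor(image),
        "volumes": find_firmware_volumes(image),
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(report(data))
```

Run it with the path of a dump as the only argument; without one it checks the constructed sample. A dump that fails `looks_blank` or has no descriptor is worth re-wiring before spending any time in a disassembler.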

After recapping the SPI results we went on to I2C (or SMBus). Enumerating the bus from the operating-system level with i2cdetect was our first step. With the BeagleBone Black and some wires in the right places we were able to do the same without any help from the target’s operating system.
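Comparing the OS-level scan with what the BeagleBone sees is where the difference shows: i2cdetect prints `UU` for addresses a kernel driver has already claimed and does not probe them, and by default it skips the reserved addresses below 0x03 and above 0x77. The Python below is an added example, not anything from the training; it parses a constructed i2cdetect grid and lists what an external probe answered that the OS view did not report (the external address list is constructed as well, and the “typical use” hints are an assumption for orientation only).

```python
"""Parse an i2cdetect grid and compare it with an external bus walk.

Added example, not code from the training. i2cdetect prints one row per 16
addresses: "--" means no acknowledge, "UU" means a kernel driver owns the
address so it was not probed, and a hex value means the device acknowledged.
The sample grid and the external address list below are constructed."""
import re

SAMPLE_I2CDETECT = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- UU -- -- -- -- -- -- --
50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""

# What acknowledged when the same bus was probed from the BeagleBone (constructed).
SAMPLE_EXTERNAL_PROBE = [0x48, 0x50, 0x51, 0x57]

ROW_RE = re.compile(r"^([0-9a-fA-F]{2}):(.*)$")


def parse_i2cdetect(text: str) -> dict:
    """Return the addresses that acknowledged and those i2cdetect skipped as driver-owned."""
    present, busy = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                                  # header row
        base = int(m.group(1), 16)
        cells = m.group(2)
        for col in range(16):
            cell = cells[col * 3:col * 3 + 3].strip()  # every cell is three characters wide
            addr = base + col
            if cell in ("", "--"):
                continue                              # not scanned, or no acknowledge
            if cell == "UU":
                busy.append(addr)
            elif int(cell, 16) == addr:
                present.append(addr)
            else:
                raise ValueError("cell %r does not match address 0x%02x" % (cell, addr))
    return {"present": present, "busy": busy}


def hidden_from_os(os_scan: dict, external: list) -> list:
    """Addresses the external probe saw that the OS-level scan did not report as
    acknowledging: driver-owned ones it never probed, plus anything it missed."""
    seen = set(os_scan["present"])
    return sorted(a for a in external if a not in seen)


def typical_use(addr: int) -> str:
    """Rough orientation only (assumption): common occupants on PC-class boards."""
    if 0x50 <= addr <= 0x57:
        return "SPD EEPROM on a DIMM, or a 24Cxx-style EEPROM"
    if 0x48 <= addr <= 0x4F:
        return "LM75-class temperature sensor"
    return "unknown"


if __name__ == "__main__":
    scan = parse_i2cdetect(SAMPLE_I2CDETECT)
    print("present:", [hex(a) for a in scan["present"]])
    print("driver-owned:", [hex(a) for a in scan["busy"]])
    for a in hidden_from_os(scan, SAMPLE_EXTERNAL_PROBE):
        print("only seen externally: 0x%02x (%s)" % (a, typical_use(a)))
```

Feed it the saved output of `i2cdetect -y <bus>` and the address list from the external probe; everything in the “only seen externally” list is a device the OS either hides behind a driver or never asked, which is exactly what the BeagleBone wiring was for.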

In the end we also took the time for an additional session on PCI (the hardware one).

All in all, I learned a ton of new things and Joe did a great job of getting things across. And no magic smoke escaped from the hardware we used.

One of the first pictures I took in The Hague. Besides the bad quality and my thumb it contains an error – can you spot it?

Tip: it’s not the thumb.