Next Baysec: July 17th at Pete’s Tavern

The next Baysec meeting is Thursday at Pete’s Tavern. Come out and meet fellow security people from all over the Bay Area.  As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.  Thanks go to Ryan and Rick Wesson for planning all this.

See you on Thursday, July 17th, 7-11 pm.

Pete’s Tavern
128 King St. (at 2nd)
San Francisco

RFID industry tries to spin toll findings

I was interviewed today regarding my findings regarding the Fastrak electronic toll collection system.  It seems that the industry PR spin machine has already begun responding.

First, this article questions my credibility and claims that the Fastrak transponder is read-only.

‘If Lawson has not even established that FasTrak transponders are a read-only device (best called a “tag”) rather than read-write, then he’s totally unqualified to be talking about potential misuse.’

Apparently the author of the article has not even opened the cover on a Fastrak transponder.  They use an MSP430F1111A microcontroller, which is flash-based.  The firmware and all the data (i.e., your unique ID) are stored in flash.  I can easily authenticate this claim by revealing that your 32-bit ID appears at address 0x1002, which is part of the full “0x0001” Title 21 response packet.

Also reverse engineering this device is hardly much of an accomplishment since all the specifications and protocols of Title 21 are open source.

The base specification for Title 21 is freely available, but the extensions to it are not.  On disassembling a firmware dump from a transponder, I found some surprising things, including messages that allow a reader to update the transponder flash in the field.  Again, I can back up this claim with the message IDs that start this update process: 0x00DE and 0x0480.  To unlock the update process, you need to provide a global key that I will not reveal.

Second, I’ve heard that a vendor plans to issue a press release.  Expect the standard claims that privacy is protected because they “encrypt” your unique ID in their database and data is not retained for very long.  What they mean by “encrypt” is “replace each unique ID with a different one”.  The problem is, replacing the unique ID “CAR-A” with “WXYZ” does not change much.  There is still a unique ID that is stored which always corresponds to the same car, enabling tracking.  Somehow, that information is subject to subpoena, something few Fastrak users are aware of.  Corporations issue privacy policies describing exactly what information is collected and how long it is stored.  Where can I find that information about Fastrak?
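To make the point about "encrypting" IDs concrete, here is an added example (mine, not anything from the post, from a toll operator, or from any vendor). It feeds constructed transponder reads through a fixed replacement ID, the kind of renaming the post describes, and shows that a tracker grouping records by the stored ID recovers exactly the same per-vehicle routes as with the raw IDs. It goes one step further than the post and contrasts that with a replacement ID that also depends on the day, so records from different days no longer join on the stored value; the operator secret, plaza names, and reads are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample reads: (transponder ID, toll plaza, day, hour).
# Not real FasTrak data; plaza names are only labels for the example.
SAMPLE_READS = [
    ("CAR-A", "Plaza-1", 1, 8),
    ("CAR-B", "Plaza-1", 1, 8),
    ("CAR-A", "Plaza-2", 1, 17),
    ("CAR-B", "Plaza-3", 1, 18),
    ("CAR-A", "Plaza-1", 2, 8),
    ("CAR-B", "Plaza-4", 2, 19),
]

# Hypothetical operator secret used to derive the replacement IDs.
OPERATOR_SECRET = b"constructed-operator-secret"


def static_pseudonym(tag_id, day):
    """'Encrypt' as the post describes it: one fixed replacement ID per transponder.
    The day is ignored, so every read of the same car maps to the same stored value."""
    return hashlib.sha256(OPERATOR_SECRET + tag_id.encode()).hexdigest()[:8]


def rotating_pseudonym(tag_id, day):
    """Assumed mitigation (not the operator's): the replacement ID also depends on
    the day, so records from different days cannot be joined on the stored ID."""
    return hashlib.sha256(OPERATOR_SECRET + f"{tag_id}|{day}".encode()).hexdigest()[:8]


def reconstruct_routes(reads, key_fn):
    """What a tracker does with the stored records: group by stored ID, order by time.
    Returns {stored_id: [plaza, plaza, ...]} in chronological order."""
    by_key = defaultdict(list)
    for tag_id, plaza, day, hour in reads:
        by_key[key_fn(tag_id, day)].append((day, hour, plaza))
    return {k: [plaza for _, _, plaza in sorted(v)] for k, v in by_key.items()}


def distinct_ids(reads, key_fn):
    """Number of distinct stored IDs, i.e. how many 'vehicles' the database can tell apart."""
    return len(reconstruct_routes(reads, key_fn))


def linkability_unchanged(reads):
    """True when the static replacement yields exactly the same per-vehicle groupings
    as the raw IDs, i.e. renaming did nothing to prevent tracking."""
    raw = sorted(reconstruct_routes(reads, lambda tag_id, day: tag_id).values())
    renamed = sorted(reconstruct_routes(reads, static_pseudonym).values())
    return raw == renamed


if __name__ == "__main__":
    print("raw IDs:", distinct_ids(SAMPLE_READS, lambda t, d: t))
    print("static replacement:", distinct_ids(SAMPLE_READS, static_pseudonym))
    print("rotating replacement:", distinct_ids(SAMPLE_READS, rotating_pseudonym))
    print("static renaming changes nothing for tracking:", linkability_unchanged(SAMPLE_READS))
```

The static replacement still yields two trackable vehicles with their full routes; the rotating one yields four unrelated fragments, each confined to a single day. Note the caveats: reads within one day are still linkable, and the operator holding the secret can always recompute the mapping, so the rotating form only limits what a retained database reveals to someone who later obtains it, for example under subpoena.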

Finally, I spoke last week to a consultant to Caltrans who offered to get the local MTC agency technical staff in touch with me.  I explained that I’d be happy to describe my findings and recommendations to them in advance of my Blackhat talk at no charge.  Anyone from those agencies can contact me via my company website here.

Dead-listing while on vacation

I just got back from a nice vacation with no laptop.  What do I do on long plane rides or while listening to the waves lap against the beach?  Dead-listing.

Dead-listing is analyzing the raw disassembly of some target software and figuring it out using only pen and paper.  This is great for vacations because your laptop won’t get sand in it.  You usually have a long period of time to muse about the code in question without interruptions, something hard to find at home these days.  And I’ve gotten some of my best ideas after setting aside my papers for a while and going for a long swim.

Before you leave, pick an interesting target: not too big, not too small.  Not just x86 either — ever wondered how one of your cellphone’s applications worked?  Never looked at a familiar application’s Java bytecode?  Then, get a copy of a disassembler for your target and run it.  I often use IDA but for less common CPU architectures, any one will do.  Remember that you don’t need full analysis at this point, although it’s useful to be able to separate data from instructions and get basic symbols resolved.

Search the assembly code for any external libraries that might be important.  Disassemble them too.  While you’re at it, see if you can find the source code or API reference for any of those files.  Code reuse helps you reduce the amount you have to reverse yourself.

Now take the listing file and do some cleanup.  I like to use a small font that prints well and convert all the call (subroutine) instructions to bold.  I insert some extra empty lines before each call target to allow me room to write notes.  Finally, I print the listing in landscape with two columns per page.  This leaves room for notes on the righthand side of each column and some at the bottom.  A binder clip makes it easy to keep pages in order or remove them to compare.
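The listing cleanup above is easy to automate. The script below is an added example of mine, not a tool from the post: it reads a disassembler listing, marks every call instruction (here with `**...**` markers, on the assumption that whatever you print from can turn those into bold), collects the call targets, and inserts a few blank note lines plus a `sub_XXXX` label before each target so the "symbol table" page starts out pre-populated. The listing it runs on is constructed in a generic MSP430-like syntax and is not a dump of any real device; the mnemonic set and line format are assumptions you would adjust for your own disassembler's output.

```python
import re

# Mnemonics treated as subroutine calls; extend for your target CPU (assumption).
CALL_MNEMONICS = {"call", "bl", "jsr", "bsr"}

# Assumed listing line shape: "<hex addr>  <mnemonic>  <operands>".
LINE_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f]{4,8})\s+(?P<mnem>[A-Za-z.]+)\s*(?P<ops>.*)$")
# First hex literal in a call's operands is taken as its target (e.g. "#0x1100").
TARGET_RE = re.compile(r"#?(?:0x)?([0-9A-Fa-f]{3,8})\b")

# Constructed listing; not disassembly of any real firmware.
CONSTRUCTED_LISTING = """\
1000  mov.w  #0x0300, SP
1004  call   #0x1100
1008  call   #0x1200
100C  jmp    0x1004
1100  push   R4
1102  mov.w  &0x0020, R4
1106  call   #0x1200
110A  pop    R4
110C  ret
1200  bit.b  #0x01, &0x0020
1204  jz     0x1200
1206  ret
"""


def parse_listing(text):
    """One dict per listing line. Lines that are not 'addr mnemonic operands'
    (labels, data, comments) are kept verbatim with addr=None so nothing is lost."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"addr": int(m["addr"], 16), "mnem": m["mnem"].lower(),
                            "ops": m["ops"], "raw": raw.rstrip()})
        else:
            entries.append({"addr": None, "mnem": "", "ops": "", "raw": raw.rstrip()})
    return entries


def find_call_targets(entries):
    """Map each call target address to the number of call sites that reach it."""
    targets = {}
    for e in entries:
        if e["mnem"] in CALL_MNEMONICS:
            m = TARGET_RE.search(e["ops"])
            if m:
                t = int(m.group(1), 16)
                targets[t] = targets.get(t, 0) + 1
    return targets


def prepare_for_print(text, note_lines=3):
    """Return (output lines, call targets): calls wrapped in ** markers, and each
    call target preceded by `note_lines` blank lines and a sub_XXXX label."""
    entries = parse_listing(text)
    targets = find_call_targets(entries)
    out = []
    for e in entries:
        if e["addr"] in targets:
            out.extend([""] * note_lines)
            out.append(f"; sub_{e['addr']:04X}  (called from {targets[e['addr']]} site(s))")
        line = e["raw"]
        if e["mnem"] in CALL_MNEMONICS:
            line = f"**{line}**"
        out.append(line)
    return out, targets


def symbol_table(targets):
    """Starter symbol table page: one provisional name per call target, by address."""
    return [f"{addr:04X}  sub_{addr:04X}" for addr in sorted(targets)]


if __name__ == "__main__":
    lines, targets = prepare_for_print(CONSTRUCTED_LISTING)
    print("\n".join(lines))
    print("\n".join(symbol_table(targets)))
```

Run it on the listing file and print the result in landscape with two columns; the `sub_XXXX` labels are deliberately provisional so you can cross them out and write real names as you finalize them.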

Since you won’t have access to the Internet, you’ll need to find some basic reference materials.  The key is to get the basics without carrying a ream of paper.  For an embedded system, I usually find or make a small instruction set reference sheet including status flags, I/O port table, PCB layout photos, and any integrated peripherals I find during a brief search of the data accesses.  Print these out and put a full copy of all the files on a USB flash drive.  You might stop by an Internet cafe if you find you really need to read a missing page.  I’ve never found that necessary though.  If I can’t infer the function of a particular I/O access, I’ll just look at the whole block’s general effect and take a guess.

The most important part is to stay light.  You don’t need exhaustive manuals (e.g., instruction timing).  Instead, treat these barriers as a challenge.  For example, most timing loops are relative to each other.  You can figure out that one loop is twice as slow as the other without knowing its exact delay in nanoseconds.  Doing hexadecimal conversions on paper builds character.

Once you’re away, enjoy doing a little bit at a time.  I’d often work through a subroutine or lay out a switch statement over coffee before the family gets moving, then set it aside for the rest of the day.  Before putting it down, keep a separate log of open questions and tasks, marking them off as you solve them.  I usually reserve a page in this notebook as my “symbol table”, marking down function names/addresses as I finalize them.

I mostly work through the code in two modes: looking for high level blocks or walking through a single subroutine in detail.  Was this compiled C or C++?  How does the optimizer work?  When accessing hardware, where did the author use inline assembly?  Draw arrows, bracket blocks, use highlighters if that’s your style.  Since it’s more free-form than working on a computer, you’ll find new ways to annotate it.  The amount of marks per page gives a good idea as to code coverage so you can start a day by refining an existing page or try to take a broad guess what a blank page does.

I am always surprised how much I accomplish in only a little bit of time using this method.  It’s also so much fun.  Throw in reading a few interesting but unrelated books and you may wax philosophical on the meaning of life or why the compiler suddenly switched to byte instead of word operations for a single function.

I hope you have a great summer.  Be sure to stop by my Blackhat 2008 talk, “Highway to Hell: Hacking Toll Systems”.  I’ll be posting more details about it here in the coming weeks.

Next Baysec: June 19th at Pete’s Tavern

The next Baysec meeting is Thursday at Pete’s Tavern. Come out and meet fellow security people from all over the Bay Area.  As always, this is not a sponsored meeting, there is no agenda or speakers, and no RSVP is needed.  Thanks go to Ryan for planning all this.

See you on Thursday, June 19th, 7-11 pm.

Pete’s Tavern
128 King St. (at 2nd)
San Francisco

China hax0rs US

Like any mainstream article on security, this recent AP article sensationalizes China’s response to multiple accusations of state-sponsored hacking. First, the money quote:

“Is there any evidence? … Do we have such advanced technology? Even I don’t believe it.”
— Foreign Ministry spokesman Qin Gang

Is this supposed to play into some pompous Western belief that China is a backwater and thus incapable of hacking computers? Does anyone believe it takes advanced technology to break into PCs?

Next we have the meaningless numbers. The Pentagon claims its network is scanned or attacked 300 million times a day. For this to be true, that would be an average of 3400 times per second. If we consider every packet to be a scan, that is about 200 KB/second. However, the entire port scan should be considered a single attempt. Of course, bigger numbers sound more scary and justify a higher budget. Perhaps each TCP option in the header of each packet could be considered a separate attempt since they could be attacking both timestamp and window scaling implementations!

The more interesting allegations are that China copied the contents of a laptop of the visiting U.S. Commerce Secretary and hacked into the office computers of two House representatives. The laptop incident is more interesting since it seems easier to prove. Did they confiscate the laptop and take it to another room? Did the file access times change or was it powered off? I assume he continued using the laptop during the trip and thus it would be harder to tell. Was he using disk encryption? Why not?

The allegations regarding the two House members are much less provable. The FBI investigated their computers and said they’d been accessed by people in China. How did they first decide they should call the FBI? Porn popups? Without more evidence showing a clear intent, this is more likely a malware incident. It is surprisingly convenient that their allegations appear alongside House Intelligence committee meetings on hacking.

Interview about DRM on Security Focus

Security Focus just posted this interview of me, talking about DRM. Here are a few choice quotes.

On authoring software protection for Vista:

The rules of the game are changing recently with Microsoft Vista kernel patch protection. If you’re a rootkit author, you just bypass it. If you’re a software protection designer, you have to play by its rules. For the first time in the PC’s history, it’s not a level playing field any more. Virus scanner authors were the first to complain about this, and it will be interesting to see how this fundamental change affects the balance of power in the future.

On using custom hardware for protection:

Custom hardware often gives you a longer period until the first break since it requires an attacker’s time and effort to get up to speed on it. However, it often fails more permanently once cracked since the designers put all their faith in the hardware protection.