Backdooring Hardware Devices By Injecting Malicious Payloads On Microcontrollers

Conference:  Defcon 27



The presentation discusses three different payload-injection techniques for microcontrollers, together with the program memory protections that exist as a security measure.
  • The first four sections of a microcontroller program are not relevant to the injection techniques.
  • The reset vector is always located at memory address 0000 and is followed by a jump to the first assembly instruction of the program.
  • The interrupt vector is located at address 8 or 18.
  • To inject a payload into a microcontroller, the assembly instruction subset specific to the target device must be used.
  • The payload's opcodes must be checked, and the checksum of every affected line after the payload section must be corrected.
  • The modified firmware with the injected payload can be loaded onto the target device using MPLAB IDE or MPLAB IPE with a PICkit.
  • Program memory protections can be used to prevent memory dumps and to guard against such security threats.
The presentation gives an example of modifying a microcontroller program to inject a payload that makes a car inject both petrol and CNG at the same time, which may not be safe for the car.


Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots. In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieving payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second, and more complex, technique, we will backdoor the EUSART communication by injecting a malicious payload into the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller's program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made of instructions already present in the original program, performing it just like a ROP-chain technique.
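The summary above notes that an injected payload only survives the programmer if the record checksums of the modified image are corrected; from the defender's side, that means a firmware image whose checksums validate is not evidence that it is unmodified. The following Python is an added example, not code from the talk: it parses an Intel HEX image of the kind MPLAB IPE or a PICkit programs, flags records whose checksum no longer matches, and diffs the reset/interrupt vector region against a known-good image. The sample records, addresses and byte values are constructed for illustration.

```python
# Added example, not code from the talk: validate a PIC-style Intel HEX image,
# flag records whose checksum no longer matches, and diff the reset/interrupt
# vector region against a known-good ("golden") image of the same firmware.
from typing import Dict, List, Tuple

def parse_record(line: str) -> Tuple[int, int, int, bytes, bool]:
    """Return (length, address, type, data, checksum_ok) for one Intel HEX record."""
    raw = bytes.fromhex(line.strip()[1:])          # drop the leading ':'
    length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    data, stored = raw[4:4 + length], raw[4 + length]
    expected = (-sum(raw[:4 + length])) & 0xFF     # two's complement of the byte sum
    return length, addr, rtype, data, stored == expected

def load_image(hex_text: str) -> Tuple[Dict[int, int], List[int]]:
    """Map byte address -> value; also list the 1-based lines whose checksum is wrong."""
    image, bad_lines, base = {}, [], 0
    for n, line in enumerate(hex_text.splitlines(), 1):
        if not line.strip():
            continue
        length, addr, rtype, data, ok = parse_record(line)
        if not ok:
            bad_lines.append(n)
        if rtype == 0x04:                          # extended linear address record
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x00:                        # data record
            for i, b in enumerate(data):
                image[base + addr + i] = b
    return image, bad_lines

def audit(candidate_hex: str, golden_hex: str, region=(0x0000, 0x0010)) -> dict:
    """Bad checksums catch sloppy edits; the golden diff catches edits with fixed ones."""
    golden, _ = load_image(golden_hex)
    image, bad_lines = load_image(candidate_hex)
    changed = [a for a in range(*region) if golden.get(a) != image.get(a)]
    return {"bad_checksum_lines": bad_lines, "changed_vector_bytes": changed}

# Constructed sample images; the byte values are illustrative, not real firmware.
GOLDEN_HEX = ":080000000528000000000000CB\n:080008000000000000000000F0\n:00000001FF\n"
# Reset-vector bytes altered but the record checksum left stale (detected by checksum).
STALE_HEX = ":080000000029000000000000CB\n:080008000000000000000000F0\n:00000001FF\n"
# Same alteration with the checksum recomputed, so only the golden diff reveals it.
FIXED_HEX = ":080000000029000000000000CF\n:080008000000000000000000F0\n:00000001FF\n"

if __name__ == "__main__":
    print(audit(STALE_HEX, GOLDEN_HEX))  # {'bad_checksum_lines': [1], 'changed_vector_bytes': [0, 1]}
    print(audit(FIXED_HEX, GOLDEN_HEX))  # {'bad_checksum_lines': [], 'changed_vector_bytes': [0, 1]}
```

Extend the audited region to the whole image (or hash it) to catch payloads placed in peripheral routines rather than at the vectors; the checksum check alone is never sufficient.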


