logo
allArticlesConferencesPresentations

Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability

Conference:  Defcon 26

2018-08-01

Summary

The presentation discusses the vulnerability found in ARM Cortex M SOC and how it can be exploited to implant malware into the peripheral. The focus is on the security measures built within and around the chip, and how they can be bypassed.
  • ARM Cortex M SOC vulnerability and how it can be exploited to change the SOC unique ID and write firmware or turn the device into a trojan or bot
  • Breaking the security measures built within the SOC and bypassing the unique ID verification in secure boot
  • Breaking the security measures built around the SOC and writing into the firmware
  • Recommendations for chip users to prevent such vulnerabilities
The presentation provides examples of attacks, such as modifying the Remora of a promoter cell to talk linear by cellular user, and discusses the implementation of secure boot in various systems. It also highlights the importance of unique ID feature and customized bootloader to protect against readout and erasure of flash memory.

Abstract

There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware.
Materials:
Tags:

Post a comment

Related work

2021: A Titan M Odyssey

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Fatal Fury on ESP32: Time to Release Hardware Exploits

Conference:  BlackHat EU 2019
Authors:
2019-12-05

Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Google Reimagined a Phone. It was Our Job to Red Team and Secure it.

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Secure and Dynamic Hardware Partitioning Management on Heterogeneous SoC

Conference:  Linux Security Summit Europe 2022
Authors: Zahra Tarkhani
2022-09-15

Behind the scenes of iOS and Mac Security

Conference:  BlackHat USA 2019
Authors:
2019-08-08