Backdooring Hardware Devices by Injecting Malicious Payloads on Microcontrollers

Conference:  BlackHat USA 2019



The presentation discusses techniques for injecting malicious code into microcontrollers and protecting program memory from memory dumps.
  • Techniques for finding a place to inject malicious code into microcontrollers were discussed
  • Specific assembly subsets for the target device must be used to turn on different LEDs in a picmicrocontroller
  • Program memory protections can be used to prevent memory dumps and protect against overwriting the program memory of microcontrollers
The presenter provided an example of a proof-of-concept where a modified firmware with injected payload caused two additional lights to turn on in a device that originally had four blue lights for petrol and one yellow light for CNG or CMD sectors.


Throughout the years, many studies have been published addressing different ways of backdooring devices by leveraging on their own hardware components. However, most of the existing work focuses on backdooring devices based on powerful microprocessors – such as ARM, Intel or AMD – instead of microcontrollers.Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car's ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.In this talk, it will be explained how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and inject our payload there, this is an easy way to execute it at least once. As a second, and more complex technique, we will backdoor the EUSART communication injecting a malicious payload at the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allow us to take control of the microcontroller's program flow by manipulating the stack writing memory addresses at the TOS; with this we can execute a payload made with instructions already written in the original program, performing it just like a ROP-chain technique.