HES2011 - Itzik Kotler - Let me Stuxnet You


Transcript of HES2011 - Itzik Kotler - Let me Stuxnet You

1. Let Me Stuxnet You
  Itzik Kotler, CTO, Security Art | April 2011
  All rights reserved to Security Art Ltd. 2002 - 2010 | www.security-art.com

2. Goodbye World!
  • Stuxnet and Cyber Warfare are exploiting the (it's complicated) relationship between Software and Hardware to cause damage and sabotage!
  • Today it's a country that seeks to destroy another nation and tomorrow it's a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.

3. Can Software Damage Hardware?
  Yes!
  • Software controls hardware, and it can make it perform a damaging operation
  • Software can damage other software that runs or operates hardware
  • Software controls hardware, and it can make it perform an operation that will be damaging to other hardware

4. Industrial Cyber Warfare Attack?
  • Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures
  • A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company!
  • Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more

5. Meet Permanent Denial-of-Service
  • Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.
  • The damage potential is on a grand scale; almost anything and everything is controlled by software that can be modified or attacked

6. Industrial Cyber Warfare: Why & Who?
  • Industrial Espionage
  • Rival Companies
  • Foreign Countries
  • Terrorism
  • Political/Social Agenda
  • Revenge
  • Blackmailing
  • Greed, Power, etc.

7. Permanent Denial-of-Service 101
  • Phlashing: Overwriting the firmware of the component and making it useless (i.e. Bricked)
  • Overclocking: Increasing the working frequency of the component and making it unstable and overheat

8. Permanent Denial-of-Service (Cont.)
  • Overvolting: Increasing the input voltage of the component to zap it or cause it to overheat
  • Overusing: Repetitively using a mechanical feature of the component to cause it to wear quicker

9. Permanent Denial-of-Service (Cont.)
  • Power Cycling: Repetitively turning the power supply to the component on and off to cause it to wear quicker (due to temperature fluctuation and spikes)

10. Local Attacks
  Does anyone smell smoke?

11. Computer Fans
  • Not a target, per se.
  • Disabling the fan or slowing down its RPM can result in increased temperature
  • Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service

12. CPU
  • Overheating due to Stressing
  • Overheating due to Overclocking
  • Overheating due to Overvolting
  • Overheating due to (always on) P0 @ APM/ACPI
  • Bricking due to Phlashing (via Microcode Flashing)

13. CPU: Infinite Loop
  x86 Assembly Code: jmp
  Description: Infinite loop that jumps to self

14. CPU: Microcode Flashing
  • Not your typical firmware update
  • Microcode goes into the processor, providing a slightly higher level or more complex commands based on the processor's basic ("hard-wired") commands
  • Microprogramming can be used to abuse or to damage the microprogram within the processor

15. RAM
  • Overheating due to Overclocking
  • Overheating due to Overvolting
  • Burnout due to Overvolting

16. GPU (Graphics Processing Unit)
  • Overheating due to Overclocking
  • Overheating due to Overvolting
  • Bricking due to Phlashing
  • Utilities (e.g. nvflash, NiBiTor, etc.)

17. Hard disk drive
  Traditional (i.e. Mechanical)
  • Overheating due to Excessive Write & Read
  • Wearing out due to Excessive Head Parking
  • Bricking due to Phlashing
  Solid-state drive
  • Wearing out due to Excessive Write

18. Hard Drive: Pseudo Format Attack
  Command: while true; do
  Description: Infinite loop of read and write requests to disk

19. Hard Drive: Spindown Attack
  Commands: hdparm
  Description: Sets disk

20. BIOS: Bricking/Firmware Flashing
  • Bricking due to Phlashing

21. Rogue BIOS Firmware as Platform
  Allows automation of:
  • Overclocking of CPU, RAM, etc.
  • Overvolting of CPU, RAM, etc.
  • Power Cycling (of the whole System)
  Can include a Self-destruct function

22. CD-ROM/DVD-ROM
  • Wearing out due to Overusing the drive tray
  • Bricking due to Phlashing

23. CD-ROM: Mechanical Part Attack
  Code: while true; do eject; eject -t; done
  Description: Infinite loop that opens and closes the CD-ROM tray

24. Memory Wear
  • Flash memory has a finite number of program-erase cycles (aka P/E cycles).
  • Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles before the wear begins to deteriorate the integrity of the storage
  • Popular products that are based on, or use, Flash memory: USB DiskOnKeys, Solid-state Drives, Thin Clients, Routers and more.

25. Flash: Memory Wear Attack
  Code: dd
  Description: Infinite loop that excessively writes pseudo-random data to a flash memory

26. NIC (Network Interface Card)
  • Bricking due to Phlashing

27. NIC: TCP Offload Engine
  • TCP Offload Engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.
  • TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet
  • TOE is implemented in hardware, so patches must be applied to the TOE firmware

28. CRT Monitor
  • There are problems at scan rates which exceed the monitor's specifications (low or high).
  • Some monitors can blow if given a too low scan rate or an absent or corrupted signal input.

29. XFree86 Screen Configuration
  HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors
  HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors
  (taken from a real-life XFree86 Config file)

30. Floppy Drive
  • Wearing out due to Excessive Head Rotation
  • On some floppy drives there is no validity checking on sector/track values, and so the floppy head might ge