HES2011 - Itzik Kolter - Let me Stuxnet You

All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com Itzik Kotler | April 2011 Let Me Stuxnet You Itzik Kotler CTO, Security Art

Transcript of HES2011 - Itzik Kolter - Let me Stuxnet You

Page 1: HES2011 - Itzik Kolter - Let me Stuxnet You

All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com

Itzik Kotler | April 2011

Let Me Stuxnet You

Itzik Kotler, CTO, Security Art

Page 2: HES2011 - Itzik Kolter - Let me Stuxnet You

All rights reserved to Security Art Ltd. 2002 - 2011

www.security-art.com

Goodbye World!

• Stuxnet and Cyber Warfare are exploiting the (it’s complicated) relationship between Software and Hardware to cause damage and sabotage!

• Today it’s a country that seeks to destroy another nation and tomorrow it’s a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.

Page 3: HES2011 - Itzik Kolter - Let me Stuxnet You

Can Software Damage Hardware? Yes!

• Software controls hardware, and it can make it perform a damaging operation

• Software can damage other software that runs or operates hardware

• Software controls hardware, and it can make it perform an operation that will be damaging to other hardware

Page 4: HES2011 - Itzik Kolter - Let me Stuxnet You

Industrial Cyber Warfare Attack?

• Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures

• A successfully delivered Industrial Cyber Warfare attack causes financial loss, operational loss, or both to the attacked company!

• Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more

Page 5: HES2011 - Itzik Kolter - Let me Stuxnet You

Meet Permanent Denial-of-Service

• Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.

• The damage potential is on a grand scale, almost anything and everything is controlled by software that can be modified or attacked

Page 6: HES2011 - Itzik Kolter - Let me Stuxnet You

Industrial Cyber Warfare: Why & Who?

• Industrial Espionage
  – Rival Companies
  – Foreign Countries

• Terrorism
  – Political/Social Agenda
  – Revenge

• Blackmailing
  – Greed, Power and etc.

Page 7: HES2011 - Itzik Kolter - Let me Stuxnet You

Permanent Denial-of-Service 101

• Phlashing:
  – Overwriting the firmware of the component and making it useless (i.e. “Bricked”)

• Overclocking:
  – Increasing the working frequency of the component and making it unstable and overheat

Page 8: HES2011 - Itzik Kolter - Let me Stuxnet You

Permanent Denial-of-Service (Cont.)

• Overvolting:
  – Increasing the input voltage of the component to “zap” it or cause it to overheat

• Overusing:
  – Repetitively using a mechanical feature of the component, causing it to wear quicker

Page 9: HES2011 - Itzik Kolter - Let me Stuxnet You

Permanent Denial-of-Service (Cont.)

• Power Cycling
  – Repetitively turning the power supply to the component on and off, causing it to wear quicker (due to temperature fluctuation and spikes)

Page 10: HES2011 - Itzik Kolter - Let me Stuxnet You

Local Attacks

Does anyone smell smoke?

Page 11: HES2011 - Itzik Kolter - Let me Stuxnet You

Computer Fans

• Not a target, per se.

• Disabling or slowing down the fan RPM speed can result in increased temperature

• Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service

Page 12: HES2011 - Itzik Kolter - Let me Stuxnet You

CPU

• Overheating due to Stressing

• Overheating due to Overclocking

• Overheating due to Overvolting

• Overheating due to (always on) P0 @ APM/ACPI

• Bricking due to Phlashing (via Microcode Flashing)

Page 13: HES2011 - Itzik Kolter - Let me Stuxnet You

CPU: Infinite Loop

x86 Assembly Code:

jmp

Description:

Infinite loop that jumps to itself

Page 14: HES2011 - Itzik Kolter - Let me Stuxnet You

CPU: Microcode Flashing

• Not your typical firmware update

• Microcode goes into the processor, providing a slightly higher level or more complex commands based on the processor's basic ("hard-wired") commands

• Microprogramming can be used to abuse or to damage the microprogram within the processor

Page 15: HES2011 - Itzik Kolter - Let me Stuxnet You

RAM

• Overheating due to Overclocking

• Overheating due to Overvolting

• Burnout due to Overvolting

Page 16: HES2011 - Itzik Kolter - Let me Stuxnet You

GPU (Graphics Processing Unit)

• Overheating due to Overclocking

• Overheating due to Overvolting

• Bricking due to Phlashing
  – Utilities (e.g. nvflash, NiBiTor, etc.)

Page 17: HES2011 - Itzik Kolter - Let me Stuxnet You

Hard disk drive

• Traditional (i.e. Mechanical)
  – Overheating due to Excessive Write & Read
  – Wearing out due to Excessive Head Parking
  – Bricking due to Phlashing

• Solid-state drive
  – Wearing out due to Excessive Write

Page 18: HES2011 - Itzik Kolter - Let me Stuxnet You

Hard Drive: Pseudo Format Attack

Command:

while true; do

Description:

Infinite loop of read and write requests to disk

Page 19: HES2011 - Itzik Kolter - Let me Stuxnet You

Hard Drive: Spindown Attack

Commands:

hdparm

Description:

Sets disk

Page 20: HES2011 - Itzik Kolter - Let me Stuxnet You

BIOS: Bricking/Firmware Flashing

• Bricking due to Phlashing

Page 21: HES2011 - Itzik Kolter - Let me Stuxnet You

Rogue BIOS Firmware as Platform

• Allows automation of:
  – Overclocking of CPU, RAM and etc.
  – Overvolting of CPU, RAM and etc.
  – Power Cycling (of the whole System)

• Can include a “Self-destruct” function

Page 22: HES2011 - Itzik Kolter - Let me Stuxnet You

CD-ROM/DVD-ROM

• Wearing out due to Overusing the drive tray

• Bricking due to Phlashing

Page 23: HES2011 - Itzik Kolter - Let me Stuxnet You

CD-ROM: Mechanical Part Attack

Code:

while true; do eject; eject -t; done

Description:

Infinite loop that opens and closes the CD-ROM tray

Page 24: HES2011 - Itzik Kolter - Let me Stuxnet You

Memory Wear

• Flash memory has a finite number of program-erase cycles (aka. P/E cycles).

• Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles, before the wear begins to deteriorate the integrity of the storage

• Popular products that are based on, or using Flash memory: USB DiskOnKeys, Solid-state Drives, Thin Clients and Routers and more.

Page 25: HES2011 - Itzik Kolter - Let me Stuxnet You

Flash: Memory Wear Attack

Code:

dd

Description:

Infinite loop that excessively writes pseudo-random data to a flash memory

Page 26: HES2011 - Itzik Kolter - Let me Stuxnet You

NIC (Network Interface Card)

• Bricking due to Phlashing

Page 27: HES2011 - Itzik Kolter - Let me Stuxnet You

NIC: TCP Offload Engine

• TCP Offload Engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.

• TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet

• TOE is implemented in hardware so patches must be applied to the TOE firmware

Page 28: HES2011 - Itzik Kolter - Let me Stuxnet You

CRT Monitor:

• There are problems at scan rates which exceed the monitor's specifications (low or high). Some monitors can blow if given a too low scan rate or an absent or corrupted signal input.

Page 29: HES2011 - Itzik Kolter - Let me Stuxnet You

XFree86 Screen Configuration:

HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors

HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors

(taken from a real life, XFree86 Config file)

Page 30: HES2011 - Itzik Kolter - Let me Stuxnet You

Floppy Drive:

• Wearing out due to Excessive Head Rotation
  – On some floppy drives there is no validity checking on sector/track values, and so the floppy head might get hit repetitively against the stopper (See: NYB Virus)

Page 31: HES2011 - Itzik Kolter - Let me Stuxnet You

Legacy: Motorola 6800 & 6809

• Motorola 6800 was an 8-bit microprocessor and was part of the M6800 Microcomputer System

• The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction 'HCF' (Halt, then Catch Fire).

• HCF successively toggles each of the bus lines, but it does it so fast that it can damage them. It was intended for manufacturer testing.

Page 32: HES2011 - Itzik Kolter - Let me Stuxnet You

Summary

• Computer Fans
• CPU
• GPU
• RAM
• Hard Drives
• BIOS
• CD-ROM/DVD-ROM
• External Storage (e.g. DiskOnKey)
• Network Cards
• CRT Monitor (Legacy)
• Floppy Disk (Legacy)
• Non-x86 Chip

Page 33: HES2011 - Itzik Kolter - Let me Stuxnet You

Remote Attacks

The long arm of the Permanent Denial-of-Service

Page 34: HES2011 - Itzik Kolter - Let me Stuxnet You

Firmware Updates via Web

• Network-attached Storage (NAS) Appliances
• Network Appliances (e.g. Wi-Fi Access Points)
• DSL/ADSL Cable Modems
• Computer Peripherals (e.g. KVM)
• Voice Over IP (VoIP) Phones
• And more …

Page 35: HES2011 - Itzik Kolter - Let me Stuxnet You

Open Questions

• How does this affect Cloud and Virtualized Systems?

Page 36: HES2011 - Itzik Kolter - Let me Stuxnet You

Countermeasures?

• Hardware:
  – Over-clocking Protection
  – Over-voltage Protection
  – Over-temperature Protection

• Software:
  – Digitally signed Firmware Binaries & Updates
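
The software countermeasure above, as an added example (not code from the talk or from Security Art): a device-side update handler that checks an RSASSA-PKCS1-v1_5 / SHA-256 signature before an image is written to flash. The key pair, `flash_update` and the sample images are constructed for illustration; the key is built from two public Mersenne primes and is not secure.

```python
import hashlib

# Constructed demo key: two known Mersenne primes. Public, therefore NOT secure;
# a real vendor key is generated randomly and the private half never ships.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (vendor build server only)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_pkcs1_v15(image: bytes) -> bytes:
    """Return the block 00 01 FF..FF 00 || DigestInfo || SHA-256(image)."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_image(image: bytes) -> bytes:
    """Vendor side: sign the firmware image with the private exponent."""
    em = int.from_bytes(encode_pkcs1_v15(image), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify_image(image: bytes, signature: bytes) -> bool:
    """Device side: rebuild the expected block and compare it whole,
    instead of parsing the decrypted padding (which is easy to get wrong)."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    return pow(s, E, N).to_bytes(K, "big") == encode_pkcs1_v15(image)


def flash_update(image: bytes, signature: bytes, flash: dict) -> bool:
    """Hypothetical update handler: write to flash only after verification."""
    if not verify_image(image, signature):
        return False                   # reject; current firmware stays in place
    flash["active"] = image
    return True


# Constructed sample images
GOOD = b"FWv2\x00" + bytes(range(64))
BAD = GOOD[:-1] + b"\xff"              # one byte altered after signing
```

Only the public values `N` and `E` belong on the device; the check has to run in the component that performs the write, not in the host-side updater.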

Page 37: HES2011 - Itzik Kolter - Let me Stuxnet You

Thanks!

Questions are guaranteed in life; Answers aren't.