Time to Patch Your HP Printers
It’s a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire.
Here’s a list of all the printers affected.
It’s the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we’ll learn more about what’s actually possible in the coming weeks.
HP has issued a rebuttal.
Really nice article on cryptographer Paul Kocher and his company, Cryptography Research, Inc.
Worried about someone hacking your implanted medical devices? Here’s a signal-jamming device you can wear.
It’s a power-analysis attack, which makes it much harder to defend against. And since the attack model is an engineer trying to reverse-engineer the chip, it’s a valid attack.
Abstract: Over the last two decades FPGAs have become central components for many advanced digital systems, e.g., video signal processing, network routers, data acquisition and military systems. In order to protect the intellectual property and to prevent fraud, e.g., by cloning an FPGA or manipulating its content, many current FPGAs employ a bitstream encryption feature. We develop a successful attack on the bitstream encryption engine integrated in the widespread Virtex-II Pro FPGAs from Xilinx, using side-channel analysis. After measuring the power consumption of a single power-up of the device and a modest amount of off-line computation, we are able to recover all three different keys used by its triple DES module. Our method allows extracting secret keys from any real-world device where the bitstream encryption feature of Virtex-II Pro is enabled. As a consequence, the target product can be cloned and manipulated at will of the attacker. Also, more advanced attacks such as reverse engineering or the introduction of hardware Trojans become potential threats. As part of the side-channel attack, we were able to deduce certain internals of the hardware encryption engine. To our knowledge, this is the first attack against the bitstream encryption of a commercial FPGA reported in the open literature.
Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple’s iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries could also be used for more malicious purposes down the road.
[…]
What he found is that the batteries are shipped from the factory in a state called “sealed mode” and that there’s a four-byte password that’s required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into “unsealed mode.”
From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it’s not changed on laptops before they’re shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.
“That lets you access it at the same level as the factory can,” he said. “You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You’d need a vulnerability in the OS or something that the battery could then attack, though.”
As components get smarter, they also get more vulnerable.
Unsurprisingly, the U.S. military is funding research in this.
All I know is what’s in these two blog posts from Elcomsoft. Note that they didn’t break AES-256; they figured out how to extract the keys from the hardware (iPhones, iPads). The company “will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies.”
NIST has released “BIOS Protection Guidelines.”
EDITED TO ADD (6/12): Good write-up.
This FBI surveillance device, designed to be attached to a car, has been taken apart and analyzed.
A recent ruling by the 9th U.S. Circuit Court of Appeals affirms that it’s legal for law enforcement to secretly place a tracking device on your car without a warrant, even if it’s parked in a private driveway.