# Reverse-Engineering the Supra iBox Exploitation of a hardened MSP430-based device ### Who am I #### **Braden Thomas** - Senior Research Scientist, Accuvant - Primarily focus: embedded devices, reverse-engineering, exploit development - Previously worked at Apple Product Security - Software background ### Agenda - What is the iBox? - Android app - Opening the device - Firmware extraction: techniques used and tried - Findings - Demo ### Why is this interesting? - Devices attempting to to store crypto secrets in general-purpose microcontrollers - Just because it's cheap and easy, it's not necessarily smart - iBox is a case study of why - Hack into houses... - Over Bluetooth! ### Supra iBox - Real estate physical key container - #1 in market, main competition is SentriLock ### **Keys** - ActiveKEY - Cell radio - eKey: iOS/Android app - Dongle/Keyfob for Bluetooth/IR ## Android App ### eKey Android app - Focused on authentication algorithm - Each eKey has a serial number and a "syscode" - Syscode is an integer corresponding to regional market (e.g. Atlanta) - Serial number/Syscode are required at first app launch in an obfuscated blob ### eKey Android app - Serial number/syscode are used as credential to speak to back-end web service - Web service provides authentication "cookies" (binary blobs of data) - App transmits cookies to the iBox over Bluetooth/IR - Must provide PIN code (associated with serial number/ syscode) to open the lock ### **Programmed auth flow** - Two authentication modes: - Programmed and deprogrammed authentication - Programmed authentication used exclusively in the field - Send IDENTITY cookie - Send CONFIGURATION cookie - Send OBTAIN KEY message - Send KEYAUTH cookie - Send DEVICE OPEN message ### **Programmed auth** - All cookies contain AES MACs so cannot be modified - eKey also sends "update bytes" which change daily - Only available from Supra server (AES MAC) - eKey can generally only open iBox in same syscode ### Must access firmware - Attacker doesn't have a valid serial/syscode - Even if obtained one (social engineering), don't have keyholder's PIN - And doesn't want to communicate with Supra's server to obtain cookies ## Opening the Device ### Physical access - iBox: - Cut off hard plastic shell - Remove hex screws - Open key container - Use legitimate eKey or exploit - iBox BT: (above, plus) - Cut off shackle - Must pop rivets (big pain!) ### **Board photos** iBox iBox BT ### **Internals** #### iBox: - MSP430F147 - TFBS4710 serial IR transceiver - 24LC256 serial EEPROM #### iBox BT: - MSP430F248 - STMicroelectronics bluetooth serial module - Atmel EEPROM ### Reverse-engineering steps - Focus on iBox - Board easier to obtain (no annoying rivets) - Older software more likely to be insecure - Keys are the same anyway! - Map-out the test pads - Find debugging interfaces - Perform firmware extraction ## **Firmware Extraction** ### **MSP430** firmware extraction #### JTAG - 4-wire and 2-wire - MSP430F147 only supports 4-wire - JTAG security fuse is blown, prohibiting JTAG #### BSL ### **BSL Overview** - "Bootstrap loader" - Serial interface - Permits read/write access to flash memory - Implemented with code stored in special flash region - Nearly all acccess is restricted with password - Interrupt vector table is used: inherently unique and secret - Only mass-erase can be performed without password ### **Existing BSL attacks** - Travis Goodspeed: "Practical Attacks Against the MSP430 BSL" in 2008 - Voltage glitching attack - BSL password comparison timing attack # Voltage glitching attack - Used GoodFET22 with ADG1634 + DAC for glitching during authentication check - Remove the chip from the board to avoid interference - Step down power on all lines using resistors - Only feasible on BSL 1.x to avoid masserase on incorrect password - MSP430F147 has BSL 1.1 ### Results of voltage glitching - Failed to reproduce - Device continued running undeterred or died altogether - GoodFET's MSP430 is too slow to glitch another MSP430 - BSL runs at 1Mhz, and GoodFET (MSP430F2618) can be clocked up to 16Mhz ### **BSL** timing attack - Password byte comparison has a single clock-cycle timing difference between the "correct" and "incorrect" paths - Send each byte ([0x00-0xff] x 32) and measure # of clock cycles to determine byte makeup of password ``` ROM: OCDA handle tx passwd: : CODE XREF: sub E10-1B8'i ROM: OCDA IVT address (correct password) #OFFEOh, R6 ROM: OCDE #20h, R7 ROM: OCE2 ROM: OCE2 check next byte: ; CODE XREF: sub E10-11A j ROM: OCE2 call #rx byte ROM: OCE 6 cmp.b &received byte, O(R6); compare byte by byte ROM: OCEC equal byte jz bis.b ROM: OCEE #WILL SEND NAK, &bsl state ; bad pw bit ROM: OCF2 ROM: OCF2 equal byte: ; CODE XREF: sub E10-124'j ROM: OCF2 R6 inc.w R7 ROM: OCF 4 dec.w check next byte ROM: OCF 6 jnz ``` **BSI 1 10** - 1 start bit, 8 data bits, parity bit, 1 stop bit - Bit-banged - Between bytes, will wait for start bit to go low when receiving ``` ROM: 0F2E bitcnt_is_0: ROM: 0F2E bitcnt_is_0: ROM: 0F2E bitcnt_is_0 bit.b #BIT2, &P2IN pinz bitcnt_is_0 | CODE XREF: ROM: 0F32 j ``` - If this loop executes > 1 time, you have destroyed all prior timing information - Device will check that RX line after stop bit is high, or cause an error - Ideal T<sub>interbyte</sub> = number of instructions \* clock speed - Clock speed is highly inconsistent - BSL uses DCOCLK (software clock), cannot force crystal - Number of instructions varies - Due to timing vulnerability - Any mistakes are multiplied 34x (since 34 post-header bytes per auth) - If timing is bad, you will receive a NAK response - Since password is inherently wrong, you will receive a NAK response - No good way to differentiate between the NAKs! ### Timing attack game plan - Test with same-model chip (with known BSL password) to find ideal timing - Use external crystal on GoodFET to eliminate attacker-side clock problems - Slowly decrease T<sub>interbyte</sub> until correct password is no longer ACKed - Find the run with the lowest overall total time - You have found ideal T<sub>interbyte</sub> - Re-use on target chip ### Timing attack results Total time vs decrease in Tinterbyte ### Timing attack results - Looks good at macro level - Wildly inconsistent at micro level - Overall total times will vary by thousands of attacker clock cycles - Tried modifying BSL to expose bit read time on a line - Tried just focusing on last byte: only need to get three T<sub>interbyte</sub> correct - last byte + checksum ### **Modified attack results** Guessed byte vs overall time ### Timing attack conclusions - Attack was a failure - Likely due to DCOCLK inconsistencies during the tare routine, which produces victim chip's timing for serial communication (length of "sleep"s) - If this tare routine value is inconsistent, the timing used for every serial bit will differ, multiplying errors - Doesn't appear to average out in the short term ### "Paparazzi" attack - Firmware extraction technique - Goodspeed told me about this - Permits bypassing JTAG security fuse - Most likely due to photoelectric effect ### **MSP430 JTAG security** - MSP430F1xx/2xx/4xx: physical fuse - Once blown ("programmed"), it's blown - MSP430F5xx/6xx: electronic fuse mechanism - Can be unprogrammed by erasing 0x17fc - Not successful at attacking these ### MSP430 1/2/4xx fuse - Fuse check is performed by toggling TMS line twice with TDI high - Current is measured from TDI across the fuse Figure 1-12. Fuse Check and TAP Controller Reset Chip logic remembers the result ## "Paparazzi" attack - Decap the chip - Ensure bonding wires remain intact - Jet etching may be required - <\$100 outsourced to lab</p> - Run a tight JTAG loop on resettap + fuse-check - Every ~200 iterations attempt authenticated action - Read first address in BSL memory space ## "Paparazzi" attack Expose the die and hit with camera flash ### "Paparazzi" attack - When valid data returned, success! - Do not power the chip down, or flip reset line - Requires GoodFET software modification - Be sure to power the chip externally during attack - Don't expect chip to be in normal state - I usually just read BSL password then reset ### "Paparazzi" attack: Why? - JTAG fuse check works by measuring current across fuse - Photoelectric effect causes transistor to release electrons when struck with photons - Causes current to appear to pass across the fuse - Alternative theory is UV erasing memory cell where JTAG state stored (e.g. bunnie's attack on PIC microcontroller), but digital camera flash produces minimal UV and attack is instant ## Paparazzi Demo ## **FINDINGS** ## **MSP430** firmware reversing - Calling convention - R12 - R14 - Remaining arguments pushed to stack - Return: R12 - Occasionally R13 is also used, if 32-bit return ## **MSP430** firmware reversing - Only unique thing was "sparse index" switch statement construction - Used a common helper function that reads function return address off the stack, then parses data structure after call to find out jump destination ``` seg001:0000A7F4 &command id byte, R12 mov.b seg001:0000A7F8 #switch statement helper seg001:0000A7F8 seg001:0000A7FC .short loc AA44 ; default seg001:0000A7FE .short 25 seg001:0000A800 .byte 48 .short handle connection start seg001:0000A801 seq001:0000A803 seg001:0000A804 .short handle send identity seq001:0000A806 .byte 50 seg001:0000A807 .short handle send configuration seg001:0000A809 .byte 51 seg001:0000A80A .short handle crypto key update seq001:0000A80C seg001:0000A80D .short handle base challenge response seq001:0000A80F .byte 53 ``` #### **IrDA** - Surprisingly large (~25%) amount of firmware dedicated to IrDA - Bit-banged serial-ish with short pulse width - Can be sniffed from test pad on board and decoded with custom Logic plugin • Export from Logic, post-process with python into pcap, and Wireshark does the rest ## Firmware reversing finds - 1. How Supra crypto *really* works - 2. Actually *three* authentication modes - 3. Hardware backdoor! - 4. Memory read/write command permits reading/ writing flash using hidden mode ## Supra crypto architecture All crypto keys used are derived from or encrypted with two keys (AES128) #### Device Key Rarely used in the field, used to get high authentication level (i.e. for "deprogramming" a device to use it in another syscode region) #### Syscode Key - Root of trust for all normal operations (e.g. opening the key container) - Shared by entire geographical region - Neither are ever accessible to the eKey app or readable via remote commands ## Syscode Key - Provisioned during unknown process at local MLS office - Device must be in deprogrammed mode - They must have some authenticated channel to obtain the syscode key for their region - A MAC key and an Encryption key are derived from syscode key, and used to validate cookie integrity and decrypt other ephemeral keys - Compromising this key permits attacker to generate fake "authentication cookies" - Can open any lock in geographical region without leaving a trace #### Third authentication mode - Permits access to visitor log in EEPROM - Useful if the lock has been unlocked before - Requires <u>no</u> authentication cookies for access - Visitor log contains the serial number/syscode of connecting eKeys - This solves one of our earlier problems, but still need PIN to use #### **Brute Force** - PIN only 4 digits - However device has PIN brute-force protection - eKey will get "locked out" and cannot communicate for 10m - Exhaustive PIN brute force would take about 1 week waiting for lockouts - However, lockout counter stored in EEPROM and can be erased with physical access #### Hardware backdoor - Deprogrammed authentication - Android app only uses this method when device is deprogrammed - Can actually be used when device is programmed if you know the Device Key - Highest access mode, permits overwriting keys - Likely used by MLS office, they must have a secure channel to get Device Keys for their devices - Implementation contains hardware backdoor #### Hardware backdoor - P3.1 goes high - Immediately test P3.2 - If low, backdoor is in effect ``` seg001:0000D342 bis.b #BIT1, &P3OUT seg001:0000D346 bit.b #BIT2, &P3IN seq001:0000D34A jnz p32 is high seg001:0000D34C #1, R13 mov. w seq001:0000D34E finished testing backdoor seg001:0000D350 seg001:0000D350 seg001:0000D350 p32 is high: CODE XREF: handle base challenge+1E'j seq001:0000D350 clr.w seg001:0000D352 seg001:0000D352 finished testing backdoor: ; CODE XREF: handle base challenge+22'j seq001:0000D352 R13, R12 seg001:0000D354 bic.b #BIT1, &P3OUT ``` #### Hardware backdoor - P3.1 and P3.2 are connected to each other (through a resistor) - Desolder the resistor and you can bypass per-device authentication - Destroy the resistor with a single drill hole in back of closed iBox and you can open it up with deprogrammed auth #### Flash write+erase attack - Way to extract Syscode Key without decapping? - Keys are in "Information Memory" which is erased by BSL mass-erase - Generally, must erase flash between writes - iBox has Memory Write command that permits writing to same information memory segment where keys are stored - Entire segment is copied to stack buffer, Flash segment is erased, modified, and then written back - Stack is in RAM... which is not erased by BSL mass-erase #### Flash write+erase attack - First use hardware backdoor to "authenticate" - Initiate a Memory Write command to information page (at an unused location) - Information page will be copied to stack buffer, modified, and written back to flash - Quickly reset device and perform mass-erase of flash via BSL - Read RAM using BSL (using default password) #### Flash write+erase attack - Great success! - Special GoodFet application that counts clock cycles - Run application right before sending iBox Memory Write command - Send Memory Write command - Application will reset chip and put into BSL mode - Subsequently can mass-erase and read RAM - Attack can only be performed once, but Syscode Key is obtained ## Demo ## Conclusions/solutions - Supra - Discussed issues with them in June - Very receptive, started working on fixes - Starting to deploy solution in <60 days</li> - Other applications: - Avoid storing cryptographic secrets in general purpose microcontrollers flash memory #### **Greetz** - Hardware socket by Aaron Kobayashi - Thanks to Nathan Keltner and Kevin Finisterre - Thanks to Travis Goodspeed for prior work # Questions