35C3 - wallet.fail

Reddit Comments

The part about getting your private keys off Trezor is actually quite scary. It means you cannot afford to lose your trezor. Any insight if the same hack is possible via the ledger?

๐Ÿ‘๏ธŽ︎ 41 ๐Ÿ‘ค๏ธŽ︎ u/Onlogn2 ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies
๐Ÿ‘๏ธŽ︎ 36 ๐Ÿ‘ค๏ธŽ︎ u/etherchain ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies

So, if I buy a trezor from a hacker with exceptional knowledge and patience for doing these attacks and he finds me and hacks my computer, then all he needs to do is to sit in my garden for 24/7 with a huge antenna and a laptop and wait for me to plug the trezor into my hacked computer and he can steal all of my 0.0000001 USD in crypto?

Sounds reasonable. /s

๐Ÿ‘๏ธŽ︎ 24 ๐Ÿ‘ค๏ธŽ︎ u/Crick3ts ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies

What I take from this is that nano s is safe.

It's impossible to protect against a supply chain attack, so presenting that as a vulnerability is misleading. The point of a secure chip is that without your pin, someone with a physical possession of your nano s can't steal your funds. An untampered device should also be 100% resistant to attacks from a connected hacked pc. That's it, nothing more is possible and should be expected.

Trezor only provides protection from a hacked pc due to lack of a secure element.

๐Ÿ‘๏ธŽ︎ 15 ๐Ÿ‘ค๏ธŽ︎ u/nootropicat ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies

This is why I have memorized my private key

๐Ÿ‘๏ธŽ︎ 13 ๐Ÿ‘ค๏ธŽ︎ u/ThePrplPplEater ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies

I have an important question for the ledger audience:

Has it become clear that the Ledger Nano S can be hacked WITHOUT having physical access to the device/chips?

I'm terribly sorry, I watched the segment 2x but I can't figure it out.

๐Ÿ‘๏ธŽ︎ 7 ๐Ÿ‘ค๏ธŽ︎ u/[deleted] ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies
๐Ÿ‘๏ธŽ︎ 2 ๐Ÿ‘ค๏ธŽ︎ u/danno_mac999 ๐Ÿ“…๏ธŽ︎ Dec 28 2018 ๐Ÿ—ซ︎ replies

Let's not panic.... the work involved to carry out these attacks is enormous. First you've got to find the right Nano or Trezor making it your worthwhile... these guys are specialists... average Tom isn't. It's actually good that these people do this stuff... as now Ledger will close the loops... make the cases less accessible or roomy inside... I'm not panicking.

๐Ÿ‘๏ธŽ︎ 1 ๐Ÿ‘ค๏ธŽ︎ u/ZodiacManiac ๐Ÿ“…๏ธŽ︎ Dec 29 2018 ๐Ÿ—ซ︎ replies

Never liked hardware wallets.

I use a separate air-gapped SSD with BitLocker encryption with my Pvt keys inside ...

๐Ÿ‘๏ธŽ︎ 1 ๐Ÿ‘ค๏ธŽ︎ u/mohtasham22 ๐Ÿ“…๏ธŽ︎ Dec 30 2018 ๐Ÿ—ซ︎ replies
Captions
[Music] welcome everybody to our next talk it's the talk wallet fail as you all know when you have something valuable you put it somewhere safe but as we as hackers also know there is no place that is really safe in our three speakers tomas Dimitri and Josh are now going to demonstrate in the next hour the art of completely breaking something apart so please give a big round of applause for Thomas Dimitri and Josh and have a lot of fun so just just the start I'm curious how many people here actually own crypto currency raise your hand and how many of you store it on Hardware wallet so we're very sorry to everyone who who has their their hand up okay so it's not just me it's me Josh and Thomas so we're all hardware people we do low-level Hardware stuff in varying degrees and we got into crypto currency and so I can recommend to everyone sitting in this room if you're a security person there's not a lot of people doing security and cryptocurrency as much as that's painful to hear so yeah I mean a lot of this is based on reverse engineering we love cryptocurrency I mean for us crypto also stands for cryptography not just crypto currency but no offense to anyone with this talk it's just something that it's a category that we looked at and so the results kind of speak for themselves and again this wouldn't be possible alone so we have a lot of people to think I'm not gonna go through all of them individually just be known that we're thankful to everyone on this on this slide so yeah so we started this about six months ago so we wanted to take a look at crypto currency because we own some crypto currency ourselves and we saw that everyone's using crypto currency wallets it's more and more the thing that you do so we started a group chat as you do nowadays and we have 50,000 messages now and 1,100 images and I had my first I had my son in the meantime as well so it's a really long time that we spent looking at this etc okay so what do we want to achieve though because 
people don't give the kinds of attacks so you can actually perform against a cryptocurrency Wold cent of credit so first attack is supply chain attacks where you are able to manipulate the devices before they get to the end customer for more vulnerabilities where you find a vulnerability in the firm rank and somehow either in fact or do something something else with the device side-channel attacks of course I think that's one of the more obvious ones that people are familiar with and also chip level vulnerability so we were able to find one of each of these and so that's the talk that we're going to talk about each one of these individually so but first what's a what's a wallet just in case you are not 100% familiar with them so a wallet and in general cryptocurrency how do you do this it's just asymmetric cryptography so you have a private key and a public key the public key basically it gives you the address you can derive the address from this the address is nothing other than the public key of the wallet and you have the private key and you need this to send transactions so to actually operate with the cryptocurrency so this the private key is what needs to be kept secret the public key is something that everyone can know so that they can send cryptocurrency to you but it kind of sucks to have separate for each cryptocurrency pair or for each wallet maybe you want multiple wallets it sucks to generate a new new new cryptographic pair for each one of them so the people the wonderful people behind Bitcoin have thought of something for this and it's called BIP 32-bit 44 and so what it is is you have a cryptographic seed and you can actually derive the accounts from from a single seed so you basically store one seed and you're able to implement and do unlimited amount of wallets okay so basically you do key derivation you add some data do key derivation and you can have an unlimited amount of wallets while storing a single so and this is what you're using when 
you're using a hardware wallet so and of course for each key derivation there will be a new private key and a public key but it'll be generated in a predictable manner and you only need to store one secret seed so you only have to store the seed you can write it down and that's the advantage but it's difficult to write down because it's binary data so come bit 39 which is what you're most used to which is a format in which you can take that cryptographic seed that binary data and actually convert it to a set of dictionary words that you can then easily write down on a piece of paper and store it at your mother's house or store half of it at your mother's house and half of it at your grandmother's house and that way somebody would have to go into both houses simultaneously to get your words so yeah so what's a hardware wallet so we just talked about what's a wallet so why do you even need a hardware wallet well the problem is of course computers can get backdoored have malware running on them and this is what you want to prevent against how do you do this you have a security device you store your seeds externally usually this is a USB connected device that you store your your crypto on and so you can trust this even if you can't trust your computer is the idea so what happens is the computer sends the transaction to the device the device gets the transaction it can actually confirm or deny the transaction it also displays the transaction so before you do any cryptographic signing you can see is that actually what I was doing or was my computer owned and is it initiating the transaction for me so you sign the transaction and yet also yeah the seed never leaves the transaction but the hardware science a transaction for you you send it back to the computer and the computer can actually take that and send it to the Internet okay so that's the quick rundown of how crypto or sorry how Hardware wallets work so the first thing that we looked at was supply chain attacks 
which is where Josh is gonna pick up you have a Mike things I want to leave you with as we go through the supply chain attacks our stickers are for laptops there for security so we're gonna be talking about stickers today they're there for laptop decorations they're not for security supply chain tags are easy to perform but they're quite hard to perform at scale and the last takeaway that I hope you leave you with is that the vendors threat model may not actually be your threat model so security stickers so some of the wallet vendors are using them I have seen them on other products they seem to be quite popular I have a friend and colleague named Joe Fitzpatrick he also likes stickers so the the stickers that he makes are the same as we'd find on a security product they have Holograms they have unique serial numbers and they leave you with that nice warm fuzzy security feeling and so Joe makes some funny ones you can get a FIPS 140-2 proof stickers you don't have to pay all the money for the FIPS one just get the Fitz one so the first device that I looked at was the Tresser one and so the treasurer one actually has two levels of protection on the packaging there's the hologram sticker then the actual box is enclosed with a with a Mickey civ so it's supposed to be that you actually have to rip open the box to get into it but if you use a hot-air gun or a hairdryer it's actually quite easy to remove and so if you see on the left there that's the original package and on the right this is a box that I opened and put everything back into and if you look closely there is a little bit of gap there the sticker has a little bit of great but this was a first try and it's pretty close so trust me taking a sticker off is not very hard now if you remember this picture of the stickers we're going to come back to it so but for the vendor is this is actually a real problem so treszura did put a blog post out that one of the challenges they face is that they're facing 
counterfeiting of their devices so this is from their blog posts they say hey you know we've noticed that there's counterfeit devices you have to look at the stickers to see that they're legit so I said remember a look at that sticker so I bought that case I bought a year and though for my previous stuff Conn talk and it's the same sticker that they're saying is speak here so I've been on their wiki it's very confusing because there's three sets of stickers so basically yeah stickers are very confusing they cause problems for end users and I was not even sure if I bought a real transer right clone one so this morning I got out a new case and just to make sure I took off the sticker using very sophisticated of equipment including a very expensive Dyson hairdryer that was included in the air B&B and I was able to remove the sticker so it comes off without any zero resident out with zero residue so yes stickers do not provide any security on the treasure T they switched it from the box and now the Box can be open easily but now there's a sticker on the USBC port again as you would expect you use hot air and you can easily remove it protip don't set the hot air rework that high i had a set for lead-free reworking and i actually melted the enclosure so if you're going to do this kind of supply team attack maybe you know set the heat a little lower but if you just google how to remove stickers the same attack methods work so so this causes a bit of confusion because the ledger device has a very I will say in-your-face piece of paper when you open the box that says there are no stickers in this box however I combed through about 250 one-star amazon reviews and a lot of them have to do with confusion about the stickers so some of them are actually quite funny so this is was this one started out note to wallet hacker so I was really into this so it's like okay I pro tip what's this guy have to say and basically he was complaining that there's fingerprints on the device so 
that's how he knew that was hacked another one complained that the fingerprints were on the wallet end was a hair underneath so if you're doing supply chain attacks be sure to remove any evidence of via fingerprints or her hair so anyway stickers don't work that's all I want to say about that once you get through this enclosure though you then have to have the challenge of actually opening the enclosure these are three different wallet devices leisure nano on the left the Kaiser one and the treasure T on the bottom all of which actually opened pretty easily so the treasure one even so this I'm still not sure if that's the counter to the real one but I get on the on the real one today I was able to pop open the enclosure so it is ultrasonically welded but you can pry it in there and open it the ledger nano opens very easily like without any equipment but once you do this you know what do you do once it's opened so the attack basically is you take the microcontroller and you rework it so you've removed the microcontroller from the printed circuit board and you put on a new one that you bought from a distributor once you've done that on the treasurer devices you can put your compromised bootloader on there so this is I did not go as far to make the compromise but loader but I did confirm that once I switch the microcontroller I can connect with a debugger over a swd and I have free access to the chip so some of the parts got blown off when I was we working but the SDM runs fine so yeah so you just rework free flash and then you put everything back together so next I want to talk about Hardware implants so well you may remember the story that came out there was this big fight Bloomberg about Hardware implants I want to make a hardware implant I also want to have a little bit of fun with this so we are in honor of the Bloomberg story we just have some you know may have some issues with it I were about to talk about the Bloomberg allure which is a Super Micro fun impact 
so the goals for this implant is I wanted this implant to happen after receipt so it's both a supply chain attack and a physical one like a red team can perform this a malicious insider could also perform this attack zero for wear because more fun it has the fit inside of a hardware wallet so it has to be small it has to also bypass a for security function otherwise it's not in the plan very few components I what I have a thousand of them with me so I wanted to be able to for the makers and the DIY RS that participate in the hardware implant fund so what kind of implant did I end up with well I decided to do it basically an RF triggered switch and so the idea is on these devices there's a button and the button is the last line of defense so all the vendors assume that the host is going to be compromised they just assume that's going to be easy because that software and so once you have a compromised host you have to send it to the device and then the human so humans are still needed humans have to look at it and say is this the right transaction or not they have to say yes or no so now with this implant I can through RF I can trigger the yes button so a human is not required to send transactions I can remotely trigger it basically the RF comes in through the antenna it goes through a single transistor which is the main component and it pulls the button load and I'm sorry to say that the Bill of Materials is quite expensive at three dollars and sixteen cents two dollars and 61 cents of that is this potentiometer I had to use so it's a little bit expensive I'm sorry also why is this so big I mean this is an American time I can fit two on them what's the deal why is it so big well I opt amaizing it for hand assembly so it would be more fun to use but you basically put the antenna in and then there's an out button and whatever thousand with me so just for scale this is how it fits on the alleged nano this is how it fits on the Tresser it is also because breadboard 
friendly is the thing so we've made it breadboard friendly so you can also play along very easily so then the last challenge with an RF implant is how do you design an antenna to fit in there and so the big thing there with an SMA connector is the first prototype I did experimented with a few antenna designs but remember it all has to fit inside the legend so that's actually quite easy because the ledger manoa has plenty of room to insert extra circuitry and so it quite fits easily in the legend annamund and then so I did the implant and then I started to go through the wallet process I got to his check that said these might you know is the ledger device genuine and here I actually got a little bit nervous because it wasn't working and so it wasn't working I was like how maybe that maybe they're checking this you know how how did they detect it don't worry it was only Linux so it just doesn't work on Linux so that was no problem I didn't this on Windows and no problems device is genuine I was able to move on so the thing is this is a very crude receiver but the attacker can always use more power so here I have this is my antenna setup in the basement and with a 50 watt transmitter I could remotely trigger the button at 11 meters and at this point I'm just limited by my basement size I'm pretty I'm very confident that I'd be able to remotely trigger this thing further yeah so here we're going to see a demo of what it looks like and so the other problem you have with Hardware implants is how do you know you have the implanted device so you have to label it some way ledger has this kind of Latin phrase that Scrolls I wanted my own Latin phrase and so this is how I know this is my implanted device so what you're going to see is that the transaction screen is going to show up this is and I'm and basically I'm going to trigger this remotely so I'm going to show the radio come in and then it's going to approve the transaction without any hands so this is the transaction 
there's the screen going this is the way you're supposed to verify there's the radio coming at 443 megahertz and then it's going to proceed to the next screen without me touching the button there you go so this is remotely triggered and that would have sent a transaction so if you think about the context that you have a malicious software implant that sent it to a wrong address the attacker now can remotely accept that and bypass the security model [Applause] [Music] [Applause] [Music] [Applause] oh yeah on the recaps securities are first stickers are for laptops not for security supply chain packs are very easy to do at a hardware level but they're quite hard to do at scale and when the vendor says that the device is genuine that may mean different things so that's something that I found kind of funny and it's almost correct if you put funny constants in your code they will end up on DEFCON slides and they won't be laughing with you small mistake they won't end up at DEFCON there will be at CCC and so introducing the food pipe vulnerability it's a bootloader vulnerability and the legend on OS we did not come up with this constant it's literally in the code as well see later so the name was not ours but we liked it so we also bought the domain food baby The Legend on OS is a very simple wallet it simply has a small display it has a USB port and two buttons that's really all there is and if you take it apart you see it's just some pieces of plastic the display and the PCB and looking at the PCB it kind of has an interesting architecture where you have an stm32 which is just a general-purpose microcontroller and an SD 31 which is a secure element that is for example used in pay TV and so on and is regarded as a very high security chip basically and if you turn the PCB around you see that they were nice enough to leave the programming part for the stm32 opened to us enabled and this has been suspected by other people we verified it but you know you have to go through 
it and obviously ledger is aware of this and so let's look at the security model that the legend on OSS the basic idea is that if we look at this device we we kind of have this schematic of the stm32 being on the left and the SC 31 on the right and as you can see all peripherals are connected to the stm32 that is because the st 31 does not have enough pins to connect peripherals it literally only has a one pin interface which is for the smart card protocols basically and so all the heavy lifting is done by the stm32 and ledger splits this up into the unsecured part and the secure part and the idea is that the stm32 acts as a proxy so it's basically the hardware driver for the button for the display for the USB similar to a North Bridge in your standard computer and when you take a computer and want to make a transaction you create your transaction on the computer it goes through USB to the stm32 and the stm32 then forwards it to the St 31 the st 31 then says oh a new transaction I want to ask the user to confirm it so it sends a display command to the stm32 which in turn displays it on the screen and then you press the yes button again it goes the same route to the St 31 which then internally signs the transaction so the seat never leaves the device and our signed transaction goes back through the STM through USB to the computer to us this means if this chip is compromised we can send malicious transactions to the SD 31 and confirm them ourselves or we can even go and show a different transaction on the screen then we're actually sending to the SD 31 and letter is aware of this and we'll talk about how they try to mitigate this later but first we have to find an exploit because while we do have debugging access to the chip hardware access is sometimes kind of buggy no offense so we we wanted to have a software bug and so we started reverse engineering the firmware upgrade process and when you look at the at the bootloader the bootloader for the letter used to be 
open-source and back then they didn't have any verification of the firmware so if you you could basically boot the device into bootloader mode flash whatever from where you want and then it would run it after someone Salima in this case wrote about this they changed it and they changed it to do some cryptographic measure and we were too lazy to reverse engineer that cryptographic measure because it's very time consuming very hard so we looked more at the part surrounding it and how we can maybe find a back in the bootloader to break it and it turns out then when you when you when you try to opt when you try to upgrade your letter you it accepts four different commands one is select segment which allows you to select the address space at which your firmware will be flashed one is the load command which allows you to write data to flash then you have the flash command which is basically like F sync on Linux and writes your changes to the non-volatile memory and you have the boot command which verifies the flash the flash code and starts booting it so to us the boot command is the most interesting because it provides all the verification and attempts to ensure that no malicious image is booted and it turns out that if you issue the boot command it compares the whole image to whatever cryptographic little function they use and if it's successfully verified they write a constant to the address 0 X 800 3000 and that constant is food paper and so to not have to verify the entire flash on each boot they just do this once so only after firmware upgrade so basically if you boot up the ledger it boots it weights 500 milliseconds it checks if you have a button pressed if yes it goes to bootloader otherwise it lowest notes the constant at 0 X 800 3000 and if it's food babe it boots the firmware so our goal is to write food babe to that at address first attempt we just issue a select segment command to exactly that address we just write food paper to it flush and reset the 
device didn't work unfortunately so we have to do more reverse engineering it turns out that they use an interesting approach to ensure that you don't accidentally flash over the bootloader so they basically blacklist a whole memory region so if you try to flash from 0 X 800 for x 0 up to 0 X 800 3000 it returns an error if you try to directly write to food babe they thought about it and they have a very specific code path to prevent that so they mem set it to 0 and you're screwed again and then finally it writes assuming you didn't error out but it turns out that the stm32 has kind of an interesting memory map and on a lot of chips you can not only map your flash to one address but you can also have it mapped to another address and in this case the flash is indeed also mapped to the address 0 and so the bootloader uses a blacklisting approach so it only excludes certain memory areas but it doesn't use whitelisting where you could only explicitly write to this memory region so they do not like writing to 0 X 0 profit second attempt we just select the segment at 3,000 which maps to 0 X 800 3000 we right foot babe to it we flush reset and we can flush custom firmware awesome so what do you do when you have a device that where the display is not big enough to run doom with a custom firmware so in this case it's an original ledger press the button put it into bootloader mode which is part of the normal operation and if you want to play a bit of snake come by later so how are they protecting against this I've mentioned before Leger is aware that you can reflash this stm32 and they are they put in some measures to prevent you and doing malicious stuff and basically what they do and this is very simplified and we did not bother to fully reverse-engineered because we didn't need to basically when when the chip boots it sends its entire firmware to the ste 31 which then performs some kind of hashing also verifies that the firmware is authentic and it also measures the time 
it takes to Center firmware this is to prevent you from just running a compression algorithm on the stm32 and send it very slowly how do we bypass this so our idea was because we don't only have flash we also have run so what if we create a compromised and compressed firmware that copies itself to ram we jump to it and then it writes its entire compressed firmware to flash and compress in that case and then we just call the original code on a secure element it will verify the firmware it will run with a real timing and boots irregularly and so we attempted this it took quite quite a while to achieve because basically you can't do zip you can't do lzma because even if you compress the image you don't have enough space for complex compressor so you our attempt was to find duplicate bytes squeeze them together and make space for our custom payload and basically we just have a table that says ok now you will have six zeros or something and our each table entry only takes a single byte so and it's only like 10 instructions in a sampler to run this decompressor so you don't have a large code base it's very easy to use and it turns out that even with a very simple detector like in this case we rerun the script to find the longest applicate data and you can see on the first try we get like 260 bytes of space for payload which is enough for a lot of things let's say and we have a working proof of concept of this and we would go into a lot of details but if we we only got an hour and so we we will release after this talk and non-offensive an example of this that you can look at how does it work what can you do even if you're from where is attempting to be verified and we also and this is very exciting we are working with youtuber Life overflow and he created a 20 minute video on walking through this entire foot pipe vulnerability how the verification works and how to bypass it to a certain degree we don't want to weaponize it so we did not we will not release the first there 
the full thing but yeah very excited for this stay tuned on our Twitter and we'll link it for sure as part of this we also have a lot of software that we will release so public release will release the snake firmware so hopefully this evening you'll be able to play snake on your letter if you bought with some Bitcoin at 20,000 an hour bankrupt you can at least play snake we will open source the compressor and the extractor we build logic analyzer plugin for the smart cut protocol and we build a software that analyzes the communication between the stm32 and the st 31 on the ledger specific data and you can just dump it so if you guys are interested in for example trying to break into the st 31 please have a go and letter has a second device which is called the ledger blue we assume the reason it's called the ledger blue is because it contains bluetooth but they never enabled bluetooth so it's basically just a regular letter with a color display and a big battery in it and we call this part fantastic signals and how to find them because when we open up this device and we were chatting we have this nice telegram chat room where we are chatting 24/7 while doing this and we open up the device and the first thing like literally five minutes after opening it I saw that you have the secure element on the left and the stm32 on the right you have some other stuff like the Bluetooth module and so on the trace between the secure element and the microcontroller is pretty long and contains a pretty fast signal so what is the long conductor with a fast changing current anyone got a clue correct it's an antenna so I pulled out my hack RF software-defined radio this is just a very more sophisticated RTL SDR so you can just sniff arbitrary signals with it I got a random city telescope antenna on Amazon and I have my ledger blue and so on this screen you can see the blue thing is the radio spectrum around 169 megahertz and if we start entering our pin we can see that there is a weak 
signal you guys see where this is going on the on the radio unfortunately that signal is pretty weak luckily they included in antenna okay they call it USB cable but I'm not so sure about it so this time with USB connected and we do the same thing again you can see like crazy radio spikes and this is right next to each other but even if you go a couple of meters I was limited as Josh by my living room space you get a couple of meters of decent reception so our goal was to find out what is this signal and if we just look at the recorded amplitude of the signal we get this and if you do a lot of probing and so on you immediately see okay there are spikes and there are 11 of them and then there's a pause and then there's more spikes so this is probably some kind of protocol that first sends 11 bytes of data then pauses and then sends more data so we looked at the back of the device started probing every single connection and try to figure out is this the secure element is this whatever and they turned out to be the display bus so we can sniff information on what is sent to the display remotely and if you if we look at the signal that gets sent in blue is the signal that gets sent when you press the letter zero on the pin pad and in orange when you press the letter seven so we can see a very clear difference at certain points on the signal which confirmed our suspicions but building software for this is kind of boring like digital signal processing is not really my thing so what do we do and we wanted to increase the password load in our talk a bit and so we are hacking blockchain IOT devices using artificial intelligence in the clouds so our idea was we record training signals we use some kind of pre-filtering we train an AI on it profit literally problem is getting training data really sucks because you don't want to sit there for 10 hours pressing the same key on a pin pad it really doesn't sound like fun and so this needs automation so we took an Arduino we took a 
roll of masking tape, a piece of acrylic glass, a piece of advice, and this is a Huawei pen for the extra amount of Chinese backdoor, and we let this run for a couple of hours. You can actually see that every time it presses down, the digit that you pressed is highlighted, and the difference in the signal we saw earlier is probably the x and y coordinate of where it highlights the button; that's the difference we can see in the trace.

So we had a lot of recorded data. Now we create a training set, we created a test set, preprocessing, TensorFlow AI model (it's really easy, surprisingly), and we tried our test set, did a prediction. So the big question: how accurate is it? It turns out, so this is the result of a cut of the test set, and if we zoom in on this, this basically tells you we have the signal (this gray thing is just a picture representation of the signal) and it tells you how sure it is what digit it is; in this case it's seven with ninety-eight percent likelihood, so pretty good. In our test set we only have one wrong result, and overall we get around 90 percent accuracy. To move this into the cloud, we are hosting this on the Google Cloud as the Ledger AI for you guys to play with, and we'll publish it online with a limited data set that is trained on a very closed space, so you cannot do something super malicious with it, but it's nice to play around and see how this was done. And this brings us to the next part: glitch me if you can. Thank you.

So now we're going to talk about the silicon-level vulnerability, glitching attacks. So to review, we'll be talking about the Trezor One, and I just want to go over very quickly what the architecture of the Trezor One is and some previous work that was done. So the Trezor One is quite a simple embedded device; it consists of only a few components. It has an OLED display, it has some buttons and it has a USB connector, which are all externally facing. Internally it has
its main brain, if you will, the STM32F205 microcontroller, which controls all the other operations on the Trezor: the display, the USB and the two buttons. So last year we gave a talk at DEF CON, Breaking Bitcoin Hardware Wallets; there we used the ChipWhisperer to mainly do the glitching attacks. The conclusion from last year was that the F205 was vulnerable to fault injection, but it was inconclusive if we could do an exploit via the fault. So this year we have a different result. But the output of that work was this board, called the Breaking Bitcoin board; basically it was a Trezor clone that just made it easy to attach wires and probes. So we made this board, the design schematics are all online, it's open-source hardware. Now this is the ChipWhisperer setup that we were using, so we made the board specifically to fit on the ChipWhisperer target board, and this is just what it looks like when you use the ChipWhisperer GUI to perform a glitch. Here we were doing application-level code, so it was very different. But I gave that talk and then I met Dmitry and Thomas.

Yeah, so fortunately we had Josh to do the talk last year and to kind of exhaust a lot of the firmware vulnerabilities, that were actually hardware vulnerabilities in the firmware, that might have been there. So we immediately knew that we could exclude this, and so you can start looking at the underlying microcontroller. So in this case it's the STM32 microcontroller that they use inside of it, and it controls everything, so compromising the STM32 microcontroller means that you can compromise the device. So there's a couple of papers that have covered some of the vulnerabilities in the STM32. Specifically there's one which describes a UV attack which lets you downgrade the security on the STM32. We determined that paper unfortunately does not apply to our result, because the Trezor is smart enough, when it boots, to check the value stored in flash and, if it has been
altered in any way, to set it correctly. So they actually even protect that against this kind of attack. But nevertheless you can see that there are some vulnerabilities. So there's another paper, which unfortunately has not been published yet and we couldn't get in touch with the authors yet, that should be coming out in January hopefully, which describes glitches against the STM32F1 and the STM32F4, the F1 and F3. And so basically here's the product matrix, so three of them are already vulnerable, but we're looking at the STM32F2 and potentially the STM32F4 if we're talking about the Trezor Model T, so those we do not have vulnerabilities for yet.

So let's take a look at how it works really quickly. The way that ST implements security on the STM32 is that they store an option byte, and the thing to remember about the option byte is that on a Cortex-M3 or M4 microcontroller you don't have anything other than flash. So even though they call it an option byte, or refer to this as fusing or being permanent in hardware, it's still stored in flash, just like the user application is stored in flash, so it's the exact same non-volatile memory that's otherwise used. So basically when you get a new STM32 it's shipped in a state where you have full access; that's how Josh was able to rework a board and flash it with new firmware. And the ultimate security is what's called RDP2, where you have no access. But you can see that basically if you have a value other than AA or CC, which correspond to RDP0 and RDP2 respectively, then you have what's called RDP1. This is interesting, because it doesn't give you access to the flash, which is actually where the cryptographic seed is stored on the Trezor, but it gives you access to RAM, it gives you access to the registers. It doesn't give you flash access, like I said, and it doesn't even give you single stepping either, so connecting a debugger in this mode will actually cause the hardware to hard fault, which we'll see
in a second. So basically what we want to try to do is to downgrade RDP2, which is what the Trezor is set to, and we want to be able to access the device at RDP1, which is a somewhat vulnerable state. So I should say that this is the correct way to approach this, and it's great for doing an educational talk, but in all honesty there's three of us and so we did this completely in the dark over three months, trying different parameters on our glitch setups, which I'll show later, and we were able to find this. But I'm here to explain it to all of you so that it's easy to reproduce.

So if you actually watch the STM32F2 boot, you'll see that it's relatively slow, and it's only this slow after you power cycle the board. So it takes approximately 1.8 milliseconds to boot, which in microcontroller terms is pretty slow. You can see there's the power supply, there's the I/O pin, and that's approximately how long it takes to boot the firmware; you can see that's where the I/O actually toggles, so 1.8 milliseconds later. So we just wrote some firmware to basically toggle one of the pins, measured it with an oscilloscope, and now we have the timing of how long that takes. That's not super interesting because that's not really a trigger. Each one of these microcontrollers internally has a boot ROM, so it has some ROM, read-only memory, right? It's not non-volatile memory, it's not the flash, it's literally a ROM which is inside the chip itself; it's hard coded, it cannot be fixed or patched, and that gets executed first. So we wanted to actually attack that, because anything else is the user application, and that's what Josh said last year. So you can kind of start to whittle this down. You see that for 1.4 milliseconds of the reboot nothing actually happens, because this is now the reset line, and the reset line goes high after 1.4 milliseconds, so you can ignore the first 1.4 milliseconds after you cycle the power. So now the
next step that you can actually do is you can connect what's called a shunt resistor. So, I mean, oscilloscopes are there to measure voltage, and you want to actually measure current to be able to know how much power is being consumed by the device. So you do what's called a shunt measurement, and that's what I have on this slide right here. So the blue signal is now actually the power consumption, and now you can actually look and see what's happening. The first thing that happens is we have the execution of the boot ROM, so you can clearly see this moment in time in the power consumption curve. Then you have basically where the flash and option bytes actually get read, somewhat at least, within the boot ROM. And finally the third distinctive moment in time is where the application actually begins to execute. So now we've taken this 1.8 milliseconds, which is a relatively long time, and reduced it to the 200 microseconds that we're actually interested in. Not only that, we know that we're actually interested in having slightly higher power consumption than the normal execution of the bootloader, or of the boot ROM rather, and this is somewhere between let's say 170 microseconds and 200 microseconds. So this is the time at which we actually need to glitch, and these are also reasonable parameters if you're trying to reproduce this at home.

So what do you need to reproduce this thing? The greatest thing that came out in the last couple of years is these cheap Chinese power supplies, where you take a cheap, you know, old wall wart from one of your old Linksys routers, you plug it in and then you actually have a controllable power supply with voltage and current, and you can adjust this and control this, and so that's what we're using here. The second thing that I have to actually control the timing is an FPGA. I mean, I use FPGAs for everything, and this is
something that was easiest to put together with an FPGA, because FPGAs have constant timing. Finally we have a multiplexer there as well, and the multiplexer is actually switching between two voltages: between ground, so completely cutting the voltage off, and the normal operating voltage of the microcontroller. And finally we have a debugger, the J-Link, which is highly advised if you want to ever do JTAG stuff; it's just a JTAG debugger. Basically what happens is you let this run for a while and it looks like this. It's not really super eventful. You can see that the yellow signal is actually the voltage, and you can see we're just dipping the voltage at different points in time, and simultaneously we have a Python script checking if we have JTAG access or not. And some pro tip to all the new dads: if you do this at home, you can turn your oscilloscope towards the door so that when you get up at night because the baby's crying you can see if it's still running or not. It's highly advised. So now Thomas is gonna tell us how to get the seed into RAM.

So we had this thing running for three months roughly, across three continents, because Josh is in America, Dmitry is in Russia and I'm in Germany. And so it took us three months to get a successful glitch, and even then we didn't believe it at first, because we had exhausted everything basically, and the only reason we finally got it working is that we made a mistake where we mistook 17 microseconds for 170 microseconds and had it run for a longer time, and that's how we found out that the boot ROM is actually super slow to boot on this device. And so once we have this downgrade from RDP2 to RDP1, we were able to read the RAM, but we cannot read the flash, which actually contains the seed. So how do we find this? Our idea was we start reviewing the upgrade procedure, because on the Trezor the way the bootloader works is it doesn't require your PIN or anything to upgrade
the firmware, which makes sense, because let's say you have a bug in the PIN function, you want to somehow be able to get rid of it, right? And the other thing is, if you flash a fully valid firmware it retains the data, it retains your seed; if you flash a non-genuine one it actually will erase your seed, and so on. And they do a really good job on the firmware verification; we reviewed it for days and days and days and didn't find anything. But so how does this upgrade procedure work, how is the seed retained? When you review the relevant code you see that there's a call to backup metadata, which sounds like you're just going to retain somehow your data, and indeed you can see that it's literally a memcpy from the data on flash we're interested in into RAM. And so our basic procedure was: we go into the bootloader, we start a firmware upgrade and we stop it before the RAM gets cleared, because if you finish the upgrade procedure the Trezor actually clears its memory again, which is a very decent way to do it, but we found a way to retain it in RAM. So it turns out that when you start the firmware upgrade process it eventually asks you to verify the checksum of what you just flashed, and it turns out that at this point in time the seed is still in RAM and we can read it out at RDP1. This is relatively simple to do once you actually manage to glitch the device: you basically just run OpenOCD dump_image, you get an image of the SRAM, and you have the whole RAM contents.

And so what are we gonna do, Thomas? What high-tech hacking tool will we be using today to extract the seed? So actually, before we were successful, we had hours of talks on how is this seed stored and so on, and we found this super sophisticated seed extraction tool that only runs on POSIX and POSIX-like systems: it's called strings, right? And so basically it turns out that when you have a firmware dump, or a RAM dump as we do now, and we
just run strings on the dump, we get a couple of really nice words, and I don't know if you remember the intro, but this is your seed. And you might be wondering what this little number is: this is your PIN to the device. That was a great day.

And so Josh, or one of Josh's employees, took all this mess we created on our desks and made it into this nice device, which is basically a socket where you put in your chip and then we can read out the seed and so on, including the board design, the FPGA code, the Verilog that we used. I mean, if somebody wants to, they can apply it and do the same thing with one of the iCEsticks or one of the more open-source-friendly FPGA boards; this just happens to be the one that we all had lying around and could reproduce the work with, so you can go ahead and do it. I mean, we suspect, I think Thomas said, we suspect you might be able to do it with an Arduino as well, because the actual glitch pulse is only approximately 60 microseconds, or sorry, six microseconds in time, so it's a relatively slow signal as well, so it should be relatively repeatable even with something cheaper than this. But this is a way to automate this even better and to not have dangling wires or any of the small soldering that was required to do it in situ in the device, which we had on the previous slide. So all of that we're gonna have on GitHub.

And so I think the final thing, well, one more thing before we... sorry, one more thing. So this breaks a lot of the Trezor security, but there is a way to protect your seed against this. If you use a passphrase on your device, the way we understood it, it basically doesn't allow somebody with hardware access to steal all your funds. So if you add a passphrase to your Trezor, a good passphrase, and your machine has not already been owned, you can somewhat protect against this. But a lot of people don't. So we are really sorry, we didn't mean any harm. So I mean, yeah, that's the conclusion I would say,
so yeah. I mean, all this stuff we're gonna put online, I guess I said, so you can follow us for the links online. So wallet.fail, it's a domain name; believe it or not, .fail is a TLD. So you can go to github.com/walletfail, twitter.com/walletfail, you can follow me, Thomas and Josh on Twitter as well, and like I said we'll be releasing all this stuff. It'll go up slowly, just because I think when we set out six months ago we did not expect to have 100% success in everything that we were planning to do, so that's a first for me. The sad part is that we have more vulnerabilities for other wallets to add, but only one hour. And so we also have some stuff to give out: we have the hardware implant PCBs, we have a thousand of them, if you want to get some, yeah, we even have components for them for like 100 devices, so hit us up and we can do something. Thank you.

Amazing talk, I feel really inspired to break things apart in a very creative way. We have some time left for questions, so if you have questions please line up at the microphones. We're going to start with a question from the internet.

So maybe let's start with Bitfi. So we only talked about somewhat secured wallets; we didn't want to use the Chinese phone in this talk, so we laughed pretty hard and we ordered some, but yeah. And I mean this was covered extensively, so another guy who you should follow on Twitter, cybergibbons, gave a talk at hardwear.io on the topic of the Bitfi; he was summarizing research that he did in conjunction with a bunch of other people as well, so if you're interested in the Bitfi you should go look at them. So the second question was about ARM-based controllers. I mean, all of these were ARM-based; every single chip, as far as I know, that we looked at was ARM-based in one way or another. Yeah, and if you're interested in this, look at glitching the Nintendo Switch, where they glitch the Tegra used in the Nintendo Switch, which is very
interesting, and will give a lot of inspiration in that regard. Basically, thank you.

A question from microphone four, please.

Thank you for the issues as soon as I recollected rocks, and if anyone is interested in affecting other words which you really Thursday it working me to write an article cooperated, and we have a responsible disclosure program. You mentioned supply chain attacks but real solutions, so let me give you my, like, there's a regional resource and it can be a source in this kind of attacks, but my question is: is there any other solution except for building?

So maybe first off, thank you. One thing we should mention is that when we looked at the Trezor code, the reason we had to end up glitching this chip for three months is that we couldn't break the firmware otherwise. So they do a great job and it's really awesome. So I mean, yes, the firmware on the Trezor is something to look at. I mean, I recommend that... I mean, we all do consulting work as well, and so it's something that I recommend to people who are interested in looking at how to do mitigations in hardware; it's an excellent project to look at, and so Trezor should be commended on that. But at the end of the day it doesn't mean that the chip that the Trezor uses is secure against these kinds of attacks, and that's where we had a fallback to looking for silicon vulnerabilities against a wallet like the Trezor.

Another question from microphone three.

Actually I have a suggestion; I'll make it short though, because usually you just take questions. One sentence: a few MCUs actually have JTAG-connected hardware fuses, so this might be used to at least slow down glitching attacks, I think.

I agree, but these are not Cortex-M microcontrollers, I can tell you that with 100% certainty. Yeah, it has to do a lot with the fact that the microcontrollers that are being used in these devices are built to spec, to the spec that ARM specified, that ARM
thinks would be a good set of features for this class of device, or rather for the CPUs for the class of device that they ended up getting put in. So anything Cortex-M is gonna have vulnerabilities that are more or less like the silicon vulnerabilities that we have. It's just, I mean, if you ask me, I think it's a matter of time, just to sit there. I mean, fortunately we had something like three months of just glitching to be able to find these bugs, but if you can apply that much to find a silicon attack, you might be able to find this kind of vulnerability as well in other Cortex-M products.

Only three minutes? Oh, good. Another question from microphone four, please.

So for these devices, did you find that the firmware was in any way obfuscated or encrypted?

So basically, on these chips you cannot really encrypt the firmware. On the ST31 you can encrypt it, but we didn't have to look at it because the ST31 is not something you have to break. So no, there was no real obfuscation that we could see, but we also don't have the code in the case of Ledger, so I just stared at IDA Pro for hours, and yeah.

The next person at microphone four.

I mean, so we already covered how the Trezor works, so there is only one chip and it's the STM32. So I know that there was a known issue with Trezor back in the day where they weren't seeding the RNG correctly, but this was fixed, and for our attacks this wasn't an issue. I mean, if you were concerned about how strong the random number generators are for creating a seed, you could actually create a BIP39 wallet outside of any one of these and then just use them for their hardware features, and yeah, I mean, get the seed from outside.

And if you have a question, do move to the microphone if you're able to, but first we have another question from the internet.

Thank you. You know, but if you send it to us we are happy to look at it, you know. Sorry, oh, you did. I mean, maybe on that note I would say
that in terms of looking at what wallets are actually being used, you'll find that, I mean, the Ledger is a very popular wallet, the Trezor is a very popular wallet, but since the Trezor is open source there's a lot of clones and forks of the Trezor, and when I say that, not all of them run the latest security patches that have been applied to the Trezor code base. So that's also something that you can do, is basically diff the projects and see which ones are staying up to date and which aren't.

Your question is to be the very last one today. Speak directly through the microphone, even closer to the light.

Seeing as this is the first CCC for many of us, and some of us might not have that much experience in hardware hacking, do you have any tips for beginners?

Yeah, lots of them. So by now, you know, learn what mistakes you make with it, and learn how hardware works basically. Watch a lot of online videos; I think you gave presentations, you gave presentations, I gave some presentations, so just watch talks. Watch LiveOverflow, LiveOverflow, great YouTube channel on exactly this stuff. And yeah, also don't hesitate to reach out to us if you have a question; always contact us, info@wallet.fail, on Twitter, wherever, we are happy to talk to you. It might take a while, but yeah. I'll say I started with Arduino too, I mean...

All right, thank you guys so much for the very nice questions, and you guys for the amazing and inspiring job. Thank you so much.
Info
Channel: media.ccc.de
Views: 34,370
Keywords: tuwat, leipzig, congress, chaos, 2018, Security, Day 1, Borg, 35c3 ov, 35c3 eng, Thomas Roth, Dmitry Nedospasov, Josh Datko, 35c3
Id: Y1OBIGslgGM
Length: 61min 57sec (3717 seconds)
Published: Thu Dec 27 2018