HitB2011AMS: Let met Stuxnet You

Bad day at the office a cc nc ND iamge from Roger Smith's Flick stream
By Itzik Kotler

Slides on the HitB Materials page.

Itzik start his presentation that writing StuxNet for a company is much less hard then writing one for a nuclear reactor. Stuxnet is interesting in that it is a purely software based attack that had a real hardware based effect.

So can software damage hardware? Yes it can:
  • Software controls hardware ad can make it perform damaging hardware
  • Software can damage software that runs hardware
  • Software runs hardware and can make this hardware take an action that damages other hardware

So what is PDOS (Permanent Denial of Service)? Damaging hardware so bad that it needs to be replace or reinstalled.

Users the brick their phone when they try to jailbreak it are basically causing a self inflicted PDoS.

So who would do it and why?

Possible scenario’s are:
  • Industrial espionage/sabotage
  • Rival companies
  • Foreign nations
  • Terrorism
  • Hacktivism
  • Revenge
  • Blackmailing

So what techniques can you use to cause PDoS:
  • Phlashing: malicious overwrite of firmware
  • Malicious overclocking. Overclocking hardware too much will break it, e.g. by overheating
  • Overvolting. Increasing the voltage of equipment
  • Overusing. Causing too much wear and tear on a mechanism
  • Power Cycling. most equipment does not handle frequent on-off switching very well

So lets look at some local attacks first:
  • Disabling or slowing down fans of computer or other equipment will cause temperature increases which may lead to other failures
  • CPU overheating by causing an infinite loop
  • Microcode flashed directly into the CPU can be used to cause a PDoS as well, e.g. by overwriting hard wired instruction with faulty instructions
  • The techniques for CPUs work for GPUs as well
  • Hard drives can  be overheated using excessive read and writes, worn out by excessive parking and phlashed
  • Solid state drives van be bricked by wearing out the flash memory by excessive writing

And example of a harddrive attack is a Pseudo format. E.g. by using the script:
# while true; do dd if=/dev/hda1 of=/dev/hda1 conv=notrunc; done

Another harddrive attack is a Spindown attack:
# hdparam –S 1 /dev/had # while true; sleep 60; dd if/dev/random of=foobar count=1; done

DVD/CD Rom attack:
# while true; do eject /dev/cdrom; eject –t /dev/cdrom; done

Flash memory wear attack:
# while true ; do dd if=/dev/urandom of=/dev/flash; done

But even older equipment can be PDoS-ed. e.g. a CRT monitored can be damaged by sending them the wrong requencies. E.g. the XFree86 configuration warns about this.

Also floppy drives can be damaged by, e.g. moving the head to a sector outside the drive enclosure.

But these updates are also possible remotely, e.g. many devices allow over the wire (OTW) or over the air (OTA) firmware updates.

There are some countermeasures that can be used:
  • Overclocking protection
  • Overvolting protection
  • Temperature protection
  • Digitally signed firmware

Itzik Kotler brings more than ten years of technical experience in the software, telecommunications and security industries. Early in his career, Itzik worked at several start-up companies as a Security Researcher. Prior to joining Security Art, Itzik worked for Radware (NASDQ: RDWR), where he managed the Security Operation Center (SOC), a vulnerability research center that develops update signatures and new techniques to defend known and undisclosed application vulnerabilities. Itzik has published several security research articles, and is a frequent speaker at industry events including Black Hat, RSA, and DEFCON.


Not Published

0/1000 characters
Go Top