HitB2011AMS: Let Me Stuxnet You
Frank Breedijk
Slides on the HitB Materials page.
Itzik starts his presentation by noting that writing a Stuxnet for a company is much less difficult than writing one for a nuclear reactor. Stuxnet is interesting in that it is a purely software-based attack that had a real hardware-based effect.
So can software damage hardware? Yes it can:
- Software controls hardware and can make it perform actions that damage the hardware itself
- Software can damage the software that runs hardware (e.g. its firmware)
- Software runs hardware and can make this hardware take an action that damages other hardware
So what is PDoS (Permanent Denial of Service)? Damaging hardware so badly that it needs to be replaced or reinstalled.
Users that brick their phone when they try to jailbreak it are basically causing a self-inflicted PDoS.
So who would do it and why?
Possible scenarios are:
- Industrial espionage/sabotage
- Rival companies
- Foreign nations
So what techniques can be used to cause a PDoS?
- Phlashing: malicious overwrite of firmware
- Malicious overclocking. Overclocking hardware too far will break it, e.g. by overheating
- Overvolting. Increasing the voltage supplied to equipment beyond its rating
- Overusing. Causing too much wear and tear on a mechanism
- Power cycling. Most equipment does not handle frequent on-off switching very well
So let's look at some local attacks first:
- Disabling or slowing down the fans of a computer or other equipment causes temperature increases, which may lead to further failures
- Overheating the CPU by running a busy infinite loop that keeps it at full load
- Microcode flashed directly into the CPU can be used to cause a PDoS as well, e.g. by replacing hard-wired instructions with faulty ones
- The techniques for CPUs work for GPUs as well
- Hard drives can be overheated using excessive reads and writes, worn out by excessive head parking, and phlashed
- Solid state drives can be bricked by wearing out the flash memory with excessive writes
An example of a hard drive attack is a pseudo-format: the partition is continuously read and written back onto itself, so the data does not change but the drive is kept under maximum read/write load. E.g. by using the script:
# while true; do dd if=/dev/hda1 of=/dev/hda1 conv=notrunc; done
Another hard drive attack is a spin-down attack: set a very short standby timeout (hdparm -S 1 means 5 seconds), then force a write every minute so the drive spins up and parks again each time, burning through its rated load/unload cycles:
# hdparm -S 1 /dev/hda
# while true; do sleep 60; dd if=/dev/random of=foobar count=1; done
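To make the spin-down attack measurable, here is an added example of the check a defender would run; it is not code from the talk. SMART attribute 193 (Load_Cycle_Count) increments every time the heads park, so a forced spin-down every minute shows up as a steep rate of change between two snapshots. On a real machine the snapshots come from running smartctl -A on the drive an hour apart; here both snapshots are constructed inline so the script runs offline, and the 300000-cycle rating and the 30-cycles-per-hour alert limit are assumptions rather than figures from the talk.

```shell
#!/bin/sh
# Added example, not from the talk: spot a spin-down (head park) attack from
# SMART data. Attribute 193 (Load_Cycle_Count) goes up every time the heads
# park; a forced spin-down every minute is a steep rate of change.
# Both snapshots below are constructed (format of `smartctl -A`), so this
# runs offline. RATED_CYCLES and ALERT_CYCLES_PER_HOUR are assumed values;
# check your drive's datasheet for the real load/unload rating.

SNAPSHOT_T0='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
193 Load_Cycle_Count        0x0032   098   098   000    Old_age   Always       -       12345
194 Temperature_Celsius     0x0022   034   045   000    Old_age   Always       -       34'

SNAPSHOT_T1='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
193 Load_Cycle_Count        0x0032   098   098   000    Old_age   Always       -       12405
194 Temperature_Celsius     0x0022   034   045   000    Old_age   Always       -       41'

ELAPSED_SECONDS=3600       # time between the two snapshots
RATED_CYCLES=300000        # assumed datasheet load/unload rating
ALERT_CYCLES_PER_HOUR=30   # assumed threshold for "something keeps parking the heads"

# raw_attr ID SNAPSHOT: print the RAW_VALUE column of SMART attribute ID.
raw_attr() {
    printf '%s\n' "$2" | awk -v id="$1" '$1 == id { print $NF }'
}

# cycles_per_hour BEFORE AFTER SECONDS: integer rate of change per hour.
cycles_per_hour() {
    awk -v a="$1" -v b="$2" -v s="$3" 'BEGIN { printf "%d\n", (b - a) * 3600 / s }'
}

# hours_to_exhaust CURRENT RATED RATE: hours until the rated count is used up
# at this rate (-1 when the rate is zero, i.e. nothing to extrapolate).
hours_to_exhaust() {
    awk -v c="$1" -v r="$2" -v cph="$3" \
        'BEGIN { if (cph <= 0) print -1; else printf "%d\n", (r - c) / cph }'
}

# verdict RATE LIMIT: ALERT when the rate is above the limit, else OK.
verdict() {
    if [ "$1" -gt "$2" ]; then echo ALERT; else echo OK; fi
}

before=$(raw_attr 193 "$SNAPSHOT_T0")
after=$(raw_attr 193 "$SNAPSHOT_T1")
rate=$(cycles_per_hour "$before" "$after" "$ELAPSED_SECONDS")
left=$(hours_to_exhaust "$after" "$RATED_CYCLES" "$rate")

echo "load cycles: $before -> $after in ${ELAPSED_SECONDS}s = $rate/hour ($(verdict "$rate" "$ALERT_CYCLES_PER_HOUR"))"
echo "at this rate the assumed rating of $RATED_CYCLES cycles is exhausted in about $left hours"
```

With the constructed snapshots the drive parked 60 times in an hour, which at an assumed 300000-cycle rating leaves roughly 200 days of life; the rising attribute 194 (temperature) in the same snapshots is the companion symptom of the read/write heating attacks above.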
DVD/CD-ROM attack (wears out the tray mechanism by opening and closing it continuously):
# while true; do eject /dev/cdrom; eject -t /dev/cdrom; done
Flash memory wear attack (/dev/flash stands for the device node of the flash chip; it keeps writing random data until the cells wear out):
# while true ; do dd if=/dev/urandom of=/dev/flash; done
But even older equipment can be PDoS-ed, e.g. a CRT monitor can be damaged by driving it with the wrong sync frequencies; the XFree86 configuration documentation explicitly warns about this.
Floppy drives can also be damaged, e.g. by moving the head to a track beyond the physical range of the drive.
Such attacks, phlashing in particular, are also possible remotely, since many devices allow over-the-wire (OTW) or over-the-air (OTA) firmware updates.
There are some countermeasures that can be used:
- Overclocking protection
- Overvolting protection
- Temperature protection
- Digitally signed firmware
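As an added example of the last countermeasure, here is what a signed-firmware flashing gate looks like; this is not code from the talk or from any vendor. The updater refuses to write an image unless its detached signature verifies against a public key the device carries. The key pair, the "firmware" blob and the tampered copy are all constructed here so the script runs offline, and it assumes the openssl command-line tool is installed; the file names and the verify_image/flash_gate helpers are hypothetical names chosen for the example. A real device would hold only the public key (ideally in ROM or OTP) and do the check in the bootloader, not in a shell script.

```shell
#!/bin/sh
# Added example, not from the talk: the "digitally signed firmware"
# countermeasure against phlashing, as a flashing gate. Requires the openssl
# CLI. Keys, the firmware image and the attacker's image are constructed
# here; the file names and helper names are hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Vendor side: generate the signing key pair. The private key stays on the
# build system; only vendor.pub ships inside the device.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/vendor.key" 2>/dev/null
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null

# Constructed firmware image, signed with a detached SHA-256/RSA signature.
printf 'FIRMWARE v1.0 (constructed blob)\n' > "$WORK/fw.bin"
openssl dgst -sha256 -sign "$WORK/vendor.key" -out "$WORK/fw.sig" "$WORK/fw.bin"

# Attacker side: a phlashing payload shipped with the genuine signature
# copied alongside it, hoping the updater does not actually check.
printf 'FIRMWARE v1.0 (constructed blob) + bricking payload\n' > "$WORK/evil.bin"
cp "$WORK/fw.sig" "$WORK/evil.sig"

# verify_image PUBKEY IMAGE SIG: exit 0 if SIG is a valid signature of IMAGE.
verify_image() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# flash_gate PUBKEY IMAGE SIG: the decision a signed-firmware updater makes.
# FLASH means the image may be written; REJECT means stay on current firmware.
flash_gate() {
    if verify_image "$1" "$2" "$3"; then
        echo FLASH
    else
        echo REJECT
    fi
}

echo "genuine image:  $(flash_gate "$WORK/vendor.pub" "$WORK/fw.bin" "$WORK/fw.sig")"
echo "tampered image: $(flash_gate "$WORK/vendor.pub" "$WORK/evil.bin" "$WORK/evil.sig")"
```

Note that the signature only proves the image came from the key holder; a real updater should also bind a version number into the signed data, otherwise an attacker can legitimately "update" a device to an older, signed firmware with a known flaw.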
Itzik Kotler brings more than ten years of technical experience in the software, telecommunications and security industries. Early in his career, Itzik worked at several start-up companies as a Security Researcher. Prior to joining Security Art, Itzik worked for Radware (NASDAQ: RDWR), where he managed the Security Operation Center (SOC), a vulnerability research center that develops update signatures and new techniques to defend against known and undisclosed application vulnerabilities. Itzik has published several security research articles, and is a frequent speaker at industry events including Black Hat, RSA, and DEFCON.