A fresh twist on baseband bugs, a powerful defence against Rowhammer attacks and targeting overlooked automotive attack vectors are among the innovative presentation topics announced for the upcoming Hardwear.io event.

As usual, the line-up for Hardwear.io Netherlands 2023 features boundary-pushing research from some of the world’s foremost experts in hardware security. 

The four-day conference, which also features trainings plus Capture-the-Flag (CTF) and bug bounty competitions, takes place between 30 October and 3 November 2023 at the Marriott Hotel in The Hague. Event sponsors include Google, Winbond and NXP. 

EMFI attacks

We’ll kick off our rundown of groundbreaking presentations with a fascinating talk on electromagnetic fault injection (EMFI) attacks from automotive pen tester Enrico Pozzobon and automotive security researcher Nils Weiss. 

The pair will “present a novel algorithm for automatically estimating position, intensity and timings parameters for EMFI attacks, as well as the exploits we could perform by applying it to different real world targets using different microcontroller architectures,” according to their presentation precis. “We will show how these architectures react differently to fault injection and how it is possible to obtain code execution and JTAG uncensoring within an hour on a black-box target, doing minimal hardware reverse engineering.”

Baseband bugs boosted

The content of mobile security expert Daniel Komaromy’s talk is no less impressive than its zeitgeisty title: ‘Basebanheimer: Now I Am Become Death, The Destroyer Of Chains’. 

Baseband vulnerabilities have been popularised by Komaromy’s own work, as well as, he notes, trailblazers like RPW, Nico Golde, Amat Cama, Marco Grassi and Xingyu ‘Kira’ Chen.

“With the novelty of baseband-only vulns wearing off, is it time to take it up a notch?” he asks, rhetorically.

Komaromy, founder of security research at TASZK Security Labs, took the bug class up several notches, it seems, by achieving “full chain exploitation and baseband RCE and baseband-to-android pivot vulnerabilities that could have been exploited by malicious actors to go from ‘zero click’ to ‘zero barriers against stealing user data’.”

Rowhammer breakthrough

Jonas Juffinger, a PhD student in the CoreSec group at the Graz University of Technology, will focus on tackling the decade-old Rowhammer vulnerability, which remains unresolved “with newer DDR generations being ever more vulnerable”. 

Juffinger will showcase “CSI:Rowhammer, a principled hardware-software co-design Rowhammer mitigation with cryptographic security and integrity guarantees that does not focus on any specific properties of Rowhammer. Due to this generic design, CSI:Rowhammer protects against all Rowhammer attacks, even new ones that were unknown at the time of publication of the paper,” he says.

Fuzzing trusted applications on Android devices

Marcel Busch, a Post Doc at EPFL with the HexHive group, will walk attendees through the discovery of 13 vulnerabilities in the latest versions of OP-TEE trusted applications and 40 bugs on various popular Android phones.

For this task Busch and his team leveraged TEEzz, “the first TEE-aware fuzzing framework capable of effectively fuzzing TAs in situ on production smartphones”.

How so? “TEEzz overcomes key limitations of TEE fuzzing (e.g., lack of visibility into the executed TAs, proprietary exchange formats, and value dependencies of interactions) by automatically attempting to infer the field types and message dependencies of the TA API through its interactions, designing state- and type-aware fuzzing mutators, and creating an in situ, on-device fuzzer,” explains Busch.

Laser fault injection attacks

Having forced the deprecation of two Microchip devices – ATECC508A and ATECC608A – with successful laser fault injection attacks, Olivier Heriveaux will follow successive Black Hat USA talks about those exploits with a Hardwear talk on bypassing Microchip’s latest countermeasures.

On bypassing the ATECC608B circuit, he says: “We identified a new vulnerability allowing an attacker to extract internal EEPROM masking keys using a very long laser pulse while the circuit is running.” Pilfering these keys then enabled two new attacks: authentication and session key derivation hijacking. 

Not-so-smart speaker

More than three million homes worldwide have an Alisa smart speaker from Yandex, Russia’s answer to Google. 

Hardwear.io attendees will hear how Sergei Volokitin, senior security analyst at Dutch cybersecurity firm Riscure, mounted “physical attacks on the device in order to get root by manipulating unauthenticated contents of the NAND flash”, and achieved persistence and recovered private keys for over-the-air updates. 

Blue2thprinting

Another attention-grabbing title – Blue2thprinting (blue-[tooth)-printing]: answering the question of ‘WTF am I even looking at?!’ – pertains to OpenSecurityTraining founder Xeno Kovah’s presentation.

Kovah, who was instrumental in bringing secure boot to the Apple Mac, says the Blue2thprint project was established to collect the ‘toothprints’ of BT devices because “there is no universally-available method” for ascertaining “whether a Bluetooth (BT) device is vulnerable to unauthenticated remote over-the-air exploits”. 

Summing up his talk, Kovah says: “This research will present a new state-of-the-art when it comes to exposing the known, the unknown, and the under-known of BT device identification.”

Attacking vehicle fleet management systems

Security consultants Yashin Mehaboobe (Xebia) and Ramiro Pareja (IOActive) will focus on “automotive components and systems that security experts – and car designers – usually overlook and that could be abused to launch scalable and massive attacks”. 

Testing devices such as T-boxes, OBD2 dongles, 5G modems, MQTT servers and mobile apps, the pair managed to unearth “multiple vulnerability issues that can be exploited remotely to get full control of an entire fleet of vehicles, including cars, heavy-duty trucks and cranes”.

Trainings, HardPwn and CTF

Elsewhere at Hardwear.io Netherlands 2023, 12 trainings will cover topics such as ‘Practical Hardware Hacking Basics’, ‘x86-64 Intel Firmware Attack & Defense’, and ‘Automotive Security Testing and Automation’.

The fifth edition of HardPwn, meanwhile, will see the world’s leading hardware hackers attempt to hack a trio of Google devices – Pixel Tablet, Pixel Watch and Nest Wifi Pro – after the tech giant’s record-breaking haul of vulnerabilities at HardPwn USA earlier this year.

The CTF competition, again organized by Quarkslab, will give competitors hardware hacking tools such as soldering irons and logic analyzers as they attempt to solve challenges around topics such as RFID, Bluetooth and desoldering.