<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hardwarehacking on Colin O'Flynn</title><link>https://colinoflynn.com/category/hardwarehacking/</link><description>Recent content in Hardwarehacking on Colin O'Flynn</description><generator>Hugo</generator><language>en-ca</language><lastBuildDate>Mon, 15 Apr 2024 10:51:37 +0000</lastBuildDate><atom:link href="https://colinoflynn.com/category/hardwarehacking/index.xml" rel="self" type="application/rss+xml"/><item><title>Dumping Parallel NAND with Glasgow</title><link>https://colinoflynn.com/2024/04/dumping-parallel-nand-with-glasgow/</link><pubDate>Sun, 14 Apr 2024 23:00:05 +0000</pubDate><guid>https://colinoflynn.com/2024/04/dumping-parallel-nand-with-glasgow/</guid><description>&lt;p&gt;I recently got my Glasgow device, which is a rather impressive piece of tech. I followed the Windows installation instructions and it &amp;ldquo;Just Worked&amp;rdquo;, including installing the toolchain! On one computer I needed to use Zadig to force the driver to be &lt;strong&gt;libusbK&lt;/strong&gt;, but on another Windows computer it wasn&amp;rsquo;t needed. In this blog post, I&amp;rsquo;m going to explore a parallel NAND device that I wanted to dump, and find out how well Glasgow works.&lt;/p&gt;</description></item><item><title>RECON 2023: Adventures of My Oven (Pinocchio) with ChipWhisperer</title><link>https://colinoflynn.com/2023/06/recon-2023-adventures-of-my-oven-pinocchio-with-chipwhisperer/</link><pubDate>Fri, 09 Jun 2023 14:40:27 +0000</pubDate><guid>https://colinoflynn.com/2023/06/recon-2023-adventures-of-my-oven-pinocchio-with-chipwhisperer/</guid><description>&lt;p&gt;&lt;!-- wp:paragraph --&gt;&lt;br /&gt;
&lt;p&gt;At &lt;a rel="noreferrer noopener" href="https://cfp.recon.cx/2023/talk/PNCTLT" target="_blank"&gt;RECON2023 I gave a talk about reverse engineering my Samsung Oven&lt;/a&gt;. This blog post has slides &amp;amp; links to information, with more to come! You can get a copy of the slides below:&lt;/p&gt;&lt;br /&gt;
&lt;!-- /wp:paragraph --&gt;&lt;/p&gt;
&lt;p&gt;&lt;!-- wp:file {"id":1086,"href":"https://colinoflynn.com/wp-content/uploads/2023/06/OFLYNN-RECON2023.pdf","displayPreview":true} --&gt;&lt;br /&gt;
&lt;div class="wp-block-file"&gt;&lt;object class="wp-block-file__embed" data="https://colinoflynn.com/wp-content/uploads/2023/06/OFLYNN-RECON2023.pdf" type="application/pdf" style="width:100%;height:600px" aria-label="OFLYNN-RECON2023"&gt;&lt;/object&gt;&lt;a id="wp-block-file--media-9b103ca6-f0df-45ad-af7e-ab5e9adde67c" href="https://colinoflynn.com/wp-content/uploads/2023/06/OFLYNN-RECON2023.pdf"&gt;OFLYNN-RECON2023&lt;/a&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2023/06/OFLYNN-RECON2023.pdf" class="wp-block-file__button wp-element-button" download aria-describedby="wp-block-file--media-9b103ca6-f0df-45ad-af7e-ab5e9adde67c"&gt;Download&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;!-- /wp:file --&gt;&lt;/p&gt;
&lt;p&gt;&lt;!-- wp:paragraph --&gt;&lt;br /&gt;
&lt;p&gt;&lt;/p&gt;&lt;br /&gt;
&lt;!-- /wp:paragraph --&gt;&lt;/p&gt;
&lt;p&gt;&lt;!-- wp:paragraph --&gt;&lt;br /&gt;
&lt;p&gt;Oven-Specific Stuff: &lt;a href="https://github.com/colinoflynn/samsung-ovens-deconstructed"&gt;https://github.com/colinoflynn/samsung-ovens-deconstructed&lt;/a&gt;&lt;br&gt;Python Loader for TMP91 Series: &lt;a href="https://github.com/colinoflynn/pytoshload"&gt;https://github.com/colinoflynn/pytoshload&lt;/a&gt;&lt;br&gt;Resource CD for TLCS900: &lt;a href="https://github.com/colinoflynn/Toshiba-TLCS-900-L-Resources"&gt;https://github.com/colinoflynn/Toshiba-TLCS-900-L-Resources&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;/p&gt;</description></item><item><title>New England Hardware Security Day 2022 Talk</title><link>https://colinoflynn.com/2022/04/new-england-hardware-security-day-2022-talk/</link><pubDate>Fri, 01 Apr 2022 11:50:25 +0000</pubDate><guid>https://colinoflynn.com/2022/04/new-england-hardware-security-day-2022-talk/</guid><description>&lt;p&gt;On April 1st, 2022 I gave a &amp;ldquo;workshop&amp;rdquo; at &lt;a href="http://vernam.wpi.edu/nehws22/"&gt;New England Hardware Security Day&lt;/a&gt;. This blog post is a quick summary of some of the links to recreate my demos from that talk. Here is a copy of the slides if you&amp;rsquo;d like them:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2022/04/New-England-Hardware-Security-Day-2022.pdf"&gt;New-England-Hardware-Security-Day-2022&lt;/a&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2022/04/New-England-Hardware-Security-Day-2022.pdf"&gt;Download&lt;/a&gt;&lt;/p&gt;
&lt;h2 id="dfa-on-raspberry-pi-with-picoemp"&gt;DFA on Raspberry Pi with PicoEMP&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2022/04/image.png"&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2022/04/image.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Pi on Pi Violence&lt;/p&gt;
&lt;p&gt;This demo is pretty simple - it recreates the classic DFA attack on RSA (I find &lt;a href="https://www.cryptologie.net/article/371/fault-attacks-on-rsas-signatures/"&gt;David&amp;rsquo;s description great here&lt;/a&gt;, or you can see my &lt;a href="https://nostarch.com/hardwarehacking"&gt;Hardware Hacking Handbook&lt;/a&gt; which includes another derivation of it using a different method).&lt;/p&gt;</description></item><item><title>Apple AirTag Teardown &amp; Test Point Mapping</title><link>https://colinoflynn.com/2021/05/apple-airtag-teardown-test-point-mapping/</link><pubDate>Sat, 08 May 2021 18:24:32 +0000</pubDate><guid>https://colinoflynn.com/2021/05/apple-airtag-teardown-test-point-mapping/</guid><description>&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2021/05/IMG_3064.jpeg"&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2021/05/IMG_3064.jpeg" alt=""&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;What&amp;rsquo;s inside of Apple&amp;rsquo;s new AirTag? There was already an &lt;a href="https://www.ifixit.com/News/50145/airtag-teardown-part-one-yeah-this-tracks"&gt;iFixIt teardown&lt;/a&gt; (which I swear was missing a few items that are there now), but of course was curious to see what sort of protection was enabled. Notably the nRF chip used is likely vulnerable to a &lt;a href="https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/"&gt;known bypass of security&lt;/a&gt; as well. With that in mind, I set out to see how we could dump some data from this thing - the good news is you can access a lot of interesting stuff (including the SPI flash) right from the backside, which requires you to simply pop the first plastic cover off. This is super-easy to do without damaging anything. Going further than that is tricky to keep it all intact.&lt;/p&gt;</description></item><item><title>BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks</title><link>https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/</link><pubDate>Sun, 08 Nov 2020 21:50:11 +0000</pubDate><guid>https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/</guid><description>&lt;p&gt;This post is a summary of some work on an accepted paper for ESCAR EU 2020. This work was demonstration on certain NXP chips &amp;amp; GM ECUs, but the idea of both the attack &amp;amp; understanding how portable results are is applicable across the entire domain.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;NOTE TO CAR TUNERS: I won&amp;rsquo;t perform this for hire on your ECU,&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;please don&amp;rsquo;t email me asking this.&lt;/em&gt; &lt;em&gt;&lt;strong&gt;The cost for me to do this type of work under hire would also be many times the HPTuners fee,&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;and without any of of the actual tuning interface (I&amp;rsquo;m only attacking the bootloader, I never ever built a reflash tool that would be needed, yet alone the mapping work etc).&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Square Terminal Teardown</title><link>https://colinoflynn.com/2020/04/square-terminal-teardown/</link><pubDate>Mon, 06 Apr 2020 13:30:57 +0000</pubDate><guid>https://colinoflynn.com/2020/04/square-terminal-teardown/</guid><description>&lt;p&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2020/04/overview_from_video.jpg" alt=""&gt;&lt;/p&gt;
&lt;p&gt;Part-way through the Square Terminal Teardown&lt;/p&gt;
&lt;p&gt;I recently tore down a square terminal (the one with the LCD screen) and wanted to share some of these results. I haven&amp;rsquo;t photographed everything as was mostly interested in how the secure areas of it are down. You can see an overview in the following video if you want to see how the whole thing fits together.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.youtube.com/watch?v=pB8T5wZJLcM"&gt;https://www.youtube.com/watch?v=pB8T5wZJLcM&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Teardown of Square Terminal Video&lt;/p&gt;</description></item><item><title>Amazon Echo Dot Gen 3 - Microphone Disable Circuitry</title><link>https://colinoflynn.com/2020/01/amazon-echo-dot-gen-3-microphone-disable-circuitry/</link><pubDate>Sat, 18 Jan 2020 17:36:11 +0000</pubDate><guid>https://colinoflynn.com/2020/01/amazon-echo-dot-gen-3-microphone-disable-circuitry/</guid><description>&lt;p&gt;Have you been interested in the Echo Dot device? One feature they mention is that there is a microphone off button. I spent a few hours reverse engineering this, and recorded (in un-edited glory) the process:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://youtu.be/xH8LnK9hh6w"&gt;https://youtu.be/xH8LnK9hh6w&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The resulting schematic is shown below:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2020/01/schematic-1024x534.png" alt=""&gt;&lt;/p&gt;
&lt;p&gt;The astute reader will note the only pin under direct control allows the disabling of the microphone, it cannot re-enable it. However - there is one more loophole to check.&lt;/p&gt;</description></item><item><title>A Call for Time Travel Resistant Cryptography (TTRC)</title><link>https://colinoflynn.com/2019/09/a-call-for-time-travel-resistant-cryptography-ttrc/</link><pubDate>Thu, 19 Sep 2019 02:16:08 +0000</pubDate><guid>https://colinoflynn.com/2019/09/a-call-for-time-travel-resistant-cryptography-ttrc/</guid><description>&lt;p&gt;At CHES 2019 [rump session], I presented my revolutionary talk on Time Travel Resistant Cryptography (TTRC). This is a hugely important area of research that has been widely ignored in academic work, and it&amp;rsquo;s time to finally make this right.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2019/09/image-2-1024x573.png" alt=""&gt;&lt;/p&gt;
&lt;p&gt;Why is this so critical? While Post Quantum Cryptography (PQC) gets NIST contests, and invested companies, nobody is considering TTRC. The general thought-process of PQC is that the existence of sufficiently powerful quantum computers is an open problem with no clear solution. BUT - if someone solves that problem (that is unclear is even physically possible to solve), it&amp;rsquo;s going to be hell on Earth for crypto implementations. Better safe than sorry.&lt;/p&gt;</description></item><item><title>USB Triggering &amp; Hacking</title><link>https://colinoflynn.com/2019/09/usb-triggering-hacking/</link><pubDate>Mon, 02 Sep 2019 01:50:39 +0000</pubDate><guid>https://colinoflynn.com/2019/09/usb-triggering-hacking/</guid><description>&lt;p&gt;This blog post covers several topics that I should have made independent posts about&amp;hellip; but anyway. Here we are. It&amp;rsquo;s September and I should have done this months ago.&lt;/p&gt;
&lt;h2 id="trezor--usb-hacking-updates-black-hat--woot"&gt;Trezor / USB Hacking Updates (Black Hat + WOOT)&lt;/h2&gt;
&lt;p&gt;I had an earlier blog post with details of the Trezor attack. It turns out this is more generic type of attack than I realized, so I extended this work into a WOOT paper as well. Quickly I thought I should update on that&amp;hellip;&lt;/p&gt;</description></item><item><title>FICHSA ChipWhisperer Tutorial Requirements</title><link>https://colinoflynn.com/2019/05/fichsa-chipwhisperer-tutorial-requirements/</link><pubDate>Mon, 06 May 2019 11:31:39 +0000</pubDate><guid>https://colinoflynn.com/2019/05/fichsa-chipwhisperer-tutorial-requirements/</guid><description>&lt;p&gt;At the FICHSA Conference (&lt;br&gt;
&lt;a href="https://fichsa.sise.bgu.ac.il/"&gt;https://fichsa.sise.bgu.ac.il&lt;/a&gt; ) I will be running a short workshop on ChipWhisperer using the ChipWhisperer-Nano.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;A direct link to a Google Doc with the most up to date information is available here:&lt;/strong&gt; &lt;a href="https://docs.google.com/document/d/1IgDeGZ6d0FEYJbaF4a-KsBhdIHlMZg04-wQYUSZgnks/edit?usp=sharing"&gt;&lt;strong&gt;https://docs.google.com/document/d/1IgDeGZ6d0FEYJbaF4a-KsBhdIHlMZg04-wQYUSZgnks/edit?usp=sharing&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If you want to fully play along, please bring a laptop with the following installed and setup:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;VirtualBox 5.x (5.2.28 is latest supported). You CANNOT use VirtualBox 6 due to some unknown incompatibility.&lt;/li&gt;
&lt;li&gt;VirtualBox Extension pack for version you installed (&lt;a href="https://download.virtualbox.org/virtualbox/5.2.28/Oracle_VM_VirtualBox_Extension_Pack-5.2.28.vbox-extpack"&gt;direct link&lt;/a&gt; to 5.2.28, does not depend on the host OS).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I will be (hopefully) posting a VirtualBox image once one is fully updated.&lt;/p&gt;</description></item><item><title>Glitching Trezor using EMFI Through The Enclosure</title><link>https://colinoflynn.com/2019/03/glitching-trezor-using-emfi-through-the-enclosure/</link><pubDate>Wed, 06 Mar 2019 15:13:45 +0000</pubDate><guid>https://colinoflynn.com/2019/03/glitching-trezor-using-emfi-through-the-enclosure/</guid><description>&lt;p&gt;As mentioned on the &lt;a href="https://blog.trezor.io/details-of-security-updates-for-trezor-one-firmware-1-8-0-and-trezor-model-t-firmware-2-1-0-408e59dc012"&gt;Trezor blog post&lt;/a&gt;, their latest security patch fixes a flaw I disclosed to them in Jan 2019. This flaw meant an attacker with physical access to the wallet can find the recovery seed stored in FLASH, and leave no evidence of tampering.&lt;/p&gt;
&lt;p&gt;This work was heavily inspired by the &lt;a href="http://wallet.fail"&gt;wallet.fail&lt;/a&gt; disclosure - I&amp;rsquo;m directly dumping FLASH instead of forcing the flash erase then dumping from SRAM, so the results are the same but with a different path. It also has the same limitations - if you used a password protected recovery seed you can&amp;rsquo;t dump that.&lt;/p&gt;</description></item><item><title>Embedded World 2019 Conference Talk</title><link>https://colinoflynn.com/2019/02/embedded-world-2019-conference-talk/</link><pubDate>Thu, 28 Feb 2019 21:43:50 +0000</pubDate><guid>https://colinoflynn.com/2019/02/embedded-world-2019-conference-talk/</guid><description>&lt;p&gt;At Embedded World I gave a talk on embedded security. There was also an associated paper, and I&amp;rsquo;m now making those available. I&amp;rsquo;ve also duplicated the paper contents in this blog post for your ease of access.&lt;/p&gt;
&lt;p&gt;Download Slides (PPTX):&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2019/03/Session_4.3I_OFlynn.pptx"&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2019/03/image-8-1024x575.png" alt=""&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Click the above to download PPTX&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2019/03/Session_4.3I_OFlynn.pptx"&gt;Download Powerpoint Slides:&lt;/a&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2019/03/Session_4.3I_OFlynn.pptx"&gt;Download&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2019/03/Session_4.3I_OFlynn-1.pdf"&gt;Download PDF of Paper (reproduced below)&lt;/a&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2019/03/Session_4.3I_OFlynn-1.pdf"&gt;Download&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;ABSTRACT:&lt;/strong&gt; &lt;em&gt;As interconnected devices proliferate, security of those devices becomes more important. Two critical attacks can bypass many standard security mechanisms. These attacks are broadly known as side-channel attacks &amp;amp; fault injection attacks. This paper will introduce side-channel power analysis and fault injection attacks and their relevance to embedded systems. Examples of attacks are given, along with a short discussion of countermeasures and effectiveness. The use of open-source tools is highlighted, allowing the reader the chance to better understand these attacks with hands-on examples.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>More Research, More Fun - I'm now an Assistant Professor</title><link>https://colinoflynn.com/2018/06/more-research-more-fun-im-now-an-assistant-professor/</link><pubDate>Fri, 01 Jun 2018 14:52:59 +0000</pubDate><guid>https://colinoflynn.com/2018/06/more-research-more-fun-im-now-an-assistant-professor/</guid><description>&lt;p&gt;Are you interested in this area of research? If you&amp;rsquo;ve followed some of my work you know I enjoy a combination of fundamental research &amp;amp; hands-on practical experiences.
It led me to co-found NewAE Technology Inc out of my PhD, with the objective of taking some of the research I was doing and pushing it ever further out into the world. I&amp;rsquo;m going to be continuing that work as C.T.O., but at the same time taking a leap forward in building up a larger research group under an academic affiliation.
I&amp;rsquo;ve joined Dalhousie University as an assistant professor in the electrical &amp;amp; computer engineering department. This is a bit of a unique position as I&amp;rsquo;m also going to be helping with some of the new innovation work being done in the &amp;ldquo;IDEA Building&amp;rdquo;, which means I&amp;rsquo;ll be mandated (and thus have time) to work with companies interested in cyber-security (emphasizing the sort of cyberphysical work I do, like IoT and automotive).
I&amp;rsquo;ll be shortly looking for students as well - if you are interested in a MASc or PhD in this area, I&amp;rsquo;d love to hear from you! Get in touch with my Dalhousie email (COFLYNN - AT - DAL.CA), if you don&amp;rsquo;t hear back sometimes I&amp;rsquo;m travelling quite a bit so may be slow, so please follow up to make sure I didn&amp;rsquo;t drop it. Or say hello at a conference - I&amp;rsquo;ll be at RECON and Black Hat in the next few months.
More details &amp;amp; update on this to come, but it&amp;rsquo;s an exciting chance for me to continue pushing the fundamental research I love, while engaging the local start-up community and helping encourage students that starting a business out of research isn&amp;rsquo;t such a bad idea.&lt;/p&gt;</description></item><item><title>Breaking Electronic Door Locks Like You're on CSI: Cyber - Black Hat 2017 Talk</title><link>https://colinoflynn.com/2017/07/breaking-electronic-door-locks-like-youre-on-csi-cyber-black-hat-2017-talk/</link><pubDate>Wed, 26 Jul 2017 02:00:55 +0000</pubDate><guid>https://colinoflynn.com/2017/07/breaking-electronic-door-locks-like-youre-on-csi-cyber-black-hat-2017-talk/</guid><description>&lt;p&gt;This year at Black Hat I&amp;rsquo;m presenting some short work on breaking electronic door locks. This talk focuses on one particular residential door lock. There was a bit of a flaw in the design, where the front panel/keypad can be removed from the outside.
Once the keypad is off, you have access to a connector that goes into the rear side of the device. You can then make a cool &amp;ldquo;brute force&amp;rdquo; board, which was basically the point of this presentation. Finally you can have something that looks like your movie electronic lock hacking mechanism, completed with 7-segment LED displays:
&lt;a href="https://colinoflynn.com/wp-content/uploads/2017/07/lockbreak.png"&gt;&lt;img src="https://colinoflynn.com/wp-content/uploads/2017/07/lockbreak-294x300.png" alt=""&gt;&lt;/a&gt;
This little device does the following:&lt;/p&gt;</description></item><item><title>PhD Thesis Finally Done</title><link>https://colinoflynn.com/2017/07/phd-thesis-finally-done/</link><pubDate>Wed, 12 Jul 2017 12:44:47 +0000</pubDate><guid>https://colinoflynn.com/2017/07/phd-thesis-finally-done/</guid><description>&lt;p&gt;If you&amp;rsquo;ve seen my presentations anytime over the past few years, you&amp;rsquo;ll know the introduction about &amp;ldquo;PhD Student at Dalhousie University finishing &amp;lsquo;soon&amp;rsquo;&amp;rdquo; has been the claim for the past several years. Finally &amp;lsquo;soon&amp;rsquo; actually happened!
You can see my complete thesis entitled &amp;ldquo;A Framework for Embedded Hardware Security Analysis&amp;rdquo; on the &lt;a href="http://dalspace.library.dal.ca/handle/10222/73002"&gt;DalSpace website&lt;/a&gt;. It&amp;rsquo;s been a ton of fun doing the PhD, and I&amp;rsquo;ve had a lot of help over the years which I&amp;rsquo;ve very grateful for. For the foreseeable future I&amp;rsquo;ll be continuing to spin up &lt;a href="http://newae.com"&gt;NewAE Technology Inc.&lt;/a&gt;, and keeping my ChipWhisperer project alive.&lt;/p&gt;</description></item><item><title>Philips Hue, AES-CCM, and more!</title><link>https://colinoflynn.com/2016/11/philips-hue-aes-ccm-and-more/</link><pubDate>Thu, 03 Nov 2016 00:55:25 +0000</pubDate><guid>https://colinoflynn.com/2016/11/philips-hue-aes-ccm-and-more/</guid><description>&lt;p&gt;This is just a quick blog post to update you on some rather interesting research that will be coming out led by &lt;a href="http://eyalro.net"&gt;Eyal Ronen&lt;/a&gt;. At Black Hat USA 2016 I did some teardown of the Philips Hue system, and described the &lt;em&gt;possibility&lt;/em&gt; of a lightbulb worm.
Check this &lt;a href="http://iotworm.eyalro.net/"&gt;landing page which now has a draft PDF of what that became&lt;/a&gt;. This draft paper details how you can (1) recover the encryption keys used to encrypt the firmware updates, and thus encrypt/sign your own images, and (2) details a bug specific to a version of a range-checking protocol which allows reflashing of bulbs over longer distances. The end result is this basically solves all the roadblocks I had identified as stopping the lighbulb worm from actually happening [NB: the distance-check bug has been FIXED already in firmware updates which solves this specific spreading vector].
To me the most interesting part is a demonstration of side-channel power analysis being useful for breaking a &lt;em&gt;rather good encrypted bootloader&lt;/em&gt;. To be clear the Philips Hue does a great job of implementing a bootloader on an IoT device&amp;hellip; it&amp;rsquo;s one of the better I&amp;rsquo;ve seen, especially considering we are talking about a lightbulb. But it&amp;rsquo;s very very difficult to hide from side-channel power analysis and other &amp;ldquo;hands on&amp;rdquo; embedded hardware attacks, instead it&amp;rsquo;s better (but more expensive logistically) to push the solutions to the higher-level architecture. If each bulb had a unique encryption key (&lt;em&gt;maybe&lt;/em&gt; derived from the MAC address using an algorithm on a secure server if you don&amp;rsquo;t want to store all those keys) it would provide an excellent layer of defense.
I&amp;rsquo;m working on making a description of the AES-CCM attack, which will be posted to the &lt;a href="https://wiki.newae.com/AES-CCM_Attack"&gt;wiki page&lt;/a&gt;.&lt;strong&gt;Q: What does that mean to someone using Hue, is it safe?&lt;/strong&gt;
&lt;strong&gt;A:&lt;/strong&gt; Philips released a OTA update to fix the bug that allows spreading over longer distances (October 3rd update). This is a great example of a fast response by a company who takes this stuff seriously. Basically - if I was choosing a smart light platform, I&amp;rsquo;d probably use Hue (I have a few of them in my house too).
 
&lt;strong&gt;Q: What&amp;rsquo;s power analysis?&lt;/strong&gt;
**A:**This isn&amp;rsquo;t a FAQ type answer - but you can see an &lt;a href="https://www.youtube.com/watch?v=OlX-p4AGhWs"&gt;intro video&lt;/a&gt; I made. Basically we use tiny variations in power consumption of a device as it&amp;rsquo;s running to determine information about secrets held within the device.
 
&lt;strong&gt;Q: What if I want more information?&lt;/strong&gt;
**A:**Please contact Eyal for more details, if you want to discuss specific questions, etc. Note the Philips-specific details (such as scripts, keys, etc) will never be released, please don&amp;rsquo;t ask for them.
 
&lt;strong&gt;Q: Does a worm exist?&lt;/strong&gt;
&lt;strong&gt;A:&lt;/strong&gt; NO. It would be extremely reckless to make such a worm, as it would be VERY hard to contain the spread should you have a bunch of Hue devices around you. Instead that research paper demo&amp;rsquo;d all the pieces, but stopped short of putting them together (we wouldn&amp;rsquo;t want a criticality accident).&lt;/p&gt;</description></item><item><title>Philips Hue - R.E. Whitepaper from Black Hat 2016</title><link>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</link><pubDate>Thu, 04 Aug 2016 14:37:33 +0000</pubDate><guid>https://colinoflynn.com/2016/08/philips-hue-r-e-whitepaper-from-black-hat-2016/</guid><description>&lt;p&gt;At Black Hat 2016 I presented on some reverse engineering of the Philips Hue (also see &lt;a href="https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/"&gt;my other post about getting root on it&lt;/a&gt;, which was part of that presentation).&lt;/p&gt;
&lt;p&gt;If you were at the talk, you would have also seen mention that you'll want to keep your eyes out for future publications by Eyal Ronen. You can see &lt;a href="http://www.wisdom.weizmann.ac.il/~eyalro/"&gt;his website for more research related to the Hue &lt;/a&gt;as well, and follow him on twitter @eyalr0. He's been doing some work in parallel that I think will do more than just R.E. the bulbs (as I did), and actually bring some of my `possible' attacks to become real proof-of-concepts.&lt;/p&gt;</description></item><item><title>Black Hat Slides - PIN-Protected HD Enclosure / MB86C311A Research</title><link>https://colinoflynn.com/2016/08/black-hat-slides-pin-protected-hd-enclosure-mb86c311a-research/</link><pubDate>Thu, 04 Aug 2016 14:30:07 +0000</pubDate><guid>https://colinoflynn.com/2016/08/black-hat-slides-pin-protected-hd-enclosure-mb86c311a-research/</guid><description>&lt;p&gt;This is a quick post to link to slides from my Black Hat USA 2016 work.
This work stands directly on the work done by Joffrey Czarny &amp;amp; Raphaël Rigo presented at HardWear.io last year (2015). They discovered the issues w.r.t. the stream-mode cipher being used by all manufactures on the MB86C311A, and the fact that secrets are stored on the HD itself. Their work is available at:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.sstic.org/media/SSTIC2015/SSTIC-actes/hardware_re_for_software_reversers/SSTIC2015-Article-hardware_re_for_software_reversers-czarny_rigo.pdf"&gt;Whitepaper by Czarny &amp;amp; Rigo&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://hardwear.io/wp-content/uploads/2015/10/Slide-hardware_re_for_software_reversers-By-Czarny-Rigo.pdf"&gt;Presentation slides by Czarny &amp;amp; Rigo&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;They have some newer work coming out which looks to be &lt;em&gt;very&lt;/em&gt; interesting, so please keep your eyes out for that. Anyway onto my stuff. The following is a link to my slides:
&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/08/Brute-Forcing-Lockdown-Harddrive-PIN-Codes.pdf"&gt;Brute-Forcing Lockdown Harddrive PIN Codes [Slides]&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Getting Root on Philips Hue Bridge 2.0</title><link>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</link><pubDate>Tue, 12 Jul 2016 16:00:00 +0000</pubDate><guid>https://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/</guid><description>&lt;p&gt;This post will briefly show you how to get a root console on the new Philips Hue Bridges (the square ones). It's rather easy, the only special tools you require are a USB-Serial cable &amp;amp; a torx screwdriver.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978.jpg"&gt;&lt;img class="alignnone size-medium wp-image-711" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080978-300x240.jpg" alt="P1080978" width="300" height="240"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;There's a video with full details, this post is just the specifics if you don't want a very boring walk-through:&lt;/p&gt;
&lt;div class="embed embed--video"&gt;&lt;iframe src="https://www.youtube-nocookie.com/embed/hi2D2MnwiGM" title="YouTube video" loading="lazy" allowfullscreen frameborder="0"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;ol&gt;
 	&lt;li&gt;For the serial cable (a standard 3.3V type one, DO NOT use a 5V cable), there is a 6-pin header along the bottom. Pin '1' has a square footprint, and counting from pin 1 the connections are:
&lt;pre&gt;Pin 1 = GND
Pin 4 = RX In (connect to TX Out of your serial cable)
Pin 5 = TX Out (connect to RX in of your serial cable).&lt;/pre&gt;
&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980.jpg"&gt;&lt;img class="alignnone size-medium wp-image-709" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080980-259x300.jpg" alt="P1080980" width="259" height="300"&gt;&lt;/a&gt;&lt;/li&gt;
 	&lt;li&gt;The bottom left-corner of the 2-row header is GND. You'll have to short that with a wire to the following test point:
&lt;figure&gt;&lt;a href="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981.jpg"&gt;&lt;img class="wp-image-708 size-medium" src="https://colinoflynn.com/wp-content/uploads/2016/07/P1080981-300x261.jpg" alt="P1080981" width="300" height="261"&gt;&lt;/a&gt;&lt;figcaption&gt;This test-point is shorted to GND with a paper-clip or wire. Click image for full-sized to see in better detail.&lt;/figcaption&gt;&lt;/figure&gt;&lt;/li&gt;
 	&lt;li&gt;To get the system working, check you are getting boot messages. Now, restart the system and after you get a bit of output, short the pin. You might see some output like this:
&lt;pre&gt;U-Boot 1.1.4 (Sep&amp;nbsp; 8 2015 - 04:08:21)
&lt;p&gt;bsb002 - Honey Bee 2.0DRAM: &amp;nbsp;&lt;br /&gt;
sri&lt;br /&gt;
Honey Bee 2.0&lt;br /&gt;
ath_ddr_initial_config(195): (16bit) ddr2 init&lt;br /&gt;
tap = 0x00000003&lt;br /&gt;
Tap (low, high) = (0x8, 0x22)&lt;br /&gt;
Tap values = (0x15, 0x15, 0x15, 0x15)&lt;br /&gt;
64 MB&lt;br /&gt;
Top of RAM usable for U-Boot at: 84000000&lt;br /&gt;
Reserving 214k for U-Boot at: 83fc8000&lt;br /&gt;
Reserving 192k for malloc() at: 83f98000&lt;br /&gt;
Reserving 44 Bytes for Board Info at: 83f97fd4&lt;br /&gt;
Reserving 36 Bytes for Global Data at: 83f97fb0&lt;br /&gt;
Reserving 128k for boot params() at: 83f77fb0&lt;br /&gt;
Stack Pointer at: 83f77f98&lt;br /&gt;
Now running in RAM - U-Boot at: 83fc8000&lt;br /&gt;
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x13&lt;br /&gt;
flash size 0MB, sector count = 8&lt;br /&gt;
Flash: 512 kB&lt;br /&gt;
*** Warning *** : PCIe WLAN Module not found !!!&lt;br /&gt;
In:&amp;nbsp;&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Out:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Err:&amp;nbsp;&amp;nbsp; serial&lt;br /&gt;
Net:&amp;nbsp;&amp;nbsp; ath_gmac_enet_initialize...&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
Fetching MAC Address from 0x83febe80&lt;br /&gt;
ath_gmac_enet_initialize: reset mask:c02200 &lt;br /&gt;
Scorpion ----&amp;gt;S27 PHY*&lt;br /&gt;
S27 reg init&lt;br /&gt;
: cfg1 0x800c0000 cfg2 0x7114&lt;br /&gt;
eth0: 00:03:7f:11:20:ce&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000&lt;br /&gt;
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10&lt;/pre&gt;&lt;br /&gt;
Which will then fall back to a prompt:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt;&lt;/pre&gt;&lt;br /&gt;
Good news! We can now get everything working for you. You can print the existing variables if you wish:&lt;br /&gt;
&lt;pre&gt;ath&amp;gt; printenv&lt;/pre&gt;&lt;br /&gt;
&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Set a boot delay such we can enter the menu without the boot hack:&lt;br /&gt;
&lt;pre&gt;setenv bootdelay 3&lt;/pre&gt;&lt;br /&gt;
Check it works with&lt;br /&gt;
&lt;pre&gt;printenv bootdelay&lt;/pre&gt;&lt;br /&gt;
and confirm you get a line like this:&lt;br /&gt;
&lt;pre&gt;bootdelay=3&lt;/pre&gt;&lt;br /&gt;
Finally, save the setting with:&lt;br /&gt;
&lt;pre&gt;saveenv&lt;/pre&gt;&lt;br /&gt;
You can now reset the system (use the 'reset' command), and confirm there is a count-down that gives you time to hit "enter" and get this prompt again.&lt;/li&gt;&lt;br /&gt;
 	&lt;li&gt;Now let's fix the root password. Before doing this, I suggest you keep a copy of the old value:&lt;br /&gt;
&lt;pre&gt;printenv security&lt;/pre&gt;&lt;br /&gt;
This would let you restore things back to default. Then the following will set the root password to 'toor':&lt;br /&gt;
&lt;pre&gt;setenv security '$1$3vGNd7Q3$ISqFeo1VkmQV6nyriUV0V/'&lt;/pre&gt;&lt;br /&gt;
You may have to copy this into notepad first to ensure it all fits on one line! The quotes are critical here. Again check it works with printenv, then type saveenv to store things to disk.&lt;/p&gt;</description></item><item><title>SECT-2015 Talk Slides</title><link>https://colinoflynn.com/2015/09/sect-2015-talk-slides/</link><pubDate>Fri, 18 Sep 2015 08:48:26 +0000</pubDate><guid>https://colinoflynn.com/2015/09/sect-2015-talk-slides/</guid><description>&lt;p&gt;On Friday at 14:15 I&amp;rsquo;m giving a talk about my open-source power analysis and glitching projected called ChipWhisperer at SEC-T. Here is some useful links if you watched the presentation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.newae.com/files/SECT2015_NOWHISPER.pdf"&gt;PDF of Presentation Slides [4MB]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Link to &lt;a href="https://www.kickstarter.com/projects/coflynn/chipwhisperer-lite-a-new-era-of-hardware-security"&gt;Kickstarter&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Link to &lt;a href="http://newae.com/sidechannel/cwdocs/naecw1173_cwlite.html"&gt;Documentation for ChipWhisperer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Link to &lt;a href="http://store.newae.com/chipwhisperer-lite-cw1173-assembled-board/"&gt;CW-Lite in Store&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;See information about the entire project at &lt;a href="http://www.ChipWhisperer.com"&gt;www.ChipWhisperer.com&lt;/a&gt; too! Video will be posted online at some point too.&lt;/p&gt;</description></item></channel></rss>