
Itzik Kotler | May 2011

Let Me Stuxnet You


Itzik Kotler, CTO, Security Art

All rights reserved to Security Art Ltd. 2002 - 2010

www.security-art.com


Goodbye World!
Stuxnet and Cyber Warfare are exploiting the (it's complicated) relationship between Software and Hardware to cause damage and sabotage!
Today it's a country that seeks to destroy another nation and tomorrow it's a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.

All rights reserved to Security Art Ltd. 2002 - 2011


Can Software Damage Hardware? Yes!


Software controls hardware, and it can make it perform damaging operations
Software can damage other software that runs or operates hardware
Software controls hardware, and it can make it perform operations that will be damaging to other hardware


Industrial Cyber Warfare Attack?


Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures
A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company!
Industrial Cyber Warfare includes Logic Bombs, Permanent Denial-of-Service, APT and more


Meet Permanent Denial-of-Service


Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.
The damage potential is on a grand scale, almost anything and everything is controlled by software that can be modified or attacked


Industrial Cyber Warfare: Why & Who?


Industrial Espionage
  Rival Companies
  Foreign Countries
Terrorism
  Political/Social Agenda
Revenge
Blackmailing
  Greed, Power, etc.

Permanent Denial-of-Service 101


Phlashing: Overwriting the firmware of the component and making it useless (i.e. "Bricked")
Overclocking: Increasing the working frequency of the component, making it unstable and causing it to overheat


Permanent Denial-of-Service (Cont.)


Overvolting: Increasing the input voltage of the component to zap it or cause it to overheat
Overusing: Repetitively using a mechanical feature of the component, causing it to wear quicker


Permanent Denial-of-Service (Cont.)


Power Cycling: Repetitively turning the power supply to the component on and off, causing it to wear quicker (due to temperature flexion and spikes)


Local Attacks
Does anyone smell smoke?


Computer Fans
Not a target, per se.
Disabling or slowing down the fan RPM speed can result in increased temperature
Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service


CPU
Overheating due to Stressing
Overheating due to Overclocking
Overheating due to Overvolting
Overheating due to (always on) P0 @ APM/ACPI
Bricking due to Phlashing (via Microcode Flashing)


CPU: Infinite Loop


x86 Assembly Code:
    jmp short 0x0
Description: Infinite loop that jumps to itself


CPU: Microcode Flashing


Not your typical firmware update
Microcode goes into the processor, providing slightly higher-level or more complex commands based on the processor's basic ("hard-wired") commands
Microprogramming can be used to abuse or to damage the microprogram within the processor


RAM
Overheating due to Overclocking
Overheating due to Overvolting
Burnout due to Overvolting


GPU (Graphics Processing Unit)


Overheating due to Overclocking
Overheating due to Overvolting
Bricking due to Phlashing
  Utilities (e.g. nvflash, NiBiTor, etc.)


Hard disk drive


Traditional (i.e. Mechanical)
  Overheating due to Excessive Write & Read
  Wearing out due to Excessive Head Parking
  Bricking due to Phlashing
Solid-state drive
  Wearing out due to Excessive Write


Hard Drive: Pseudo Format Attack


Command:
    while true; do dd if=/dev/xxx of=/dev/xxx conv=notrunc; done
Description: Infinite loop of read and write requests to disk


Hard Drive: Spindown Attack


Commands:
    hdparm -S 1 /dev/xxx
    while true; do sleep 60; dd if=/dev/random of=foobar count=1; done

Description: Sets disk spindown after 1 minute of inactivity and goes into an infinite loop of write requests to disk with 1 minute of sleeping in-between
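A defender-side check for the Excessive Head Parking and Spindown cases above, as an added example that is not part of the original slides: it compares two `smartctl -A` readings and flags counters that climb faster than a threshold. The readings are constructed samples, and the watched attribute IDs and the 10-cycles-per-hour limit are assumptions to tune per drive fleet.

```python
# Added example: flag abnormal spin-up / head-load rates from SMART data.
# Both readings are constructed samples in the `smartctl -A` table layout.
HEADER = "ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE\n"
READING_T0 = HEADER + """\
  4 Start_Stop_Count    0x0032 100 100 020 Old_age Always - 1520
  9 Power_On_Hours      0x0032 095 095 000 Old_age Always - 4210
193 Load_Cycle_Count    0x0032 099 099 000 Old_age Always - 3105
194 Temperature_Celsius 0x0022 035 045 000 Old_age Always - 35 (Min/Max 20/45)
"""
READING_T1 = HEADER + """\
  4 Start_Stop_Count    0x0032 100 100 020 Old_age Always - 1578
  9 Power_On_Hours      0x0032 095 095 000 Old_age Always - 4211
193 Load_Cycle_Count    0x0032 099 099 000 Old_age Always - 3164
194 Temperature_Celsius 0x0022 038 045 000 Old_age Always - 38 (Min/Max 20/45)
"""

POWER_ON_HOURS = 9
WATCHED = {4: "Start_Stop_Count", 193: "Load_Cycle_Count"}
MAX_CYCLES_PER_HOUR = 10.0  # assumed policy threshold, not a vendor figure


def parse_raw_values(text):
    """Map SMART attribute ID -> integer raw value (first token of RAW_VALUE)."""
    values = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows start with a numeric ID and have at least 10 columns.
        if len(fields) >= 10 and fields[0].isdigit() and fields[9].isdigit():
            values[int(fields[0])] = int(fields[9])
    return values


def wear_alerts(before_text, after_text, limit=MAX_CYCLES_PER_HOUR):
    """Return [(attribute, cycles_per_hour)] for counters rising faster than limit."""
    before, after = parse_raw_values(before_text), parse_raw_values(after_text)
    # Power_On_Hours gives elapsed time; clamp to 1 h for readings under an hour apart.
    hours = max(after.get(POWER_ON_HOURS, 0) - before.get(POWER_ON_HOURS, 0), 1)
    alerts = []
    for attr_id, name in WATCHED.items():
        if attr_id not in before or attr_id not in after:
            continue  # this drive does not report the counter
        rate = (after[attr_id] - before[attr_id]) / hours
        if rate > limit:
            alerts.append((name, rate))
    return alerts


if __name__ == "__main__":
    for name, rate in wear_alerts(READING_T0, READING_T1):
        print(f"ALERT {name}: {rate:.0f} cycles/hour")
```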


BIOS: Bricking/Firmware Flashing


Bricking due to Phlashing


Rogue BIOS Firmware as Platform


Allows automation of:
  Overclocking of CPU, RAM, etc.
  Overvolting of CPU, RAM, etc.
  Power Cycling (of the whole System)
Can include a Self-destruct function


CD-ROM/DVD-ROM
Wearing out due to Overusing the drive tray
Bricking due to Phlashing


CD-ROM: Mechanical Part Attack


Code:
    while true; do eject; eject -t; done
Description: Infinite loop that opens and closes the CD-ROM tray


Memory Wear
Flash memory has a finite number of program-erase cycles (a.k.a. P/E cycles).
Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles, before the wear begins to deteriorate the integrity of the storage
Popular products that are based on, or using, Flash memory: USB Disk On Keys, Solid-state Drives, Thin Clients, Routers and more.


Flash: Memory Wear Attack


Code:

dd if=/dev/urandom of=/dev/xxx
Description: Infinite loop that excessively writes pseudo-random data to a flash memory


NIC (Network Interface Card)


Bricking due to Phlashing


NIC: TCP Offload Engine


TCP Offload Engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.
TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet
TOE is implemented in hardware so patches must be applied to the TOE firmware


CRT Monitor:
There are problems at scan rates which exceed the monitor's specifications (low or high).
Some monitors can blow if given too low a scan rate or an absent or corrupted signal input.


XFree86 Screen Configuration:


    HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors
    HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors

(taken from a real-life XFree86Config file)


Floppy Drive:
Wearing out due to Excessive Head Rotation
On some floppy drives there is no validity checking on sector/track values, and so the floppy head might get hit repetitively against the stopper (See: NYB Virus)


Legacy: Motorola 6800 & 6809


Motorola 6800 was an 8-bit microprocessor and was part of the M6800 Microcomputer System
The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction 'HCF' (Halt, then Catch Fire).
HCF successively toggles each of the bus lines, but it does it so fast that it can damage them.
It was intended for manufacturer testing.


Summary
Computer Fans
CPU
GPU
RAM
Hard Drives
BIOS
CD-ROM/DVD-ROM
External Storage (e.g. Disk On Key)
Network Cards
CRT Monitor (Legacy)
Floppy Drive (Legacy)
Non-x86 Chip


Remote Attacks
The long arm of the Permanent Denial-of-Service


Firmware Updates via Web


Network-attached Storage (NAS) Appliances
Network Appliances (e.g. Wi-Fi Access Points)
DSL/ADSL Cable Modems
Computer Peripherals (e.g. KVM)
Voice Over IP (VoIP) Phones
And more


Open Questions
How does this affect Cloud and Virtualized Systems?


Countermeasures?
Hardware:
  Over-clocking Protection
  Over-voltage Protection
  Over-temperature Protection
Software:
  Digitally signed Firmware Binaries & Updates


Thanks! Questions are guaranteed in life; Answers aren't.


mailto: itzik.kotler@security-art.com
Twitter: @itzikkotler
