Hes2011 Ikolter Let Me Stuxnet You 110415064447 Phpapp02

Apr 08, 2018

  • 8/7/2019 Hes2011 Ikolter Let Me Stuxnet You 110415064447 Phpapp02

    1/37

    All rights reserved to Security Art Ltd. 2002 - 2010 www.security-art.com

    Itzik Kotler | April 2011

    Let Me Stuxnet You

    Itzik Kotler

    CTO, Security Art

    Goodbye World!

    Stuxnet and Cyber Warfare are exploiting the (it's complicated) relationship between Software and Hardware to cause damage and sabotage!

    Today it's a country that seeks to destroy another nation and tomorrow it's a commercial company that seeks to make a rival company go out of business. An act of Industrial Cyber Warfare.

    Can Software Damage Hardware? Yes!

    - Software controls hardware, and it can make it perform damaging operations
    - Software can damage other software that runs or operates hardware
    - Software controls hardware, and it can make it perform operations that will be damaging to other hardware

    Industrial Cyber Warfare Attack?

    - Cyber Warfare is not limited to, or designed exclusively for, nations or critical infrastructures
    - A successfully delivered Industrial Cyber Warfare attack causes financial loss, operation loss, or both to the attacked company!
    - Industrial Cyber Warfare is Logic Bombs, Permanent Denial-of-Service, APT and more

    Meet Permanent Denial-of-Service

    - Permanent Denial-of-Service is an attack that damages hardware so badly that it requires replacement or reinstallation of hardware.
    - The damage potential is on a grand scale, almost anything and everything is controlled by software that can be modified or attacked

    Industrial Cyber Warfare: Why & Who?

    - Industrial Espionage
    - Rival Companies
    - Foreign Countries
    - Terrorism
    - Political/Social Agenda
    - Revenge
    - Blackmailing
    - Greed, Power, etc.

    Permanent Denial-of-Service 101

    - Phlashing: Overwriting the firmware of the component and making it useless (i.e. bricked)
    - Overclocking: Increasing the working frequency of the component, making it unstable and causing it to overheat

    Permanent Denial-of-Service (Cont.)

    - Overvolting: Increasing the input voltage of the component to zap it or cause it to overheat
    - Overusing: Repetitively using a mechanical feature of the component, causing it to wear quicker

    Permanent Denial-of-Service (Cont.)

    - Power Cycling: Repetitively turning the power supply to the component on and off, causing it to wear quicker (due to temperature flection and spikes)

    Local Attacks

    Does anyone smell smoke?

    Computer Fans

    - Not a target, per se.
    - Disabling or slowing down the fan RPM speed can result in increased temperature
    - Lengthy exposure to high temperature (due to lack of cooling) can lead to Electromigration that in turn will cause a Permanent Denial-of-Service

    CPU

    - Overheating due to Stressing
    - Overheating due to Overclocking
    - Overheating due to Overvolting
    - Overheating due to (always on) P0 @ APM/ACPI
    - Bricking due to Phlashing (via Microcode Flashing)

    CPU: Infinite Loop

    x86 Assembly Code:

    jmp

    Description:

    Infinite loop that jumps to itself

    CPU: Microcode Flashing

    - Not your typical firmware update
    - Microcode goes into the processor, providing a slightly higher level or more complex commands based on the processor's basic ("hard-wired") commands
    - Microprogramming can be used to abuse or to damage the microprogram within the processor

    RAM

    - Overheating due to Overclocking
    - Overheating due to Overvolting
    - Burnout due to Overvolting

    GPU (Graphics Processing Unit)

    - Overheating due to Overclocking
    - Overheating due to Overvolting
    - Bricking due to Phlashing
    - Utilities (e.g. nvflash, NiBiTor, etc.)

    Hard disk drive

    - Traditional (i.e. Mechanical)
        - Overheating due to Excessive Write & Read
        - Wearing out due to Excessive Head Parking
        - Bricking due to Phlashing
    - Solid-state drive
        - Wearing out due to Excessive Write

    Hard Drive: Pseudo Format Attack

    Command:

    while true; do

    Description:

    Infinite loop of read and write requests to disk

    Hard Drive: Spindown Attack

    Commands:

    hdparm

    Description:

    Sets disk

    BIOS: Bricking/Firmware Flashing

    - Bricking due to Phlashing

    Rogue BIOS Firmware as Platform

    - Allows automation of:
        - Overclocking of CPU, RAM, etc.
        - Overvolting of CPU, RAM, etc.
        - Power Cycling (of the whole System)
    - Can include a Self-destruct function

    CD-ROM/DVD-ROM

    - Wearing out due to Overusing the drive tray
    - Bricking due to Phlashing

    CD-ROM: Mechanical Part Attack

    Code:

    while true; do eject; eject -t; done

    Description:

    Infinite loop that opens and closes the CD-ROM tray

    Memory Wear

    - Flash memory has a finite number of program-erase cycles (aka. P/E cycles).
    - Most commercially available Flash products are guaranteed to withstand around 100,000 P/E cycles, before the wear begins to deteriorate the integrity of the storage
    - Popular products that are based on, or using Flash memory: USB Disk On Keys, Solid-state Drives, Thin Clients and Routers and more.

    Flash: Memory Wear Attack

    Code:

    dd

    Description:

    Infinite loop that excessively writes pseudo-random data to a flash memory
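
On the monitoring side, sustained writes like this show up in the kernel's per-device counters. The following is an added example, not code from the slides: it reads the sectors-written field from two constructed `/proc/diskstats` samples and projects how long the 100,000 P/E cycle budget from the Memory Wear slide would last at the observed rate. The device name `sdb`, its 8 GB capacity, the sample values and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/diskstats lines for a hypothetical 8 GB USB stick "sdb",
// sampled 60 seconds apart. The 10th field is cumulative sectors written.
const (
	sectorBytes = 512 // diskstats counts 512-byte sectors
	sampleT0    = "   8      16 sdb 1200 0 9600 300 50000 0 4000000 90000 0 80000 90300"
	sampleT60   = "   8      16 sdb 1200 0 9600 300 80000 0 6400000 149000 0 139000 149300"
)

// sectorsWritten extracts the sectors-written counter for dev.
func sectorsWritten(diskstats, dev string) (uint64, error) {
	for _, line := range strings.Split(diskstats, "\n") {
		f := strings.Fields(line)
		if len(f) >= 10 && f[2] == dev {
			return strconv.ParseUint(f[9], 10, 64)
		}
	}
	return 0, fmt.Errorf("device %q not found", dev)
}

// daysUntilWornOut projects how many days the device's P/E budget lasts if
// the write rate seen between two samples continues. It assumes ideal wear
// levelling and no write amplification, so the result is an upper bound.
// An idle device (zero rate) yields +Inf.
func daysUntilWornOut(t0, t1, dev string, seconds float64, capacity uint64, peCycles float64) (float64, error) {
	a, err := sectorsWritten(t0, dev)
	if err != nil {
		return 0, err
	}
	b, err := sectorsWritten(t1, dev)
	if err != nil {
		return 0, err
	}
	if b < a {
		return 0, fmt.Errorf("counter went backwards on %s (reboot or re-plug)", dev)
	}
	rate := float64(b-a) * sectorBytes / seconds // bytes per second
	return float64(capacity) * peCycles / rate / 86400, nil
}

func main() {
	days, err := daysUntilWornOut(sampleT0, sampleT60, "sdb", 60, 8_000_000_000, 100_000)
	fmt.Printf("projected days to exhaust P/E budget: %.0f (err=%v)\n", days, err)
}
```

A monitoring agent would compare the projection against the expected service life of the device and alert when it falls well below it.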

    NIC (Network Interface Card)

    - Bricking due to Phlashing

    NIC: TCP Offload Engine

    - TCP Offload Engine or TOE is a technology used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller.
    - TOE is primarily used with high-speed network interfaces, such as gigabit Ethernet and 10 Gigabit Ethernet
    - TOE is implemented in hardware so patches must be applied to the TOE firmware

    CRT Monitor:

    There are problems at scan rates which exceed the monitor's specifications (low or high). Some monitors can blow if given a too low scan rate or an absent or corrupted signal input.

    XFree86 Screen Configuration:

    HorizSync 28.0 - 78.0 # Warning: This may fry very old Monitors

    HorizSync 28.0 - 96.0 # Warning: This may fry old Monitors

    (taken from a real life, XFree86 Config file)

    Legacy: Motorola 6800 & 6809

    - Motorola 6800 was an 8-bit microprocessor and was part of M6800 Microcomputer System
    - The Motorola 6800 and 6809 can damage the computer's bus lines by the instruction 'HCF' (Halt, then Catch Fire).
    - HCF successively toggles each of the bus lines, but it does it so fast that it can damage them. It was intended for manufacturer testing.

    Summary

    - Computer Fans
    - CPU
    - GPU
    - RAM
    - Hard Drives
    - BIOS
    - CD-ROM/DVD-ROM
    - External Storage (e.g. Disk On Key)
    - Network Cards
    - CRT Monitor (Legacy)
    - Floppy Disk (Legacy)
    - Non-x86 Chip

    Remote Attacks

    The long arm of the Permanent Denial-of-Service

    Firmware Updates via Web

    - Network-attached Storage (NAS) Appliances
    - Network Appliances (e.g. Wi-Fi Access Points)
    - DSL/ADSL Cable Modems
    - Computer Peripherals (e.g. KVM)
    - Voice Over IP (VoIP) Phones
    - And more

    Open Questions

    How does this affect Cloud and Virtualized Systems?

    Countermeasures?

    - Hardware:
        - Over-clocking Protection
        - Over-voltage Protection
        - Over-temperature Protection
    - Software:
        - Digitally signed Firmware Binaries & Updates
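
The software countermeasure above, as an added example that is not part of the original slides: an updater that refuses to flash any image whose Ed25519 signature does not verify under a pinned vendor key. The update layout (image followed by a 64-byte signature), the fixed demo seeds and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("firmware signature invalid, refusing to flash")

// VerifyUpdate accepts an update blob laid out as image || 64-byte Ed25519
// signature (a layout assumed for this example) and returns the image only
// if the signature verifies under the vendor key pinned in the updater.
func VerifyUpdate(vendorKey ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) <= ed25519.SignatureSize {
		return nil, errors.New("update too short to carry a signature")
	}
	split := len(blob) - ed25519.SignatureSize
	image, sig := blob[:split], blob[split:]
	if !ed25519.Verify(vendorKey, image, sig) {
		return nil, ErrBadSignature
	}
	return image, nil
}

// demoKey derives a fixed key pair from a constructed seed so the example is
// reproducible; a real vendor key is generated randomly and kept offline.
func demoKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// signUpdate stands in for the vendor's release-signing step.
func signUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	return append(append([]byte{}, image...), ed25519.Sign(priv, image)...)
}

func main() {
	pub, priv := demoKey(0x42)
	good := signUpdate(priv, []byte("constructed firmware image v2.1"))
	tampered := append([]byte{}, good...)
	tampered[0] ^= 0x01 // one flipped bit in the image
	_, errGood := VerifyUpdate(pub, good)
	_, errBad := VerifyUpdate(pub, tampered)
	fmt.Println("vendor-signed:", errGood, "| tampered:", errBad)
}
```

The check only protects the device if it runs in the component that performs the write (boot ROM or updater) rather than in the management interface that receives the upload.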

    Thanks!

    Questions are guaranteed in life; Answers aren't.

    mailto: [email protected]
