[Cryptography] You can't trust any of your hardware

Jim Gettys jg at freedesktop.org
Sat Aug 2 14:42:47 EDT 2014 

On Fri, Aug 1, 2014 at 4:34 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On Aug 1, 2014, at 1:11 PM, Joe St Sauver <joe at oregon.uoregon.edu> wrote:
> > #I dunno how to fix this. The best I can come up with is to make more of
> > #these exploits happen - post anonymous bounties to get firmware and
> > #schematics leaked?
> >
> > Use of non-rewritable ROMs would obviously "fix" the vulnerability (for
> > some definition of "fix," but that assumes you can produce flawless code
> > that might never need to be patched or updated (or that you can live with
> > pitch-and-replace (rather than patch ) as an update/remediate
> strategy)....
> How many USB devices have ever been patched after sale?  I know of one
> example, which I mentioned in my original posting:  The Apple aluminum
> keyboard, introduced in August of 2007, has received exactly one update
> during its lifetime.
>
> I, personally, know of no other examples.  If anyone else does, I'd like
> to hear about them.
>
> USB devices are generally pretty cheap.  There's little motivation to
> publish patches - there's no general way to reach users, you have to worry
> about whether the users even have a system they could use to patch the
> device, and most will never bother anyway.  So for your expense you gain
> nothing in the market.  It's hard enough (effectively impossible) to get
> more complex, expensive devices like WiFi routers patched in the field -
> typical USB devices are just not worth thinking about.  (Apple could even
> *consider* doing a patch because it had an easy pathway to push patches out
> to all Apple systems, thus capturing most Apple keyboards.)
>
> Doing patching on devices still at the factory, or even in the supply
> chain, might be more realistic - but most organizations these days run such
> lean supply chains that the fraction of devices you could actually get to
> this way is tiny.  Hardly worth the effort except maybe at initial release.
>
> So, yes, for pretty much all USB devices, the code that was initially
> installed will be the code that's in the device until it's discarded.  It
> has to be "right enough".
>
> I suspect most "patchable" devices are that way because that was the
> interface used to upload their firmware to begin with, and it's not
> considered worth the cost to lock out later uploads, even if there's no
> realistic change there will ever be a need for them.
>
>                                                         -- Jerry
>

​This phenomena is not unique to USB, but applies to essentially any device
in which there is a embedded processor, which, besides the base system
firmware image in embedded devices, may include your disk drive, flash
drive, wireless module, keyboard modules, and so on. ​ Devices you think of
as "single chips" are often SOC's + flash + a bit of custom stuff these
days.

We did this mostly right at OLPC for the base firmware , where the boot
loader's write enable was/is protected by a D flop; the boot loader first
checks if there is a properly signed update for itself on boot, and
otherwise immediately locks the boot loader flash down hard (until reset at
next power up).  So a bad guy cannot put an implant into the boot loader
without access to the keys.

The bootloader is also able to check that the image being booted is signed
appropriately, and also has facilities for unlocking the bootloader and
system image for hacking and debugging (possibly after a delay to deter
theft, which is a serious issue in some parts of the world; a scenario most
do not have).  That such firmware be unlockable if you have possession of
the device is actually needed as you have no other way to ensure that the
system has not been tampered with in transit or via malware, or recovery
after disaster, where you may not have a network for updating.

Even flash chips with sector "protection" have typically ways to unlock
those sectors from software, so if you compromise the OS appropriately, you
can unlock those sectors, typically by poking a bit in a register some
place.  I recently chatted with a friend responsible for the later OLPC
systems who recently was unable to find flash with suitable one way write
protect features.  But a separate serial boot rom and D flop is around $.28
cents, and is probably easier to trust.  In principle though, the
additional cost should be zero, if you can trust the flash chips you use.

The NSA TAO catalog makes clear that such unprotected firmware is rife for
all sorts of mischief, persistent implants being some of the most
pernicious.

                                                   Sigh,
                                                            - Jim

"Friends don't let friends run factory firmware."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140802/9514d58d/attachment.html>

More information about the cryptography mailing list