Home / Blog / Hardware Hacking in Industrial Control Systems

Hardware Hacking in Industrial Control Systems

Posted on 06/29/2017, by INCIBE
Hardware Hacking

One of the things we must not forget when designing devices and carrying out their security audits is the fact that someone may open the device to analyse it and obtain information, such as the firmware or software embedded or the memory data values at certain times of the execution.

This technique is known as "Hardware Hacking", and it requires knowledge on electronics, communications among components of circuit boards, operating systems and reverse software engineering, which makes its execution more difficult.

Within the industry, it is common to find multi-purpose chips, with general use designs and used in different specific devices. This means an advantage for the manufacturer when producing them, but it is also an advantage when analysing them. The technical specifications for operation, connections or number of pins of the chip, as well as the type of inputs and outputs accepted, are usually public and easy to find on the internet. This facilitates their study and the monitoring of discoveries by the people involved in "Hardware Hacking".

But hardware is just a part of it; the embedded software contains a lot of information, such as algorithms to create keys, embedded keys (malpractice but widely used), encryption functions, certificates, etc. Knowledge on the structure of the memory and its addressing is essential when searching valuable data in it, as well as to facilitate the dump for subsequent static analysis of values of function arguments, variables, configurations, etc.

Knowing and controlling digital and analogue inputs and outputs which accept a chip allows to modify the normal performance of the device, simulate reset processes, force restart processes, etc. Dynamic and static analyses of all functions involved allow to find out the arguments used, as well as the existence or absence of output or input validations. These analyses, together with the dump of data from the memory at a certain time and with the use of specific tools may help to detect buffer overflows and other vulnerabilities not considered by the manufacturer which may be used to obtain information or take control of the device.

hardware hacking

Essential tools in a "Hardware Hacking" laboratory

The most popular tools used in hardware hacking are the following:

Physical tools kit:

  • Screwdrivers and precision screwdrivers: They are necessary to open the cases of the devices analysed or to disassemble internal parts or boards.
  • Soldering equipment: It is necessary to solder or desolder components, such as chips or memories, and analyse them under certain conditions or separately.
  • Magnifying glass or digital microscope: The different components have screen-printed information on their surface (numbers of components, manufacturer...) that, due to its size, is difficult to read. It also enhances precision when working with the soldering equipment.
  • Signal analyser: It is important to use a signal analyser if we are going to carry out tests with flags and know the binary operation of some specific pins of the chip.
  • Multimeter: Voltage meters (multimeters) are very useful to carry out specific tests, although the analyser often includes this possibility.
  • Oscilloscope: It is essential to interpret a digital or analogue signal accurately.
  • Memory programmer and microcontrollers: It can read and programme different types of Flash memories, EPROMs, chips, etc.
  • Precision tweezers for connection and converters: UART converters/Serial Port to USB, connection tweezers, etc. allow us to read directly from the communication bus.
  • Communication interface, such as JTAG: it is usual to have it in order to connect the analyst's computer with the devices, for example Buspirate, The Shikra, Jtagulator, etc.

Software tools kit:

  • OpenOCD (Open On-Chip Debugger): It allows to connect our computer and the chip to be analysed by means of an interface device. The interaction is carried out by using a telnet interface through the 4444/TCP port or with the GDB in the 3333/TCP port by default.
  • GDB: Free debugger for Linux systems which will help us to understand the operation of on-chips executions.
  • OllyDbg: Disassembler used to analyse binaries in Windows.
  • IDA PRO: Code disassembler similar to OllyDbg.
  • Binwalk: It is a tool to analyse and scan firmware images and binaries, and it quickly shows the different partitions, size, encryption, file system used, etc.
  • Radare2: Portable framework to practice reverse engineering and analysis of binaries comprising several tools, with support for several architectures.
  • Fritzing: For the development of circuits or design of electronic diagrams.

Issues and preventive measures within the industry

The manufacturer, from the initial stage of the design, is responsible for building a robust product. The view of the final client must be included in the production cycle or, at least, taken into account to add requests and improvements. The protection measures implemented by the manufacturer must include the boot system, password check and integrity check, operating system (Kernel) encrypted and not subject to modification, as well as the user space (Applications), user management, roles and licences; without forgetting the physical aspect and the Anti-Tampering mechanisms.

In terms of hardware, the manufacturer of the device has means to avoid certain hardware hacking techniques. The direct reading of signals in the pins of a chip may be avoided by covering said pins with epoxy resin; if an attacker tries to remove the resin, the board is damaged thus preventing communications. The existence of test ports (debug), JTAG, SPI, I2C UART, in production boards could be used by specialists in hardware hacking: if they are not necessary or they are not going to be used at the final client, they must be removed. Additional protection mechanisms in order to prevent the reading of these ports may include the change of functionality of the pins, making them different from the standard one, and the deletion of the firmware if voltage is detected in a specific pin.

Conclusions

One of the attack vectors which we must consider when carrying out our risk analysis is hardware hacking. We must know the type of critical information which may be discovered; to do this, we may directly ask the manufacturers, obtain it by means of own methods or with specialised audit firms. We must also carry out a technical analysis to assess the security of the devices, encryption system, if any, how the keys are managed, algorithms to create keys or embedded keys, services open by default, etc. Finally, creating a metrics with these parameters will be very useful when choosing a device. Just as these assessments are used to choose a software technology, we must follow a methodology to asses which device we must use to give a solution to our industrial need.