Embedded-WINKHUB edge channel attack (NAND Glitch)

Embedded-WINKHUB edge channel attack (NAND Glitch)
0x00 Preface

With the rapid development of IOT, research on the security of various embedded devices and routers is becoming increasingly popular. however, unlike previous software-only security research, this type of research often needs to combine the corresponding hardware knowledge. many friends are confused about how to start, and even stuck on the tool to be selected. therefore, Wang will share some practical cases and corresponding tools in the series of articles. it is expected to play a role in embedded security research.

In the WINKHUB case, we will use several simple entry tools, such as A multimeter, UART adapter, and wire. at the same time, we will introduce an attack method to obtain the ROOT permission of the system through CHIP blocking. this method is the easiest way to get started with edge channel attacks. wang hopes to use this article to let everyone experience the fact that not all side channel attacks are so unattainable.

0x01 essential artifact UART Adapter

As we call it, we must first sharpen our tools and have handy auxiliary tools to improve the security of embedded devices. however, whether it is development, debugging, or security research, embedded devices will use the UART adapter.

UART interface is a universal serial data bus. we can use it to debug the target device. UART ports are generally divided into Vcc, GND, TX, and RX ports on the PCB. the UART adapter is used for transfer between USB ports of the computer.

The configuration of UART adapter is very simple. you only need to find the correct UART port on the target PCB and set parameters such as baud rate to use programs such as Minicom to communicate with the target. anyone who has configured a CISCO router will be familiar with this interface.

However, the UART port used for debugging is usually hidden on the PCB or multiple UART ports exist. how to find the correct UART port on the target PCB is also a topic to be discussed. however, the destination WINKHUB has clearly identified the UART port location.

 

 

The correct baud rate parameter is also worth noting. for example, 9600 or 115200. if this parameter is set incorrectly, we cannot see the correct debugging information. in this case, we can use the baudrate program used to determine the baud rate of the unknown serial row device to find the correct parameters. the working principle is to try to repeat all baudrate until clear debugging information is displayed on the screen.

0x02 WINKHUB Iot Gateway

Finally, today, the main character is playing. The target of this attack is the WINKHUB Iot gateway. Are you curious why you need such a gateway device? If you have been using IOT devices, you will find that the existing IOT products support only one or two interconnection modes at the same time. for example, Philips HUE smart lights use Zigbee as the connection technology. if you want to connect HUE with a Bluetooth Smart door lock, you need to add additional devices. this is inconvenient from the perspective of user experience. the advantage of WINKHUB gateway is that it supports WIFI, ipvth4.0, Zigbee, Z-Wave, RF, and other mainstream IOT connection methods. in other words, users only need to buy such a gateway, so they do not have to worry about compatibility between different IOT products.

However, success and failure are also great. WINKHUB's functional advantages also provide attackers with more attack vectors. as a smart gateway, the security risks that often occur on home routers still exist. for example, the Command execution Vulnerability (set_dev_value.php) exists in earlier versions of firmware ). the SQL Injection vulnerability was found in the new version officially fixed.

The figure shows the PHP code segment containing the Command execution vulnerability. With this vulnerability, we can run any system Command with root privileges, such as reading the shadow file.

0x03 side channel (NAND Glitch)

In embedded systems, NAND Flash is usually used to store firmware, Bootloader, kernel, and root files. is the most important in the system. at the same time, it is also one of the targets most desired by attackers. the size and number of interfaces of NAND Flash are different from those of chips. you can check datasheet. after the code vulnerability is exposed. WINKHUB vendors can quickly fix the vulnerability by upgrading the software. but for the vendor, there is another attack method that is not so easy to fix. this uses the NAND chip as the starting point to obtain the ROOT permission through edge channel attacks. this is also one of the ways to successfully win the XBOX console that year.

(Figure: XBOX game host NAND Flash)

A lot of friends think it is a very high level when talking about edge channel attacks. in fact, edge channel attacks are also divided into several methods. in addition to common information leaks, Fault Glitch is also a common attack method. different from information leakage measurement, error injection attacks often aim to change the running process of programs, especially in the security authentication mechanism. you can also force the system to enter the U-boot shell mode by blocking the normal reading of the kernel.

Error injection attacks generally use lasers, heat energy, and noise as transmission sources for error injection. however, the attack can also be completed simply by connecting a data line to GND. however, it must be noted that Fault Glitch is difficult to predict the results. especially in timing's control. during the actual test, Wang damaged two winkhubs due to improper operations.

0x04 NAND Glitch practices

The error injection attack in this article is to force the WINKHUB system to enter the U-boot shell mode to obtain the root permission by blocking the kernel from being normally read. by reading datasheet, we can find that the 29th PIN of WINKHUB's NAND Flash is the data input and output port.

We first use A multimeter to find the GND port, then use a common data line to start the system, and try to read the kernel and other information in the NAND chip instantly to achieve the purpose of data blocking (NAND Glitch.

 

 

However, you must be careful when completing this process. The reason is that you can see the actual size of PIN 29th in the figure.

However, after a few more exercises, it will be easy to use. After the system enters the U-boot Shell, we can get the ROOT Shell by modifying the kernel parameters. You can watch the following video throughout the process.

 

0X05 Summary

Through this case, I believe you have learned more about embedded attack methods. sometimes, when the pure software step cannot achieve the goal, you can consider the hardware, such as the edge channel method. at the same time, when designing an embedded device, Wang Jue's developers can also consider it from the attacker's perspective. "Think like an attacker" is more than just saying it. the Sword leads the road. attackers often act as attack points from unexpected points.