Embedded devices open to new attack

Embedded devices open to new attack
Embedded devices open to new attack 

By Robert McMillan
IDG News Service
05 April 2007

A Juniper Networks security researcher says he's discovered a new type 
attack that can compromise embedded devices such as routers and mobile 

The vulnerability lies in the Arm and XScale microprocessors, two chips 
that are widely used in these devices. "There are interesting quirks in 
the ARM and XScale architectures that make things very easy for an 
attacker," said Juniper's Barnaby Jack. The technique he has developed 
is "100 percent reliable, and it results in code execution on the 
device," he said.

A successful attacker could run unauthorised software on a device 
connected to the network. In theory, criminals could use the attack to 
steal sensitive information from mobile phones or redirect Internet 
traffic on routers, say from a user's online bank account to a phishing 

It's an alternative to hacker techniques like buffer overflow attacks, 
which attempt to trick the processor into running code that is sneaked 
into the computer's memory.

Jack plans to disclose details on this attack - and the things that 
device makers can do to avoid it - at the CanSecWest security conference 
later this month in Vancouver.

He said he came up with the technique after spending several months 
cracking open and soldering test equipment onto a range of embedded 
devices. By taking advantage of a standard integrated circuit testing 
interface, called JTAG (Joint Test Action Group), Jack was able to sneak 
a peek at the systems' processors and get a close-up look at how they 

"With every hardware device, there has to be a way for developers to 
debug the code and all I did was take advantage of that," he said. "As I 
was digging deeper into the architecture, I saw a couple of subtleties 
which could allow for some interesting things.

JTAG is widely used because it gives engineers a way to debug software 
on embedded systems, but it presents a security risk as well, said Peter 
Glaskowsky, an analyst with the Envisioneering Group.

Though some companies are able to cut off the JTAG interface on their 
products, Jack said it was enabled in 90 percent of the devices he 

"It's definitely an issue," Glaskowsky said. "Some chips won't turn it 
off because they want it for later diagnostics if there's a problem with 

Often, it's simply too expensive for hardware makers to shut down JTAG 
access, said Joe Grand, a hardware hacker who is president of Grand Idea 
Studio, an electronics design firm.

There hasn't yet been a large amount of research into the kind of hands 
on hacking techniques being pioneered by people like Jack and Grand, but 
it appears that is set to change.

The tools and devices required to hack embedded systems are becoming 
less expensive and hardware hacking is developing a cachet in the 
security research community, Grand said. He will offer hardware hacking 
workshops at this year's Black Hat USA conference.

"It's exciting for the hacking community to say, 'I'm sick of software. 
Let's look at the hardware,'" he said.

Barnaby Jack has no plans to slow down his work.

"I'm looking at my microwave oven right now, but I don't think there's 
much I could do with that," he said.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods