By Robert McMillan
IDG News Service
05 April 2007
A Juniper Networks security researcher says he's discovered a new type
attack that can compromise embedded devices such as routers and mobile
The vulnerability lies in the Arm and XScale microprocessors, two chips
that are widely used in these devices. "There are interesting quirks in
the ARM and XScale architectures that make things very easy for an
attacker," said Juniper's Barnaby Jack. The technique he has developed
is "100 percent reliable, and it results in code execution on the
device," he said.
A successful attacker could run unauthorised software on a device
connected to the network. In theory, criminals could use the attack to
steal sensitive information from mobile phones or redirect Internet
traffic on routers, say from a user's online bank account to a phishing
It's an alternative to hacker techniques like buffer overflow attacks,
which attempt to trick the processor into running code that is sneaked
into the computer's memory.
Jack plans to disclose details on this attack - and the things that
device makers can do to avoid it - at the CanSecWest security conference
later this month in Vancouver.
He said he came up with the technique after spending several months
cracking open and soldering test equipment onto a range of embedded
devices. By taking advantage of a standard integrated circuit testing
interface, called JTAG (Joint Test Action Group), Jack was able to sneak
a peek at the systems' processors and get a close-up look at how they
"With every hardware device, there has to be a way for developers to
debug the code and all I did was take advantage of that," he said. "As I
was digging deeper into the architecture, I saw a couple of subtleties
which could allow for some interesting things.
JTAG is widely used because it gives engineers a way to debug software
on embedded systems, but it presents a security risk as well, said Peter
Glaskowsky, an analyst with the Envisioneering Group.
Though some companies are able to cut off the JTAG interface on their
products, Jack said it was enabled in 90 percent of the devices he
"It's definitely an issue," Glaskowsky said. "Some chips won't turn it
off because they want it for later diagnostics if there's a problem with
Often, it's simply too expensive for hardware makers to shut down JTAG
access, said Joe Grand, a hardware hacker who is president of Grand Idea
Studio, an electronics design firm.
There hasn't yet been a large amount of research into the kind of hands
on hacking techniques being pioneered by people like Jack and Grand, but
it appears that is set to change.
The tools and devices required to hack embedded systems are becoming
less expensive and hardware hacking is developing a cachet in the
security research community, Grand said. He will offer hardware hacking
workshops at this year's Black Hat USA conference.
"It's exciting for the hacking community to say, 'I'm sick of software.
Let's look at the hardware,'" he said.
Barnaby Jack has no plans to slow down his work.
"I'm looking at my microwave oven right now, but I don't think there's
much I could do with that," he said.
Subscribe to InfoSec News