New class of attack targets embedded devices

A security researcher at Juniper Networks says he plans to demonstrate a new class of attack that can be used to compromise electronic devices like routers or mobile phones.

The vulnerability lies in the ARM and XScale microprocessors, two chips that are widely used in these "embedded" devices. "There are interesting quirks in the ARM and XScale architectures that make things very easy for an attacker," said Juniper's Barnaby Jack. The technique he has developed is "100 percent reliable, and it results in code execution on the device," he said.

An attacker could launch this type of attack to run unauthorized software on a device connected to the network. In theory, criminals could use this kind of attack to steal sensitive information from mobile phones or redirect Internet traffic on routers, say from a user's online bank account to a hacker site set up to steal account and password information.

It's an alternative to hacker techniques like buffer overflow attacks, which attempt to trick the processor into running code that is snuck into the computer's memory.

Jack plans to disclose details on this attack -- and the things that device makers can do to avoid it -- at the CanSecWest security conference being held later this month in Vancouver.

He said he came up with the technique after spending several months cracking open and soldering test equipment onto a range of embedded devices. By taking advantage of a standard integrated circuit testing interface, called JTAG (Joint Test Action Group) Jack was able to sneak a peek at the systems' processors and get a close-up look at how they worked. "With every hardware device, there has to be a way for developers to debug the code and all I did was take advantage of that," he said. "As I was digging deeper into the architecture, I saw a couple of subtleties which could allow for some interesting things.

JTAG is widely used because it gives engineers a way to debug software on embedded systems, but it presents a security risk as well, said Peter Glaskowsky, an analyst with the Envisioneering Group.

Though some companies are able to cut off the JTAG interface on their products, Jack said it was enabled in 90 percent of the devices he examined.

"It's definitely an issue," Glaskowsky said. "Some chips won't turn it off because they want it for later diagnostics if there's a problem with them"

Often, it's simply too expensive for hardware makers to shut down JTAG access, said Joe Grand, a hardware hacker who is president of Grand Idea Studio Inc., an electronics design firm.

Though there hasn't yet been a large amount of research into the kind of hands on hacking techniques being pioneered by people like Jack and Grand, though it appears that is set to change.

The tools and devices required to hack embedded systems are becoming less expensive and hardware hacking is developing a cachet in the security research community, Grand said. He will offer hardware hacking workshops at this year's Black Hat USA conference.

"It's exciting for the hacking community to say, 'I'm sick of software. Let's look at the hardware,'" he said.

Barnaby Jack has no plans to slow down his work.

"I'm looking at my microwave oven right now, but I don't think there's much I could do with that," he said.