Category Archives: Security Research
What IoT device manufacturers should learn from the “IoT worm”
WESS 2012: Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems
Any channel crossing the perimeter of a system provides an attack surface to the adversary. Standard network interfaces, such as TCP/IP stacks, constitute one such channel, and security researchers and exploit developers have invested much effort into exploring the attack surfaces and defenses there. However, channels such as USB have been overlooked, even though such code is at least as complexly layered as a network stack, and handles even more complex structures; drivers are notorious as a breeding ground of bugs copy-pasted from boilerplate sample code.
This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that eective and ecient injection of trac into the buses is real and easily aordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
S. Bratus, T. Goodspeed, P. Johnson, S.W. Smith, R. Speers. “Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems.” 7th Workshop on Embedded Systems Security (WESS 2012). October 2012. To appear.
Api-Mote (IEEE 802.15.4/ZigBee Radio Interface)
So why a new device? Almost three years after beginning to work with IEEE 802.15.4 and ZigBee research and security assessments, I’ve gotten tired of the hardware available to interact with these protocols. There are a number of tools out there — but none that I’ve worked with support a few core criteria.
Scapy Support for USB Protocol on Facedancer Boards, MAX2420, etc.
The initial code released in the GoodFET repository by Travis has some great examples, one of which is using the Facedancer to emulate a device using the USB HID (human-interface-device) specification. However, when looking at modifying the code to extend it, or use it for fuzzing, a major issue is determining the meaning of fields and the legitimate (and illegitimate) values for them, as well as the relationships between fields. This information is crucial to both specification-compliant use, or fuzzing. Continue reading
Wireless Security Excuse Bingo
I’d like to gather input from those of you who work or have interaction with this field, and I bet an interesting list may result. I’ll post my suggestions in comments as well, and a running list can be started. Continue reading
USENIX WOOT ’11 Paper: Packets-in-Packets
GoodFET Development on Tmote Sky/TelosB (CC2420 Radio)
Journal Article Published
A sanitized form of our paper has been published in the Fall 2009 issue of the Dartmouth Undergraduate Journal of Science, and you can read it online here. For ease of reading, I have also posted it in the original PDF format.