There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:
The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware.
Yuwei Zheng is a senior security researcher at Radio Security Department of 360 Technology, core member of UnicornTeam. He is the core researcher of decryption blackberry project, which manage to decrypt Blackberry BBM, PIN message, and BIS secure mail without keys. He is currently focusing on the security research of cellular network, IoT system, and mobile baseband. He had presented his research works at top level security conferences like BlackHat, DEF CON, HITB etc.
Shaokun Cao is a freelance Security researcher, a consultant of UnicornTeam. He is currently focusing on the chip-level security issues, such as microcode, ROM, bootloader, and firmware.
Yunding Jian is the co-founder of UnicornTeam. He is the leader of RocTeam in the Radio Security Research Department of 360 Technology. He is the designer of all pervious SyScan360 Conference badges. He also made serial presentations on Blackhat USA, Blackhat Europe & Asia (Arsenal) ,HITB about his hardware security research and design experience.
Mingchuang Qin is a senior security researcher at the Radio Security Research Department of 360 Technology,the core developer of Skyscan Wireless Intrusion and Prevention System,specializing in IoT and wireless device security. With rich experience in embedded system development, he is proficient in with WiFi and Bluetooth protocol analysis and vulnerability discovery.