NSA Playset: JTAG Implants

DEF CON 23

Presented by: Joe FitzPatrick, Matt King
Date: Saturday August 08, 2015
Time: 16:00 - 16:50
Location: Track Four

While the NSA ANT team has been busy building the next generation spy toy catalog for the next leak, the NSA Playset team has been busy catching up with more open hardware implementations. GODSURGE is a bit of software that helps to persist malware into a system. It runs on the FLUXBABBIT hardware implant that connects to the depopulated JTAG header of certain models of Dell servers.

This talk will introduce SAVIORBURST, our own implementation of a JTAG-based malware delivery firmware that will work hand-in-hand with SOLDERPEEK, our custom hardware design for a standalone JTAG attack device. We will demonstrate how this pair enables the persistent compromise of an implanted system as well as release all the hardware and software necessary to port SAVIORBURST and SOLDERPEEK to your JTAG-equipped target of choice. Anyone curious to know more about JTAG, regardless of previous hardware experience, will learn something from this talk.

Joe FitzPatrick

Joe has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Software Exploitation via Hardware Exploits and Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects. Twitter: @securelyfitz

Matt King

Matt is a hardware designer and security researcher who has over a decade of experience designing, securing and exploiting hardware test and debug features on CPUs and SoCs. When not performing pointless hardware tricks, Matt tries to help educate integrated circuit designers on the risks posed by hardware debug capabilities. Twitter: @syncsrc

