
Backdooring Hardware Devices by Injecting Malicious Payloads on Microcontrollers

Over the years, many studies have been published on different ways of backdooring devices by leveraging their own hardware components. However, most of the existing work focuses on backdooring devices based on powerful microprocessors, such as ARM, Intel or AMD, rather than on microcontrollers.

Is targeting microcontrollers worth the effort? Nowadays, they are responsible for controlling a wide range of interesting systems, e.g., physical security systems, car ECUs, semaphores, elevators, sensors, critical components of industrial systems, some home appliances and even robots.

This talk explains how microcontrollers can be backdoored too. After a quick review of basic knowledge about uC, we will dive into three different approaches to achieve payload injection, from basic to advanced techniques. The first method consists of locating the entry point of the firmware and injecting our payload there; this is an easy way to execute it at least once. As a second, and more complex, technique, we will backdoor the EUSART communication by injecting a malicious payload into the code routine of that hardware peripheral; we will be able to get the right memory address by inspecting the GIE, PEIE and polling process at the uC interrupt vector. Finally, the third technique allows us to take control of the microcontroller's program flow by manipulating the stack, writing memory addresses at the TOS; with this we can execute a payload made of instructions already present in the original program, much like a ROP chain.

About Sheila A. Berta

Sheila Ayelen Berta is an information security specialist and developer who started out at the age of 12 as a self-taught learner. At the age of 15, she wrote her first book on Web Hacking, published by RedUSERS in several countries. Over the years, she has discovered vulnerabilities in very popular programs and web applications. She has also taught courses on hacking techniques at universities and private institutes in Argentina. Sheila currently works as a security researcher specializing in offensive techniques. She is also a developer in ASM (microcontrollers and x86/x64 processors), C/C++, Go and Python. Sheila is an international speaker and has presented at major security conferences such as Black Hat Briefings, DEF CON, HITB, PHDays, HackInParis, Hack.Lu, Ekoparty and IEEE ArgenCon, among others.