Exploitation of a Hardened MSP430-Based Device - Braden Thomas - Ekoparty Security Conference - 2014

Offered By: Ekoparty Security Conference via YouTube

Tags

Ekoparty Security Conference Courses, Reverse Engineering Courses, Security Research Courses, Timing Attacks Courses, Firmware Extraction Courses

Course Description

Overview

Explore the reverse-engineering and exploitation of a hardened MSP430-based embedded device in this Ekoparty 2014 conference talk. Delve into techniques for exploiting devices with blown JTAG fuses, reviewing past attacks against the MSP's bootstrap loader (BSL) and addressing the challenges researchers face. Learn how to reliably extract firmware from an MSP430 with a blown JTAG fuse, gain insights into reverse-engineering MSP430 firmware, and discover a software-only attack that leverages BSL features to extract sensitive data from RAM. Follow along as the speaker dissects a real estate lockbox, examines its internals, and walks through the reverse-engineering process. Understand voltage glitching and timing attacks, their results, and limitations. Investigate MSP430 JTAG security, firmware reversing techniques, and the manufacturer's crypto architecture. Conclude with discussions on brute force attempts, hardware backdoors, and potential solutions for securing embedded devices.

Syllabus

Intro
Unnamed real estate lockbox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
MSP430 firmware reversing
Firmware reversing finds
Manufacturer's crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write+erase attack
Conclusions/solutions


Taught by

Ekoparty Security Conference
