YoVDO

Reverse-Engineering the Supra iBox - Exploitation of a Hardened MSP430-Based Device

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Cryptography Courses Reverse Engineering Courses Timing Attacks Courses Embedded Device Security Courses Firmware Extraction Courses

Course Description

Overview

Explore reverse engineering and exploitation techniques for hardened embedded devices through a detailed examination of the Supra iBox BT, a bluetooth and IR-based physical key storage device used by real estate professionals. Delve into the challenges of extracting firmware from an MSP430 microcontroller with a blown JTAG fuse, and learn about various attack methods, including voltage glitching and timing attacks. Discover the complex crypto key management scheme employed by Supra and understand how it handles synchronization without direct internet access. Gain insights into the internals of the iBox firmware, including an exploit demonstration that can open any iBox. Examine the physical access required, board layout, and internal components of the device. Follow the step-by-step reverse-engineering process, from initial analysis to successful firmware extraction. Investigate the Bootstrap Loader (BSL) overview, existing attacks, and their limitations. Learn about MSP430 JTAG security measures and the "Paparazzi" attack. Uncover findings from firmware reversing, including the IrDA protocol implementation and Supra's crypto architecture. Explore various authentication modes, brute force attempts, and potential hardware backdoors. Conclude with an analysis of flash write/erase attacks and discuss potential solutions for improving embedded device security.

Syllabus

Intro
Supra iBox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Existing BSL attacks
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack game plan
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
"Paparazzi" attack: Why?
MSP430 firmware reversing
IrDA
Firmware reversing finds
Supra crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write terase attack
Conclusions/solutions


Taught by

Black Hat

Related Courses

Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security Chip
Black Hat via YouTube Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube