Reverse-Engineering the Supra iBox - Exploitation of a Hardened MSP430-Based Device
Offered By: Black Hat via YouTube
Course Description
Overview
Explore reverse-engineering and exploitation techniques for hardened embedded devices through a detailed examination of the Supra iBox BT, a Bluetooth- and IR-based physical key storage device used by real estate professionals. Delve into the challenges of extracting firmware from an MSP430 microcontroller whose JTAG fuse has been blown, and learn about the attack methods tried against its Bootstrap Loader (BSL), including voltage glitching and timing attacks. Discover the crypto key management scheme employed by Supra and understand how it handles synchronization without direct internet access. Gain insights into the internals of the iBox firmware, including a demonstration of an exploit that can open any iBox. Examine the physical access required, the board layout, and the internal components of the device. Follow the step-by-step reverse-engineering process, from initial analysis to successful firmware extraction. Investigate the BSL, existing attacks against it, and their limitations. Learn about MSP430 JTAG security measures and the "Paparazzi" attack. Uncover findings from firmware reversing, including the IrDA protocol implementation and Supra's crypto architecture. Explore the device's authentication modes, brute-force attempts, and potential hardware backdoors. Conclude with an analysis of flash write/erase attacks and a discussion of potential solutions for improving embedded device security.
Syllabus
Intro
Supra iBox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Existing BSL attacks
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack game plan
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
"Paparazzi" attack: Why?
MSP430 firmware reversing
IrDA
Firmware reversing finds
Supra crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write/erase attack
Conclusions/solutions
Taught by
Black Hat
Related Courses
Side-Channel Attacks - TheIACR via YouTube
TPM-FAIL - TPM Meetings Timing and Lattice Attacks - TheIACR via YouTube
FPGA Glitching & Side Channel Attacks - Hackaday via YouTube
Timeless Timing Attacks - Black Hat via YouTube
How the Best Hackers Learn Their Craft - RSA Conference via YouTube