got hw crypto-slides_hardwear
TRANSCRIPT
![Page 1: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/1.jpg)
got HW crypto?On the (in)security of a Self-Encrypting
Drive series
![Page 2: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/2.jpg)
Research motivation
is HW crypto more secure?
JMS538S SW6316 OXUF943SE INIC-1607Ex x x x
2
x xJMS569 INIC-3608
![Page 3: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/3.jpg)
Speakers intro
Gunnar Alendal:Master’s degree in Cryptography from the University of Bergen, UiB, Norway.
Reverse engineering anything with an opcode; x86, x64, ARM, MIPS, M68k, ARC, 8051, ..
Security researcher with 15 years of professional experience.
Christian Kison:Holds a Master's degree in Informations- Systemtechnik from the TU Braunschweig , Brunswick, Germany.
Started PhD December 2014.
Main research topic involve Side Channel Analysis, physical attacks, silicon and digital forensic and hardware reversing approaches.
3
![Page 4: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/4.jpg)
Western Digital My Passport / Book
● Self-encrypting external HDD series*
● crypto done in either:1. 1st-gen : USB/FW-to-SATA bridge2. 2nd-gen : HDD itself
● Can’t fit everything in talk ⇒ read full paper
* Some models don’t support encryption4
![Page 5: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/5.jpg)
Generic setup
5
![Page 6: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/6.jpg)
Different USB bridges researchedVendor Model (1st-gen/2nd-gen) Architecture
JMicron JMS538S Intel 8051
Symwave SW6316 Motorola M68k
PLX OXUF943SE ARM7
Initio INIC-1607E Intel 8051
Initio INIC-3608 ARC 600
JMicron JMS569 Intel 8051
6
![Page 7: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/7.jpg)
Overall security design
● User PW ⇒ Key-Encryption-Key (KEK):○ KDF(salt+PW) = KEK○ salt + KDF iterations are constant in SWices
● KEK protects Data-Encryption-Key (DEK)
● DEK = holy long-term HW AES Key
7
![Page 8: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/8.jpg)
1st-gen bridges w/AES
8
![Page 9: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/9.jpg)
Overall security design
9
![Page 10: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/10.jpg)
The protected DEK - eDEK
● a KEK-encrypted blob containing the raw DEK
● eDEK stored on disk + USB bridge EEPROM○ EEPROM is marked “U14” on most PCBs
● retrieve eDEK ⇒ off-device pw brute force
10
![Page 11: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/11.jpg)
Authentication - JMS538S/INIC-1607E
11
![Page 12: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/12.jpg)
Mandatory HW encryption
● No PW set ⇔ hardcoded KEK unlocks DEK
● Hardcoded KEK = “PI” AES-256 key
03 14 15 92 65 35 89 79 32 38 46 26 43 38 32 79FC EB EA 6D 9A CA 76 86 CD C7 B9 D9 BC C7 CD 86
12
![Page 13: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/13.jpg)
data recovery
● no pw + broken USB bridge? no problem:○ eDEK stored on HDD + EEPROM○ decrypt eDEK with “PI” KEK ⇒ DEK decrypts HDD
● pw set? off-device brute force○ Constant salt + KDF iteration counter○ GPU-impl. benchmark: ~1 mill pw/s (single card)○ Pre-calculated hash-table
13
![Page 14: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/14.jpg)
Retrieve the eDEK: “no eeprom for you”
● no EEPROM on boot..
● ⇒ raw USB-to-SATA
bridge or “DFU mode”
● ⇒ read eDEK from HDDVID/PID: 1058/0748Bridge: JMS538S
14
![Page 15: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/15.jpg)
Retrieve the eDEK● JMS538S - “no eeprom for you”
● SW6316 - PC-3k / “no eeprom for you”
● OXUF943SE - SATA + hidden eDEK sector
● INIC-1607E - “no eeprom for you” + 3-byte
FW patch to dump eDEK
15
![Page 16: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/16.jpg)
Attackers progress...Model no pw set,
recoverypw brute force break auth. crack DEK
JMS538S ✓ ✓
SW6316 ✓ ✓
OXUF943SE ✓ ✓
INIC-1607E ✓ ✓
16
![Page 17: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/17.jpg)
Breaking auth. - aka. backdoors
● Two 1st-gen chips fail on authentication
● SW6316 stores the KEK in EEPROM/HDD
○ Protection: Hardcoded key (0x29A2607A..)
● OXUF943SE saves a “PI” encrypted eDEK
○ Protection: Hardcoded key (0x03141592..)
17
![Page 18: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/18.jpg)
SW6316 authentication/backdoor
18
![Page 19: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/19.jpg)
Attackers progress...Model no pw set,
recoverypw brute force
break auth. crack DEK
JMS538S ✓ ✓
SW6316 ✓ ✓ ✓
OXUF943SE ✓ ✓ ✓
INIC-1607E ✓ ✓
19
![Page 20: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/20.jpg)
..but before we crack DEKs:
2nd-gen bridgeswith no AES
20
![Page 21: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/21.jpg)
Initio INIC-3608 / JMicron JMS 569
● no HW AES in USB bridge
● HDD does crypto:○ “ATA Security feature Set”; ATA 0xF1, 0xF2, ...
● VSC “status” (0xC045) reports only cipher mode 0x30 (FDE)
21
![Page 22: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/22.jpg)
INIC-3608 backdoor
● INIC-3608 does authentication, no crypto
● EEPROM, U14, contains the raw KEK(!)
● Dump EEPROM ⇒ Get KEK ⇒ authenticate
● ..or get KEK with secret VSC ⇒ authenticate
22
![Page 23: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/23.jpg)
INIC-3608 authentication
23
![Page 24: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/24.jpg)
INIC-3608 backdoor
24
![Page 25: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/25.jpg)
INIC-3608 BackdoorDEMO
25
![Page 26: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/26.jpg)
JMicron JMS569
● Connect to pc3k in kernel-mode○ Get privileges as always by bit shifting○ Erase ATA-module XX ○ HDD unlocks, decrypting everything on the fly
● By now, pc3k found their own way○ Details in the forums
26
![Page 27: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/27.jpg)
Attackers progress...Model no pw set, recovery pw brute force break auth. crack DEK
JMS538S ✓ ✓
SW6316 ✓ ✓ ✓
OXUF943SE ✓ ✓ ✓
INIC-1607E ✓ ✓
INIC-3608 ✓ ✓ ✓
JMS569 ✓ ✓
27
![Page 28: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/28.jpg)
JMS538S and INIC-1607Estill standing tall*
* From the devices available to the researchers28
![Page 29: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/29.jpg)
Recap: Authentication - JMS538S
brute force? :(
brute force??
29
![Page 30: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/30.jpg)
Crack DEK directly?
● How is the HW AES-256 DEK created?
● Entropy source?
● can we beat a 2256 complexity?
30
![Page 31: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/31.jpg)
DEK creation ⇒ device “erase”
● How is the DEK created on a device “erase”?○ aka. “I forgot my password”
● Entropy source(s)?
● Can we assume the factory uses this “erase” command?
31
![Page 32: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/32.jpg)
DEK creation by device “erase”
● “erase” VSC: CDB[0:1] = 0xC1E3
● 2 entropy sources: ○ host computer ⇒ Key material source 1○ on-board RNG ⇒ Key material source 2
32
![Page 33: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/33.jpg)
JMS538S “erase” VSC
33
![Page 34: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/34.jpg)
JMS538S on-board RNG
● Implemented in chip “somewhere”
● Gather samples and plot
● Gather by “status” (4 bytes) or “erase” (32 bytes) VSC
34
![Page 35: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/35.jpg)
/dev/urandom - 32-bit x 10 000
35
![Page 36: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/36.jpg)
JMS538S “status” unmask x 10 000
36
![Page 37: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/37.jpg)
JMS538S on-board RNG
● “status” command masks RNG output:○ xor with 0x271828af
● “erase” uses raw RNG - no mask
● RNG turns out to be a 8-bit LFSR with period 255
37
![Page 38: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/38.jpg)
JMS538S on-board RNG
● ..eh, a RNG with period of 255?!
● ..adding a poor ~28 to the complexity!
● ..so we have total 232 x ~28 = ~240 complexity!
38
![Page 39: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/39.jpg)
JMS538S “erase” attack
● You erase the drive + set sooper pw
● We recover the DEK with 240 complexity○ ~236 if set from a MAC
● ..done in “no time” on any computer
39
![Page 40: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/40.jpg)
JMS538S “erase” VSC
40
![Page 41: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/41.jpg)
JMS538S factory keys
● “most people don’t erase their drives”
● ..so what about the factory set DEKs?
● Does the factory use the “erase” command?
41
![Page 42: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/42.jpg)
JMS538S factory keys analysis
● Grab factory set DEK from an eDEK + reverse the “erase” command flow
● Generate 255 possible “Host provided key material” (source 1)
● Find the correct one by guessing…?
42
![Page 43: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/43.jpg)
JMS538S factory keys - RNG leak
● The default out-of-the-box eDEK leaks
● Decrypted eDEK leaks RNG status at creation time
● … which is the same time as DEK creation!
43
![Page 44: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/44.jpg)
decrypted factory eDEK - RNG leakMagic 0x00: "DEK1"CRC 0x04: 3f97Unknown 0x06: 0000random1 0x08: b1f065bekey 0x3ee2 128 bit 0x0c: dde91629a8f503a41847e9956386a5d3random2 0x1c: 2aa98576key 0x3ef2 128 bit 0x20: fea9c0d0ad395397772420a0563a604brandom3 0x30: 074195dbkey 0x3f02 256 bit 0x34: 3b00e300f7002700e1004d003800040069003e00d70048000c00bb0042006400random4 0x54: 8e832cf3key size (byte) 0x58: 20 => 256 bitsUnknown 0x59: 00000000000000
factory DEK
RNG status leak
44
![Page 45: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/45.jpg)
JMS538S factory keys - RNG leak
● The default out-of-the-box eDEK says it all
● It gives the raw DEK
● + the state of the RNG after DEK creation
● ⇒ We know the host provided key material!
45
![Page 46: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/46.jpg)
example host provided key materialRaw stream: 14 F9 DD 69 49 81 D4 63 CE 22 30 51 23 1B 2C 18 28 3B 3D 15 0F 3F 98 39 E4 C3 1F 4A 57 F3 9A 79
Little endian, 32-bit values: 69DDF914 63D48149 513022CE 182C1B23 153D3B28 39983F0F 4A1FC3E4 799AF357
srand(0x4fd45d3f) ⇐ Seed with this...rand() ⇒ 69DDF914 ⇐ ... and get these rand() ⇒ 63D48149 ⇐ ... ..rand() ⇒ 799AF357 ⇐ ...
46
![Page 47: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/47.jpg)
example host provided key material
● srand(0x4fd45d3f) is the entropy source
● 0x4fd45d3f⇒ UNIX time
● 0x4fd45d3f⇒ 2012-06-10 08:39:27 UTC
● It was on a Sunday ..and it was sunny
47
![Page 48: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/48.jpg)
DEK created: 10 JUN 2012 08:39:27 UTC
Ouch!
HDDs have a printed production date..
48
![Page 49: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/49.jpg)
JMS538S factory DEK attack
● a single 128-bit known-plaintext AES block needed from HDD ⇒e.g. EDEK(00..00)
● Recover the 256-bit DEK with 236 complexity:○ Brute force creation time (2007 - 2015) + RNG state
49
![Page 50: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/50.jpg)
JMS538S factory DEK attack
● ..done in “no time” on any computer
● ..or instant with a 1.2 TB lookup-table!○ pre-gen all 236 possible factory DEKs
○ store EDEK(00..00) + seed + RNG idx
50
![Page 51: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/51.jpg)
JMS538S factory DEK attackDEMO
51
![Page 52: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/52.jpg)
Attackers progress...Model no pw set, recovery pw brute force break auth. crack DEK
JMS538S ✓ ✓ ✓
SW6316 ✓ ✓ ✓
OXUF943SE ✓ ✓ ✓
INIC-1607E ✓ ✓ (✓)
INIC-3608 ✓ ✓ ✓
JMS569 ✓ ✓
52
![Page 53: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/53.jpg)
badUSB and evil-maid?
53
![Page 54: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/54.jpg)
No FW signing ⇒ security problems
● can patch FW devices, pre authentication ⇒ bad, bad USB
● ..resulting in spreading of evilness○ malware in 8051, M68k and ARC. Infect-on-the-fly.○ no easy clean (self-protecting evil FW)○ add crypto backdoor○ nullifying poor auth. schemes
54
![Page 55: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/55.jpg)
Summary
● All 6 bridges analyzed had serious security vulnerabilities
● 3 bridges have backdoors, 2 weak key setup, 1 broken auth.
● All 6 vulnerable to unauthorized FW patching ⇒ badUSB, evil-maid, ..
55
![Page 56: got HW crypto-slides_hardwear](https://reader034.vdocuments.net/reader034/viewer/2022042907/5871537e1a28ab8e5b8b4b29/html5/thumbnails/56.jpg)
Thank You, WD and EFF
Questions?
56