35C3 preroll music
Herald angel: Welcome everybody to our
next Talk. It's the talk “Wallet.fail”.
As you all know, when you have something
valuable you put it somewhere safe. But as
we as hackers also know there is no place
that is really safe and our three speakers
Thomas, Dmitry and Josh are now going to
demonstrate in the next hour the art of
completely breaking something apart. So
please give a big round of applause for
Thomas, Dmitry and Josh and have a lot of
fun.
Applause
Dmitry: So just just to start, I'm
curious how many people here actually own
cryptocurrency. Raise your hand. And how
many of you store it on a hardware wallet?
So we're very sorry to everyone who has
their hand up. OK. So it's not just me.
It's me, Josh and Thomas. So we're all
hardware people. We do low level hardware
stuff in varying degrees and we got into
cryptocurrency and so I can recommend to
everyone sitting in this room if you're a
security person. There's not a lot of
people doing security and cryptocurrency
as much as that's painful to hear. So yeah
I mean a lot of this is based on reverse
engineering. We love cryptocurrency.
I mean for us crypto also stands for
cryptography not just crypto currency, but
no offense to anyone with this talk. It's
just something that it's a category that
we looked at. And so the results kind of
speak for themselves. And again this
wouldn't be possible alone. So we have a
lot of people to thank. I'm not going to
go through all of them individually. Just
be knowing that we're thankful to everyone
on this, on the slide. So yes, so we
started this about six months ago. So we
wanted to take a look at cryptocurrency
because we own some cryptocurrency
ourselves and we saw that everyone's using
cryptocurrency wallets. It's more and more
the thing that you do. So we started a
group chat as you do nowadays. And we have
50000 messages now and 1100 images. And I
had my first, I had my son in the meantime
as well. So it's a really long time that
we been looking at this, etc.
Applause
OK, so what do we want to achieve
though? Because people don't give
the kinds of attacks so you can
actually perform against
cryptocurrency wallets enough credit.
So first attack is supply chain attacks
where you are able to manipulate the
devices before they get
to the end customer.
Firmware vulnerabilities, where you find a
vulnerability in the firmware and can
somehow either infect or do something else
with the device. Side-channel attacks of
course. I think that's one of the more
obvious ones that people are familiar
with. And also chip-level vulnerabilities.
So we were able to find one of each of
these. And so that's the talk that we're
going to talk about each one of these
individually. But first, what's a wallet?
Just in case you are not 100 percent
familiar with them. So a wallet, and in
general cryptocurrency how do you do this,
it's just asymmetric cryptography. So you
have a private key and a public key. The
public key, basically, it gives you the
address. You can derive the address from
this. The address is nothing other than
the public key of the wallet and you have
the private key and you need this to send
transactions, so to actually operate with
the cryptocurrency. So this, the private
key, is what needs to be kept secret. The
public key is something that everyone can
know so that they can send cryptocurrency
to you. But it kind of sucks to have a
separate for each cryptocurrency-pair or
for each wallet maybe even multiple
wallets. It sucks to generate a new
cryptographic pair for each one of them.
So the people, the wonderful people,
behind bitcoin have thought of something
for this and it's called BIP32/BIP44. And,
so, what it is is you have a cryptographic
seed and you can actually derive the
accounts from a single seed. So you
basically store one seed and you're able
to implement and do unlimited amount of
wallets. Okay. So basically you do key
derivation, you add some data, do key
derivation and you can have an unlimited
amount of wallets while storing a single
seed. And this is what you're using when
you're using a hardware wallet. So and of
course for each key derivation there will
be a new private key and a public key, but
it will be generated in a predictable
manner and you only need a store one
secret seed. So you only have to store the
seed. You can write it down, and that's
the advantage. But it's difficult to write
down because it's binary data. So come
BIP39, which is what you're most used to,
which is a format in which you can take
that cryptographic seed, that binary data,
and actually convert it to a set of
dictionary words that you can then easily
write down on a piece of paper and store
it at your mother's house, or store half
of it at your mother's house and half of
it at your grandmother's house. And that
way somebody would have to go into both
houses simultaneously to get your words.
So yeah. So what's a hardware wallet?
So we just talked about what's a wallet.
So why do you even need a hardware wallet?
Well, the problem is, of course, computers
can get backdoored, have malware running
on them and this is what you want to pre-
vent against. How do you do this? You have
a secure device, you store your seeds
externally. Usually, this is a USB-
connected device that you store your
crypto on and so you can trust this even
if you can't trust your computer. This is
the idea. So what happens is the computer
sends the transaction to the device. The
device gets the transaction, it can
actually confirm or deny the transaction.
It also displays the transaction. So
before you do any cryptographic signing,
you can see is that actually what I was
doing or was my computer owned and is it
initiating the transaction for me? So you
sign the transaction and also, yeah, the
seed never leaves the transaction, but the
hardware signs a transaction for you. You
send it back to the computer and the
computer can actually take that and send
it to the Internet. OK? So that's a quick
rundown of how crypto or, sorry, how
hardware wallets work. So the first thing
that we looked at was supply chain attacks
which is where Josh gonna pick up. You
have a mic. Oh sorry.
Josh: Ok, so the three big things I want
to leave you with as we go through the
supply chain attacks are, stickers for
laptops, they are not for security. So
we're going to be talking about stickers
today. They're there for laptop
decorations, they are not for security.
Supply chain attacks are easy to perform,
but they're quite hard to perform at
scale. And the last takeaway that I will
leave you with is that, the vendor's
threat model may not actually be your
threat model. So security stickers, some
of the wallet vendors are using them. I
have seen them on other products, they
seem to be quite popular. I have a friend
and colleague named Joe Fitzpatrick, he
also likes stickers. So the stickers that
he makes are the same as we find on his
security product. They have holograms.
They have unique serial numbers. And they
leave you with that nice warm fuzzy
security feeling. Joe makes some funny
ones. You can get a Fitz 140-2 approved
stickers. You don't have to pay the money
for the FIPS one, just get the Fitz one.
So the first device I looked at was the
Trezor One. The Trezor One actually has
two levels of protection on the packaging.
There's the hologram sticker than the
actual box is enclosed with an adhesive.
So it's supposed to be that you actually
have to rip open the box to get into it.
But if you use a hot air gun or a
hairdryer it's actually quite easy to
remove. And so if you see on the left
there that's the original package and on
the right this is a box that I opened and
put everything back into. And if you look
closely there is a little bit of gap
there. The sticker has a little bit of
break but this was the first try. And it's
pretty close. So trust me taking a sticker
off is not very hard. Now if you remember
this picture of the sticker cause we're
going to come back to it. So but for the
vendor this is actually a real problem so
Trezor did put a blog post out that one of
the challenges they face is that they're
facing counterfeiting of their devices. So
this is from their blog post. They say hey
you know we've noticed that there's
counterfeit devices. You have to look at
the stickers to see that they are legit.
So I said remember look at that sticker.
So I bought that case about a year and a
half ago for my previous DevCon talk and
it's the same sticker that they're saying
is fake here. So then on their wiki it's
very confusing because there's three sets
of stickers so basically, yeah, stickers
are very confusing. They cause problems
for end users. And I was not even sure if
I bought a real Trezor or a cloned one. So
this morning I got out a new case. And
just to make sure I took off the sticker
using very sophisticated equipment
including a very expensive Dyson hairdryer
that was included in the AirBnB and I was
able to remove the sticker.
So it comes off
with zero residue. So yes stickers do
not provide any security. On the Trezor T
they switched it from the box and now the
box can be opened easily. But now there's
a sticker on the USB-C port. Again as you
would expect use hot air and you can
easily remove it. Pro tip: don't set the
hot air rework that high I had it set for
lead free reworking and I actually melted
the enclosure. So if you're going to do
this kind of supply chain attack, maybe,
no, set the heat a little lower but if you
just google how to remove stickers the
same attack methods work. So this causes
a bit of confusion because the ledger
device has a very, I will say, in your
face a piece of paper when you open the
box it says there are no stickers in this
box. However I combed through about 250
1-star Amazon reviews and a lot of them
have to do with confusion about the
stickers. So some of them are actually
quite funny. So this this one started out
"Note to wallet hackers", so I was really
into this. So I was like, OK, pro tip
what's this guy have to say? And basically
he was complaining that there's
fingerprints on the device. That's how he
knew it was hacked. Another one complained
that the fingerprints were on the wallet
and there was a hair underneath. So if
you're doing supply chain attacks be sure
to remove any evidence of your
fingerprints or hair. So anyway stickers
don't work. That's all I want to say about
that. Once you get through this enclosure
though you then have to have the challenge
of actually opening the enclosure. These
are three different wallet devices: Ledger
Nano on the left, the Trezor One and the
Trezor T on the bottom all of which
actually open pretty easily. So the Trezor
One, even, so, I'm still not sure if
that's the counterfeit or the real one,
but I get on the on the real one today. I
was able to pop open enclosure. So it is
ultra sonically welded but you can pry it
in there and open it. The Ledger Nano
opens very easily, like, without any
equipment. But once you do this, you know
what do you do once it's opened? So the
attack basically is you take the
microcontroller and you rework it. So you
remove the microcontroller from the
printed circuit board and you put on a new
one that you bought from a distributor.
Once you've done that on the Trezor
devices you can put your compromised
bootloader on there. So this is, I did not
go as far to make the compromised
bootloader, but I did confirm that once I
switched the microcontroller, I could
connect with a debugger over SWD and I
have free access to the chip. So some of
the parts got blown off when I was
reworking but the SDM works fine. So yeah.
So you just rework, reflash and then you
put everything back together. So next I
want to talk about hardware implants. So
you may remember the story that came out
there was this big hack by Bloomberg about
hardware implants. I wanted to make a
hardware implant. I also wanted to have a
little bit of fun with this. So, we, in
honor of the Bloomberg story which has
some, you may have some issues with it.
We're about to talk about the BloomBurglar
which is a super micro fun implant. So the
goals for this implant is I wanted this
implant to happen after receipt. So it is
both a supply chain attack and a physical
one like a red team can perform this. A
malicious insider could also perform this
attack. Zero firmware, because more fun.
It has to fit inside of a hardware wallet,
so it has to be small it has to also
bypass the core security function,
otherwise it's not an implant. Very few
components. I have a thousand of them with
me. So I wanted to be able to offer Makers
and DIYers to participate in the hardware
implant fun. So what kind of implant did I
end up with. Well, I decided to do a
basically, an RF-triggered switch and so
the idea is on these devices there's a
button and the button is the last line of
defense. So all the vendors assume that
the host is going to be compromised. They
just assume that's going to be easy
because that's software. And so once you
have a compromised host you have to send
it to the device and then the human -- so
humans are still needed -- humans have to
look at it and say "Is this the right
transaction or not?" They have to say yes
or no. So now with this implant I can,
through RF, I can trigger the yes button.
So a human is not required to send
transactions, I can remotely trigger it.
Basically the RF comes in through the
antenna it goes through a single
transistor which is the main component and
it pulls the button low. And I'm sorry to
say that the bill of materials is quite
expensive at three dollars and 16 cents.
Two dollars and 61 cents of that is this
potentiometer I had to use. So it is a
little bit expensive. I'm sorry. Also, why
is this so big. I mean this is an American
Dime I can fit two on them. What's the
deal. Why is it so big. Well I optimized
it for hand assembly. So it would be, you
know, more fun to use, but basically you
put the antenna in and then there's an out
button and, like I said, I have a thousand
with me. So just for scale. This is how it
fits on the Ledger Nano. This is how it
fits on the Trezor. It is also because
breadboard-friendly is a thing. So we made
it breadboard-friendly. So you can also
play along very easily at home. So then
the last challenge with an RF implant is
how do you design antenna to fit in there.
And so the big thing there with an
SMA connector is the first prototype
I did. Experimented with a few antenna
designs but that remember it, it all has
to fit inside the Ledger. So that's
actually quite easy because a Ledger Nano
has a plenty of room to insert extra
circuitry and so it quite fits easily in
the Ledger Nano. And then I did the
implant and then I started to go through
the wallet process. I got to a
check that said is might, you know, is the
Ledger device genuine. And here I actually
got a little bit nervous because it wasn't
working, and so it wasn't working. I was
like, maybe they were checking this, you
know how did they detect it. Don't worry,
it's only Linux. So it just doesn't work
on Linux. So that was no problem. I did it
on windows and no problems. The device was
genuine, I was able to move on. So the
thing is, this is a very crude receiver,
but the attacker can always use more
power. So here I have this is my antenna
setup in the basement, and with a 50W
transmitter I can remotely trigger the
button at 11 meters, and at this point I'm
just limited by my basement size. I'm
pretty very confident that I'd be able to
remotely trigger this thing further. Yeah.
So here we're going to see a demo of what
it looks like and for the other problem
you have with hardware implants is how do
you know you have the implanted device. So
you have to label it some way. Ledger has
this kind of Latin phrase that scrolls " I
wanted my own Latin phrase" And so this is
how I know this is my implanted device. So
what we're going to see is that the
transaction screens is gonna show up. This
is, and I'm basically going to trigger
this remotely, so I'm going to show that
radio come in and then it's going to
approve the transaction without any hands.
So this is the transaction. There is the
screen going. This is the way it supposed
to verify. There's the radio coming in at
433 MHz and then it's going to proceed to
the next screen without me touching the
button. There you go. So this is remotely
triggered, and that would have sent
transactions. So if you think about the
context that you have a malicious software
implant that sent it to a wrong address,
the attacker now can remotely accept that
and bypass the security module.
Applause
So, yeah, on the recaps, stickers are for
laptops, not for security. Supply chain
attacks are very easy to do at a hardware
level, but they're quite hard to do at
scale. And when the vendor says the device
is genuine, that may mean different
things.
Thomas: to segue to the next part, so six
months ago, Josh Datko said something that
I found kind of funny and it's almost
correct: "If you put funny constants in
your code, they will end up on DEFCON
slides, and they won't be laughing with
you." Small mistake, they won't end up at
DEF CON, they will be at CCC. and so
introducing the fOOdbabe vulnerability,
it's a bootloader vulnerability in a
Ledger Nano S. We did not come up with
this constant. It's literally in the code
as we'll see later. So the name was not
ours, but we like it. So we also bought
the domain foodba.be.
Laughter
Ledger Nano S is a very simple wallet. It
simply has a small display, it has a USB
port and two buttons. That's really all
there is. And you should take it apart.
You see it's just some pieces of plastic,
the display and the PCB. And looking at
the PCB, it kind of has an interesting
architecture where you have a STM32, which
is just a general purpose microcontroller,
and a ST31, which is a secret element that
is for example used in pay-TV and so on.
And is regarded as a very high security
chip, basically. And if you turn the PCB
around, you'll see that they were nice
enough to leave the programming port for
the STM32 open to us, ENABLED.
Laughter
And this has been suspected by other
people that we verified it. But you know,
you have to go through it. And obviously
Ledger is aware of this. And so let's look
at the security model that the Ledger Nano
S has. The basic idea is that if we look
at this device, we kind of have this
schematic of the STM32 being on the left
and the ST31 on the right. And as you can
see, all peripherals are connected to the
STM32. That is because the ST31 does not
have enough pins to connect peripherals.
It literally only has a one pin interface,
which is for the smartcard protocols
basically. And so all the heavy lifting is
done by the STM32. And Ledger splits it up
into the unsecure part and the secure
part. And the idea is that the STM32 acts
as a proxy. So it's basically the hardware
driver for the button, for the display,
for the USB, similar to a northbridge in
your standard computer. And when you take
a computer and want to make a transaction,
you create your transaction on the
computer, it goes through USB to the
STM32, and the STM32 then forwards it to
the ST31. THe ST31 then says, Oh, a new
transaction, I want trust the user to
confirm it. So it sends a display command
to the STM32 which in turn displays that
on the screen. And then you press the
"yes" button again it goes the same route
to the ST31, which then internally signs
the transaction. So the seed never leaves
the device and our assigned transaction
goes back through the STM, through USB to
the computer. To us, this means if this
chip is compromised, we can send malicious
transactions to the ST31 and confirm them
ourselves. Or we can even go and show a
different transaction on the screen than
we are actually sending to the ST31. And
Ledger is aware of this and we'll talk
about how they try to mitigate this later.
But first we have to find an exploit,
because while we do have debugging access
to the chip, hardware access is sometimes
kind of buggy. No offence. So we wanted to
have a software bug. And so we started
reverse engineering the firmware upgrade
process. And when you look at the
bootloader, the bootloader for the Ledger
used to be open-source, and back then they
didn't have any verification of the
firmware. So you could basically boot the
device into bootloader mode, flash
whatever from where you want, and then it
would run it. After someone, Saleem in
this case, wrote about this, they changed
it, and they changed it to do some
cryptographic measure. And we were too
lazy to reverse engineer the cryptographic
measure because it's very time consuming,
very hard. So we looked more at the parts
surrounding it and how we can maybe find a
bug in the bootloader to break it. And it
turns out that when you try to upgrade
your Ledger, you accept four different
commands. One is select segment, which
allows you to select the address base at
which you're firmware will be flashed. One
is the load command, which allows you to
write data to flash. Then you have the
flush command, which is basically like
f-sync on Linux and writes your changes to
the non-volatile memory. And you have the
boot command, which verifies the flash
code and starts booting it. So to us the
boot command is the most interesting,
because it provides all verification and
it attempts to ensure that no malicious
image is booted. And it turns out that if
you issue the boot command, it compares
the whole image to whatever
cryptographically function they use, and
if it's successfully verified, they write
a constant to the address 0x0800 3000, and
that constant is OxF00DBABE. And so, to
not have to verify the entire flash on
each boot, they just do this once, so only
after firmware upgrade. So basically if
you boot up the ledger, it boots, it waits
500 milliseconds. It checks if you have a
button pressed. If yes, it goes to
bootloader. Otherwise it loads the
constant at 0x08003000. And if it's
0xF00DBABE, it boots the firmware. So our
goal is to write a 0xF00DBABE to that
address. First attempt, we just issue a
select segment command to exactly that
address. We just write 0xF00DBABE to it,
flush and reset the device. Didn't work
unfortunately. so we had to do more
reverse engineering. It turns out that
they use an interesting approach to ensure
that you don't accidentally flash over the
bootloader. So they basically blacklist a
whole memory region. So if you try to
flash from 0x0800_0000 up to 0x0800_3000.
It returns an error. If you try to
directly write to F00DBABE, They thought
about it, and they have a very specific
code path to prevent that. So they memset
it to zero and you're screwed again. And
then finally it writes assuming you didn't
error out. But it turns out that the STM32
has kind of an interesting memory map and
on a lot of chips, you cannot only map
your flash to one address, but you can
also have it mapped to another address.
And in this case the flash is indeed also
mapped to the address 0. And so the
bootloader uses a blacklisting approach,
so it only excludes certain memory areas.
But it doesn't use whitelisting where you
could only explicitly write to this memory
region. So they do not block writing to
0x0000_0000. Profit! Second attempt. We
just select the segment at 0x0000_3000,
which maps to 0x0800_3000, we write
0xF00DBABE to it, we flush, reset, and we
can flash custom firmware! Awesome!
Applause
So what do you do when you have a device
that, where the display is not big enough
to run DOM with a custom firmware. So in
this case it's an original letter, press
the button, put it into bootloader mode,
which is part of the normal operation, and
Laughtes and Applause
If you want to play a bit of snake, come
by later. How are they protecting against
this? I've mentioned before Ledger is
aware that you can reflash this STM32. And
they are, they put in some measures to
prevent you from doing malicious stuff.
And basically what they do and this is
very simplified, and we did not bother to
fully reverse engineer because we didn't
need to, basically. When the chip boots,
it sends its entire firmware to the ST31,
which then performs some kind of hashing
also, verifies that the firmware as
authentic. And it also measures the time
it takes to send the firmware. This is to
prevent you from just running a
compression algorithm on the STM32 and
send it very slowly. How do we bypass
this? So our idea was, because we not only
have flash, we also have RAM. So what if
we create a compromised and compressed
firmware that copies itself to RAM? We
jump to it and then it writes its entire
compressed firmware to flash,
uncompressed in that case, and then we
just call the original code on the secure
element. It would verify the firmware, it
would run with a real timing and boots up
regularly. And so we attempted this. It
took quite a while to achieve.
Because basically, you can't do ZIP, you
can't do LZMA, because even if you
compress the image you don't have enough
space for complex compressor. So our
attempt was to find duplicate bytes,
squeeze them together and make space for a
custom payload. And basically we just have
a table that says, okay, now you will have
six zeros or something. And our each table
entry only takes a single byte. So, and
it's only like 10 instructions in
assembler to run this decompressor, so you
don't have the large code base. It's very
easy to use. And it turns out that even
with a very simple detector, like in this
case we rerun the script to find the
longest duplicate data, and you can see on
the first try, we get like 260 bytes of
space for our payload, which is enough for
a lot of things, let's say. And we have a
working PoC of concept of this and we
would go into a lot of details, but if we
only got an hour. And so we will release
after this talk and on non-offensive
example of this that you can look at how
does it work, what can you do even if
you're firmware is attempting to be
verified. And we also and this is very
exciting we are working with the YouTube
LiveOverflow and he created a 20 minute
video on walking through this entire
F00DBABE vulnerability, how did the
verification works and how to bypass it to
a certain degree. We don't want to
weaponize it. So we did not, we will not
release the first the full thing, but
yeah, very excited for this. Stay tuned on
our Twitter and we'll link it for sure. As
part of this, we also have a lot of
software that we will release. So public
release, we'll release the snake firmware.
So hopefully this evening you'll be able
to play snake on your Ledger. If you
bought some bitcoin at twenty thousand now
you're bankrupt, you can at least play
snake. We will opensource the compressor
and the extractor. We built a logic
analyzer plugin for this markup protocol
and we built software that analyzes the
communication between the STM32 and the
ST31 on the Ledger specific data, and you
can just dump it. So if you guys are
interested in for example trying to break
into the ST31, please have a go. And
Ledger has a second device, which is
called the Ledger Blue. We assume the
reason it's called the Ledger Blue is
because it contains Bluetooth. But they
never enable Bluetooth. So it's basically
just a regular Ledger with a color display
and a big battery in it. And we call this
part "Fantastic Signals and how to find
them".
Laughter
Because when we opened up this device and
we were chatting, we have this nice
telegram chat room where we're chatting
24/7 while doing this. And we opened up
the device and the first thing,like
literally five minutes after opening it, I
saw that you have the secure element on
the left and the STM32 on the right. You
have some other stuff like the Bluetooth
module and so on. The trace between the
secure element and the microcontroller is
pretty long and contains a pretty fast
signal. So what is a long conductor with a
fast changing current? Anyone got a clue?
Interjection
Correct. It's an antenna.
So I pulled out my HackRF
software defined radio, this
is just a very, a more sophisticated RTL-
SDR, so you can just sniff arbitrary
signals with it. I got a random shitty
telescope antenna on Amazon and they have
my Ledger blue. So on this screen, you can
see the blue thing is the radio spectrum
around 169 MHz and if we start entering
our pin we can see that there's a weak
signal.
Laughter
You guys see where this is going. On the
radio. Unfortunately that signal is pretty
weak. Luckily they included an antenna.
They call it a USB cable, but I'm not so
sure about it. So this time with USB
connected, and we do the same thing again.
You can see like crazy radio spikes and
this is right next to each other. But even
if you go a couple of meters. I was
limited as Josh by my living room space.
You get a couple of meters of decent
reception. So our goal was to find out
what is this signal and if we just look at
the recorded amplitude of the signal, we
get this. And if you do a lot of probing
and so on, you immediately see, ok, there
are spikes and there are 11 of them and
then there's a pause and then are small
spikes. So this is probably some kind of
protocol that first sends 11 bytes of data
then pauses, and then sends more data. So
we looked at the back of the device,
started probing every single connection
and tried to figure out is this the secure
element? Is this whatever? And it turned
out to be the display bus. So we can sniff
information on what is sent to the display
remotely. And if you, if we look at the
signal that gets sent in blue, it's the
signal that gets sent when you press the
letter zero on the pin pad and an orange
when you press the letter seven. So we can
see a very clear difference at certain
points on the signal which confirmed our
suspicion. But building software for this
is kind of boring, like digital signal
processing is not really my thing. So what
do we do? And we wanted to increase the
buzzword load in our talk a bit. And so we
are hacking blockchain IoT devices, using
artificial intelligence, in the cloud.
Applause and Laughter
So our ideal was we record training
signals, we use some kind of prefiltering,
we train AI on it. Profit! Literally.
Problem is, getting training data really
sucks, because you don't want to sit there
for 10 hours pressing the same key on a
pin pad. It really doesn't sound like fun.
And so this needs automation. So,
Laughter
So we took in Arduino, we took a roll of
masking tape, a piece of acrylic glass, a
PCB vice and this is a HUAWEI-pen for the
extra amount of Chinese backdoor. And we
let this run for a couple of hours. And
you can actually see that every time it
presses down, you can see that the digit
that you pressed is highlighted and the
difference in the signal we saw earlier is
probably the x and y coordinate, of where
it highlights the button. And that's the
difference. We can see in the trace. And
so we had a lot of recorded data. Now we
created a training set. We created a test
set, preprocessing Tensorflow ai model.
It's really easy surprisingly. And we
tried our test set did a prediction. And
so the big question how accurate is it.
And it turns out. So this is the the
result of a cut of the test set. And if we
zoom in on this this basically tells you
we have the signal of this great thing
it's just a picture representation of the
signal and it tells you how sure it is,
what digit it is. In this case it's 7 with
98 percent likelihood. So pretty good. In
our test set we only have one wrong result
and overall we get it wrong 90 percent
accuracy and to move this in the cloud we
are hosting this on the Google cloud. As
the LedgerAI for you guys to play with and
we'll publish it online with a limited
dataset that is trained on a very close
space. You cannot do something super
malicious with it but it's nice to play
around and see how this was done. And this
brings us to the next part, glitch me if
you can. Thank you.
Applause
Josh: So now we're going to talk about the
silicon level vulnerability with glitching
attacks fault injectio so to review.
So to review I will be talking about the
trezor one. And so I just want to go over
very quickly what the architecture is of
the trezor one and some previous work that
is done. So the Trezor One is quite a
simple embedded device. It consists of
only a few components. It has an OLED
display it has some buttons and has a USB
connector that are all externally facing.
Internally it has its main brain if you
will the STM32F205 microcontroller which
controls all the other operations on the
Trezor, that display, the USB, and the two
buttons. So last year we gave a talk at
DEFCON "Breaking Bitcoin Hardware Wallets"
here we use the chip whisper to mainly do
the glitching attacks, the conclusions
from last year is that the F2O5 was
vulnerable to fault injection but it was
inconclusive if we could do a exploit via
the fault. So this year we have a
different result but the output of that
work was this board was
called the breaking bitcoin board.
Basically it was a Trezor clone that just
made it easy to attach wires and probes
and so we made this board. The design
schematics are all online. It's open
source hardware. This is the chip
whisperer set up that we were using so we
made the board specifically to fit on the
chip whisperer target board. And this is
just what it looks like when you use the
chip whisper GUI to perform a glitch. And
here we were doing application level code
so it's very different but I gave that
talk and then I met Dmitry and Thomas.
Dmitry: Fortunately we had Josh to do the
talk last year and to kind of exhaust a
lot of the firmware vulnerabilities that
were actually hardware vulnerabilities in
the firmware that might have been there.
So we immediately knew that we could
exclude this. And so you can start looking
at the underlying microcontrollers. So in
this case it's STM32 microcontroller that
they use inside of it and it controls
everything. So compromising the STM32
microcontroller means that you can
compromise, you can compromise the device.
So I mean so there's a couple of papers
that have covered some of the
vulnerabilities in the STM32 specifically
there's one which describes a UV attack
which lets you downgrade the security on
the STM32. So we determined that paper
unfortunately does not apply to our result
because the Trezor or is smart enough when
it boot's to check the value stored in
Flash. And if it has been altered in any
way to set it correctly. So they actually
even protect against this kind of attack.
But nevertheless you can see that there is
some vulnerabilities. So there is another
paper which unfortunately has not been
published yet and we couldn't get in touch
with the authors yet. That should be
coming out in January hopefully which
describes glitches against the STM32 F1
and STM32 F3. So now we have the F0, the
F1, and the F3 and so basically here's the
product matrix. So three of them are
already vulnerable. So what we're looking
at SDM 32 F2 and potentially STM32 F4 if
we're talking about the Trezor model T so
those we do not have vulnerabilities for
yet. So let's take a look at how how it
works really quickly. So the way that STM
implements security on the STM32 is that
they store an option byte and the option
byte the thing to remember is on on a
cortex M3 or M4 microcontroller that you
don't have anything other than flash. So
even though they call it option buy or
refer you to this is fusing or being
permanent and hardware. It's still stored
and flash just like the user application
is stored in flash. So it's the same exact
same non-volatile memory that's otherwise
used. So basically when you get a new SDM
32 it's shipped in a state where you have
full access. So that's how Josh was able
to rework abord and flash it with new
firmware. And there is the ultimate
security is what's called RDP2. So there
you have no access but you can see that
basically if you have a value other than
aa or cc which correspond to RDP0 and RDP2
respectively then you have what's called
RDP1 and this is interesting because it
doesn't give you access to the flash which
is actually where the cryptographic seed
is stored on the Trezor but it gives you
access to RAM, it gives you access to the
registers but it doesn't give you flash
access like I said and it doesn't give you
single stepping as well so connecting a
debugger and this mode will actually cause
the hardware to hard fault which we'll see
in the second. So basically what we want
to try to do is to downgrade RDP2 which is
what the trezor is set to. And we want
to be able to access the device at RDP1
which is somewhat vulnerable state. This
so I should say that this is this is the
correct way to approach this and it's
great for doing an educational talk. But
in all honesty there's three of us. And so
we did this completely in the dark over a
over 3 months trying different
parameters on our on our glitch setups
which also later and were able to find
this. But I'm here to explain it to all of
you so that it's easy to reproduce. So if
you actually watch the SDM 30F2 boot
you'll see that it's relatively slow and
it's only this slow after you power cycle
the board. So it takes approximately
1.8 milliseconds to boot which is
a microcontroller terms pretty slow so you
can see there's the power supply there's
the IO pin and that's approximately how
long it takes to boot the firmware so you
can see that's where the IO actually
toggles so 120 milliseconds later. So we
just wrote some firmware to basically
toggle one of the pins measured within an
oscilloscope. Now we have the timing of
how long that takes. So that's not super
interesting because that's not really a
trigger. And each one of these
microcontrollers internally it has a boot
rom so it has some some rom read only
memory. It's not non-volatile memory it's
not the flash. It's literally a rom which
is inside the chip itself. It's it's hard
coded. It cannot be fixed or patched that
gets executed first. So we wanted to
actually attack that because anything else
is the user application and that's what
Josh did last year. So you can kind of
start to fiddle this down. So you see that
1.4 milliseconds of the reboot
nothing actually happens because this is
now the reset line. And so the reset line
goes high after 1.4 millisecond
so you can ignore the first
1.4 milliseconds after you
cycle the power. So now the next step that
you can actually do is you can connect
what's called a shunt resistor. So
oscilloscopes are there to measure
voltage and so you want to actually
measure current to be able to know how
much power is being consumed
by the device. So you do what's called
a shunt measurement and that's
what I have on this slide right here.
So you have the blue signal is now
actually the power consumption. And so now
you can actually look and see what's
happening. So the first thing that happens
is we have the execution of the BootROM.
You can see in the power consumption curve
you can clearly see this moment in time.
Then you have basically where the flash
and option bytes actually get read
somewhat at least within the BootROM. And
finally the third distinctive moment in
time is where the application actually
begins to execute. So now we've taken this
1.8 milliseconds which is a
relatively long time and reduced it to 200
microseconds. We're actually interested
in. And not only that we know that we're
actually interested in having slightly
higher power consumption than the normal
execution of the bootloader or the BootROM
rather and this is somewhere between
let's say 170 microseconds and 200
microseconds. So this is the time at which
we actually need to glitch and this is
also reasonable parameters. If you're
trying to reproduce this at home. So what
do you need to reproduce this thing. So I.
The greatest thing that came out in the
last couple of years is the these cheap
Chinese power supplies where you take a
cheap you know old wall wart from one of
your old Linksys routers you plug it in
and then you actually have a controllable
power supply with with voltage and current
and you can adjust this and control this.
And so that's what we're using here. The
second thing that I have to actually
control the timing is an FPGA. I mean I
use FPGA's for everything and this is
something that was easiest to put together
with an FPGA because FPGAs have constant
timing. So finally we have a multiplexer
there as well and the multiplexers are
actually switching between two voltages
between ground so completely cutting the
voltage off and the normal operating
voltage of the microcontroller. And
finally we have a debugger, the J-link
which is highly advised if you want to
ever do Jtag stuff. So it's just a Jtag
debugger and basically what happens is
you let this run for a while and it looks
like this. It's not really super eventful
so you can see that the voltage the yellow
signal is actually the voltage and you can
see we're just dipping the voltage at
different points in time and
simultaneously we have a python script
checking if we have Jtag access or not.
Protip to all the new dads if you do this
at home you can turn your oscilloscope
towards the door, so that when you get up
at night because the baby's crying, you
can see if it's still running or not. So
it's very, it's highly advised. So now
Thomas is going to tell us how to get the
seed into into RAM.
Thomas: So we had this thing running for
3 months roughly across 3
continents because Josh is in America,
Dmitry is in Russia and I'm in Germany and
so it took us 3 months to get a
successful glitch and even then we didn't
believe it at first because we exhausted
everything basically. And the only reason
we finally got it working is that we did a
mistake where we misstook 70 ms with
170 ms and had it run for a long time. And
that's how we found out that the BootROM
is actually super slow to boot on this
device. And once we had this downgrade
from RDP2 to RDP1, we were able to read
the RAM, but we cannot read the flash
which actually contains the seed. And so
how do we find this? And our idea was we
start reviewing the upgrade procedure
because on the Trezor, the way the
bootloader works is, it doesn't require a
PIN or anything to upgrade the firmware,
which makes sense, because let's say you
have a bug in the pin function you want to
somehow be able to get rid of it, right?
And the other thing is if you flash a
fully valid firmware it retains the data,
it retains your seed. if you flash and not
genuine one. It actually will erase your
seed and so on. And the big, and they do a
really good job on the firmware
verification. We reviewed it for days and
days and days and didn't find anything.
But so how does this upgrade procedure
work? how is this seat retained? And so
when you reviewed the relevant code you
see that there is a call to backup
metadata which sounds like it's going to
retain somehow your data. And indeed you
can see that it's literally a mem-copy
from the data on flash we're interested
into RAM. And so our basic procedure
was, we go into bootloader we start the
firmware upgrade and we stop it before the
RAM gets cleared. Because if you finish
the upgrade procedure, the Trezor actually
clears its memory again, which is a very
decent way to do it. But we've found a way
to retain it in RAM. So it turns out that
when you start the firmware upgrade
process, it eventually asks you to verify
to check some of what you just flashed and
it turns out that at this point in time,
the seed is still in RAM and we can read
it out via RDP2. And this is relatively
simple to do once you actually manage to
glitch the device. You basically just run
openocd dump_image, you get an image of
the SRAM and you have the whole RAM
contents and so.
Dmitry: What are we going to do,Thomas?
What high tech hacking tool will be using
today to extract the seed?
Thomas:So we actually before we were
successful, we had hours of talks on the
how do we, how is this seed stored and so
on. But we've found this super
sophisticated seed extraction tool that
only runs on POSIX and POSIX-like systems,
it's called strings.
Laughter
And so basically it turns out that when
you have a firmware dump as we have RAM
dump as we do now, and we go to we just
run strings on the dump. We get a couple
of really nice words and I don't know if
you remember the intro, but this is your
seeds.
Applause
And you might be wondering what this
little number is. This is your pin to the
device.
Laughters
That was a great day. And so Josh, or one
of Josh's employees took all this mess we
created on all desks and made it into this
nice device which is basically a socket
where you put in your chip and then we can
read out the seed and so on.
Dmitry: And all of this stuff including
the board design, FPGA codes, and the
Verilog code that we use, I mean if
somebody wants to, they can apply it and
do the same thing with one of the ICEPICKs
or one of the more open source friendly
FPGA boards. This just happens to be the
one that we all had lying around and could
reproduce the work with. You can go ahead
and do it. I mean we suspect, I think
Thomas said, we suspect you might be able
to do with Arduino as well, because the
actual glitch pulse is only approximately
60 μs or sorry, 6 μs in time. So it's a
relatively slow signal as well, so it
should be relatively repeatable even with
something cheaper than this. But this is a
way to automate this even better and to
not have dangling wires or any of the
small soldering that was required to do it
in situ in the device which we had on the
previous slide. So all of that we're going
to have it on GIthub. And so I think the
final, the final thing.
Thomas: one more thing before we are,
sorry. One more thing. So this breaks a
lot of the Trezor security, but there is
a way to protect your seed against this,
So if you use a passphrase on your device,
the way we understood it, it basically
doesn't allows somebody with hardware
access to steal all your funds. So if you
add a passphrase to your Trezor, a good
passphrase and your machine is not already
owned you can somehow somewhat protect
against this. But a lot of people don't.
So we are really sorry we didn't mean any
harm.
Dmitry: So yeah, that's the conclusion I
would say. So yeah I mean, so all the
stuff we're going to put online, I guess I
said, so you can follow us for the links
on the online. wallet.fail, it's a domain
name, believe it or not, fail is a TLD. So
you can go to github.com/walletfail,
twitter.com/walletfail. You can follow me,
Thomas, and Josh on Twitter as well and
like I said, we'll be releasing all this
stuff so it will go up slowly. Just
because I think when we set out six months
ago we did not expect us to have 100
percent success in everything that we were
planning to do. so that's a first for me
at the very least.
Thomas: The saddest part is that we have
more vulnerabilities to other wallets,
but, only one hour. And so we also have
some stuff to give out so we have the
hardware implant PCBs, we have thousands
of them if you want to get some.
Dmitry: Off to Josh.
Thomas: We even have components for them
for like 100 devices so hit us up and we
can do something. Thank you.
Applause
Herald: Thank you guys, it's an amazing
talk. I feel really inspired to break
things apart in a very creative way. We
have some time left for questions. So if
you have questions, please line up at the
microphones. But first we're going to
start with a question from the Internet.
Signal Angel: Thank you,
I've got two related
questions from the internet. First one,
how hard did you guys laugh when bitify
announced that their Android-based wallet
was unhackable? And second question, have
you had a try to attack larger processors
like ARM-based processors?
Thomas: So maybe let's start with Bitfi.
So we only talk about somewhat secure
wallets, we didn't want to use a Chinese
phone in this talk. So we laughed pretty
hard and we ordered some, but yeah.
Dmitry: And I mean this was covered
extensively. So another guy who you should
follow on Twitter @cybergibbons gave a
talk at hardwear.io on the topic of the
Bitfi. He was summarizing research that
he did in conjunction with a bunch of
other people as well. So if you're
interested in the Bitfi you should go look
at them.
So the second question was about ARM-based
controllers. I mean all of these were
ARM-based. Every single chip as far as I
know that we looked at was was ARM-based
in one way or another.
Thomas: Yeah and there's,
so if you're interested in this, look at
glitching the Nintendo Switch where they
glitch the Tegra used in the Nintendo
Switch, which is very interesting and will
give a lot of inspiration in that
regard, basically.
Herald: Thank you. A question for
microphone 4 please.
Mic 4: Hi, Trezor CPO here, first thank
you for the talk, we worked with you to
fix the issues as soon as are recommend to
prod and if anyone interested in hacking
hardware wallets, we are really interested
in working with the hardware hackers
community and we have a
responsible disclosure program.
you mentioned problems with supply chain
attacks, but gave no solutions, so let me
give you one. Trezor is open source
hardware so you can build your own
from locally sourced components
and if you are paranoid and don't want to
deal with these kind of attacks.
but my question is, is there any
other solution except for building
your own wallet or inspecting
the code to run and
interrogate about basically?
Thomas: First Thank you. One thing we
should mention is that when we looked at
the Trezor code, the reason we had to end
up glitching this chip for three months is
that we couldn't break the firmware
otherwise. So they do a great job. And
it's really awesome.
Applause
Dmitry: Yes. The firmware on the Trezor is
something to look at. I mean I recommend
that, I mean we all do consulting work as
well. And so it's something that I
recommend that people who are interested
in looking at how to prevent certain doom
mitigations and hardware. It's an
excellent project to look at. And so
Trezor should be commended on that. But at
the end of the day it doesn't mean that
the chip that the Trezor uses is secure
against these kinds of attacks. And that's
where we had a fallback to looking for
silicon vulnerabilities against a chip
or, sorry, a wallet like the Trezor.
Josh: I would say on this hygeine side,
this is a very difficult problem,
governments especially have this issue.
You can do cryptographic attestation, but
as we saw with the Ledger nano,
that cryptographic attestation didn't help
verify that the requests were legitimate
against a hardware attack, so there's been
talk about X-raying the board and all this
stuff, but this is still very much an
open problem in hardware security.
Herald: Another question from microphone
3.
Mic: Actually I have a suggestion.
Herald: Make it short, though. Because
usually we just take questions. One
sentence.
Mic: A few MCUs actually have Jtag
connected via hardware fuses.
So this might be useful
at least slow down glitching attacks.
Dmitry: Thanks. I agree. But these are
not Cortex-M microcontrollers I can tell
you that with 100% certainty. It has to do
a lot with the fact that the
microcontrollers that are being used in
these devices, they're built to spec to
the spec that ARM specified that ARM
thinks would be a good set of features for
this class of device or rather for the for
the CPUs for the class of device that they
ended up getting put in. So anything
Cortex-M is gonna to have vulnerabilities
that are more or less like the silicon
vulnerabilities that we have. It's just I
mean if you ask me I think it's a matter
of time just to sit there. I mean
fortunately we had something like 3 months
of just glitching to be able to find find
these bugs. But if you can apply that much
to find it silicon attack you might be
able to find this kind of vulnerability as
well in other Cortex-M products. Only
three minutes.
Herald: All good. Another question from
microphone 4 please.
Mic 4: So obviously as part of your work
you analyzed the firmware of these
devices. Did you find that the firmware
is in any way obfuscated or encrypted?
Thomas: So basically yep, on these chips
you cannot really encrypt the firmware. On
the ST31 you can encrypt it. But we didn't
have to look at it because the ST31 is not
something you have to break but so no
there was no real obfuscation that we
could see. But we also don't have the code
in the case of letters so I just stared at
IDA pro for hours and yeah.
Herald: The next person on microphone 4.
Mic 4: Hello, did you have a look at the
entropy chip that generates the master
seeds on both of these hardware devices,
and what's your take on that?
Dmitry: I mean, so we already hovered how
the Trezor works. There is only one chip
and it's the STM32 so I know that there
was a known issue with Trezor back in the
day where they weren't seeding the
basically the RNG correctly. But this was
fixed. But for our attacks this wasn't
this wasn't an issue. I mean if you were
concerned about how strong these are, how
strong the random number generators are
for creating a seed you could actually
create a BIP39 wallet outside of any
one of these and then just use them for
their hardware features and get the seed
from outside.
Herald: And if you have a question, do
move to the microphone if you're able to.
But first we have another question from
the Internet.
SA: Thank you. Did you guys see the
dinosaur hiphop zero wallet?
Thomas: No but if you send it to us
we are happy to look at it.
Thomas: Oh you did.
Dmitry: Yeah, we had the it
Josh: The dinosaur hiphop wallet -
Thank you for the kind of trick questions
- So the design of the dinosaur hiphop
wallet was a trezor clone
that we looked at last year.
Thomas: Ah
Josh: Called breaking bitcoin board
so that if we didn't, otherwise
functionally it's a trezor clone
but we stole a lot of the instructions
from dinosaur hiphop
make the breaking bitcoin board
and then prepare the operating system.
Dmitry: I mean, and maybe on that note
I would say that in terms of looking at
what wallets are actually be used you'll
find that, so the Ledger is a very popular
wallet, the Trezor is a very popular
wallet. But since the Trezor is opensource
there is a lot of clones and forks of the
Trezor. And when I say that not all of
them run the latest security patches that
have been applied to the Trezor code base.
So that's also something that you can do
is basically diff the projects and see
which one of them which ones are staying
up to date and which aren't.
Herald: Your question has to be the very
last one today.
Please speak directly into the microphone.
Even closer to the mic.
Mic: Seeing as this is the first CCC for
many of us and some of us might not have
that much experience in hardware hacking.
Do you have any tips for beginners?
Thomas: Yeah lots of them. Buy an Arduino
learn what mistakes you do with it and
learn how hardware works, basically. Watch
a lot of online videos and I think you
gave presentations, you gave
presentations. I gave some presentations.
So just watch talks, watch LiveOverflow.
LiveOverflow, great YouTube channel on
exactly this stuff. And also don't
hesitate to reach out to us. If you have a
question. Always contact us
info@wallet.fail, on Twitter, wherever. we
are happy to talk to you. It might take a
while.
Josh: On non-security electronics, if you
go to Sparkfun or Adafruit, they have lots
of free material of how electronics work,
how to get started. It's not security
related, but it's a very good
electronics program
Dmitry: But I'll say I started
with Arduino too.
Herald: All right thank you guys so much
for the very nice questions and you guys
for the amazing and inspiring talk.
Thank you so much.
Applause
Subtitles created by c3subtitles.de
in the years 2018-2020. Join, and help us!