Stealthy Information Leakage Through Peripheral Exploitation in Modern Embedded Systems

Embedded systems are being aggressively integrated in every aspect of modern life, with uses ranging from personal devices to devices deployed in critical systems, such as autonomous vehicles, aircrafts, and industrial control systems. Embedded systems handle sensitive information, which can be potentially exposed leveraging their poor security posture. In this paper, we present a novel attack vector that automates stealthy information leakage from modern embedded systems. Specifically, we leverage the Device Tree, a data structure that describes the hardware profile of a system, to extract detailed information about the target system. Utilizing this information, we introduce a stealthy attack that attempts to bridge the air-gap by transferring data from memory directly to analog peripherals. The attack resides solely in the peripherals, completely transparent to the main CPU, by judiciously short-circuiting specific components. We implement this attack on a commercial Programmable Logic Controller (PLC), leaking information over the available LEDs. We evaluate the presented attack vector in terms of stealthiness, and we demonstrate no observable overhead on both CPU performance and DMA transfer speed. Furthermore, we propose a generalized defense scheme for peripheral exploitation attacks by establishing a hardware root of trust through JTAG debugging. Our methodology keeps track of peripheral traffic through JTAG-enabled monitoring, alerts the system for possible malicious behavior and handles the threat removal. We test our defense in terms of imposed performance overhead and overall potency, achieving solid detection of the underlying attack at a low performance cost.

[1]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[2]  Manfred Pinkal,et al.  Acoustic Side-Channel Attacks on Printers , 2010, USENIX Security Symposium.

[3]  Michail Maniatakos,et al.  The Cybersecurity Landscape in Industrial Control Systems , 2016, Proceedings of the IEEE.

[4]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[5]  Mordechai Guri,et al.  LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED , 2017, DIMVA.

[6]  Reinhold Weicker,et al.  Dhrystone: a synthetic systems programming benchmark , 1984, CACM.

[7]  Michail Maniatakos,et al.  Open Platform Systems Under Scrutiny: A Cybersecurity Analysis of the Device Tree , 2018, 2018 25th IEEE International Conference on Electronics, Circuits and Systems (ICECS).

[8]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[9]  Michael Hamburg,et al.  Meltdown , 2018, meltdownattack.com.

[10]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[11]  Thomas Morris,et al.  Trusted Platform Module , 2011, Encyclopedia of Cryptography and Security.

[12]  Nils Ole Tippenhauer,et al.  SWaT: a water treatment testbed for research and training on ICS security , 2016, 2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater).

[13]  Georg Sigl,et al.  Securing FPGA SoC configurations independent of their manufacturers , 2017, 2017 30th IEEE International System-on-Chip Conference (SOCC).

[14]  Alberto Garcia-Serrano,et al.  Anomaly Detection for malware identification using Hardware Performance Counters , 2015, ArXiv.

[15]  Salvatore J. Stolfo,et al.  When Firmware Modifications Attack: A Case Study of Embedded Exploitation , 2013, NDSS.