Tuesday, November 25, 2008

25C3 Workshop

I'll be giving a workshop on Repurposing the TI EZ430U at the 25th Chaos Communications Congress, Berlin. It will be on Day 3 (2008-12-29 Mon) from 16h00 to 18h00.

There's no charge for the workshop beyond conference admission, but please attend the lecture and bring an EZ430 with you if at all possible.

<travis at radiantmachines.com>

Wednesday, November 19, 2008

Radiant Machines

I've started a site, http://radiantmachines.com/ to showcase my collaborations with Josh Gourneau. The first is a belt buckle.

<travis at radiantmachines.com>

Friday, November 14, 2008

Speaking at 25C3

BSLCracker 3.0

At the 25th Chaos Communications Congress in Berlin this December, I'll be presenting some new research in the security of the MSP430's serial bootstrap loader (BSL) as well as a nice little lecture/workshop combo on reverse-engineering the TI EZ430 development tool.

I intend to travel through France and England, returning in late January for S4, Miami. Please email me if you'd like to meet.

Cracking the MSP430 BSL
Day 1 (2008-12-27), 20h30 (8:30 pm) in Saal 3.

The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. When its JTAG fuse is blown, the device's firmware is kept private only a serial bootstrap loader (BSL), certain revisions of which are vulnerable to a side-channel timing analysis attack. This talk continues that from Black Hat USA by describing the speaker's adventures in creating a hardware device for exploiting this vulnerability.

While the previous part focused on the discovery of the timing vulnerability and its origin, this lecture will focus on the exploitation. Topics include a brief review of the vulnerability itself, PCB design and fabrication, the malicious stretching of timing in a bit-banged serial port, observation of timing differences on the order of a microsecond, and the hell of debugging such a device.

Repurposing the TI EZ430U
Lecture: Day 3 (2008-12-29), 12h45 (pm) in Saal 3
Workshop: Not yet scheduled.

USB devices are sometimes composed of little more than a microcontroller and a USB device controller. This lecture describes how to reprogram one such device, greatly expanding its potential.

At only twenty dollars, the Texas Instruments EZ430U is a bargain of an in-circuit debugger for the MSP430 microcontroller. The board itself is composed of little more than an MSP430 and a USB to Serial controller. The board's JTAG fuse is unblown, and full schematics are included in public documentation. This lecture will discuss the use of the EZ430U, not as a debugging tool, but as a development platform in and of itself. Topics will include the writing of replacement firmware, analysis of the default firmware, reprogramming the USB to Serial controller, and potential target applications.

Travis Goodspeed
<travis at radiantmachines.com>

Tuesday, November 4, 2008

MicaZ Code Injection

by Travis Goodspeed <travis at utk.edu>

Aurélien Francillon and Claude Castelluccia of France's INRIA recently demonstrated at CCS2008 a code-injection attack that reflashes Mica wireless sensors. This is more difficult than my TelosB attack because the MicaZ uses a Harvard-architecture CPU, one that is incapable of directly executing RAM. The authors use meta-gadgets, collections of executable code found already within the device, to copy the payload into executable flash memory. It's about damned time that someone authored a practical implementation for those things, and the paper is well worth reading.

If you quickly glance over the paper, you might miss the best part, which is not that the authors used meta-gadgets but exactly how they found the meta-gadgets. See the seventh page of their paper, the section entitled `Automating the meta-gadget implementation', for details of a modified CPU simulator that constructs meta-gadgets automatically from a given firmware image.

Sunday, November 2, 2008

Speaking at S4 in Miami

On Thursday, January 22nd, I'll be presenting at Digital Bond’s SCADA Security Scientific Symposium (S4) a paper authored with Brad Singletary and Darren Highfill of Enernex on the topic of Low-Level Design Vulnerabilities in Wireless Control Systems Hardware. As 802.15.4 sensors and similar hardware are subject to theft by an attacker, we demonstrate several practical attacks that we've been cooking up for the past year. We include plenty of schematic diagrams, logic analyzer recordings, oscilloscope photographs, and code fragments to keep things interesting. Attendance is strictly limited to fifty-five, and registration is expected to sell-out this year.

Please email me if you'd like to meet up while I'm in town. As always, I'll bring some of my equipment for a show and tell.

--Travis Goodspeed
<travis at utk.edu>