Endpoint Security , Hardware / Chip-level Security
Researcher Strips ROM for Binary Code
Improved Tooling Makes Such Attacks More LikelyOne bastion against multifactor authentication hacks has been the security key. A physical device outdoes other methods such as one-time codes - which hackers can intercept - and safeguards against machine-in-the-middle attacks.
See Also: Zero Trust: A Global Perspective
Now, that bastion may be crumbling, at least theoretically, following research showing that attackers can physically extract secrets embedded in read-only memory on a shoestring budget. The equipment involves a polishing wheel, a jig and an optical microscope.
"Physical ROM extraction may sound like something impossible or implausible until it’s observed for real," said Tony Moor, senior director of silicon lab services at IOActive.
The Seattle company in a Thursday blog post detailed how Moor took a decapsulated computer chip with embedded ROM and stripped away its physical layers using a rotating platen until he reached the encoded raw bits.
"Determining when to stop polishing (end pointing) is difficult; however, when we hit the ROM encoding layer, we should see some kind of pattern under an optical microscope," he said.
ROM is nonvolatile memory: The bits don't disappear when the power does. It's also very expensive to change, making it the ideal place to go for secure computing mechanisms such as root of trust and handling tasks such as cryptographic key management.
ROM encoding is literally visible within the many layers of a chip - meaning extracting binary code is possible with a photograph and a reverse-engineering tool. "We feel that this is a little-known and rather low barrier of entry technique for someone with some skill, determination and a small budget. It could be the difference between making an unpatchable break on a platform or not," Moor told Information Security Media Group.
Admittedly, this demonstration had a few advantages a real-world attacker wouldn't have. For one thing, the chip in question has a known flaw making it possible to dump the ROM without having to physically wear down the layers and reverse-engineer the contents from binary code. Moor was able to verify he correctly extracted the contents in his physical demo by comparing the results to the ROM dump he already took from the chip by other means. The chip was an older one, and newer devices would be harder to crack.
Also, the chipmaker didn't scramble or encrypt the bits. "As a general rule, scrambling and encryption are commonly seen in specialized security processors (smartcards, etc.) but rare in more general-purpose microcontrollers," Moor said.
Still, physical ROM extraction isn't as farfetched as it might seem, he said. Vintage video gaming enthusiasts already use it to extract the contents of classic game ROMs, the better to emulate old arcade games. They're in the vanguard of what is likely to be a wave of attacks taking advantage of new advanced tooling that can operate at the nanoscale of silicon chips. "We're seeing rapid advancement of techniques and capabilities focused on extracting the most closely guarded secrets, in addition to a growing ecosystem of underground suppliers," he warned.