Set Top Box Security.pdf


  • 8/10/2019 Set Top Box Security.pdf

    1/51

    Set Top Box

    Security

    Budapest, September 19, 2010

    Zoltán Hornák, Tamás Jós, Kristóf Kerényi


    Outline

    SEARCH-LAB Security Evaluation Analysis and Research Laboratory

    Embedded systems

    Introduction

    Security

    Set-Top Boxes

    Security solutions

    PCB security

    Interfaces

    Chipset security features

    Smart card security

    Demonstration


    SEARCH-LAB introduction


    Introduction of SEARCH-LAB

    SEARCH Laboratory established at the Budapest University of Technology in 1999 with the financial help of Nokia Hungary

    SEARCH-LAB Ltd established in 2002 as a spin-off company to provide professional services


    Professional activities

    SAFECode: Software Assurance Forum for Excellence in Code

    Aims:

    dedicated to increasing trust in information and communications technology products

    advancement of proven software assurance methods

    SHIELDS: Detecting known security vulnerabilities from within design and development tools

    http://www.shields-project.eu


    What is an embedded system

    Computer systems designed for a specific purpose

    As opposed to general purpose systems like PCs

    Used where specific computing capability is needed

    Limited resources

    Input (designated knobs, dials)

    Output (directly driving something)

    Power (battery? cooling?)

    Cheap components (mass production)

    Not designed to be upgraded for new service areas

    Used literally everywhere on the Globe

    Ranging from very simple to quite complex systems

    Most people have got at least one in their pockets


    Security challenges of embedded systems

    Freedom to tinker?

    is your freedom to understand, discuss, repair, and modify the technological devices you own

    The embedded system is sometimes not even the holder's property

    Works in a hostile environment

    Incentive to abuse the device to get more (unpaid) services

    Attackers have unlimited time to reverse engineer the hardware and the software of these devices

    Cracking an embedded system usually results in loss of profit for the owner (through the services)


    Security advantages

    Developers have full control of designing the hardware architecture

    Developers can use custom designed processors/chipsets with enhanced security features

    The software can be protected by some kind of trusted computing solutions

    End-to-end security is harder to crack than security of open systems


    Example: Set-Top Boxes

    Digital television receiver

    Terrestrial, cable, satellite or IPTV

    Tuner, demodulator, demultiplexer

    Conditional Access (Pay-TV)

    Common Interface

    Built-in card-reader

    Additional features

    Hard disk (DVR, PVR)

    USB

    Network (VOD, Web access)

    Parental control


    General model for STB


    General STB architecture

    System-on-Chip (SOC)

    Processor core

    Some RAM

    Some Flash

    Embedded controllers for network, USB, etc

    Various engines for video decoding, decryption, descrambling, etc

    Main SDRAM

    Flash memory for firmware

    HDD interface

    Other interfaces


    Attack paths

    Attacker's prime goal: viewing unsubscribed content

    Attack paths

    Extract Control Words out of the STB (to distribute)

    Inject downloaded CWs directly into own STB

    Extract recorded programmes from PVR disk

    Dump VoD programmes from disk or multicast

    To reach this

    External or internal interfaces could be eavesdropped

    Hacked software could be loaded on the STB


    Security solutions


    Security solutions

    Interfaces

    JTAG, RS-232, Smart Card, Infrared, I2C, USB, Ethernet, HDMI, VGA,

    Probing resistance

    TSOP chips, BGA

    Secure signal routing

    Gluing

    Chipset security features

    System-on-Chip security

    Firmware integrity protection

    Smart Card Security

    Shared secret between the Smart Card and SoC


    Interfaces


    JTAG

    Generic test access point for electronic components

    Standardized signals, but often custom protocol

    Used during

    Development

    Finalization on the production line

    Maintenance at service points

    This interface has full control over the component

    SoC, other chips

    Many gaming consoles have been hacked with the use of this interface

    Possibility to lock it (password protect or disable)


    Serial interfaces

    RS-232

    Common serial interface

    Could be external or internal

    Could be used to

    Obtain debug information

    Initiate firmware upgrade

    Read out data for finalization on the production line

    Smart card

    Smart card reader chip usually connected to UART

    Infrared

    No protection

    Full features only known to the programmer who implements it

    I2C


    External connections

    USB

    Widespread interface

    Could unlock or bypass security features when correct token inserted

    Hard to find out which profiles are implemented

    Ethernet

    Ethernet interface with TCP/IP stack implies the same well-known weaknesses as it does on PCs

    Is the stack well implemented?

    Are the servers well implemented?

    Is there a firewall?


    HDD, Display

    External or internal file systems

    IDE or SATA HDD, USB PVR

    File system

    File/content encryption

    Display interfaces

    HDMI

    HDMI has a two-way serial interface, like most display adapter interfaces

    HDCP key exchange (master key just cracked)

    Device control (e.g. CEC)

    Could be used for even more purposes

    DVI

    VGA


    Probing resistance


    Secure component selection

    TSOP chips

    Easily probed - logic analyzer

    Easily replaced - break-out boards

    BGA means a level of physical protection against tapping and probing attacks

    In many cases chip identity concealed (grinding)

    In some cases special chips used (mixing pins)


    Secure signal routing

    Exposing signal lines is dangerous for

    Key components (Flash, RAM)

    Any confidential data transmitted in plaintext

    An attacker could sniff the data being sent and received

    And could do much more


    Gluing

    Could hide chip identification string

    Hides sensitive signal lines and exposed pins

    Makes the removing process really hard

    Removes also top layer of PCB signal lines

    Heat-resistant glue types

    Not often used because of the high cost


    Chipset security features


    System-on-Chip central units

    Provides the majority of the core functions for the embedded device integrated into one chip

    Main SoC blocks are

    CPU

    Memory controllers - RAM, Flash

    External interface controllers - RS-232, Ethernet, USB, IR

    Internal interface controllers - SATA, Smart card, I2C, SPI

    Complete MPEG stream processor

    Demultiplexing

    Descrambling

    Decoding

    A lot of general purpose pins


    SoC security

    Secure unique identity

    Unique serial number stored inside the chip during manufacturing

    Cannot be changed

    Secure key storage

    Small amount of ROM, RAM

    Holds the keys for cryptographic operations

    Some unique

    Others shared

    Secure on-chip cryptographic engines

    The core CPU is slow, needs hardware acceleration for crypto functions

    Secure DMA using key in SoC-internal RAM/ROM


    SoC security II

    Antifuses

    OTP - One Time Programmable memory cells

    Can set certain behavior of the chip like forcing flash authentication

    Usually set as the final step of manufacturing

    Secure bootloader

    Before booting the firmware

    SoC-internal boot code runs, which authenticates the firmware before running it or loading it to the RAM

    Integrity

    Authenticity

    Only signed code will start


    Firmware security

    Mandatory AES-256 encryption for the system software on new STBs

    RSA-1024/2048 digital signature

    Runtime integrity checking

    The SoC checks the integrity of the firmware not just at boot time but later, in random or pre-set time intervals

    Authenticated flash memory update

    Firmware upgrade only from authenticated source

    Potentially insecure channel

    Therefore signed

    Downgrade protection (version number is signed along with the firmware, lower version will not install)
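The authenticated update with downgrade protection described on this slide, as an added example that is not part of the original slides or any vendor's code. The header layout and key are hypothetical, and HMAC-SHA256 stands in for the RSA-1024/2048 signature so that the example runs with the Python standard library only.

```python
import hashlib
import hmac
import struct

# Constructed demo key; HMAC-SHA256 is a stand-in for the RSA signature.
VENDOR_KEY = b"constructed-demo-key"
HEADER = struct.Struct(">4sI")  # hypothetical layout: magic, version
TAG_LEN = 32


def build_update(version, firmware, key=VENDOR_KEY):
    """Vendor side: the tag covers the version field AND the firmware."""
    signed = HEADER.pack(b"STBF", version) + firmware
    return signed + hmac.new(key, signed, hashlib.sha256).digest()


def accept_update(package, installed_version, key=VENDOR_KEY):
    """Device side: authenticate first, only then trust the version field."""
    if len(package) < HEADER.size + TAG_LEN:
        return False, "truncated"
    signed, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    magic, version = HEADER.unpack_from(signed)
    if magic != b"STBF":
        return False, "bad magic"
    if version < installed_version:  # lower version will not install
        return False, "downgrade rejected"
    return True, f"install v{version}"


def demo():
    old = build_update(3, b"old firmware (constructed sample)")
    new = build_update(5, b"new firmware (constructed sample)")
    # An authentic but older image: the signature is valid, the version is not.
    replayed = accept_update(old, installed_version=4)
    # Editing the version field of the old image invalidates the tag,
    # because the version number is signed along with the firmware.
    edited = bytearray(old)
    edited[4:8] = struct.pack(">I", 9)
    tampered = accept_update(bytes(edited), installed_version=4)
    return accept_update(new, installed_version=4), replayed, tampered


if __name__ == "__main__":
    print(demo())
```
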


    Memory security

    Flash security

    Authenticated flash image

    Write protection

    Write Enable pin

    Hardware logic in the flash chip (passwords)

    Write-protecting certain (boot) sectors of the flash

    RAM security

    Performed by SoC (designated module)

    RAM encryption

    Transparent for the CPU and authenticated developers

    Prevents disassembling the RAM contents after dumping

    Source ID monitoring

    Acts like a firewall between RAM and SoC cores, only granting access to certain areas for certain cores


    Smart card security


    Chipset pairing and protection of link to smart card

    ECM is decrypted by the smart card to yield CW

    Must be transmitted to SoC for descrambling

    Simple serial interface (UART)

    Could be sniffed

    Encrypted channel between SoC and smart card

    SoC and smart card share a symmetric encryption key, which is unique

    Pairing between smart card and chipset (STB, CAM)

    Pairing also prevents using an STB at another content provider (protects provider investment)

    Similar type of link protection can be used to encrypt all communication between smart card and SoC, not just CWs


    Embedded Systems Security Services


    SEARCH-LAB's Testing Tools

    Embedded systems debugging tools

    Generic JTAG and manufacturer-specific evaluation tools

    Boundary and parallel scanning

    Content analysis of memory chips

    Man-in-the-Middle (MiM) analysis and manipulation tools

    Flash MiM

    Smart card MiM

    USB MiM

    UART/serial MiM

    Flash memory manipulator tool

    VHDL programmable run-time XILINX logic

    Post-processing on a PC

    Various reverse engineering tools

    Soldering and rework equipment, X-ray microscopy


    JTAG pin reconstruction based on X-ray images

    6 GenIO27 VSS JTClk EMU1

    5 GenTest0 JTRst VDDLMM

    4 JTDI JTDO EMU0

    3 JTMS EMU0 GenIO30 MBusRx FBusRx

    2 GenIO26 VSS EarData

    1

    A B C D E F


    JTAG test device and its connection


    Logging board


    Patch board


    Phone boots up with patch board


    Logic analysis environment


    MiM Flash Manipulator

    Flash Manipulator board that is able to switch between an original Flash and another one with manipulated content


    MiM Flash Manipulator

    [Block diagram: XILINX logic, RAM, USB port, PORT 1, PORT 2, PORT 3, original Flash, modified Flash, place of the Flash memory chip on the PCB]


    Man in the middle connection between Flash memory and CPU


    Capabilities of our MiM Flash Manipulator

    VHDL programmable XILINX logic

    Fast enough for run-time operation

    Logic analyzer capabilities

    Programmable triggers

    Records up to 2MB of internal bus traffic

    Post processing on PC (connected via USB)

    Flash memory manipulation

    Shows original content during boot loader to bypass integrity checking

    Switches to the manipulated flash chip during operation

    Arbitrary code can be executed this way

    Possibility to run internal testing algorithms

    Similar solutions for Smart cards, USB, UART/serial connections
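Why the runtime integrity checking listed under firmware security matters against a flash image that changes after boot, as an added simulation that is not part of the original slides. The class names, tick timeline and images are constructed, and a SHA-256 digest assumed to be held in on-chip storage stands in for the signature check.

```python
import hashlib


class FlashBus:
    """What the SoC reads over the external flash bus: the original image
    until switch() is called, a different image afterwards."""

    def __init__(self, original, modified):
        self._images = {"original": original, "modified": modified}
        self._active = "original"

    def switch(self):
        self._active = "modified"

    def read(self):
        return self._images[self._active]


class SoC:
    def __init__(self, bus, trusted_digest):
        self.bus = bus
        self.trusted_digest = trusted_digest  # assumed on-chip reference value

    def integrity_ok(self):
        return hashlib.sha256(self.bus.read()).digest() == self.trusted_digest

    def run(self, ticks, recheck_every=0, switch_at=2):
        """Boot, then run for `ticks` steps. The bus content changes at
        `switch_at` (simulation timeline). Returns the tick at which the
        mismatch was detected, 0 if boot was refused, None if never."""
        if not self.integrity_ok():
            return 0
        for tick in range(1, ticks + 1):
            if tick == switch_at:
                self.bus.switch()
            due = recheck_every and tick % recheck_every == 0
            if due and not self.integrity_ok():
                return tick  # a real SoC would halt or reset here
        return None


def demo():
    original = b"vendor firmware image (constructed)"
    modified = b"vendor firmware imagE (constructed)"
    digest = hashlib.sha256(original).digest()
    boot_only = SoC(FlashBus(original, modified), digest).run(ticks=10)
    runtime = SoC(FlashBus(original, modified), digest).run(ticks=10, recheck_every=3)
    return boot_only, runtime


if __name__ == "__main__":
    print(demo())
```

With a boot-time check only, the change is never noticed; with a re-check every third tick it is caught at tick 3, which bounds the exposure window by the re-check interval.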


    Summary

    Attack potential is there

    SIM unlocking, IMEI number forgery

    Cracked video set-top-boxes (with upgrade guarantee)

    Security evaluation of embedded systems requires

    Laboratory infrastructure

    Prepared hardware and security professionals

    Adequate tools and methods

    Research background

    Continuous attack technology watch


    Demonstration


    Target

    Generic Set-Top Box off the shelf

    Probing security - very low

    TSOP chips for SoC, RAM, Flash

    External signal routing

    Chipset security - medium

    Secure boot

    Flash authentication

    No flash encryption

    No RAM encryption

    No run-time integrity checking

    Content security - low

    No smart card pairing


    Conclusion


    Set-Top Box security

    If all the security solutions are applied

    Secure component selection and signal routing

    Secure chipset with

    Boot authentication

    Flash encryption

    RAM encryption

    Runtime integrity protection/source monitoring

    Authenticated updates

    Secure channel (Smart Card pairing with SoC)

    Only encrypted Control Words transferred

    Display of Smart Card number on screen

    then hacking a solution is not cost-efficient

    Provides a high level of security


    Zoltán Hornák

    managing director

    [email protected]


    Interested in more?

    [email protected]