This presentation walks through the reverse engineering and exploitation of a hardened embedded device and provides certain techniques you can use to exploit similar devices. The Supra iBox BT is a bluetooth and IR-based physical key storage device used by many real estate professionals in the US. It is physically hardened, and inside is a hardened MSP430 with a blown JTAG fuse. As MSP430 devices become more common, it is slowly becoming the norm to encounter devices in production with blown JTAG fuses. Previously, this was a significant hurdle. In 2008, Goodspeed described several attacks against the MSP's BSL (bootstrap loader). This presentation will review those attacks and describe the challenges facing a researcher attempting to perform them. This presentation will demonstrate how to reliably perform successful firmware extraction on a MSP430 with a blown JTAG fuse.
The second part of the presentation covers what I found inside the Supra iBox firmware, including a demonstration of an exploit that can open any iBox. The presentation will describe the complex and surprisingly effective crypto key management scheme used by Supra. The Supra lock has no internet access, and must rely on the keys (generally smartphones) to perform any necessary synchronization with the internet. The key management scheme used by the Supra would be interesting to any developer attempting to manage cryptographic keys in embedded devices with occasional internet access.
Braden is currently a Senior Research Scientist at Accuvant, focusing on embedded research in the AMI and medical device industries. Prior to Accuvant, he worked as a Product Security Engineer at Apple for six years. At Apple, Braden focused on drastically increasing the internal fuzzing throughput and coverage, as well as performing proactive security reviews for many high-profile features.