Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WooKey: Episode VII - The Force Awakens

WooKey: Episode VII - The Force Awakens

A presentation given at GreHack 2021

Philippe Teuwen

December 22, 2021
Tweet

More Decks by Philippe Teuwen

Other Decks in Research

Transcript

  1. WooKey: Episode VII
    The Force Awakens
    Philippe Teuwen
    November , (almost) Grenoble

    View full-size slide

  2. Doegox
    A Team Leader of
    Crypto & Embedded Security at
    White-box crypto “grey box” attacks
    EEPROM/RFID “tear-o ” attacks
    Funky microsoldering on Google Titan M
    One of Libnfc and RRG/Proxmark Maintainers
    Hardware-oriented CTFs
    International Journal of PoC GTFO
    /

    View full-size slide

  3. WooKey in brief
    Secure USB Mass Storage developed by ANSSI
    Encrypted SD Card
    Screen + touchscreen (randomized keypad)
    ISO reader + tokens (JavaCards)
    /

    View full-size slide

  4. WooKey nominal usage
    . Insert AUTH token
    . Type PetPIN
    . Check PetName
    . Type UserPIN
    . Now seen as Mass Storage
    Why Pet Pin and Pet Name ?
    To avoid PIN phishing attempts
    with a fake WooKey
    /

    View full-size slide

  5. Context
    ANSSI: French National Cybersecurity Agency
    Awards CSPN certifications to security products
    Based on private evaluation labs: CESTI/ITSEF
    : certified software CESTI
    ANSSI organizes regular inter-CESTI challenges
    /

    View full-size slide

  6. Last inter-CESTI challenge
    Based on WooKey
    Open source (hw/sw) project by ANSSI
    Large evaluation plan shared across CESTI
    Mixing hardware and software skills
    /

    View full-size slide

  7. What is this talk about?
    A bit about the WooKey
    We already got many talks on it
    Mostly about how to set up cheap hardware attacks
    . Timing attack against smartcard
    . UI automation over SPI (and a bit of crypto)
    . Electromagnetic Fault Injection test bench
    /

    View full-size slide

  8. Timing attack against smartcard

    View full-size slide

  9. The Plan
    Check if UserPIN validation doesn’t leak timing information
    Correct PIN (e.g. ) timing probably di erent, ok
    What if vs ?
    What if vs ?
    What if vs ?
    Code review: they used “OwnerPIN.check” JavaCard API
    Still, let’s see how to do it...
    /

    View full-size slide

  10. The Material
    Logic analyzer
    Way to hook on I/O and GND PINs
    Script
    Trigger trace acquisition
    Communicate with the card
    Acquire trace
    Rinse and repeat
    Target (that won’t kill itself after fails...)
    /

    View full-size slide

  11. Option : instrumented reader
    /

    View full-size slide

  12. Option : reader-card extension
    /

    View full-size slide

  13. Trace example
    /

    View full-size slide

  14. PIN length tests example
    Response delay in ms
    Tested PIN length Configured PIN length: Configured PIN length:
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    Correct PIN . .
    /

    View full-size slide

  15. PIN length tests example: oops...
    Response delay in ms
    Tested PIN length Configured PIN length: Configured PIN length:
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    . .
    Correct PIN . .
    /

    View full-size slide

  16. PIN length: a JavaCard OS issue
    Not a problem of the WooKey
    Found on J H (JCOP , EAL +) and J R (JCOP , EAL +) JavaCards
    Not a big vulnerability, but still unexpected
    Reported to NXP
    /

    View full-size slide

  17. UI automation over SPI

    View full-size slide

  18. First a bit of crypto
    Remember PetPIN & PetName?
    Wookey
    PetPIN → DK = PBKDF -SHA (PetPIN, salt)
    → DK sent to token
    Token
    Contains an encrypted key blob (ELK)
    KPK = DecDK
    (ELK)
    → KPK sent to WooKey
    Wookey
    If KPK correct:
    Decrypts a keystore
    Mounts a Secure Channel with token
    Gets PetName from token
    Displays PetName
    /

    View full-size slide

  19. First a bit of crypto
    DK → KPK = DecDK
    (ELK)
    DK & KPK → ELK = EncDK
    (KPK)
    /

    View full-size slide

  20. First a bit of crypto
    DK → KPK = DecDK
    (ELK)
    DK & KPK → ELK = EncDK
    (KPK)
    DK∗ & KPK∗ → ELK = EncDK∗
    (KPK∗)
    No need to know the correct DK or PetPIN to extract ELK!
    /

    View full-size slide

  21. The Plan
    Extract ELK from token
    Create fake token with ELK (and no countermeasure)
    Bruteforce PetPIN with WooKey + fake token
    Use original token and PetPIN → get PetName
    /

    View full-size slide

  22. The Plan
    Extract ELK from token
    Create fake token with ELK (and no countermeasure)
    Bruteforce PetPIN with WooKey + fake token
    Use original token and PetPIN → get PetName
    Bruteforce: deal with randomized keypad...
    Sni SPI commands to screen to reconstruct the keypad
    Inject fake touchscreen IRQ and SPI tra c
    Sni ISO to watch for a Secure Channel attempt
    /

    View full-size slide

  23. The Material
    Fake token
    Microcontroller (e.g. a Teensy)
    Logic analyzer (for debugging)
    Attach to SPI bus
    Hijack touchscreen IRQ track
    And... very unreliable results...
    /

    View full-size slide

  24. Tweaks
    WooKey bugs:
    Touchscreen Chip Select always active
    Touchscreen always sampled x even after pressure release → wrong average pos
    → Drive touchscreen IRQ and inject fake positions in sync with the full sampling sequence
    /

    View full-size slide

  25. Bruteforce results
    PetPIN broken in h
    ( h for full -digit space)

    Use original token to get PetName
    /

    View full-size slide

  26. Electromagnetic Fault Injection
    test bench

    View full-size slide

  27. The Plan
    Send an EM perturbation to a ect the chip operations
    E.g. skipping instructions
    Characterize target chip with sample code
    Simple loop counters to detect if instructions are skipped
    Try various coils, voltages, durations, XYZ positions,...
    Tune parameters and choose which function to target
    Skip locking and erasing security features
    Target: Loader checking firmware integrity (SHA- )
    Replace next stage by blinking LEDs (red=alert, blue=success)
    One more parameter: pulse delay
    /

    View full-size slide

  28. The Material
    Script framework orchestrating:
    EMFI injector
    Configurable trigger (FPGA)
    XYZ table ( D printer, CNC,...)
    Communication with target
    Reset of target
    Cartography and test campaigns
    /

    View full-size slide

  29. Cartography example
    /

    View full-size slide

  30. Results
    Integrity check bypass:
    tests/min
    First success after attempts
    Then with more tuning, success rate of .
    /

    View full-size slide

  31. Less expected results...
    Got firmware and RAM leaks over UART (disabled in prod)
    Tried RDP bypass, fried a demo board after few hundred thousand tests...
    /

    View full-size slide

  32. Conclusion
    Hardware attacks are fun
    Hardware attacks are a ordable
    Never assume, challenge always
    Two very recent books to recommend:
    Practical Hardware Pentesting, by Jean-Georges Valle
    The Hardware Hacking Handbook, by Colin O’Flynn and Jasper van Woudenberg
    /

    View full-size slide

  33. Thank you
    Contact information:
    Email: [email protected]
    Phone: +
    Website: https://www.quarkslab.com

    View full-size slide