Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Security of Classic Game Consoles

Kevin Shekleton
May 18, 2017
Technology
0
370

The Security of Classic Game Consoles

It's 1986 and you're sitting a few feet away from your 19" CRT television. Blowing the dust out of your Super Mario cartridge you insert it into your Nintendo and push the power button. The familiar music plays and you're sucked into a world of goombas and castles on your quest to save the princess. While engrossed in your game, you probably didn't realize the engineering that went into the security of your game and console.

Join me as we travel back through history and explore the security of classic game consoles. You don't have to be a gamer to appreciate the various security methods that were employed, including hardware, media, and software security measures. Learn how many of these security measures were exploited, either directly or indirectly, as well as the security measures which have yet to be broken.

You'll leave this fun presentation with not only an understanding of the technical details of what went into protecting the security of your favorite classic game consoles and how they were broken, but also how we can apply these historical lessons learned to the modern software and systems we build today.

Kevin Shekleton

May 18, 2017
Tweet

More Decks by Kevin Shekleton

See All by Kevin Shekleton
UPMC - Remote Decision Support with CDS Hooks
kpshek
1
310
Remote Decision Support with CDS Hooks - FHIR DevDays 2017
kpshek
1
360
CDS Hooks Connectathon Sept 2017 Summary
kpshek
0
150
PSS 1234 Update - Clinical Reasoning & CDS Hooks Unification
kpshek
0
310
CDS Hooks Connectathon May 2017 Summary
kpshek
0
210
Remote Decision Support with CDS Hooks - HSPC HIT Developers Conference
kpshek
1
400
CDS Hooks Connectathon Jan 2017 Summary
kpshek
0
630
Beyond SMART: Remote Decision Support with CDS Hooks - AMIA 2016
kpshek
0
430
CDS Hooks Connectathon Sept 2016 Summary
kpshek
0
420

Other Decks in Technology

See All in Technology
Databricks におけるデータエンジニアリング
databricksjapan
0
370
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
4.9k
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.8k
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
190
疲弊しない!AWSセキュリティ統制の考え方 #devio_osakaday1
masahirokawahara
6
5.9k
クラウドサインにおけるプロダクトマネージャーの役割と開発プロセス / 20240410_cloudsign-PdM
bengo4com
1
680
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
660
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
420
Apple Vision Pro trial session
akkeylab
0
120
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
1
150
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
200
SREとその組織類型
tatsuo48
8
1.5k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Docker and Python
trallard
33
2.7k
Scaling GitHub
holman
457
140k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
2k
The Language of Interfaces
destraynor
151
23k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
124
32k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
Gamification - CAS2011
davidbonilla
76
4.6k
How to Ace a Technical Interview
jacobian
272
22k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k

Transcript

  1. PRESS START

  2. KEVIN SHEKLETON 15 YEARS @KPSHEK DISTINGUISHED ENGINEER HP 13/ 37

  3. None

  4. Video game crash of 1983

  5. None

  6. 2 years of exclusivity 5 games per year Content review

    Nintendo controlled all manufacturing, upfront payments, no returns
  7. None

  8. 1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA,

    INC. NOT LICENSED BY
 NINTENDO OF AMERICA. INC. KEVIN SHEKLETON @KPSHEK

  9. 1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA,

    INC. NOT LICENSED BY
 NINTENDO OF AMERICA. INC. 2017 NEBRASKA.CODE() KEVIN SHEKLETON 1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA, INC. NOT LICENSED BY
 NINTENDO OF AMERICA. INC. KEVIN SHEKLETON @KPSHEK
  10. None

  11. CRASH GENESIS DREAMCAST NES PSX SATURN INTV II TODAY

  12. INTELLIVISION II

  13. None
  14. None

  15. Intellivision II Executive ROM (EXEC) if bit 6 in $500C

    == 0 halt if copyright_year < 1978 halt if copyright_year > 1982 halt ;load title on copyright screen ;continue loading game code

  16. NES

  17. None

  18. NES Checking Integrated Circuit (CIC) / 10NES Nintendo Console Lock

  19. Key Nintendo Console Nintendo Cartridge NES Checking Integrated Circuit (CIC)

    / 10NES Lock
  20. None
  21. None

  22. Key Nintendo Console Nintendo Cartridge Attack: Convert the CIC from

    a lock to key ❌ Key

  23. Nintendo Console Nintendo Cartridge Attack: Knock the CIC offline -5V

    Lock

  24. Key Nintendo Console Nintendo Cartridge Attack: Clone your own CIC

    key Lock

  25. GENESIS

  26. None
  27. None

  28. Trademark Security System (TMSS) ; TMSS first checks for SEGA

    at $100 Main: ; Put the Genesis model version in d0 move.b $A1OOO1, d0 ; Genesis model version is the last four bits andi.b #$0F, d0 ; The 1st Genesis model didn't implement TMSS beq.b Version_0 move.l $'SEGA', $A14000 Version_0:

  29. SATURN

  30. None
  31. None

  32. Static ‘wobble’ signature readable/writeable using a proprietary CD drive

  33. For attackers, work < value(asset) The Sega Saturn CD security

    represents a very high work factor It has yet to be broken!

  34. “The trouble with the work factor principle is that many

    computer protection mechanisms are not susceptible to direct work factor calculation, since defeating them by systematic attack may be logically impossible. Defeat can be accomplished only by indirect strategies, such as waiting for an accidental hardware failure or searching for an error in implementation. Reliable estimates of the length of such a wait or search are very difficult to make.” Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems

  35. Successful Saturn Attacks Disc swap Mods

  36. PLAYSTATION

  37. None

  38. Playstation Attacks 1. Read CD-ROM wobble region data Inject proper

    region header into data stream Tell console to change discs 2. Read license title screen text

  39. “Every program and every user of the system should operate

    using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.” Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems

  40. Playstation (1994)

  41. “Keep the design as simple and small as possible… design

    and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths).” Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems Playstation (1999)

  42. DREAMCAST

  43. None

  44. }executable code

  45. Dreamcast Media Attack

  46. Attacks follow the path of least resistance

  47. TODAY

  48. 1UP Work factor of modern console hardware has surpassed effort

  49. Connect to a local malicious server via DNS hijacking. OS

    is rooted through execution of malicious code that masquerades as an update to the game.

  50. Malicious save game file results in buffer overflow when reading

    in the name of Link’s horse. OS is rooted through execution of malicious code.
  51. None
  52. None

  53. THANK YOU PRESENTATION AT BIT.LY/CONSOLE-SEC