Slide 1

Slide 1 text

PRESS START

Slide 2

Slide 2 text

KEVIN SHEKLETON 15 YEARS @KPSHEK DISTINGUISHED ENGINEER HP 13/ 37

Slide 4

Slide 4 text

Video game crash of 1983

Slide 6

Slide 6 text

2 years of exclusivity
5 games per year
Content review
Nintendo controlled all manufacturing, upfront payments, no returns

Slide 8

Slide 8 text

1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA, INC. NOT LICENSED BY
 NINTENDO OF AMERICA. INC. KEVIN SHEKLETON @KPSHEK

Slide 9

Slide 9 text

1988 © CAPCOM CO. LTD TM AND ©1989 CAPCOM USA, INC. NOT LICENSED BY
 NINTENDO OF AMERICA. INC. 2017 NEBRASKA.CODE() KEVIN SHEKLETON @KPSHEK

Slide 11

Slide 11 text

CRASH GENESIS DREAMCAST NES PSX SATURN INTV II TODAY

Slide 12

Slide 12 text

INTELLIVISION II

Slide 15

Slide 15 text

Intellivision II Executive ROM (EXEC)

if bit 6 in $500C == 0
    halt
if copyright_year < 1978
    halt
if copyright_year > 1982
    halt
;load title on copyright screen
;continue loading game code

Slide 16

Slide 16 text

NES

Slide 18

Slide 18 text

NES Checking Integrated Circuit (CIC) / 10NES
Diagram labels: Nintendo Console, Lock

Slide 19

Slide 19 text

NES Checking Integrated Circuit (CIC) / 10NES
Diagram labels: Key, Nintendo Console, Nintendo Cartridge, Lock

Slide 22

Slide 22 text

Attack: Convert the CIC from a lock to key
Diagram labels: Key, Nintendo Console, Nintendo Cartridge, ❌ Key

Slide 23

Slide 23 text

Attack: Knock the CIC offline
Diagram labels: Nintendo Console, Nintendo Cartridge, -5V, Lock

Slide 24

Slide 24 text

Attack: Clone your own CIC key
Diagram labels: Key, Nintendo Console, Nintendo Cartridge, Lock

Slide 25

Slide 25 text

GENESIS

Slide 28

Slide 28 text

Trademark Security System (TMSS)

; TMSS first checks for SEGA at $100
Main:
    ; Put the Genesis model version in d0
    move.b  $A10001, d0
    ; Genesis model version is the last four bits
    andi.b  #$0F, d0
    ; The 1st Genesis model didn't implement TMSS
    beq.b   Version_0
    ; Write 'SEGA' to the TMSS register at $A14000
    move.l  #'SEGA', $A14000
Version_0:

Slide 29

Slide 29 text

SATURN

Slide 32

Slide 32 text

Static ‘wobble’ signature readable/writeable using a proprietary CD drive

Slide 33

Slide 33 text

For attackers, work < value(asset)
The Sega Saturn CD security represents a very high work factor
It has yet to be broken!

Slide 34

Slide 34 text

“The trouble with the work factor principle is that many computer protection mechanisms are not susceptible to direct work factor calculation, since defeating them by systematic attack may be logically impossible. Defeat can be accomplished only by indirect strategies, such as waiting for an accidental hardware failure or searching for an error in implementation. Reliable estimates of the length of such a wait or search are very difficult to make.”
Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems

Slide 35

Slide 35 text

Successful Saturn Attacks
Disc swap
Mods

Slide 36

Slide 36 text

PLAYSTATION

Slide 38

Slide 38 text

Playstation Attacks
1. Read CD-ROM wobble region data
   Inject proper region header into data stream
   Tell console to change discs
2. Read license title screen text

Slide 39

Slide 39 text

“Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.”
Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems

Slide 40

Slide 40 text

Playstation (1994)

Slide 41

Slide 41 text

“Keep the design as simple and small as possible… design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths).”
Saltzer, J & Schroeder M, (1975) The Protection of Information in Computer Systems
Playstation (1999)

Slide 42

Slide 42 text

DREAMCAST

Slide 44

Slide 44 text

executable code

Slide 45

Slide 45 text

Dreamcast Media Attack

Slide 46

Slide 46 text

Attacks follow the path of least resistance

Slide 47

Slide 47 text

TODAY

Slide 48

Slide 48 text

1UP
Work factor of modern console hardware has surpassed effort

Slide 49

Slide 49 text

Connect to a local malicious server via DNS hijacking. OS is rooted through execution of malicious code that masquerades as an update to the game.

Slide 50

Slide 50 text

Malicious save game file results in buffer overflow when reading in the name of Link’s horse. OS is rooted through execution of malicious code.
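
Added example, not from the original slides: the bug class named on this slide (a name field read from a save file with no length check) next to a bounded reader, in C. The 16-byte field size, the 4-byte header and both sample saves are constructed assumptions, not the real save format.

```c
#include <stdio.h>
#include <string.h>

#define NAME_FIELD_MAX 16  /* assumed field size; not the real save layout */

/* Unsafe pattern, shown for contrast and never called: copies until a NUL
 * byte turns up, so the file decides how much memory gets written. */
void load_name_unsafe(char *dst, const char *field) {
    strcpy(dst, field);
}

/* Hardened reader: bounded by the bytes actually present in the file, by the
 * field size, and by the destination buffer. Returns name length or -1. */
int load_name_checked(char *dst, size_t dst_size,
                      const unsigned char *save, size_t save_len, size_t off) {
    if (dst_size == 0 || off > save_len) return -1;
    size_t avail = save_len - off;
    if (avail > NAME_FIELD_MAX) avail = NAME_FIELD_MAX;
    const unsigned char *nul = memchr(save + off, '\0', avail);
    if (nul == NULL) return -1;            /* no terminator inside the field */
    size_t len = (size_t)(nul - (save + off));
    if (len >= dst_size) return -1;        /* name plus NUL would not fit */
    memcpy(dst, save + off, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed samples: a 4-byte header followed by the name field. */
static const unsigned char benign_save[] = {'S','A','V','1','H','o','r','s','e',0};
static unsigned char tampered_save[4 + 64];  /* name field with no NUL at all */

int check_benign(void) {
    char name[NAME_FIELD_MAX];
    return load_name_checked(name, sizeof name, benign_save, sizeof benign_save, 4);
}

int check_tampered(void) {
    char name[NAME_FIELD_MAX];
    memset(tampered_save, 'A', sizeof tampered_save);
    return load_name_checked(name, sizeof name, tampered_save, sizeof tampered_save, 4);
}

int main(void) {
    printf("benign=%d tampered=%d\n", check_benign(), check_tampered());
    return 0;
}
```

The checked reader rejects the oversized name instead of truncating it, so a tampered save fails to load rather than loading with attacker-chosen partial data.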

Slide 53

Slide 53 text

THANK YOU
PRESENTATION AT BIT.LY/CONSOLE-SEC