[HN Gopher] PiFex: JTAG Hacking with a Raspberry Pi
___________________________________________________________________
PiFex: JTAG Hacking with a Raspberry Pi
Author : wrongbaud
Score : 155 points
Date : 2024-05-06 13:59 UTC (9 hours ago)
(HTM) web link (voidstarsec.com)
(TXT) w3m dump (voidstarsec.com)
| MrBuddyCasino wrote:
| A device that is a bit similar, but more advanced is the Glasgow
| Interface Explorer:
| https://www.crowdsupply.com/1bitsquared/glasgow
|
| It costs 145$ instead of 50$, and you can interface with it via
| Python3 over USB. It is quite flexible due to a reconfigurable
| FPGA and has some nice features such as automatically detecting
| UART baud rates, JTAG pinouts, ESD / Under / and Over-Voltage
| protection on the I/O pins and more.
| wrongbaud wrote:
| The Glasgow is an awesome piece of kit, I have one and love it!
| I wanted the PiFex to be a little more user friendly and
| targeted towards beginners
| westurner wrote:
| A $5 Pi Pico has two UARTS, but is not an FPGA; "Show HN:
| PicoVGA Library - VGA/TV Display on Raspberry Pi Pico"
| https://news.ycombinator.com/item?id=35117847#35120403
|
| According to
| https://www.reddit.com/r/raspberrypipico/comments/1aut3l2/co...
| , pico-uart-bridge turns a pico into 6 TTL UARTs;
| https://github.com/Noltari/pico-uart-bridge
| cushychicken wrote:
| I'm always surprised how infrequently JTAG interfaces are
| disabled on actual honest to god products that go into the field.
|
| It's not at all hard to blow the JTAG enable fuse in most chips.
| And you can give away a _ton_ of info from your device if you don
| 't do this. That potentially includes _really sensitive info_ -
| through backdoors like this. People keep all _kinds_ of stuff on
| their hard drives.
|
| (Full disclosure: I'm the HW eng who reviewed this design. Hi
| Matt! Reverse engineering is still magic.)
| londons_explore wrote:
| I don't disable JTAG on field hardware because theres a good
| chance I'll be expected to do failure analysis or bug-hunting
| on the production hardware. JTAG is going to make that _much_
| easier.
|
| And, lets be honest, your smart IoT coffee maker doesn't really
| have any secrets that need protecting from you, despite
| whatever the business team thinks.
| foldor wrote:
| Hard disagree. That "smart IoT coffee maker" stores your wifi
| details, including the password so it can reconnect. I
| appreciate the level of sophistication and effort required
| for someone to be able to abuse that is beyond the realm of
| likelihood, it's not unreasonable to believe that there may
| be higher value targets (like journalists) who are being
| targeted where this is a reasonable method for dedicated
| attackers to use to gain access to a targets home network.
| Better to just secure these things by default.
| OJFord wrote:
| You're worried about someone with physical access and time
| to dump info from a JTAG header gaining the WiFi password?
| bongodongobob wrote:
| Target throws out coffee maker. Threat actor goes through
| trash. They don't have to break into the building to get
| it.
| buildbot wrote:
| If someone is targeting you that precisely they are
| sorting through your trash for a coffee maker, then I
| would posit you are already in deep trouble and they'd
| likely do something easier like wait for you to leave and
| insert physical access into your network then...
| tverbeure wrote:
| The $5 password circumvention device comes to mind.
| https://xkcd.com/538/
| buildbot wrote:
| Exactly! Sniffing passwords out of coffee makers is hard
| to scale. Lots of tech needed/knowledge. Wrenchs scale
| linearly with people given wrenchs, and typically one
| does not need training to apply brute force with wrench.
| You may be able to save on labor even as other primates
| can use the wrenchs better and with more force than
| humans.
| theoreticalmal wrote:
| Who's your wrench guy? You're wayyy overpaying
| numpad0 wrote:
| That's why lots of companies crush perfectly good
| Surfaces and 2242 SSDs when recycling.
| beeboobaa3 wrote:
| People are allowed to throw out a piece of paper with
| their wifi password written on it as well.
| OJFord wrote:
| And you propose what instead, that the target verifies
| their coffee maker manufacturers disable the JTAG
| interface on production units so that they can throw it
| away without worrying about this?
|
| Seems like the wrong solution to an already absurd/niche
| threat model.
| ProllyInfamous wrote:
| Just out of curiosity, what coffee-making function would
| possess somebody enough to connect their coffeemaker to the
| internet?
|
| My new water heater came with WiFi, and I just cannot
| understand why my tank needs-do anything more than just
| heat water..?
| Dowwie wrote:
| What vendor and model water heater did you get? Useful
| smart features are of the variety that the manufacturer
| would never enable off the shelf, such as monitoring
| magnesium anode deterioration so that it could notify a
| user when it is time to replace the anode. It's against
| the interests of the manufacturer because replacing the
| anode extends the life of the heater.
| sunshinesnacks wrote:
| For the coffee maker, maybe being able to set a schedule
| to brew in the morning.
|
| For a water heater, participating in a utility program
| where they modify your temperature sweeping in exchange
| for a reduced rate or similar incentive.
|
| Those are the first reasons I can think of.
| margalabargala wrote:
| Adding to the other reasons listed here:
|
| Some people have solar installations, but do not have
| 1-to-1 net metering from their power company. For these
| people, having a connected hot water heater allows them
| to use their own solar power for heating water when they
| can, lowering their power bill.
|
| Essentially any high-consumption electrical device can
| similarly benefit, especially ones that store energy such
| as hot water heaters and electric car chargers.
| crispyambulance wrote:
| It really depends on the situation. For a mature, mass-
| produced product going into sensitive places, sure, disable
| it before it goes into the field. Same for very security-
| focused hardware.
|
| But most of the "pizza-box-shaped" things I've worked on in
| telecom have jtag enabled even when in the field. I've
| never thought about it much, but to actually get to a jtag
| interface requires a level of physical access that would be
| far-fetched unless you're talking about "James-Bond-level"
| bad actors or "inside-job" people who are already entrusted
| with an enormous amount of privileges anyway.
|
| JTAG is super useful for troubleshooting and in general,
| for things that aren't throw aways and that can be
| repaired, re-calibrated, or re-configured, it makes sense
| to keep it available.
| londons_explore wrote:
| If your attack vector is bad guys with physical access to
| the circuit board, disabling JTAG will only be a minor
| speedbump to them.
|
| The vast majority of microcontrollers aren't hardened
| against physical attack - especially not anything with wifi
| capability.
|
| "disable jtag" is intended to make it harder to make
| modchips (ie. bypass the coffee subscription), but doesn't
| help against someone willing to do a one-off glitching
| attack or similar to dump secrets.
| fullspectrumdev wrote:
| If someone's breaking into my house and disassembling my
| IoT coffee machine to hook up some JTAG cables I have
| bigger problems than someone getting my WiFi password -
| such as the fact the pricks in my house.
| beeboobaa3 wrote:
| Yikes. You think people shouldn't be allowed to know _their
| own_ wifi credentials?
|
| Or do you think that physical access does not mean you own
| the device?
| numpad0 wrote:
| One of items often missing from discussions on security on
| the Internet is that the first step of security is physical
| security. Phrases like "once they have it it's over", "DRM
| is not security" are not just mantras, it's reflecting
| that.
|
| To secure a thing, you are supposed to literally _secure_
| the thing, as in, placing the equipment away from walls,
| bolted down to the floor, chassis locked and rigged for
| self destruction, perimeters patrolled and monitored by
| armed guards.
|
| Software security is additional parts that build on top of
| that physical security. Hardware root of trust, Secure
| Boot, code signing, all helps, but physical security has to
| come first.
|
| If you're throwing out the coffee maker not securely
| erased(military guys call it _zeroizing_ - cool), or not
| maintaining custody of it by either keeping it to yourself
| or having dogs and your grandsons taking part watching it
| at all times, then the coffee maker is technically not
| secure, by any of those alone.
| Dowwie wrote:
| What aren't you capturing by sending coredumps from the
| device to another machine? Why do you need physical access?
| londons_explore wrote:
| Most embedded hardware has no easy way to send/restore core
| dumps if JTAG is disabled.
|
| And even if it did, a good chunk of debugging involves
| running the system live in the target environment and
| looking at traces. Eg. "the device doesn't work properly
| when on the customers wifi network because their router
| responds to ARP requests too fast and we miss the response
| packet because we're still busy reconfiging the radio from
| TX mode into RX mode"
| mdaniel wrote:
| Security is always a spectrum between defense and convenience,
| and my life experience thus far is a lot closer to
| "manufactures hate me" than it is "someone gonna break into my
| house, disassemble some electronic, tap into jtag, exfiltrate
| all the things" so I would much, much, much prefer if it were
| advertised as an _option_ that folks who do have considerable
| threat models could just push a safety pin through the magic
| "blow jtag fuse" hole and the rest of us could monkey with
| hardware we legitimately should _own_
___________________________________________________________________
(page generated 2024-05-06 23:00 UTC)