Is there a process for secure firmware install/upgrade for device made offshore? - Page 2

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 6/25/2017 4:46 PM, snipped-for-privacy@gmail.com wrote:

"They" are the devices themselves.  Rather than have some entity OUTSIDE
the device create the public and private keys and then FEED THEM into the
devices -- and, then take pains to ensure that all traces of the private
key is removed from that outside entity's memory, disk space, etc. AND
that there have been no "unseen eyes" watching the process (i.e., that
the key generation has been secure) -- the *devices* generate their own
keys and inform the "outside world" of their *public* keys.  There is
never any need for the private key to be exposed outside the device.
No "table of private keys" to maintain in the device that talks to them.

And, if someone steals a device after it has created its key pair, there
is no way for the thief to discern the correct PUBLIC key with which to
talk to the device (unless he wants to generate a new key-pair -- which
means the device is no longer "paired" to the original system... that
system can KNOW that the device has been compromised/hacked).


I use the keys as certificates to ensure *all* communications with the
devices are encrypted.  So, I can feed slushware to the devices at any
time without worry that any other device monitoring the communications
(a promiscuous interface, wireless traffic, traffic inside the switch,
etc.) can see ANYTHING.  And, that an adversary can't *inject* traffic
that the device could/would act on -- because the adversary won't have
the proper certificates to make sense of the "conversation".

As you realized:
    "Companies that developed those insecure devices got very
    bad publicity. People are afraid to use devices. We need
    to find some best practices and follow them."
I've long ago embraced that truth and taken every step that I
could to close down every attack vector that I can imagine.

E.g., you can take a tesla coil to one of my "exposed" network
ports and fry the port.  But, you won't corrupt the *switch*
into which it feeds!

[Am I *sure* that I've addressed all of them?  No.  But, I haven't
copped out and rationalized "What are the odds that someone would take
a TESLA COIL to a network drop just to crash the network switch??"]

As I said:
    "Then my solution won't work for you."
In my application, the devices are free to interact with the host
that provides the updates.  It's not a "file that you download and
push to your device(s)" but, rather, something that the *device*
fetches from its server (which, in turn, fetches updates from
the "manufacturer's web site")

This allows me to avoid having "one key fits all locks" and the
exposure that represents for the product *line*.

If you steal my car keys, you have access to *my* car; not all of
the other cars LIKE IT!


For devices with "factory assigned MACs", you can create an algorithm
through which you derive a "secret" INSIDE the device to create a
device-specific key.  But, then you risk the algorithm becoming common
knowledge.  I.e., in that case, this gives you all the tediousness of
having to keep an upgrade-per-serial-number with none of the security
that it is intended to afford (because the attacker can synthesize the
correct key given your S/N -- unless the S/N isn't electronically visible)


There have been innumerable attempts at providing "secure" computing
environments over the decades.  Unless you have really really deep
pockets (like stationing an armed guard over the I/O terminal for
your system), there are almost always exploits.

None of my "work computers" can access (or be accessed by) anything outside
these four walls.  You won't start poking around the network hoping to
find "source code for product ABC", etc.  It is intentionally difficult
for information to get in or out of my systems without me as an intermediary
(because that's another potential attack vector).

If you come for a visit and want to "use my internet connection", you
won't even *see* any of my "work hosts".  I may trust you, personally,
but can I expect your laptop to be uninfected??

[Did I mention that I take security in my designs pretty seriously?  :> ]

What you have to realize is that the folks who are out to copy/hack these
devices are *motivated* to do so.  Whether it's a hobbyist who sees it
as a personal challenge (or just a curiosity) *or* the "professional"
who does it to avoid the high product development costs that would
otherwise attach to a virgin design effort, these folks are AS interested
in cracking your design as you are in protecting it!

And, often they have far more to gain than you have to lose!  You may lose
half your sales.  But, they gain ALL of their sales!

If you've never been on a Red/Blue team or actively tried to hack a product,
you probably haven't even considered how you'd go about it.  People are
quick to dismiss the effort/cost as "too high" or "too difficult" for anyone
to realistically attempt such a feat.  In reality, it's not that hard.
And, if you're in the business of doing it (i.e., have DONE it already),
you've probably streamlined your "hacking process" to the point where
it's almost effortless!

Have a look at:
<http://www.break-ic.com/manufacturers_list_mikatech_reverse_engineer.htm>
just to get a quick idea of how pervasive this "industry" is.  And, that's
not even poking around in the "gray markets"!  Depending on the product,
you can get firms to "expose" the "locked contents" for as little as $1K.
How much DESIGN time/cost does that *save* the thief??

Make sure you understand the capabilities of your adversary before you
try to defend against him.  Otherwise, you spend time and money (and
possibly unnecessarily complicate the design/build) for dubious results.

Re: Is there a process for secure firmware install/upgrade for device made offshore?

This cannot work unless you have a trusted person installing this initial key generation code to devices. I already explained why this is difficult.
Maybe this can work if chip makers build this algo into silicon.
Yes, we all know that silicon can be tampered with at the fab, but let's discuss that elsewhere.


Please, do not repeat the obvious again and again.
I kind of do not like the implication of your speech that the problem is so complex and the adversary is so scary that I should give up and do nothing.
I did not promise to do miracles, but I promised to follow the best practices of our industry.
And in this post I am trying to find a consensus about these best practices.

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 6/25/2017 6:57 PM, snipped-for-privacy@gmail.com wrote:

My system pushes the key generation code into the devices.  "From the factory",
the devices only have diagnostic firmware installed.  (I already explained this
upthread)

The (end) user connects the device to my system through a protected
(physically secured) network connection so there are no "third parties"
around to see the transaction.  Code can only be installed when the magic
button is pressed -- so a remote adversary needs a "local accomplice"
to subvert the process/device (would you invite someone you don't trust
to wander around a secured part of your facility?).


I didn't say that.  What I said was not to underestimate the adversary
by thinking that you can BOLT ON security ("Hey, I'll use a secure boot
loader and that will guarantee that my device can never be pwned!").

I was invited to bid on a project for a company that made "locks"
(as in door locks, etc.).  I was given a tour of their facility followed
by a brief exposure to their prototype system (just entering initial
production).  They had their fancy "key making" workstation set up
along with some toy doors outfitted with prototype lock mechanisms.

My host demonstrated how a user (e.g., hotel manager) could make
a key for:
- a newly arrived guest (access to a room and certain common facilities)
- a new housekeeper (access to a set of rooms and certain supply rooms)
- a new maintenance man (a larger set of rooms and different supply areas)
...
- "god" (grand master:  all locks bow down before me)

I asked if I could play with the system -- after that skimpy 5 minute demo.

I hadn't seen any of the source code for the workstation.  Nor any of the
code running in the actual door locks.  Haven't seen any schematics.

And, proceeded to make several "grand master keys" without the system
having any record that they were created, issued or *who* was involved.

[Recall, this system is designed to enforce PHYSICAL SECURITY on large
commercial properties!  It could be an office building, hotel, bank, etc.]


The best practices are to see devices get pwned over and over again
because folks treat security as an afterthought.  The only way NOT to
have a problem is to make something that no one wants!

But, hey, don't take my word for it.  Just let us know when you win the
Nobel -- or, when your product gets pwned!  (I know where *my* money is!)

Good luck.

I'm out!

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 26/06/17 01:46, snipped-for-privacy@gmail.com wrote:

I haven't been following this thread very accurately (Don Y has lots of
experience and smart ideas, but conciseness is not his forte).  But
there is a step between "MCU manufacturers installing firmware" and
"board manufacturer installing firmware".

You can pre-program the MCUs yourself before they are mounted.  If you
don't have the right equipment (few people do, unless they are a big
manufacturer), your distributor will do it for you for a small fee.  Big
distributors like Arrow can pre-program practically any microcontroller,
including appropriate security bits, and re-package them in trays,
tubes, reels, etc. for mounting.

Somewhere along the line you have to trust /somebody/ - but you would be
trusting your distributor rather than the end manufacturer.


Re: Is there a process for secure firmware install/upgrade for device made offshore?

Who installed this initial networking code to your device?
Factory? End user? Or some other trusted person?
Do you just send a JTAG programmer to the end user and ask him to install the FW himself?


I am not treating it as an afterthought. But all I am hearing here is that it cannot be done.

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 2017-06-24 snipped-for-privacy@gmail.com wrote in comp.arch.embedded:


There are chips designed for this purpose. I did some searching for a  
product a while ago and found some chips that claim secure key storage
or other secure services. I did not use them (yet), but here are some
examples of product families:

https://www.maximintegrated.com/en/products/digital/embedded-security/deepcover.html
http://www.atmel.com/products/security-ics/default.aspx
http://www.fujitsu.com/us/products/devices/semiconductor/memory/fram/lineup/authentication/


--  
Stef    (remove caps, dashes and .invalid from e-mail address to reply by mail)

Re: Is there a process for secure firmware install/upgrade for device made offshore?

Maxim seems to provide complete MCUs with a Secure Boot Loader with Public Key Authentication. But all the details are under NDA, so I cannot tell whether it makes sense. Did anybody study those?
Atmel and Fujitsu appear to only provide peripheral I2C/SPI chips with Crypto-Authentication. But I cannot imagine how this can work if the FW on the main MPU is not trusted. Am I wrong?


I guess there is no real difference whether we (or some other trusted party) reprogram MCUs before or after assembly. Is there?

Also, there was some disagreement about what kind of keys to pre-program: symmetric or private, a single key for all devices or a unique key per device. Any opinion on this?

Re: Is there a process for secure firmware install/upgrade for device made offshore?

https://www.segger.com/products/production/flasher/models/flasher-secure/



--  
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On Thursday, June 29, 2017 at 10:11:19 AM UTC-4, Boudewijn Dijkstra wrote:

Would it not be easy to build a hardware gadget that logs the programming
bit-stream at the target side of this programmer?

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On Thursday, June 29, 2017 at 10:44:48 AM UTC-7, Dave Nadler wrote:

The details about this "Flasher secure" are very scarce;
the Flasher manual does not mention it at all.
This seems to be the most detailed explanation:
http://www.embedded.com/electronics-blogs/max-unleashed-and-unfettered/4458187/Secure-the-off-site-production-programming-of-your-embedded-products

It appears that they do nothing to prevent JTAG sniffing.
And they cannot, theoretically, do anything without some support from the chip maker (decryption on the chip itself).

What is interesting is this "Flasher SECURE reads the UID from the device".
How? Which chips are supported? Is it a standard feature?


Re: Is there a process for secure firmware install/upgrade for device made offshore?

Yeah, it's quite a new product, documentation is lagging a bit.


Just sniffing may not instantly make cloning possible. See my reply to  
Dave Nadler.


I've heard that they're talking to ST and possibly others about secure  
JTAG/SWD.


Lots of newish 32-bit devices have a UID register. Otherwise, you can  
usually generate a good-enough fingerprint from the SRAM reset state.



--  
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 6/29/17 1:44 PM, Dave Nadler wrote:

One FPGA vendor that I have been using, Microsemi, actually sends  
encrypted programming files to the chip, and there is decryption  
hardware built into the chip, so no unencrypted data to sniff.

The chips come with a generic Microsemi key built in, and the tool by
default encrypts to that key. You can also load your own private key
into the chip, and encrypt the data to it, so only units which you have
put your key into can use that data, and you can lock the device so you
need to know the private key to even connect with a programmer/debugger.

There is also a unique serial number in each device, and you can include
in the encrypted bit stream instructions that only a given device is to
accept the bit stream. They then sell a special programmer that you can
make your contract manufacturer use that accepts a file that has been
encrypted with instructions of how many copies this file is allowed to
make, and doing some accounting over the Internet, allows them to make
exactly that many copies, getting the chip's serial number, verifying
permission over the Internet, and then encrypting for THAT particular
device and programming. (The programmer uses a secure processor, so any
decrypted bit patterns only exist inside the chip and are not accessible
without breaking the encryption.)

Re: Is there a process for secure firmware install/upgrade for device made offshore?

Sure. But suppose that the image contains a cryptographic signature of the  
program code *and* the device's unique ID. And the program checks the  
signature before booting the application.


--  
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Is there a process for secure firmware install/upgrade for device made offshore?

No, remember, until a secure program is installed we cannot trust any pre-existing program in flash.
JTAG must wipe out the entire flash and RAM before installing a secure program.

Quoted text here. Click to load it

This seems to be the only solution.
I guess it will take several more years until most chip makers adopt this practice.
And then there will still be a risk that they will not hide the secret key on the die well enough.
If the secret key is discovered, then the entire batch of devices with the same key will be compromised.

Re: Is there a process for secure firmware install/upgrade for device made offshore?

I meant that the program would check its own signature. It can still be  
reverse engineered and patched to skip the checks, but this can be made  
arbitrarily difficult.


--  
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Is there a process for secure firmware install/upgrade for device made offshore?
> arbitrarily difficult.

Please, explain.
As far as I can see, if a program can be both disassembled and patched (which unencrypted JTAG allows),
then anything is possible (and trivial), including skipping the check entirely or replacing the signature.

Re: Is there a process for secure firmware install/upgrade for device made offshore?

If we're talking about a connected device, then a trusted external agent
could verify the signature. Preventing or faking this is non-trivial. But
let's assume a non-connected device.

Skipping the check could be made non-trivial by obfuscation techniques, I
guess.

Replacing the flash signature by your own is of course prohibitively
difficult when an adequate cryptographic algorithm is used. Replacing the
signature calculation algorithm by a function that just copies the known
flash signature is indeed trivial. However, if the signature would be
calculated by some peripheral when writing flash and could only be
compared, and not read out, then copying would be impossible.





--  
(Remove the obvious prefix to reply privately.)
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 07/04/2017 07:32 AM, Boudewijn Dijkstra wrote:

Such as a TPM chip.

Cheers

Phil Hobbs


--  
Dr Philip C D Hobbs
Principal Consultant
Re: Is there a process for secure firmware install/upgrade for device made offshore?
> could verify the signature

I can only imagine the following algo:
1. If there is a trusted connection (without man in the middle, etc.)
2. You have a trusted person on one end of this connection and firmware on the other
3. Then the trusted person can send a random key to the firmware
4. Firmware encrypts its entire flash, makes a hash and returns the hash to the trusted person
5. Trusted person compares the hash with a hash calculated with a known good copy of firmware
If they are equal, then you do not know that firmware was not tampered with.
But having firmware verify its own signature, as you proposed earlier, is totally useless.

But if you have a trusted person and a trusted connection, then you can simply run regular JTAG and replace the entire FW.
Again, my question was what to do if you have to install firmware in an untrusted factory without a trusted connection.

> guess

Maybe in very large software, like Windows itself with gigabytes of code, but most firmwares are too small to hide anything.


Can you explain?
I read some texts about the TPM chip and cannot understand how they can work with my FW.
For example:
http://whatis.techtarget.com/definition/trusted-platform-module-TP
"... protects the device against unauthorized firmware and software modification by hashing critical sections of firmware and software before they are executed. When the system attempts to connect to the network, the hashes are sent to a server that verifies that they match expected values."
Questions: is TPM a separate chip? How can it read firmware before execution? How can it work on devices without network access?
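
The five-step procedure in the post above, modelled verifier-side as an added example (not the poster's code): the trusted person's random key is used as the key of a keyed hash over the device UID plus the entire flash, standing in for the post's "encrypt the flash and hash it". The firmware images and UID are constructed sample data; the assumption, as in the post, is a trusted connection and a device that really runs this over its own flash.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real firmware): the "known good" image the
# trusted verifier holds, and a tampered copy with the check patched out.
GOLDEN_FLASH = b"\x00" * 32 + b"call verify_signature()" + b"\xff" * 32
PATCHED_FLASH = b"\x00" * 32 + b"skip verify_signature()" + b"\xff" * 32
DEVICE_UID = bytes.fromhex("0011223344556677")  # constructed 64-bit UID


def device_respond(flash: bytes, uid: bytes, challenge: bytes) -> bytes:
    """Step 4, run on the device: keyed hash over UID and the whole flash,
    keyed with the verifier's random challenge. Because the challenge is
    fresh each time, an answer recorded earlier cannot be reused."""
    return hmac.new(challenge, uid + flash, hashlib.sha256).digest()


def verifier_check(golden_flash: bytes, expected_uid: bytes,
                   challenge: bytes, response: bytes) -> bool:
    """Step 5, run by the trusted person: recompute over the known good
    copy and compare in constant time. True means flash and UID matched
    the golden image for this particular challenge."""
    expected = device_respond(golden_flash, expected_uid, challenge)
    return hmac.compare_digest(expected, response)


def run_attestation(device_flash: bytes, device_uid: bytes,
                    golden_flash: bytes, expected_uid: bytes,
                    challenge=None) -> bool:
    """Steps 3 to 5 end to end over the (assumed trusted) connection."""
    if challenge is None:
        challenge = os.urandom(32)  # step 3: random key from the verifier
    response = device_respond(device_flash, device_uid, challenge)
    return verifier_check(golden_flash, expected_uid, challenge, response)


def replay_accepted(recorded_challenge: bytes, fresh_challenge: bytes) -> bool:
    """A patched device that only replays an answer it recorded from a
    genuine unit passes solely if the verifier reuses the old challenge."""
    recorded = device_respond(GOLDEN_FLASH, DEVICE_UID, recorded_challenge)
    return verifier_check(GOLDEN_FLASH, DEVICE_UID, fresh_challenge, recorded)


if __name__ == "__main__":
    print("genuine device:",
          run_attestation(GOLDEN_FLASH, DEVICE_UID, GOLDEN_FLASH, DEVICE_UID))
    print("patched device:",
          run_attestation(PATCHED_FLASH, DEVICE_UID, GOLDEN_FLASH, DEVICE_UID))
    print("replayed answer, fresh challenge:",
          replay_accepted(b"\x01" * 32, b"\x02" * 32))
```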


Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 07/05/2017 05:14 PM, snipped-for-privacy@gmail.com wrote:

I only know about it from the Qubes Anti-Evil-Maid defense, which  
presents the user with a known output from an unmodified /boot file  
system--it makes it possible for a human to recognize immediately when  
the unencrypted volume has changed.  _Somebody_ has to know what the  
signature is supposed to be.

Cheers

Phil Hobbs


--  
Dr Philip C D Hobbs
Principal Consultant