danger fpga vulnerabilities
Skip this Video
Download Presentation
**DANGER** FPGA Vulnerabilities

Loading in 2 Seconds...

play fullscreen
1 / 15

**DANGER** FPGA Vulnerabilities - PowerPoint PPT Presentation

  • Uploaded on

**DANGER** FPGA Vulnerabilities. Anthony Karnowski. WHAT IS AN FPGA????.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about '**DANGER** FPGA Vulnerabilities' - brandy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
what is an fpga
  • A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturing—hence "field-programmable". The FPGA configuration is generally specified using a hardware description language (HDL), similar to that used for an application-specific integrated circuit.
why use fpga s
  • The ability to update the functionality after shipping, partial re-configuration of a portion of the design and the low non-recurring engineering costs relative to an Application specific integrated circuit design offer advantages for many applications. Basically the time in production for using this type of controller is much shorter.
what are some of the applications of fpga s
  • FPGA’s are widely used in all of the following industries and applications
  • Aerospace and Defense
    • Avionics/DO-254
    • MILCOM
    • Missles & Munitions
    • Secure Solutions
    • Space
  • Audio
    • Connectivity Solutions
    • Portable Electronics
    • Radio
  • Automotive
    • High Resultion Video
    • Image Processing
    • Vehicle Networking and Connectivity
    • Automotive Infotainment
  • Broadcast
    • Real-Time Video Engine
    • EdgeQAM
    • Encoders
    • Displays
    • Switches and Routers
  • Consumer Electronics
    • Digital Displays
    • Digital Cameras
    • Multi-function Printers
    • Portable Electronics
    • Set-top Boxes
  • Data Center
    • Servers
    • Security
    • Routers
    • Switches
    • Gateways
    • Load Balancing
  • High Performance Computing
    • Servers
    • Super Computers
    • SIGINT Systems
    • High-end RADARS
    • High-end Beam Forming Systems
    • Data Mining Systems
  • Industrial
    • Industrial Imaging
    • Industrial Networking
    • Motor Control
  • Medical
    • Ultrasound
    • CT Scanner
    • MRI
    • X-ray
    • PET
    • Surgical Systems
  • Security
    • Industrial Imaging
    • Secure Solutions
    • Image Processing
  • Video & Image Processing
    • High Resolution Video
    • Video Over IP Gateway
    • Digital Displays
    • Industrial Imaging
  • Wired Communications
    • Optical Transport Networks
    • Network Processing
    • Connectivity Interfaces
  • Wireless Communications
    • Baseband
    • Connectivity Interfaces
    • Mobile Backhaul
    • Radio
how many fpga s are out in the wild
How many FPGA’s are out in the wild ?
  • The FPGA industry is a 2.75 billion dollar a year industry.
    • Considering the low cost of FPGA’s, and the fact that there are in so many devices, we will just say ALOT!!
  • We will be looking at a specific FGPA later.
    • 50,000 of these units are produced a year and have been for the last 5 years.
    • These FPGA’s are specifically used in large format LED signage.
how are fpga s vulnerable
How are FPGA’s vulnerable?
  • FPGA’s are physically vulnerable.
    • FPGA’s can be easily flashed by Jtag connection.
    • Flash protocols are some time vendor specific, we are not going to in depth.
  • FPGA’s often have vulnerable services.
    • FPGA’s operating systems often offer backdoor services for re-flashing.
lets review a bit of that
LETS review a bit of that…
  • FPGA’s are made by the manufacturer to be “field programmable.”
    • This means that usually the device can be flashed by physically connecting to the device.
    • Some third party operating systems allow for a flash to be reset to defaults by way of a system service.
  • A great example would be of both would be a wireless router.
    • Most wireless routers have a reset button to reset the router to defaults.
    • Most routers also have a web-based management system that allows the same.
    • Most routers even have a configuration page to load firmware.
    • And most routers are using some sort of FPGA controller
  • Consider that most of these third party operating systems are based on open source technologies or are freely available to users. It is pretty easy to get an understanding of vulnerabilities in a device. I would suspect that some of the students in this course have loaded third party firmware on a router at some point. When dealing with another FPGA, the ideas are no different.
let s get into specifics
Let’s get into Specifics

External Storage in form of USB.





External Storage in form of Compact Flash.

External Storage in form of SD Card.

FPGA Controller

We know that the FPGA controller has external storage devices.
  • We can guess what operating system it is running based on the chip.
  • We know that the FPGA controller has a JTAG connection.
  • We know that the FPGA has uses some network protocol and may offer services.
  • We should be able to have some fun with this controller.
foot printing our device
Foot-printing our device.
  • We don’t have access to the device to Flash via the JTAG.
    • The controller is under lock and Key.
  • After a couple of scans we found that our device has many services running.
    • FTP
    • HTTP for configuration
    • Telnet
    • SSH
We have guessed the root username and password for this device.
  • We connected via telnet and can run any of the following commands from the existing Linux kernel.
  • We have at least one storage device available to us.
  • If this device is on a network with other computers, we will be able to mount an attack from the device.
  • We will use wget to download the necessary packages.
  • We will store them to external storage.
  • We will use make and install to build source packages.
  • We will attack the network.
  • We will use FTP to send data collected off network.

As this kernel is Linux based, we may be able to install and run a full installation of Metasploit.

As this is a full Linux kernel, a worm or virus could also be ran via root privileges.

securing the device
Securing the device.
  • The first thing we do is create a separate user for the software package to use.
  • We edit the software to only have access to needed services.
  • The next thing we do is add a stronger password for the root user.
  • We always try to present the end customer with a closed network separate from their network.
  • If we install on the network we deny the controller access to the Internet.
this is one device should i be weary
This is one device, Should I be weary?
  • Yes.
  • Other devices have some of the same services installed and running for diagnostics and communications.
  • FPGA’s are used in a wide variety of networking equipment.
  • We must maintain the security of FPGA’s to maintain our networks.
  • Please be weary.
further reading
Further reading.
  • ECEs spot FPGA security weakness; Finding may lead to new chip ID
    • http://www.ece.vt.edu/news/ar08/weakfpga.html
  • US Military Chips "Compromised”
    • http://www.technologyreview.com/view/428029/us-military-chips-compromised/
  • Study looks into Xilinx FPGAs' vulnerability
    • http://forum.eetindia.co.in/view_comments.jspa?entry_id=8836&from=RSS
  • Backdoor Found (Maybe) in Chinese-Made Military Silicon Chips
    • http://www.schneier.com/blog/archives/2012/05/backdoor_found.html