
Side-Channel Attacks Hack Chat

Reverse Engineering through the side door with Samy Kamkar

Wednesday, March 25, 2020 12:00 pm PDT

Samy Kamkar will host the Hack Chat on Wednesday, March 25, 2020 at noon Pacific Time.

Time zones got you down? Here's a handy time converter!


In the world of computer security, the good news is that a lot of vendors are taking security seriously now, and making direct attacks harder to pull off. The bad news is that in a lot of cases, they're still leaving the side-door open. Side-channel attacks come in all sorts of flavors, but they all have something in common: they leak information about the state of a system through an unexpected vector. From monitoring the sounds that the keyboard makes as you type to watching the minute vibrations of a potato chip bag in response to a nearby conversation, side-channel attacks take advantage of these leaks to exfiltrate information.

Side-channel exploits can be the bread and butter of black hat hackers, but understanding them is useful to those of us who are more interested in protecting systems, and certainly for our reverse engineering efforts. Samy Kamkar knows a thing or two about side-channel attacks, so much so that he gave a great talk at the 2019 Hackaday Superconference on just that topic. During that talk, he teased a few uses for side-channel attacks in reverse engineering, like figuring out how to avoid spending a couple of hundred bucks to replace your chip-enabled car keys when you lose them.

Samy will "extend and enhance" his Superconference talk by going into more detail on SCAs and their practical applications. It's all white-hat stuff, of course; we're the good guys here, after all. Join us and learn more about this fascinating world, where the complexity of systems leads to unintended consequences that could come back to bite you, or perhaps even help you.

  • Hack Chat Transcript, Part 2

    Dan Maloney, 03/25/2020 at 20:16

    Tom Redman 12:51 PM
    @Dan Fruzzetti Any experience? :)

    samy kamkar 12:52 PM
    Tom Redman (I can't @ you for some reason): https://www.cs.tau.ac.il/~tromer/papers/acoustic-20131218.pdf

    Tom Redman 12:52 PM
    👀 Thanks!

    Tom Redman 12:52 PM
    It seems almost like scifi

    samy kamkar 12:53 PM
    Tom: i'd also suggest just investigating the underlying phenomenon of electrostriction as you can reproduce this at home

    Tom Redman 12:53 PM
    Even with the CPU instructions... is that truly readable in any meaningful way? Just kinda throwing it out there, I'm sure it could be to people much smarter than me. Some state-level hacks are kind of surreal in their complexity

    Dan Fruzzetti 12:54 PM
    around Y2K i did several banks in my area as either a mainframe worker for Y2K, a mainframe worker's subcontractor (they were so hot to hire anyone omg), and a hospital administration. the banks would be easier targets today, by far, because their hourly employees are often quite friendly even with people they only vaguely recognize online who may or may not be that one person they think they remember from whatever.

    that said, at the time the access controls were different, printers had just made a surprising jump in photorealism and some weird things were awry. i had my own work badge, my own telecom tool belt, and my own telecom tool bag. some trick telecom tools and some stuff to plant.

    fact #1: back then, you could just call and say you were coming, and when you arrived you'd have authority as if someone hired you. no authentication strings that i recall, once i was asked for a cost center code and told them i wrote it down but forgot to bring it

    Tom Redman 12:54 PM
    Nice, thanks @samy kamkar – i'll check that out!

    Tom Redman 12:55 PM
    @Dan Fruzzetti that is wild!

    Tom Redman 12:55 PM
    Honestly the human element... every time.

    Dan Fruzzetti 12:55 PM
    back then, it was way less tech-deep. what i mean is, if i could get into a back room or into an absent teller's drawer and grab a confidential document or photograph a confidential document, then i'd get a solid day's pay for teaching them all how to avoid it

    Dan Fruzzetti 12:56 PM
    but you were still sometimes asked to prove you could access the voicemail room, the mainframe room, the 'computer room' etc. and sometimes they'd ask you to leave a calling card. i never had to actually tap a circuit of any kind, though i had to prove i could have with photographs

    Tom Redman 12:56 PM
    I recall the story of a pen tester who would wear a fake pregnancy prosthetic because honestly, who's gonna deny her entry if this poor woman forgot her key card? She played the "pregnancy brain" card

    Dan Fruzzetti 12:56 PM
    @Tom Redman i would delight in pulling that

    Tom Redman 12:56 PM
    That's so crazy. My heart would be pounding haha

    Dan Fruzzetti 12:57 PM
    adrenaline, yes; heart, do anything to keep it no

    Dan Fruzzetti 12:57 PM
    the trick is to actually feel nonchalant

    Tom Redman 12:57 PM
    beta blockers or square breathing, etc?

    Dan Fruzzetti 12:57 PM
    and then, to be able to bullshit FAST on your feet

    If I had it to do over again, pen testing would be my thing

    Dan Fruzzetti 12:57 PM
    because your rehearsed option will go sideways if you have to interact with the target

    charliex 12:58 PM
    just ask which printer/scanner it is that needs fixing

    Dan Fruzzetti 12:58 PM
    @Dan Maloney you're still alive. i'm 40 and completing an MTM because *shrug*

    Dan Fruzzetti 12:58 PM
    @charliex ahh, you remember too

    charliex 12:58 PM
    still works

    Dan Fruzzetti 12:58 PM
    copy machines too, ESPECIALLY right when they got networked

    Dan Fruzzetti 12:58 PM
    @charliex <3 oh i wanna see so bad

    Tom Redman 12:58 PM
    @samy kamkar I loved your project on the credit card mag stripe emulator... your enthusiasm for that project came through in the post. What your most excited moment in hacking?

    Tom Redman 12:58 PM
    What was*

    samy kamkar 12:58 PM
    @Tom Redman it's surprising that much of this can be very effective -- of course sound is going to make it harder but when you're...


  • Hack Chat Transcript, Part 1

    Dan Maloney, 03/25/2020 at 20:15

    samy kamkar 11:56 AM
    <3

    brainsmoke joined the room. 11:59 AM

    Hello everyone, hope your self-imposed or otherwise lockdowns are going as well as can be expected. Today we're going to be welcoming Samy Kamkar to the Hack Chat, to talk about side-channel attacks and reverse engineering.

    Welcome back, Samy! I normally ask guests to tell us a little about themselves, but that seems silly in this case. Maybe just start off by telling us how you're keeping sane these days?

    Lazer.Coh3n 12:00 PM
    Hi

    samy kamkar 12:00 PM
    Hey all, thanks for having me!!

    Mark J Hughes 12:02 PM
    Hi @samy kamkar

    samy kamkar 12:02 PM
    lately have been working on a number of projects - personally some more side channel experimentation with RF, some proof of concept projects and vacuum system building at home for sputtering and physical vapor deposition, and professionally a lot of research and hardware at openpath.com building physical access control

    samy kamkar 12:03 PM
    hi @Mark J Hughes!

    Dylan Caponi joined the room. 12:03 PM

    So I guess WFH isn't a big deal for you?

    Mark J Hughes 12:03 PM
    @samy kamkar With the sputtering -- are you preparing samples for SEM or something else like making sub-mil traces, etc.?

    stansanders 12:04 PM
    samy!

    Mark J Hughes 12:04 PM
    Also -- what does your setup look like?

    samy kamkar 12:04 PM
    @Mark J Hughes atm one of the projects on my plate is creating a prototype "usb condom" -- these are meant to be devices that remove the data lines from USB and only allow power to prevent a malicious charger from exploiting something like your phone

    morgan 12:05 PM
    yeah, interested in building my own sputtering setup

    samy kamkar 12:05 PM
    but i'm a bit confused by the implementation as most of the usb condoms I've seen are opaque -- so how do i know the device itself is not malicious?

    samy kamkar 12:06 PM
    so i've begun a PoC of creating an entirely transparent USB condom where you can visually see the data lines get cut off and the power run through...

    morgan 12:06 PM
    won't that disable power level negotiation?

    samy kamkar 12:06 PM
    except, it's a lie. i'm building the sputtering setup in order to sputter ITO (indium tin oxide), which as a thin film is a transparent conductor

    @samy kamkar - Sort of like the inverse of the PowerBlougher that @Brian Lough makes - it cleans the power off a USB port and only lets data through

    samy kamkar 12:07 PM
    thus, the data lines will continue, transparently, and one of the USB lines will be tied to a transparent antenna for nearby RF pickup

    samy kamkar 12:07 PM
    i've used some ITO plastic but it's just too obvious hence the desire for a sputtering setup.

    Seth 12:07 PM
    Hahaha, that's super sneaky!

    Condoms break, just saying

    Mark J Hughes 12:08 PM
    @samy kamkar You could make it transparent and use a 4-layer PCB. Hide the USB diff pair on an internal layer.

    samy kamkar 12:09 PM
    my setup atm: Leybold Trivac D2.5E (two stage rotary vane) -> foreline trap (which I recently baked out way too long and destroyed the zeolite) -> Edwards EXT255Hi turbomolecular pump -> chamber -- with an MKS901P Pirani gauge and BPG400 Bayard-Alpert gauge

    Mark J Hughes 12:09 PM
    @samy kamkar What is the least expensive entry into side-channel analysis? Last thing I heard about was the chip-whisperer.

    samy kamkar 12:11 PM
    please note this is a very diy project so i'm fabricating some of the parts and trying to keep this as low cost as possible -- hence my high voltage feedthrough is really a J99 spark plug with a turned KF16 connector, my high voltage setup is a variac -> microwave oven transformer -> high voltage diode -> spark plug

    samy kamkar 12:12 PM
    @morgan it would if the lines weren't going through but in this case they will -- however even without negotiation you'll still get 500mA

    Seth 12:12 PM
    Yowza! Are you current limiting the MOT somehow?

    samy kamkar 12:12 PM
    @Mark J Hughes the ChipWhisperer is awesome! i highly recommend it as well as Colin's site, videos, documentation. i was fortunate to take his class on...


Discussions

Mike McArthur wrote 03/25/2020 at 11:11

sounds wonderful
