Does physical device access = game over?
According to a group of hackers speaking at this year's Black Hat conference, most manufacturers assume that once a bad guy has physical access to the device, all is lost. As such, they assert that many of those same manufacturers don't bother worrying about device security under those circumstances. Admittedly, I would have been inclined to agree, and it's largely a given in security circles that once physical access is an option, you've lost.
The group, which calls itself Exploitee.rs, argues that there are things that can be done to at least make it harder for attackers and, more to the point, that we should be doing as much of that as we can. At Black Hat they showed off an inexpensive flash memory hack that allows for the exfiltration of the device firmware, and thus enables detailed analysis to find software flaws that can be exploited. This is much worse than just an attack on the one device or network, because such flaws can be leveraged against all devices of that type, quite possibly remotely.
And manufacturers are still releasing things using this. It's still a very prevalent flash type.
- CJ Heres, Exploitee.rs
The attack focuses on eMMC, a commonly used type of flash memory found in all manner of products, such as smartphones, appliances, and even automotive applications. Unlike other forms of flash, eMMC can be accessed very simply using only 5 wires, and it shares common protocols with standard SD cards. What this means is that, with some deft but doable soldering of those 5 wires and an SD card reader, the contents of the flash can be extracted for later inspection. This obviously makes it trivially easy to dig into the code to hunt for vulnerabilities. To demonstrate the effectiveness of this attack, 22 zero-day exploits were disclosed by the group at the following DefCon conference, including in devices from well-known vendors like Amazon and Cujo.
So, what can be done? Encryption.
According to Heres, many manufacturers either don't encrypt enough of the chip's contents, or there are holes in their approach. Accessing the firmware is obviously a boon, but accessing the stored data can also be very informative for attackers. Strong encryption carries a processor overhead, and thus a cost burden, so time will tell if manufacturers take this warning seriously enough. My guess is that plenty won't care.
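A manufacturer can test its own release image for the "don't encrypt enough of the chip's contents" problem before shipping. The sketch below is an added example, not code from Exploitee.rs or from this post: it walks a raw flash image block by block and reports regions that do not look encrypted. The block size, entropy threshold, signature list and the sample image are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096        # audit granularity in bytes (assumed)
MIN_ENTROPY = 7.9   # bits/byte; random 4 KiB blocks measure about 7.95 (assumed threshold)
# Plaintext container signatures checked at block starts (a small, non-exhaustive set).
MAGICS = {b"hsqs": "squashfs", b"\x7fELF": "ELF", b"\x1f\x8b\x08": "gzip",
          b"\x27\x05\x19\x56": "uImage"}

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes):
    """Return a reason string if the block looks unencrypted, else None."""
    for magic, name in MAGICS.items():
        if block.startswith(magic):
            return f"{name} header"   # compressed data is high-entropy but still plaintext
    if entropy(block) < MIN_ENTROPY:
        return "low entropy"
    return None

def audit_image(image: bytes, block_size: int = BLOCK):
    """Return (fraction of blocks that look encrypted, merged plaintext findings)."""
    findings, total, flagged = [], 0, 0
    for off in range(0, len(image), block_size):
        total += 1
        reason = classify(image[off:off + block_size])
        if reason is None:
            continue
        flagged += 1
        if findings and findings[-1][1] == off:   # extend a contiguous range
            start, _, reasons = findings[-1]
            findings[-1] = (start, off + block_size, reasons | {reason})
        else:
            findings.append((off, off + block_size, {reason}))
    return (total - flagged) / total if total else 1.0, findings

def fake_ciphertext(n_blocks: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted data: SHA-256 in counter mode."""
    need = n_blocks * BLOCK // 32
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(need))

def sample_image() -> bytes:
    """Constructed 16-block image: ciphertext with a 2-block unencrypted hole."""
    leak = b"hsqs" + fake_ciphertext(1, b"c")[4:] + b"wifi_psk=EXAMPLE\n".ljust(32) * (BLOCK // 32)
    return fake_ciphertext(8, b"a") + leak + fake_ciphertext(6, b"b")
```

High entropy alone does not prove encryption, since compressed firmware also measures close to 8 bits per byte; that is why the signature check runs before the entropy test.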