Embedded Systems Academy

Could Ransomware Go Embedded?

For criminal hackers, ransomware has become increasingly popular. Ransomware locks a PC or encrypts its data and ask for a ransom to be paid to the hackers to unlock the PC or decrypt the data.

To which extent are embedded systems vulnerable to similar attacks? How realistic is it that firmware update mechanisms are used by hackers to install foreign code? Although loading malicious code to deeply embedded systems might seem far-fetched, some of the Snowden documents have shown that this already happened to the firmware in disk drives. Also, the well-documented Jeep Cherokee attack in 2015 that allowed a remote operator to almost entirely remote control the vehicle shook the industry. A wake-up call?

The Challenges

For hackers, the challenging part is that even though there has been a development to use more off-the-shelf hardware reference designs and software, most Embedded Systems platforms are still different from each other. Different microcontrollers require different code, so that ransomware has to be tailor-made for a specific microcontroller. The bootloader mechanisms in place are also different which means hackers need to find exploits for every one they are trying to attack.

A hacker’s task would be to write an exploit that manages to replace the entire original code and includes an own, password-protected, bootloader. With payment of the ransom, the hacker would share details on how to use his bootloader. There would of course always be the risk that this feature was not tested well enough by the hacker and a restore was not possible at all. It can be assumed that far more effort would have gone into generating the exploit and replacement code than the unlocking and restoring procedure.

Note that many microcontrollers have a built-in on-chip bootloader that cannot be erased or disabled, so if such a bootloader is usable in a device, a device with ransomware could be re-programmed on-site by the manufacturer or a technician. However, that might still be impractical or expensive if, for example, a very large number of devices were affected and/or the devices were at very remote locations.

A theoretical Example

To pick a specific application example, let’s have a look at an elevator / lift system: It consists of multiple microcontroller systems that are interconnected for example by CAN or CANopen and let us further assume they also feature a CAN/CANopen based bootloader mechanism.

A hacker installing ransomware replacing the existing bootloader with their own would need to

1. get access to the system (either physical by installing a sniffer or remotely through a hacked PC that is connected to the system)
2. know which microcontrollers are used
3. know how the CAN/CANopen bootloader mechanism works (with some CANopen profiles, some details about it are standardized)

This information might be stored on multiple PCs: with the manufacturers, distributors, technicians or operators of the system. If one or multiple of those get hacked, an attacker might have all this information readily available. Note that the risk of a rogue or disgruntled employee with inside knowledge is often underestimated. The information above will typically be accessible by many people.

With this information, a hacker would be able to generate and load his own ransomware loader replacing the original code in all devices, which would disable the system. Now buttons, displays and controls would all stop working and every affected device / microcontroller would require a restore of its original firmware. If the affected devices still have an on-chip bootloader and if it can be activated, then a technician could manually update all affected devices. For large elevator systems with 20 or more floors and multiple shafts this task alone could take days.

How likely is such an attack?

The sophistication level required for the attack described above is quite high. Not only does it require “traditional” hacker knowledge but also in-depth knowledge of embedded systems. At this time it might be unattractive to most hackers as there are possibly still many “easier” targets out there. However, with enough resources thrown at the task, a determined hacker group could achieve the tasks listed above.

What are possible counter measures?

The most basic pre-requisite for an attack as described here is the knowledge about the specific microcontroller and bootloader mechanism used. This information can be obtained by either monitoring/tracing the CAN/CANopen communication during the firmware update process or by access to a computer that has this information stored. Protecting these in the first place has the highest priority.

The designer has to make sure that the firmware update process is not easy to reengineer just by monitoring the CAN/CANopen communication of a firmware update procedure. Things that we can often learn just by monitoring a firmware reprogramming cycle:

1. How is the bootloader activated? Often the activation happens through a specific read/write sequence.
   Counter measure: Only allow authorized partners to activate the bootloader, best by using encryption such as CANcrypt or at least a challenge/response mechanism that is not repetitive.
2. What file format is used? “.hex” or binary versions of it can easily be recognized.
   Counter measure: Use encryption or authentication methods to prohibit that “any” code can be loaded by your own bootloader.
3. What CRC is used? Often a standard-CRC stored at end of the file or loadable memory.
   Counter measure: If file format doesn’t use encryption, at least encrypt the CRC or better use a cryptographic hash function instead of a plain CRC.

These counter measures are fall-back safeguards to protect the system if a higher security level has failed before. A hacker should not get bootloader access to a deeply embedded system in the first place. Ensure that all remote-access options to the bootloader level are well-secured.

It is a busy start into 2016 with several new products and the Embedded World 2016 coming up next week.

New product – CANopen Logxaminer
Last year, we spent a lot of time helping clients to evaluate long CAN trace recordings and searching for misbehaviour of CANopen devices as well as manually generating statistics about such behaviour. In order to simplify such trace evaluations we wrote a dedicated utility that evaluates CANopen trace recordings. It supports common file formats used by recording tools from PEAK, Vector and ESAcademy.

For more information about the CANopen Logxaminer, follow the link.

New book about CAN security
Within Q2/2016 we will publish a new book, this time about CAN security. Recent publicized hacks show that CAN/CANopen are quite vulnerable, once an intruder/attacker has access to the network. Our new book introduces a scalable method that addresses both authentication and encryption, is independent of the protocol used and free sample code will be provided. A more detailed announcement will be published in our blog at www.esacademy.com/blog next week.

New 2016 price list
Our new 2016 price list is now valid, for current prices visit our CANopen online stores in Europe or USA. Prices have been lowered for the low-level entry version of our CANopen Magic tool as well as for the CANopen Magic high-end version including DLL access for custom test tool developments.

Next week’s Embedded World 2016
This years show in Nuremberg from February 23rd to 25th has almost 1000 exhibitors. For a complete list see
www.embedded-world.de/en/ausstellerprodukte/exhibitorlist

You can meet Chris or me (Olaf) from ESAcademy at the PEAK system booth. Hall 1, booth 620.

If you can not make it to the show and are still interested in selected news and updates, follow Olaf at twitter.com/ESA_Olaf or re-visit our blog after the show for a summary of impressions.

Looking forward to seeing some of you in Nuremberg

Olaf Pfeiffer

This year the Embedded World (www.embedded-world.de) in Nuremberg expects 30k+ vistors from 35+ countries. Show days are from 24th to 26th of February. For companies “into CAN” one of the hot topics is CAN FD – more and more products (microcontrollers as well as interfaces) are now available supporting the new standard supporting higher data rates. You can see the Bosch CAN FD demonstrator at the CiA booth (booth 608 in hall 1). This demo includes our CANopen Magic software connected to a CAN FD bus using the latest PEAK CAN interface. If you have questions and would like to meet us, come over to our partner PEAK System (booth 606, hall 1, just next to the CiA booth). Looking forward to seeing you!

The new LPC4000 family of microcontrollers from NXP Semiconductors combines two powerful ARM Cortex cores in one microcontroller. The integrated Cortex-M4 and Cortex-M0 can run asymmetrically at up to 150MHz and have access to internal memory of up to 1MB Flash and 264k of RAM.
A multilayer bus matrix with 4 separate RAM blocks ensures that both microcontrollers have independent, fast access to “their” memory, minimizing wait-states.
Next to the “usual” LPCxxx peripherals the new devices also feature high-speed USB and an AES decryption engine for security.
There are several applications that benefit from a dual core solution. If a lot of communication is required, like handling complex communication protocols with specific timing requirements, a dual-core solutions allows using one core as a communication co-processor, clearly separating communication and process handling.
For more information, see NXP’s web pages.

MicroCANopen Plus and MicroCANopen Plus Add-in Manager have been updated. The highlights in the new version of the embedded CANopen stack are:

• More clarity and easier maintenance in user-configurable files by dividing call back functions into multiple files
• More flexibility by adding many more data call backs for SDO accesses
• Framework support to guard Object Dictionary entries with auto-generated minimum and maximum values from EDS/DCF file

Customers with ongoing maintenance agreement with us are entitled to a free upgrade. In this case, please download the new version from

CANopenStore.com/support.php

using the activation code(s). For those projects using auto-generated code, also update CANopen Architect EDS to the latest version.

The process to update embedded firmware libraries that become part of a bigger project can be complicated. For that reason, we have developed tools and to ease this on-time task.

Contact us if you are interested in obtaining or need assistance in performing the update.

Texas Instruments have released a lost cost evaluation board for their MSP430 microcontroller family and Value Line series. Utilizing free code-limited compilers, the board with cables costs $4.30 direct from Texas Instruments, with free shipping. This represents a very low-cost way to get started with this microcontroller family.

Visit the Texas Instruments site MSP430 LaunchPad (MSP-EXP430G2) to learn more.

I was visiting Embedded World this week and in regards to microcontrollers the trend towards 32bit continues. When it comes to marketing presence at a trade show, obviously less than 32bit where not “it” this year. Not only chip manufacturers, but also most of the development tools primarily focused on 32bit solutions. And the next impression one gets walking the aisles: ARM processors are the first choice in this arena, with a focus on the Cortex-M generation. At this year’s Embedded World, no other microcontroller architecture had a marketing presence anywhere near that of ARM. Read more…

Whenever a new microcontroller generation comes out, developers and engineers look out for evaluation boards. In order to be able to test the microcontroller, it needs to be mounted on a PCB that has the required glue logic, power circuitry and connectors. For generations, these test boards were mostly “bare-naked” – without housing and only featuring components needed to test the microcontroller in certain types of applications. Over the last years more “attractive” variations of such boards have come to market, for example some looking like a custom USB stick.

Last year, Raisonance released products following a slightly different concept they named Primers, and the Primer2 won an EETimes product of the year 2009 award. These boards feature a complete housing, making them more attractive for various prototype developments. Through staging several design contests, many applications have been implemented and are now shared on the product’s web page. Applications include an alcohol meter, a CAN monitor, a GPS displaying OpenStreetMap data, various games and many more. Read more…

A few years back, Al Gore was speaking at the Embedded Systems Conference. His key note also included the call upon us engineers to do more to ensure that embedded systems use less power. With the billions of microcontrollers out there, all the milliwatts that we can potentially save in each one do add-up. Although many microcontroller manufacturers already offer multiple power saving options on their devices, it is not always easy to get exact values. Any change in clock rate, also on any of the peripherals, immediately has an affect on the overall power consumption. But how much do we really save by reducing the clock to a communication peripheral?

This year, one of the Embedded Awards given out every year at the Embedded World is for a product that helps engineers with measuring the power consumption of their system dynamically. The PowerScale by Hitex not only allows measuring a system’s current power consumption – it makes that information available via an API so that debuggers can include the information into the trace recording or other displays.

This allows engineers to easily determine which code areas have an impact on the overall power consumption. The power-saving effect of reducing clock rates or disabling unused peripherals becomes immediately visibile.

Various adapter probes including a USB and Power-over-Ethernet Probe are available to allow for an easy connection of the up to four channels to the target hardware.