Alexander Bolshev

Speaker Name: Alexander Bolshev

Title: How to fool an ADC, part II or attacks against sigma-delta data converters

We live in an analog world but program and develop digital systems. The key element connecting these two worlds is the ADC (analog-to-digital converter), a small integrated circuit (IC) that transforms a physical variable (amperage or voltage) into a bunch of bytes. Most modern systems that interact with the real world (embedded systems, industrial control systems (ICS) and even the kettle in your kitchen) make decisions based on the value received from an ADC. It is therefore important to use the ADC and interpret its data correctly. Ignoring this, especially in the ICS and embedded world, could reduce the safety of the process and, in the worst case, lead to catastrophic conditions.
Let's look at ADC mechanisms from a security perspective. Imagine an ADC that monitors the state of some analog process (e.g. an industrial controller sending an analog signal to a motor to change its speed). This ADC could be inside a safety system that shuts down the motor if the signal value is incorrect. Is it possible to generate an analog signal that the safety system will misinterpret? For example, could we supply a signal that causes a vibration issue in the motor (and destroys it after some time), but that the safety ADC treats as a correct plain signal (e.g. a constant 5V)?

In previous research we proved that this is possible (at least with a successive-approximation ADC). However, the most popular ADC type in industry is sigma-delta. In this talk, we will focus on its features, "design vulnerabilities" and attacks that lead to misinterpretation of the analog signal. Various exploit signal variants and crafting methods will be shown, and we will review how some popular "industry standard" ADCs behave under such attacks. We will also discuss attack scenarios in the areas of ICS, embedded and radio-frequency systems. The talk will conclude with possible consequences and mitigations.

About the Speaker

Alexander Bolshev is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers on the topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems hardware and ICS security. He has presented at conferences including Black Hat USA/EU/UK/Asia, ZeroNights, CONFIdence, and S4.