Silicon Labs is a chip manufacturer known for producing chips with various network-focused features such as Bluetooth and Zigbee. These chips form the basis of a large number of connected objects, and compromising them means compromising all of these connected objects insofar as they use the vulnerable functionality. Our investigation led us to examine Silicon Labs' open-source SDK, specifically the Gecko SDK, which boasts state-of-the-art secure over-the-air (OTA) update capabilities. While looking at the code that handles the parsing of the firmware update, we discovered a vulnerability which can be used in combination with a weakness in the update mechanism to gain persistent code execution on the device, bypassing Secure Boot enforcement and firmware signature verification.
Our presentation will begin by describing the inner workings of OTA firmware upgrades. We will then detail the vulnerability we identified, in particular the discovery process, which relied on fuzzing. We will then go deeper into exploitation on embedded systems: which mechanisms make exploitation harder, and how they can be dealt with.
Lastly, we will showcase our successful bypass of the Secure Boot mechanism.
Benoît Forgette, Passionate about how systems work since my childhood and with an initial education in computer science, I gradually moved to the security of these systems and the electronic part of this equipment. Today, I work as a Cybersecurity Engineer in software and hardware reverse engineering at Quarkslab, where my daily work consists of disassembling equipment sent by our clients, then inspecting all of its attack surfaces (hardware, radio, software, cloud). Then, we help our clients find the best way to protect their systems and their equipment.
In this work, the part that seems to me the most interesting is the automation/instrumentation/hijacking part. It is fascinating to see how far a piece of equipment can be hijacked from its original purpose. This is even more impressive when we talk about physical equipment which has an impact on its environment.
Sami Babigeon, Currently working at Quarkslab as an intern, Sami is a fervent Arch Linux user.