Recently, Panic Software announced that they had opened up an HDMI display adapter cable for the latest family of Apple iOS devices, which use a proprietary I/O port named Lightning. Inside the HDMI adapter, the engineers at Panic Software found an ARM system on a chip (SoC) that apparently accepts a compressed video signal from the iOS device and decompresses it to HDMI for the display side.
Many were surprised to see that microprocessors have become so commonplace that even the cable that connects our devices would itself contain its own CPU. Perhaps we shouldn’t have been surprised. Intel introduced the Thunderbolt interface in 2011, and it also uses a chip within its cables, also known as active cables.
Your I/O cable could be a man-in-the-middle
Purchasers of the iOS HDMI display adapter expected it to perform like any other HDMI display cable, which is as a “dumb” carrier of a signal. But at this point we can no longer make such assumptions – advances in processor miniaturization have enabled every device, even a cable connector, to incorporate its own CPU. As chips have become smaller and more cost- and power-efficient, more hardware devices have begun to incorporate them in order to implement internal functionality. The user is often unaware that what seems like a commodity dumb device is actually, effectively, a small computer on the inside, running its own code in firmware. Security researchers ought to be thinking about the implications of this.
Security researcher Travis Goodspeed presented at Chaos Communications Congress 29C3 late last year, introducing work he had done to demonstrate that a USB-attached mass storage device with custom firmware can be made to detect its environment and host, and even detect and deny attempts to forensically image it. His presentation invalidated the widely held (but naïve) assumption that a block storage device is just a dumb device, and that it would always simply obey the commands from the host. Travis showed that a drive can actually be aware of its environment, aware of the data it is storing, and actively subvert attempts to access its true stored data.
Researcher and Dartmouth College professor Sergey Bratus reportedly exclaims, “It’s not a bus; it’s a network!” with regard to the attack surface of computing devices. He and his colleagues published a paper last year which enumerated the ways in which device interconnect buses (e.g., USB) are just as much attack surfaces as the network interface.
We can no longer treat a storage device read operation as forensic evidence
This is not the first paper to discuss the potential of attacks against USB hosts, drivers, or device firmware, but Sergey’s paper does represent a shift that is happening with regard to recognizing the importance of securing these vectors and the need for tools and devices to properly research them.
All devices that access an interface of your computer, no matter how small, ought to be treated like computers
New device interconnect exploration tools are needed
Along those lines, at Recon 2012, Travis Goodspeed released a rapid prototyping device to be used to explore USB endpoint security, called the Facedancer. He generously donated a Facedancer to Digital Operatives, and we hope to do something interesting with it and write more soon here about our experience with implementing subversive USB devices.
It is 2013 and our storage devices have internal processors and firmware; our input devices have internal processors and firmware; our high-speed I/O cables have internal processors and firmware; our laptop batteries have internal processors and firmware. Nearly all of these have been basically overlooked by the security research community, mostly because of proprietary and undocumented implementations and because the firmware is difficult to access. New tools are needed and there is a clear opportunity here for exciting new research. This is a problem we hope to work on ourselves. We’ll be back to share more here soon.