Jos Wetzels, he will hold a talk on Harry Potter and a not-so-smart proxy war, taking a look at a covert CIA virtual fencing solution. Enjoy the talk and give a huge round of applause for Jos.

All right. Hello everyone, and welcome to my talk, Harry Potter and the Not-So-Smart Proxy War. My name is Jos Wetzels and I'm a security researcher with Midnight Blue. I primarily focus on embedded systems, mainly industrial control systems, automotive and IoT, and I previously worked on the protection of critical infrastructure at the University of Twente in the Netherlands.

So what triggered this talk? The Vault 7 release of documents. How many people here are familiar with the Vault 7 documents? All right, that's quite a lot. So this concerned almost 9,000 documents belonging to the CIA Center for Cyber Intelligence, mainly dated between 2013 and 2016, and most of them concerned exploits, implants and TTPs for various kinds of targets. Now most of these entries got in-depth coverage by the security community and the press, all except for one, which is the Protego system. So how many people here are familiar with the Protego documents?
Yeah, that's almost nobody, and that's kind of the point. So during the release, WikiLeaks claimed that Protego was a suspected assassination module for GPS-guided missile systems, for example in drones used for assassination, and that it was installed on Pratt and Whitney aircraft. Now this release consisted of four secret documents and 37 related proprietary manuals. The project seems to have been maintained between 2014 and 2015, and what's interesting about them is that they're very different from the other projects in the Vault 7 release. There's no clear indication why these documents were in this particular release.

Now when I look through these documents, something felt off to me. The claim that WikiLeaks put forward did not seem to hold when you look at the documents. Now this is the architecture, at a very high level, of this Protego system. So on the top you have the actual Protego subsystem, which consists of a master processor, something they call the tube smart switch and something they call the missile smart switch, and this communicates over RS-422 with a programming box consisting of two other microcontrollers. And one of the interesting things that you can immediately see is that there is interaction with a GPS beacon interface.

So far so good, right? All the missile systems terminology is there: there's talk of the missiles, there's talk of the tube from which a missile launches, and there's talk of the collar that holds it into place. But number one, this PWA term. So this assertion by WikiLeaks that it was installed on Pratt and Whitney aircraft seems solidly based on the PWA abbreviation in some of these documents. Now the problem with this is that Pratt and Whitney manufacture engines, they do not manufacture aircraft, and it doesn't really make sense for these microcontrollers that are part of Protego to reside on the engine. So I was thinking, what could this PWA stand for? And I think a much more likely explanation is that it stands for printed wiring
assembly, which is essentially a PCB after all the components are attached. That seems to me like a more sensible explanation for this term.

And then there's the second kind of complication, which is also a giveaway for what I think that Protego is actually about. There's mention of a suitcase. There's mention of a BCU and a gripstock. So how many people here are familiar with the terminology of BCU and gripstock? Right, that's not a lot of people. Now, this is not typical air-to-surface or air-to-air missile terminology. So I have an alternative hypothesis, and that's that Protego is a MANPADS smart arms control solution.

So for those who don't know, MANPADS like Stinger missiles are shoulder-portable systems that can be used to take down various advanced aircraft. And this is essentially how they work. At the base they have a launch tube, and the missiles are typically delivered in a discardable launch tube, which after the launch you throw away, and that includes the sight assembly. And these tubes can be reused, but that's usually done at a depot, not on the battlefield, and they're transported in a dedicated case, which seems to match this suitcase terminology that we saw earlier.

And then the missiles themselves look roughly something like this. So at the front you have a seeker head, which typically works by infrared, and that allows for passive homing. It takes an IR signature of the target and then locks on to it. And then you have the guidance and control section, which essentially steers the missile during its flight towards the target, and then you have a warhead, which is the thing that goes boom.

And then you have this gripstock terminology that we saw. So in MANPADS you get the missile, which is a one-time use thing typically, but the gripstock is something that is reusable between missiles and that is detachable. It contains the trigger, which you use to fire the missile, and it contains the targeting electronics. So they essentially get the signal from the
seeker head. It's re-routed to the targeting electronics in the gripstock, and then makes all the kind of complicated calculations and sends that data back to the missile before firing it. And this is also where you insert the BCU, which is the terminology that we saw earlier, which is a term that stands for battery coolant unit. So it's a canister filled with something like liquid argon, which shoots a jet into the system for both power and cooling purposes.

And the launch procedure looks something like this, like you can picture on the right. You attach the gripstock and maybe an identify-friend-or-foe system to the launch tube, use the sight to track the aircraft. Then you get audio feedback from the identify friend or foe to see if maybe it's a friendly aircraft and you don't want to fire on it. Then if you've decided that the aircraft should be taken down, you insert the BCU, and you get audio feedback from the gripstock as soon as you have a target lock-on, and you pull the trigger. That's essentially, very roughly, how these kinds of systems work. And I think this matches the kind of terminology in the Protego documents much better than a system that's installed on drones.

Now the core of what Protego does you can see on the left here. It essentially limits the operational conditions for ensuring system operability to a conjunction between the three situations that we see on the left: it needs to be within border, the GPS signal needs to be valid, and the operational period must not have expired. So what this essentially is, is a geofencing solution. So for people who are not familiar with geofencing, that's essentially any kind of system that restricts the usage of a particular system to a particular time and a particular place.

Why would the CIA want something like this? And I must add that this is obviously speculation based on very few documents, but I do think it is a more plausible hypothesis than the one that is currently out there. Well, if you've been
following the news a little bit, especially around the terrible Syrian situation: after the situation deteriorated, many of the rebels started facing serious airpower, both by the Syrian Arab Army as well as by Russian allies. Because the US has a vested interest in opposing the Assad regime and the Russians have a vested interest in supporting it, a situation emerged where voices started calling for maybe supplying these rebel forces with MANPADS to counter this kind of airpower.

Now this does come with some problems, especially if you're aware of the history of supplying MANPADS to what I'd like to call less-than-trusted third parties. The man on the right went on to become very famous. So during the end of the Cold War, the Americans sent Stinger missiles to the Mujahideen in Afghanistan to counter Soviet air power. That did end up working, but the problem is that you then had the proliferation of this kind of powerful technology among parties that went on to be not exactly allies. So people started talking about maybe implementing technical use controls in these kinds of systems, using GPS for example, to limit the use of these Stinger missiles to a particular time and place to counter proliferation.

I think the most sensible candidate for something like this to have been developed is what came to be known as the Timber Sycamore program.
So Timber Sycamore was a CIA program to supply Syrian rebels with weapons and training from 2012 to 2017. Supposedly, in all the official communication that followed after its disclosure, MANPADS were barred from the program. But there have been sources that claim that small batches of MANPADS have made it to rebel hands in Syria. Now I have to say it is unclear to me whether Protego was a part of this program, whether it was even fielded. Maybe it was just developed and never actually fielded. But I do think this is a very good candidate for the kind of technology that you can see in those documents.

So what's the Harry Potter connection? Well, it's mainly in the name, and the name is another giveaway for the functionality of the system. So within these documents two names come forward from Harry Potter: the Devil's Snare name and Protego. And essentially Protego is a charm that protects the caster with a shield spell, and the Devil's Snare is a magical plant that constrains someone to a certain position. You know, nice metaphor for a geofence.

So let's take a look at a little bit of technical analysis to delve into that. This is the actual block diagram from the documents. So if anyone with clearance is in the room, sorry. There's three main microcontrollers there: the main processor on the left, the tube smart switch in the middle and the missile smart switch on the right, which are all PIC 16-bit microcontrollers.
I put some additional terms on there, like AT, which stands for anti-tamper, IB, which stands for in-border, EOM, which stands for end-of-mission, and there's talk of the sigma dot, which is missile terminology for a tracking signal.

Now this is the heart of the smart fence and how it works. So the way these MANPADS work is that the missile, after the seeker head has found a potential target, sends the sigma dot signal over a wire to the gripstock, where the actual calculations need to be done by the targeting electronics. So what the smart fence mechanism does is it ensures that this switch is default open, so no signal goes from the missile seeker to the gripstock unless certain conditions are met. And that's the whole core of the system. It closes only after these conditions have been met and otherwise not.

So how does that work? You can see this on this sequence chart. After the conditions have been met, after the BCU has been inserted, it sends an encrypted signal to the tube smart switch to say set audio switch on, which is terminology for close the smart switch, and it then forwards it to the missile smart switch, which ensures operability. And the protection of the system relies on the fact that these channels for these communications, which is an internal serial bus, are encrypted and as such require the presence of keys, which is why they included key erasure functionality.

So when do these keys get erased? After you enter the border once, so you go to the target where you want to deploy your system and you enter this geofence border, then the keys get erased if you detect an anti-tampering event, you detect low batteries, or if you go out of the border or the mission ends, and then the main processor key as well as the tube smart switch keys are both erased. They're also erased if a missing missile is detected.
So if you remove the missile from the tube.

So these are the status indication LEDs, and I think these would be mounted on the suitcase, and they indicate the status which the missile is in. Why is this probably there? Because operators need to know the system is good to go before running up to an aircraft and then figuring out, oh, it doesn't work, too bad.

This is the message format. It's not terribly important, but this is sent over the serial buses, and the inner core of the message, which is 128 bits, is encrypted. Unencrypted messages are allowed, but only for one message type, and that's the case if the nonce is set to zero. So these are the messages that are sent between this programming box and the Protego subsystem, and the only interesting ones in my opinion are the ones that allow you to reprogram the main processor or change the beacon state configuration or enter tactical mode. And these are the messages that are sent internally between the microcontrollers: closing the audio relay, detecting anti-tampering, missile missing, that kind of stuff.

So let's do a brief security analysis. And I have to say that this is again hypothetical, because the CIA did not provide me with any missiles. So I'm going to be talking at a very high level. But this is the general attack plan that I would imagine people attacking these kinds of systems going through.

Hypothetically, this is what a Protego life cycle looks like. So you start by programming the device with key material, which is loaded into the firmware images. You switch it to storage mode, then you ship it to a covert facility in or near the theater of operations. The programming box, which I imagine to be handled by a CIA officer, is then used to configure the geo and the time fence, which is requested by this less-than-trusted third party. It enables tactical mode, you hand it over to these guys, and then if it is stolen it's rendered inoperable outside of the fence conditions, or if the mission period expires without
use, you return it to the facility and you can set it again for another go.

And this is the cryptographic architecture underpinning it, and you can really make up a lot of this out of the documents. So the keys are generated using a keygen application. They're written into the firmware images. The programming box itself does not contain any keys. Maybe it queries them from some kind of a back end, maybe they're entered using some kind of a key loading device. It's unclear to me. The keys that are loaded into the Protego system consist of one single 128-bit key, which is shared between all the microcontrollers on this MANPADS. The missile smart switch key never actually does get erased. And interestingly there is one maintenance key. So they mention that there is a maintenance key that's embedded in the firmware images, which is identical for all the Protego instances. So not just one MANPADS, but all the missiles.

Why is this the case? Well, I think that if you have an event which erases the keys, for example the expiry of the mission period, then you still need to be able to reconfigure a new mission period, and if there's no keys you cannot communicate over this programming interface. So there's probably a maintenance key that exists as a fallback, so that if the actual mission key is no longer there you can still reconfigure this new situation. But from a security point of view, having a global maintenance key among all these MANPADS is not a good idea in my opinion.

So what does the attack surface look like? It looks something like this. You might go for attacking the GPS, you might go for physical tampering, you might try to extract or modify the keys or the system logic. So if we were to go for physical tampering, these would be the most likely candidates in my opinion. You might try to mess with the beacon interface signals to try to cause a default true evaluation regardless of the actual fence conditions, or you might try to target the smart
switch itself by ensuring that it's normally closed regardless of the fence conditions.

Now in these kinds of systems there's bound to be anti-tamper measures, obviously. So these might consist of things like metal shielding, or they might consist of encapsulation into coatings that are resistant to tampering or might cause damage to the components should you try to remove it. There might be light sensors, so as soon as you open up the device, you know, it triggers an anti-tampering event, or as soon as you apply a certain kind of pressure to the PCB it might ensure that the keys are erased. And there might be active meshes there, which is essentially a grid of very thin wires that as soon as you break them or you short them cause an anti-tampering event, and these might exist at an IC level, but they might also exist at an enclosure level or they might be woven through the encapsulation to make things even worse.

Now there's many well-explored invasive techniques, also via the IC backside, which I will not explore in this talk. But I think one of the most interesting things here is that the keys are stored in flash and not in battery-backed SRAM. And that's interesting because if an attacker can bypass enough anti-tampering measures to be able to cut the write enable line to the flash, they might at a later point be able to prevent erasure if the keys are stored there. The issue for an attacker here is that these kinds of methods are quite knowledge and capital intensive, and you're also working on a system with an active warhead in there.
So that's probably nerve-wracking.

The bigger issue in my opinion is that these seeker signals might be unencrypted. And if they're unencrypted, that would mean that even if I open up the device and I ensure that the smart switch is default closed and the keys are erased, then it might be possible for the seeker to still get a lock-on and get the firing signal from the gripstock. So I'm not sure if this is the case, but if they are unencrypted, that would not be very good. So I'm not sure how hard tampering with that switch is. It's just speculation. But there's nothing indicating that these signals are encrypted as well.

Then there's the route of going for logical tampering. So we want to bypass the fence, and then in this rough attack tree you can see that we can either try to change the fence parameters, we can try to reprogram the main processor firmware, or we can try to attack the GPS. So let's try to explore what's involved here.

Now in both cases we will need to first understand the protocol, because, well, we understand it from the leaked documents, but in an ideal situation an attacker would not. So we'd have to reverse engineer the firmware, which we would have to be able to extract either from the Protego system itself or maybe from the programming box. But that's not very likely, because then we would have to steal it from a CIA officer. Now the same goes for obtaining the keys, which you would either have to extract from the microcontrollers or again the programming box. Now I think that the conclusion here is that most of these approaches will likely require you to sacrifice at least one MANPADS for research and then try to generalize it to other MANPADS that might be in your possession.

So when trying to extract or modify the keys and firmware, there's four main approaches. Now you can go for the debugging interfaces.
You can go for side-channel analysis, you can go for invasive attacks, or you can go for exploiting software bugs. Now some of these approaches might trigger anti-tampering measures, but the maintenance key never gets erased and it's global. So if I'm capable of extracting this, that's a very interesting route to go down.

These are the debugging interfaces for the microcontrollers that are used in Protego. It's the PIC 16-bit, which uses in-circuit serial programming, and you can use that to read or write to internal memory. Now there is an issue. Microchip does have CodeGuard, which is its own readout and write protection. This is configured via fuses in the microcontroller, and a violation of its policies will trigger a security reset. And it offers three levels of segmentation. You have the boot segment, where you have your secure bootloader. Then you have the secure segment, where you can put secure ISRs or small lookup tables or something like that. And then you have the general segment for all the rest, and the privileges go from high to low there.

Now this is the memory layout of the Protego microcontrollers. You have the firmware in the executable flash, and that's essentially checked with a version number and a 16-bit CRC during startup. After that you have the key and the key number, which is also checked with a checksum, which is also CRC. And what's really interesting to me is that there's no mention of firmware authentication whatsoever here. There's no mention of a hardware root of trust or a secure element.
There's really nothing beyond CodeGuard. That's the core protection here. An interesting disclaimer from Microchip is that, regarding CodeGuard, there are dishonest and possibly illegal methods used to breach the code protection feature. Imagine that. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip's data sheets. Most likely, the person doing so is engaged in the theft of intellectual property. Well, that's very confidence-inspiring.

So the microcontrollers that are used in Protego only offer CodeGuard Basic, which only supports a single general segment for read and write protection. So there's no separate segment for bootloaders or keys or whatsoever. I didn't delve into CodeGuard security in depth for the newer microcontrollers of PIC because I didn't have the time for that. But interestingly, older families' code protection suffered from what they called the Heart of Darkness attack. What you basically did here is that you could erase the memory on a per-block basis, and that would reset the security settings only for that block. So for the first block, the boot block, you would overwrite it with a dumper, and upon execution that would dump the rest of the microcontroller memory. And then you would at a later stage overwrite one of the other blocks in another known good, and then dump the boot block that way, and you would be able to extract it. I'm not sure if that applies to these microcontrollers as well, but it might be an interesting avenue of approach.

Another way to try and obtain the keys would be using side-channel attacks. I'm not going very in depth here.
I'm assuming people are familiar with simple, differential and correlation power analysis. Interestingly, for the PIC microcontrollers, the ones that they chose here, there's no hardware crypto and there's no hardware-based side-channel countermeasures there. There's probably, in my opinion, also no software countermeasures like blinding and masking or anything like that, because they might affect power consumption in an adverse manner. And that's an issue for Protego, because there are extreme power constraints here, because you only draw power from the BCU or a battery that is in the gripstock. And in this case you would target the maintenance key, extract it, and then apply it again to a different MANPADS.

Invasive attacks would be another route. The PIC microcontroller families, I believe 12 and 18, suffered from an attack where if you decapped them down to the die level and you shone UV light on the floating gate, you would be able to reset the security fuses, and quite reliably, because the fuses were quite far away from the rest of internal memory. And this apparently applies as well to the PIC24. I've never seen a public write-up, but when googling this there was a Chinese company offering the capability to bypass readout protection on these microcontrollers, and I believe that that would probably be an approach like this.
So if that applies, that's quite serious.

Then there's the route of software vulnerabilities. That would be using a memory corruption bug or a state machine logic bug in order to either exfiltrate the cryptographic keys or maybe try to cause a send switch close message while it should not be sent. There's very little to say about how applicable this is, but there are software change requests with the leaked documents, and they mention things like: when BCU power is applied and the missing missile is active, the erase does not occur. Now they caught stuff like this, but if bugs like that slipped into production, attackers might be able to exploit it. I don't think this is a very viable approach for the kind of attackers that would be going off, because the attack surface that is exposed on a software level is very minimal, and doing any kind of a full black-box vulnerability research or exploit development here is hellish. So you would need to be able to extract the firmware anyway. So I don't think this is a very viable route.

What's more viable in my opinion is attacking GPS, because the core security decision of Protego is based on GPS-derived info: location and time. Now for those unfamiliar with GPS, a little bit of a 101. GPS is part of a set of systems known as GNSS, global navigation satellite systems. There's also Russian GLONASS, the European Galileo and the Chinese BeiDou. Protego, in my opinion, probably uses the plain coarse acquisition codes, because in GPS you have five bands, and the L1 and the L2 band consist of a coarse acquisition civilian code and an encrypted precision code for military systems. I don't think Protego uses that, because that would mean that the system needs access to these military cryptographic keys, and you don't want that in a system like this, because it needs to be handed out to a less-than-trusted third party, and it also does not aid plausible deniability.
So that means it uses plain signals.

Threat number one here would be GPS jamming, because if the GPS is unavailable maybe key erasure does not occur, or even worse for the people using these missiles, if the GPS is unavailable the MANPADS won't fire, which is quite interesting for opposing air forces here. Now a naive approach would be to use just overpowering noise on the L1 and the L2 bands, but this might be detected through signal anomalies or it might be corrected for, for example through using multi-source correlation from different GNSS systems, using noise filtering, stuff like that, and that might trigger key erasure. So instead you might want to go for a smart GPS jamming approach, where you combine your jammer with info from the GNSS system and then you trigger short and sparse bursts which are aligned with specific portions of the message, such as the preamble, the time mark or the CRC, and that's far harder to detect.

Another approach to attacking GPS would be using spoofing, because GPS is an unauthenticated and weak signal, which allows for replay or forging, and that's become much easier over the years through commercial and SDR solutions. So you would collect an in-fence signal, move the MANPADS to a Faraday cage and then continue replaying it in a loop. Now again, there could be countermeasures here, such as detecting anomalies in signal strength, latency, loss of lock, using multi-source correlation or using an internal reference clock to detect jumps in time. I do think there is an issue with implementing stuff like this in Protego, because active countermeasures would again drain power here. So an attacker that would try to bypass stuff like this would try to use a carry-off attack, where you try to carefully align the spoofed signal and gradually increase the power over time to take over the signal without causing a loss of lock or triggering these countermeasures.
So it's not unovercomable.

Conclusion: this does not only apply to Protego. Everything I said is essentially embedded system security 101. This applies to all kinds of geofencing solutions, like theft prevention in armored trucks, ankle monitors, UAV area denial and livestock management. So you might in the future see cyberpunk cattle rustlers using technology like this. Is any of this stuff attacked in practice? Well, yes, especially through GPS jamming, because it's very accessible. You don't need a lot of technological knowledge. You spend ten bucks on AliExpress and you buy a jammer and then you use it, for example as a car thief or a cargo thief, which does happen.

And in conclusion, Protego, I don't think it is a GPS-guided aircraft assassination module. I think it is a MANPADS geofencing solution for a covert arms supply program. It's unclear to me where, when or if it was ever fielded. Timber Sycamore would have been a good candidate. And interestingly, it utilizes commercial off-the-shelf technology in a similar fashion to commercial systems. A geofence is a geofence. And possible Achilles' heels here would be the unencrypted seeker signals, a lack of secure boot and firmware authentication, the existence of a global maintenance key and its reliance on civilian GPS without any clear electronic warfare countermeasures. And that's it. If you have any questions, you can ask them now or ask them over Twitter. Thank you very much.

You all know the procedure. We have eight microphones in the room, so please line up behind the microphones, or you can also ask questions on the internet and our awesome signal angels will relay the questions into the hall. Right now we have one question at microphone number four. Please go ahead.

Hi, thank you for your talk. When the device uses the military version of GPS, is GPS spoofing then still possible?

I'm not sure about it, because I haven't looked really into the details of the precision codes.
I have read articles that it would still be possible in some scenarios because of the way key management happens there, but I can't really answer that question in detail because I haven't really investigated that.

All right, we have another question at microphone number two over there, please.

Hi. Thank you for the presentation. I was wondering, you talked about GPS spoofing to keep the system working. It seems like there's a very practical attack where you could disable the MANPADS by spoofing GPS and pretending to be outside the fence when it's actually still inside.

Yeah, that's, I think, if the attacker model is not a less-than-trusted third party trying to take these MANPADS and, you know, use them against civilian airliners, but instead, from the perspective of the MANPADS user, the adversary would be an opposing air force, then using simple GPS jamming would be sufficient to ensure that these cannot fire, which in my opinion is a little bit iffy, because GPS jamming is not that hard.

All right, another question at microphone number four. Go ahead, please.

Yeah, thank you very much. I actually have two questions. So first is, okay, well, you found the documents. So actually what motivated you to do all of this research? You know, it's a lot of work, the documents which you found, the analysis which you've done, and you're a very busy person. So it's a lot of work. That's question number one. And question number two is, all of these designs which you've been showing, like key management, certain security decisions, design of the electronics, how does it compare, to you, to all the industrial equipment you looked at? Did you see what is smarter, more intelligent? Is it better than in the industry or not?
So with regards to the first question, it's, I think, curiosity and using the little spare time you have to somehow still sit behind a PC. That's the main answer, to be honest. And the second answer is, well, I can't really say a lot about how it compares, because there is a degree of speculation in this research. I have looked at the documents and I can extrapolate from the security features that I know the microcontrollers to have and stuff like that. So it's hard to compare, definitely. But I would say that the interesting thing is that the microcontrollers used are not secure microcontrollers. They do not have a secure element. They are not intended for high-security purposes, and I'm not sure why they chose these. Maybe it's because this was only during a development phase. Maybe it was because of the power consumption constraints. But it would not be my first choice. So I would say, yeah, it compares badly in a sense.

All right, we have a question from the internet. Go ahead, signal angel.

Do the rebels in these conflicts have reasonable access to the resources needed to crack the system?

I'm sorry, I didn't quite get that.

Would the less trusted parties have resources to crack something like this?

Okay, well, they would have now. I think that's the problem. To be honest, these less-than-trusted third parties, these are not stupid people. I don't think these are people who have the kind of resources for doing really invasive attacks with focused ion beams and God knows what. But GPS spoofing and GPS jamming are not complicated attacks. They're relatively easy to figure out, and as soon as you know this is a system that works on the basis of GPS, which is not hard to figure out, you can try to develop an attack like that.
So I think even without these leaks, fielding a system like this is, I don't think, a very good solution to that proliferation question. So I think getting around this kind of stuff, if it works like the documents seem to hint that it works, yeah, they could probably get around it.

All right, signal angel, do you have anything else from the internet? Nope? Okay. Then thank you very much for this great talk, Jos Wetzels.