upvote

points

by Jerrrrrrrry5 hours ago |
comments
upvoteby Retr0id3 hours ago|
next
[-]
No? It is crowbar voltage glitching, but you're significantly underselling it here. The glitching does not affect key comparisons.

It's a double-glitch. The second glitch takes control of PC during a memcpy. The first glitch effectively disables the MMU by skipping initialization (allowing the second glitch to gain shellcode exec). (I am also skipping a lot of details here, the whole talk is worth a watch)

reply
upvoteby btown4 hours ago|
prev|
next
[-]
It's fascinating - how does one defend against an attacker or red-team who controls the CPU voltage rails with enough precision to bypass any instruction one writes? It's an entirely new class of vulnerability, as far as I can tell.

This talk https://www.youtube.com/watch?v=BBXKhrHi2eY indicates that others have had success doing this on Intel microcode as well - only in the past few months. Going to be some really exciting exploits coming out here!

reply
upvoteby PUSH_AX3 hours ago|
parent|
next
[-]
> how does one defend against an attacker or red-team who controls the CPU voltage rails

The xbox does have defences against this, the talk explicitly mentions rail monitoring defences intended to detect that kind of attack. It had a lot of them, and he had to build around them. The exploit succeeds because he found two glitch points that bypassed the timing randomisation and containment model.

reply
upvoteby poemxo3 hours ago|
parent|
[-]
I hope Apple is paying attention, since their first gen AirTags are vulnerable to voltage glitching to disable the speaker and the tracking warning.
reply
upvoteby mikepurvis2 hours ago|
parent|
next
[-]
It's pretty trivial to just open it up and disconnect the speaker too. I took one apart to make a custom wallet card out of it and broke the speaker in doing so; the rest of it worked perfectly fine (though obviously the warning would still work).
reply
upvoteby Vexs3 hours ago|
parent|
prev|
next
[-]
They're also, as it turns out, vulnerable to a drillbit
reply
upvoteby tjoff1 hours ago|
parent|
prev|
[-]
Isn't airtags completely and utterly broken, or has anything changed?
reply
upvoteby bri3d3 hours ago|
parent|
prev|
next
[-]
It's not new - fault injection as a vulnerability class has existed since the beginning of computing, as a security bypass mechanism (clock glitching) since at least the 1990s, and crowbar voltage glitching like this has been widespread since at least the early 2000s. It's extraordinarily hard to defend against but mitigations are also improving rapidly; for example this attack only works on early Xbox One revisions where more advanced glitch protection wasn't enabled (although the author speculates that since the glitch protection can be disabled via software / a fuse state, one could glitch out the glitch protection).
reply
upvoteby mox11 hours ago|
parent|
prev|
next
[-]
Just so you know, hardware hackers have been doing this for 20+ years. Hacking satellite TV (google smart card glitching) was done the same way.

Its more that its really hard to do security when the attacker has unlimited physical access.

reply
upvoteby sabas1233 hours ago|
parent|
prev|
next
[-]
> It's an entirely new class of vulnerability, as far as I can tell.

It is know as voltage glitching. If you're interested our research group applies to Intel CPUs. https://download.vusec.net/papers/microspark_uasc26.pdf

reply
upvoteby thebruce87m2 hours ago|
parent|
prev|
next
[-]
The microcontrollers I worked on 15 years ago had low voltage detection:

https://en.wikipedia.org/wiki/Low-voltage_detect

reply
upvoteby msla4 hours ago|
parent|
prev|
next
[-]
You can't. Console makers have these locked-down little systems with all the security they can economically justify... embedded in an arbitrarily-hostile environment created by people who have no need to economically justify anything. It's completely asymmetrical and the individual hackers hold most of the cards. There's no "this exploit is too bizarre" for people whose hobby is breaking consoles, and if even one of those bizarre exploits wins it's game over.

And if you predict the next dozen bizarre things someone might try, you both miss the thirteenth thing that's going to work and you make a console so over-engineered Sony can kick your ass just by mentioning the purchase price of their next console. ("$299", the number that echoed across E3.)

reply
upvoteby xnyan3 hours ago|
parent|
[-]
> You can't

It's a moot point, they are not trying to prevent it. They only need to buy enough time to sell games in the lifespan of the hardware, which they did.

> all the security they can economically justify...

It seems like they did a perfect job, it lasted long enough to protect Microsoft game profits.

reply
upvoteby phantom7844 hours ago|
parent|
prev|
next
[-]
Could a chip detect this and reset?
reply
upvoteby mkipper3 hours ago|
parent|
next
[-]
I'm not at all familiar with the Xbox One, but this is a feature that's generally available if you're designing "closed" hardware like a console. Most SoC these days have some sort of security processor that runs in its own little sandbox and can monitor different things that suggest tampering (e.g. temperatures, rail voltages, discrete tamper I/O) and take a corrective action. That might be as simple as resetting the chip, but often you can do more dramatic things like wiping security keys.

But this exploit shows that it's still almost impossible to protect yourself from motivated attackers with local access. All of that security stuff needs to get initialized by code that the SoC vendor puts in ROM, and if there's an exploit in that, you're hooped.

reply
upvoteby johncolanduoni3 hours ago|
parent|
prev|
[-]
Yes, and the Xbox One has mechanisms to do just that. But they turned out to not be fully sufficient.
reply
upvoteby jolan3 hours ago|
parent|
[-]
This attack is on the early models that didn't have those protections enabled. The researcher surmised that later models do indeed have anti-glitching mechanisms enabled.
reply
upvoteby _kidlike3 hours ago|
parent|
prev|
next
[-]
not a new vulnerability class.

Extremely impressive feat nonetheless!

reply
upvoteby ActorNightly3 hours ago|
parent|
prev|
[-]
Basically if someone has physical access to device, its game over.

You can do things like efuses that basically brick devices if something gets accessed, but that becomes a matter of whether the attacker falls for the trap.

reply
upvoteby tverbeure2 hours ago|
parent|
next
[-]
> Basically if someone has physical access to device, its game over.

It took more than a decade to exploit this vulnerability and even then there are fairly trivial countermeasures that could have been used to prevent it (and that are implemented in other platforms.)

Nothing is unhackable, but it requires a very peculiar definition of "game over".

(And as others have pointed out: only early versions of this Xbos One where vulnerable to this attack.)

reply
upvoteby selectively51 minutes ago|
parent|
prev|
next
[-]
This hasn't been true for the time a typical American high school senior has been alive. Please stop repeating things people said years ago.
reply
upvoteby beachy3 hours ago|
parent|
prev|
[-]
Only if they leave a door open, which they did here.

If your argument is that you can't hope to close every door, then AI will make it easier to close all the doors in the future.

reply
upvoteby robotnikman9 minutes ago|
parent|
[-]
>then AI will make it easier to close all the doors in the future.

AI could also make it easier to open the doors too.

reply
upvoteby braunshedd3 hours ago|
prev|
next
[-]
The Xbox 360 was hacked in a simpler but nearly identical way [1]! Amazing that despite the various mitigations, the same process was enough to crack the Xbox One.

[1] https://consolemods.org/wiki/Xbox_360:RGH/RGH3

reply
upvoteby hedora4 hours ago|
prev|
[-]
The earliest example I know of for this is CLKSCREW, but security hardware (like for holding root CA private keys) was hardened against this stuff way before that attack.

Has anyone heard of notable earlier examples?

reply
upvoteby bri3d3 hours ago|
parent|
[-]
In terms of fault injection as a security attack vector (vs. just a test vector, where it of course dates back to the beginning of computing) in general, satellite TV cards were attacked with clock glitching at least dating back into the 1990s, like the "unlooper" (1997). There were also numerous attacks against various software RSA implementations that relied on brownout or crowbar glitching like this - I found https://ieeexplore.ieee.org/document/5412860 right off the bat but I remember using these techniques before then.
reply