Exploitation of a Hardened MSP430-Based Device - Braden Thomas - Ekoparty Security Conference - 2014
Ekoparty Security Conference via YouTube
Syllabus
Intro
Unnamed real estate lockbox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
MSP430 firmware reversing
Firmware reversing finds
Manufacturer's crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write+erase attack
Conclusions/solutions
Taught by
Ekoparty Security Conference