Thursday, August 15, 2013

Using JTAG to attack DVRs at the chip level?

We've had a ton of success using a "JTAG attack" to do physical dumps of mobile phones for later analysis with tools like FinalMobile and Cellebrite. The attack works like this: there are these IC debug ports on the phone's motherboard. Except for some of the very lowest-end systems, essentially all embedded systems platforms have a JTAG port to support in-circuit debugging and firmware programming as well as boundary scan testing. So, you connect to it, talk to it, and get it to spill its secrets. Like I said, we've been able to do this with phones when the handset was damaged, but the chips and board were still OK (smashed screen, etc.). When the board's damaged, we can do a "chip-off" exam, but I digress.

So, I've been thinking. DVRs work the same way in terms of the motherboard having these test points. Why not talk with the encoders to find out what they're doing, then use this in my analysis of the dump of the DVR data? Whilst I've still got to run this by legal, I think I'm in the clear as I'm not "leaking" proprietary code to competitors, or publishing the code, or monetizing my findings - simply finding out what the chip says is going on and bouncing it off the dump of the hard drive. Essentially, I want to find out what the encoder is doing with the incoming signal - compression, file type, container, etc. - after I parse the dump of the chip's info. I think it has practical applications for authentication in terms of getting a "fingerprint" from the chip as to how it encodes, then testing a file against that fingerprint to see if it could have come from that encoder ... and so on. Challenging the provenance of files is the latest attack on evidence, so it would be nice to have a tool to deal with it.
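To make the "fingerprint" idea concrete, here is an added example (not code from the original post, and not anything the author or JTAGulator provides) of the file-side half of the check: it parses the container headers of a recovered video file and compares what it finds against an expected encoder profile. The profile schema, the sample MP4 and AVI bytes, and the brand values are all constructed for illustration; a real profile would be built from what the encoder is observed to write.

```python
import struct

# Constructed sample: a minimal ISO BMFF (MP4) file with an 'ftyp' box
# (major brand "isom", compatible brands "isom" and "avc1") and an empty 'moov' box.
SAMPLE_MP4 = (
    struct.pack(">I", 24) + b"ftyp" + b"isom" + struct.pack(">I", 512) + b"isom" + b"avc1"
    + struct.pack(">I", 8) + b"moov"
)

# Constructed sample: the first 12 bytes of a RIFF/AVI file.
SAMPLE_AVI = b"RIFF" + struct.pack("<I", 4) + b"AVI "

# Hypothetical profile of what a particular DVR encoder is expected to produce.
# Keys are part of this example's own schema, not a standard.
EXPECTED_PROFILE = {
    "container": "mp4",
    "major_brand": "isom",
    "compatible_brands": ["avc1"],   # every listed brand must be present
}


def iter_boxes(data):
    """Yield (box_type, payload) for each top-level ISO BMFF box in data."""
    off = 0
    while off + 8 <= len(data):
        size, btype = struct.unpack(">I4s", data[off:off + 8])
        header = 8
        if size == 1:                       # 64-bit 'largesize' follows the type
            if off + 16 > len(data):
                raise ValueError("truncated largesize box at offset %d" % off)
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            header = 16
        elif size == 0:                     # box extends to end of file
            size = len(data) - off
        if size < header or off + size > len(data):
            raise ValueError("malformed box at offset %d" % off)
        yield btype.decode("ascii", "replace"), data[off + header:off + size]
        off += size


def fingerprint(data):
    """Describe the container-level properties of a file as a small dict."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return {"container": "avi"}
    if data[4:8] == b"ftyp":
        try:
            boxes = list(iter_boxes(data))
        except ValueError:
            return {"container": "mp4", "malformed": True}
        ftyp = dict(boxes)["ftyp"]
        major = ftyp[:4].decode("ascii", "replace")
        # minor_version occupies bytes 4..8; compatible brands follow in 4-byte units
        compat = [ftyp[i:i + 4].decode("ascii", "replace") for i in range(8, len(ftyp), 4)]
        return {
            "container": "mp4",
            "major_brand": major,
            "compatible_brands": compat,
            "top_level_boxes": [t for t, _ in boxes],
        }
    return {"container": "unknown"}


def inconsistencies(fp, profile):
    """Return a list of ways fp deviates from profile; empty means consistent."""
    problems = []
    for key, expected in profile.items():
        observed = fp.get(key)
        if isinstance(expected, (list, tuple, set)):
            missing = set(expected) - set(observed or [])
            if missing:
                problems.append("%s missing %s" % (key, sorted(missing)))
        elif observed != expected:
            problems.append("%s: expected %r, observed %r" % (key, expected, observed))
    return problems


if __name__ == "__main__":
    for name, sample in (("sample.mp4", SAMPLE_MP4), ("sample.avi", SAMPLE_AVI)):
        fp = fingerprint(sample)
        issues = inconsistencies(fp, EXPECTED_PROFILE)
        print(name, fp, "CONSISTENT" if not issues else issues)
```

A clean result only says the file is consistent with the profile, not that this encoder produced it; the value of the check is in the mismatches, which give a concrete reason to question a file's claimed origin.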

There's a cool tool out there that I think is up to the job. It's called JTAGulator. Once my legal team signs off on the initial test protocols, it'll get fun. Eventually, once tested and validated, I'd like to be able to use this in actual casework (when necessary).

I don't know if I can pull it off, but I'm excited to try. As with all theories and scientific endeavors, it starts with an idea, moves on to testing, validation, peer review, and eventually to publication and implementation. So, I'm just at the idea phase on this. Stay tuned.
