With the explosion of internet-of-things (IoT) and connected, industrial IoT (IIoT), and connected, smart home devices, it is getting harder and harder to find things that don’t have some sort of embedded operating system and connectivity today. While connected devices can streamline productivity and provide a variety of benefits, they also expose you to risk.
If it’s a connected device running an operating system, there is a very good chance that an attacker can find a vulnerability to exploit to compromise the device and gain access to your network. That is true even in a best case scenario where secure development principles and basic security best practices are followed. In many cases, though, it is human error or a misconfiguration that leaves the door open for attackers—as IOActive researcher Ethan Shackelford recently discovered when researching the security of embedded Linux systems.
In this case, the misconfiguration has to do with the JTAG interface on some embedded devices. Shackelford explains, “Often cited as providing “ultimate control” over a device, JTAG debugging usually provides the user with full read/write privileges over device memory (and by extension over MMIO) as well as the ability to read and write control registers.”
In other words, the JTAG interface is very useful for development and testing, but probably not something you want to have enabled on an embedded device in active use. Shackelford describes how manipulating an open JTAG interface can be a relatively simple process on some devices and points out that things are more complicated with embedded Linux platforms. Basically, on a Linux system the firmware is not straightforward—it is a complex system that includes a multi-stage bootloader, the Linux kernel image, and a variety of filesystems. He also stresses that storage is typically managed and mounted by the Linux kernel, which is more challenging than working with memory-mapped storage, and the memory management unit (MMU) is often more robust and makes it more difficult to access memory and correlate locations in physical memory.
All of that makes it sound like embedded Linux devices are relatively safe. Everything seems more complex and difficult. For an attacker, though, that is almost an invitation—a challenge to conquer. Shackelford shares, “However, operating in a Linux environment does have its perks: rather than the more complex task of manipulating device operation directly over JTAG in a way specific to the particular device being tested as is the case for bare-metal operating systems, leveraging JTAG on any Linux-based device typically revolves around a uniform goal: access to a root shell. This uniformity means that a similar group of techniques can be used to gain access in any case where a Linux-based device has an enabled JTAG interface.”
Shackelford then proceeds to walk through how he was able to access embedded Linux devices using OpenOCD (Open On-Chip-Debugger) and a JTAG hardware adapter to interact with the device’s TAP controller. The process is not trivial, but at the same time Shackelford demonstrates that someone who knows what to look for and knows what they’re doing can navigate through the system and take control.
If you want to see the details of how Shackelford does it, check out his blog post. Thankfully, we have companies like IOActive and security researchers like Shackelford exploring devices and environments and pushing boundaries to uncover vulnerabilities and exploits so we can mitigate or resolve issues before an attacker can use them against us.