Most advice for proper IoT firmware cybersecurity will mention the need for secure boot or secure data in transit. Let’s look at a side-channel attack that can harm both: timing attacks.
We are constantly jolted by time – minutes until the next web call or old photograph reminding us of our age. Cops and robbers use time. The police use time to corroborate or disprove a suspect’s alibi. Robbers have used time of the year to pull off coordinated theft. Hackers can use micro-timing to pull off fascinating hacking stunts in a computing device.
Introduction – Weaponizing Time
Timing attacks can break the privacy guarantees of a device. Timing attacks can reveal a secret RSA private key under the right circumstances. Once the key is stolen, an interloper can mount an active MiTM (man-in-the-middle) attack to eavesdrop on a legitimate device or service communications.
The CPU Meltdown and Spectre flaws broke privacy guards within a system. The time difference between CPU’s cache memory and main memory read access time allows an attacker to infer inaccessible values within protected memory — an attacker can “read” private data in memory.
A third example of breaking privacy is bypassing iPhones’ data wipe feature. The firmware code for checking a correct passcode responded faster than processing a failed passcode. An attacker can use the time difference to quickly power down before the iPhone applies a strong lock. A similar flaw likely exists in other implementations, such as a passcode-protected JTAG interface.
A timing attack combined with other techniques creates a potent concoction to implement a remote code execution attack. An attacker in some situations may use timing information to steal address space data to subvert a device through a zero-day vulnerability utilizing ROP or JOP attacks for remote code execution (RCE). Alternatively, a well-timed power glitch can skip past a memcmp() test result for verifying cryptographic hash value during the secure boot process to allow untrusted code to execute, as demonstrated in the Xbox 360 boot hack.
Conclusion – Counter Awareness
Randomization and doing more work (compute instructions) than is necessary are some of the techniques to counteract timing attacks. Secondary code integrity checks are advisable too. There are numerous examples of timing attacks found in the wild. A little awareness and proper development tools can help mitigate some of these threats.