A security researcher at Juniper Networks has uncovered a new class of attack threatening electronic devices like routers or mobile phones.
The vulnerability lies in Arm and XScale microprocessors, both widely used in "embedded" devices. "There are interesting quirks in the ARM and XScale architectures that make things very easy for an attacker," said the Juniper senior researcher Barnaby Jack.
Jack claimed the technique he developed is “100% reliable, and it results in code execution on the device”.
An attacker could launch this type of attack to run unauthorised software on a device connected to the network. In theory, criminals could use this approach to steal sensitive information from mobile phones or redirect internet traffic on routers, say from a user's online bank account to a hacker site set up to steal account and password information.
It's an alternative to hacker techniques like buffer overflow attacks, which attempt to trick the processor into running code that has been snuck into the computer's memory.
Jack plans to disclose details on this attack – and the things that device makers can do to avoid it – at the CanSecWest security conference being held later this month in Canada.
He said he came up with the technique after spending several months cracking open and soldering test equipment onto a range of embedded devices. By taking advantage of a standard integrated circuit testing interface, called Joint Test Action Group (JTAG), Jack was able to sneak a peek at the systems' processors and get a close-up look at how they worked.
"With every hardware device, there has to be a way for developers to debug the code and all I did was take advantage of that," he said. "As I was digging deeper into the architecture, I saw a couple of subtleties which could allow for some interesting things.”
JTAG is widely used because it gives engineers a way to debug software on embedded systems, but it presents a security risk as well, said Peter Glaskowsky, an analyst with the Envisioneering Group.
Though some companies are able to cut off the JTAG interface on their products, Jack said it was enabled in 90% of the devices he examined.
"It's definitely an issue," Glaskowsky said. "Some chips won't turn it off because they want it for later diagnostics if there's a problem with them."
Often, it's simply too expensive for hardware makers to shut down JTAG access, said Joe Grand, a hardware hacker and president of electronics design firm Grand Idea Studio.
Though there hasn't yet been a large amount of research into the kind of hands-on hacking techniques being pioneered by people like Jack and Grand, it appears this is about to change.
The tools and devices required to hack embedded systems are becoming less expensive and hardware hacking is developing a cachet in the security research community, Grand said. He will offer hardware hacking workshops at this year's Black Hat USA conference.
"It's exciting for the hacking community to say, 'I'm sick of software. Let's look at the hardware,'" he said.
Barnaby Jack has no plans to slow down his work.
"I'm looking at my microwave oven right now, but I don't think there's much I could do with that," he said.