Do you want to hack your Xbox One for FREE GAMES?? Well, you can’t. The reason is that someone did a really good job protecting the device’s boot sequence.
But this isn’t a story of “that one time that someone did a good job”; it’s a collection of all the other stories, the ones where people screwed up.
Secure boot is a process in which boot images and code are authenticated before they are allowed to be used in the boot process. Optimally, this creates a chain of trust covering all code that runs on an embedded device, which prevents rogue code from executing within the system without the manufacturer’s approval. Examples include DRM on gaming consoles, root prevention in smartphones and protection from supply-chain attacks. But Secure Boot is no longer limited to high-end systems like phones and PCs: it is used to protect many devices, from smart homes and cities to automotive ECUs, against malicious intent.
As embedded vulnerability researchers who exploit Automotive and IoT devices, we count secure boot solutions among our primary targets. The earlier in the boot process we manage to manipulate code executed by the system, the greater the power of our attack becomes. Once we bypass the software protections placed at later stages of the boot process, hardware protections remain our only limitation.
In this talk we will give an overview of common secure boot mechanisms and examples of vulnerabilities found within these systems. We will share our methodology for analyzing boot processes and exploiting them. This talk is based on research we conducted on numerous IoT and Automotive systems and on our findings within them.