Secure Firmware Update Lab Session

Size: px

Start display at page:

Download "Secure Firmware Update Lab Session"

Laurence Cook
5 years ago
Views:

1 Secure Firmware Update Lab Session Shotaro Saito, Staff Application Engineer, Secure MCU Class ID: BL02I Renesas Electronics America Inc.

2 Shotaro Saito, Application Engineer 24 years in Embedded Systems Development In-Circuit Emulator / Debugger Development Debugger GUI Design Biometrics Enabled Smartcard Development 4 Years with Renesas Electronics In Charge of Secure MCU Development Kit and Tools Board ID Solution Support 2

3 Renesas Technology & Solution Portfolio 3

4 8/16-bit 32-bit Microcontroller and Microprocessor Line-up DMIPS, Superscalar Automotive & Industrial, 65nm 600µA/MHz, 1.5µA standby 500 DMIPS, Low Power Automotive & Industrial, 90nm 600µA/MHz, 1.5µA standby 165 DMIPS, FPU, DSC Industrial, 90nm 242µA/MHz, 0.2µA standby 25 DMIPS, Low Power Industrial & Automotive, 150nm 190µA/MHz, 0.3µA standby 10 DMIPS, Capacitive Touch Wide Industrial Format & LCDs Automotive, 130nm 350µA/MHz, 1µA standby 1200 DMIPS, Performance Automotive, 40nm 500µA/MHz, 35µA deep standby 165 DMIPS, FPU, DSC Industrial, 40nm 242µA/MHz, 0.2µA standby Embedded Security, ASSP Industrial, 90nm 1mA/MHz, 100µA standby 44 DMIPS, True Low Power Industrial & Automotive, 130nm 144µA/MHz, 0.2µA standby 4

8/16-bit 32-bit Microcontroller and Microprocessor Line-up 2010 2013 1200 DMIPS, Superscalar Automotive & Industrial, 65nm 600µA/MHz, 1.

5µA standby True Embedded Security and Integration 165 DMIPS, FPU, DSC 1200 DMIPS, Performance Automotive, 40nm 500µA/MHz, 35µA deep standby 165 DMIPS, FPU, DSC Industrial, 40nm 242µA/MHz, 0.

5 8/16-bit 32-bit Microcontroller and Microprocessor Line-up DMIPS, Superscalar Automotive & Industrial, 65nm 600µA/MHz, 1.5µA standby 500 DMIPS, Low Power Automotive & Industrial, 90nm 600µA/MHz, 1.5µA standby True Embedded Security and Integration 165 DMIPS, FPU, DSC 1200 DMIPS, Performance Automotive, 40nm 500µA/MHz, 35µA deep standby 165 DMIPS, FPU, DSC Industrial, 40nm 242µA/MHz, 0.2µA standby Industrial, 90nm 242µA/MHz, 0.2µA standby 25 DMIPS, Low Power Industrial & Automotive, 150nm 190µA/MHz, 0.3µA standby 10 DMIPS, Capacitive Touch Wide Industrial Format & LCDs Automotive, 130nm 350µA/MHz, 1µA standby Embedded Security, ASSP Industrial, 90nm 1mA/MHz, 100µA standby 44 DMIPS, True Low Power Industrial & Automotive, 130nm 144µA/MHz, 0.2µA standby 5

6 Enabling The Smart Society The Smart Society is explicitly exposed to adversaries who intend to gain profit by breaching its security: Challenge: In the smart society, the inter-connectivity takes the key role while anyone can take advantage of it including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts. Solution: The Secure MCU solution prevents end-point devices in the smart society from being compromised with secure authentication scheme 6

7 Agenda Embedded security basics Knowing your opponents Attack vectors on embedded systems Security perimeter Board ID The best plug Lab session Preparing RX62N as target system Download sample firmware with remote security stack Penetration testing Q&A 7

8 Embedded Security Basics 8

9 Knowing Your Opponents (1) Competitors Reverse engineering, vulnerability research, etc. Let s see what they got this time that we can mimic Counterfeiters Cloning Oh, they make it hard this time but we can still crack it Hackers Pure curiosity (raison d être of them) I ll run my homebrewed app on PS3. EULA? What is it? Fame, promotion and job opportunity He s very popular as iphone and PlayStation3 jailbreaker (Geohot vs. Sony, 2010) I could hack your server. Why don t you hire me as your CSO? (Marriott Hotel, Nov. 2011) 9

10 Knowing Your Opponents (2) Opponents in the real world They do ANYTHING for making a profit This is fake Samsung Galaxy SIII BTW, this Apple store is FAKE! 10

11 Attack Vectors (1) Communication Interface JTAG Widely available on popular MCUs Serial (RS-232C) Console hacking starts from here Ethernet Remote hacking from the other side of the Earth USB Stuxnet, PS3 jailbreak utilize USB dongle/memory stick I2C, SPI, SMBus, etc. 11

12 Attack Vectors (2) Physical penetration Opening enclosure Trace cut/jumper Add/remove/replace devices (i.e. MOD chips) Compromising device Break/dissolve device packaging Reconnect blown fuse with micro probe 12

13 Security Perimeter 13

14 Security Perimeter (1) What we protect and what we don t We can prevent this But we cannot prevent this Defining End-Point as security perimeter The target should not be cloned (Hardware/Software) The target eco system should be protected 14

15 Security Perimeter (2) End-point security Remote intrusion Altered meter Unauthorized charging Sophisticated theft Unauthorized access Remote intrusion Remote intrusion Denial-of-service 15

16 Security Perimeter (3) Target system definition RX63N RDK Represents network enabled device Application Console application with update feature Protection profile The application (RX63N side) Not to be altered Not to be extracted Update scheme (Server side) Unauthorized system is properly rejected False attempt is rejected and logged Adding secure MCU to RX63N RDK makes it easy 16

Board ID Proven Security Enhancement Board ID Tiny secure microcontroller (4.

2mm) Embedded secure element Credentials are stored in tamper proof memory section

transaction with modular multiplication coprocessor Turn-key Solution Pre-loaded

17 Board ID Proven Security Enhancement Board ID Tiny secure microcontroller (4.2mm x 4.2mm) Embedded secure element Credentials are stored in tamper proof memory section Hardware protection against known attacks Cryptographic coprocessor Fast RSA transaction with modular multiplication coprocessor Turn-key Solution Pre-loaded firmware for authentication specific application Outsourcing security measures Firmware update mandates Board ID on RX63N RDK Counterfeit target without Board ID is rejected 17

18 Lab Session 18

19 Lab Session Material RX63N RDK 32bit microprocessor demo kit Board ID Module Authentication specific module Authentication server Provides firmware update service ONLY AFTER proper authentication is done The Goal Utilize the Board ID module to perform secure firmware download to the RX63N demo kit from the Authentication Server Lab Procedure Follow the lab procedure (takes approximately 40 minutes) 19

20 Questions? 20

21 Enabling The Smart Society in Review The Smart Society is explicitly exposed to adversaries who intend to gain profit by breaching its security: Challenge: In the smart society, the inter-connectivity takes the key role while anyone can take advantage of it including cyber criminals. Devices in the smart society need to be smart enough to deny rogue intrusion attempts. Solution: The Secure MCU solution prevents end-point devices in the smart society from being compromised with secure authentication scheme Do you agree that we accomplished the above statement? 21

22 Please Provide Your Feedback Please utilize the Guidebook application to leave feedback or Ask me for the paper feedback form for you to use 22

23 Renesas Electronics America Inc.

RL78 Project Configuration Tips

RL78 Project Configuration Tips Renesas Electronics America Inc. Renesas Technology & Solution Portfolio 2 Microcontroller and Microprocessor Line-up 2010 2012 32-bit 8/16-bit 1200 DMIPS, Superscalar Automotive