A security researcher at Juniper Networks plans to demonstrate a new class of attack that can be used to compromise electronic devices like routers or mobile phones.
The vulnerability lies in the Arm and XScale microprocessors, two chips that are widely used in these embedded devices. "There are interesting quirks in the ARM and XScale architectures that make things very easy for an attacker," Juniper's Barnaby Jack said. The technique he had developed was "100 per cent reliable, and it results in code execution on the device", he said.
An attacker could launch this type of attack to run unauthorised software on a device connected to the network. In theory, criminals could use this kind of attack to steal sensitive information from mobile phones or redirect Internet traffic on routers, say from a user's online bank account to a hacker site set up to steal account and password information.
It's an alternative to hacker techniques such as buffer overflow attacks, which attempt to trick the processor into running code that is snuck into the computer's memory.
Jack came up with the technique after spending several months cracking open and soldering test equipment onto a range of embedded devices. By taking advantage of a standard integrated circuit testing interface, called Joint Test Action Group (JTAG) he was able to sneak a peek at the systems' processors and get a close-up look at how they worked.
"With every hardware device, there has to be a way for developers to debug the code and all I did was take advantage of that," he said. "As I was digging deeper into the architecture, I saw a couple of subtleties which could allow for some interesting things."
JTAG is widely used because it gave engineers a way to debug software on embedded systems, but it presented a security risk as well, Envisioneering Group analyst, Peter Glaskowsky, said.
Though some companies were able to cut off the JTAG interface on their products, Jack said it was enabled in 90 per cent of the devices he examined.
"It's definitely an issue," Glaskowsky said. "Some chips won't turn it off because they want it for later diagnostics if there's a problem with them."