Rootkit vulnerability in PSoC 4 series

Ask the Community
Close
Ask the Community
nav search Icon
Forums gray-arrow gray-arrow
Resources gray-arrow gray-arrow
About gray-arrow gray-arrow
Groups gray-arrow gray-arrow
nav-user Account

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob

Rootkit vulnerability in PSoC 4 series

Anonymous
Not applicable
‎Aug 21, 2017 02:13 PM
‎Aug 21, 2017 02:13 PM

About 6 months ago, someone posted a comprehensive explanation of an apparent vulnerability in PSoC 4 devices. The vulnerability would allow attackers to load malicious code to flash and then mark it as reserved for supervisor, allowing the code to survive chip erases and to run pretty much undetected. As he explains well, this potentially leads to all sorts of attack vectors, like replay attacks for touch screen devices.

Exploiting PSoC4 for fun and profit - Dmitry Grinberg

Reading the Unreadable SROM: Inside the PSoC4 | Hackaday

According to the author, Cypress has not responded to the problem. That was 6 months ago. Has anything been done by Cypress to mitigate or remove this vulnerability? It would seriously reduce the range of suitable applications for this chip, so it seems unlikely nothing was done.

0 Likes
Subscribe
3 Replies

Re: Rootkit vulnerability in PSoC 4 series

Anonymous
Not applicable
‎Aug 22, 2017 07:49 AM
‎Aug 22, 2017 07:49 AM

Heh, I think I've read that post too. Ultimately, I determined that you either need: Physical access to the device, or software update access to the device (either through firmware updates, or hardware reprogramming). Thus, if you do not have update-able firmware, then it is a non-issue. And if you do have firmware update-able code, then it comes down to how well you protect that update process. The vulnerability is mainly aimed at Cypress' supervisory code that controls the chips/core directly. It can be modified by the developer's application code, but ultimately, unless they have the ability to write code to the chip, they will not be able to access the vulnerability.

0 Likes

Re: Rootkit vulnerability in PSoC 4 series

user_284806
Level 2
Level 2
First like given
In response to Anonymous
‎Aug 22, 2017 10:09 AM
‎Aug 22, 2017 10:09 AM

Also depends on where you get your chips from, and the path they travel to your hands.

Anyways, I guess this issue is a problem only for really specific applications (or high volume), such as military / aerospace and the like, and I bet you can verify your chips (although, of course, is added work which may not justify given the availability of other options on the market). I know there's a thread about this in the forum (where the discoverer of the issue also comments).

0 Likes

Re: Rootkit vulnerability in PSoC 4 series

Anonymous
Not applicable
In response to user_284806
‎Aug 22, 2017 03:23 PM
‎Aug 22, 2017 03:23 PM

Good point about the travel path; If you are shipping or receiving it from someone, then it could be suspect 😕 Although, this is part of the checksum verification I suppose (not foolproof by any means, but makes it less easy to fool)

Here's the forum thread here (that you mentioned): Double the flash in low-end PSoC4 for free

Theoretically, if you used the exploit yourself to fully use the entire flash space (supervisory as well) to write your application code, then any attempts to apply rootkits or similar things would cause  corruption of the image as a whole. >:)

But still, security checking of the code would be required for extremely secure applications

On the other hand, if I was a wealthy organization with a security requirement, I would probably develop my own security hardware and software measures to instigate the prevention of rootkit installments.

0 Likes