ZAPZAP! BANGBANG! presented at Summercon 2017

by Rick Housley, Dr. Ang Cui,

Summary : Defeating Secure Boot Using Electromagnetic Pulses and badFET
We present our process of defeating secure-boot within a modern ARM-based IP Phone, Cisco 8861, using software defined radio and our custom EMP generator as an illustrative vehicle to discuss the following contributions:
* Dissection of a set of (yet undisclosed) vulnerabilities found in Broadcom-implemented trust zone execution environments.
* Our recent advancements in real-time tracking of control-flow of software running in modern embedded devices by the sensing and analysis of involuntary electromagnetic emanations.
* Our novel electromagnetic fault injection (EMFI) techniques capable of reliably and predictably altering computation of modern embedded devices by controlled applications of electromagnetic pulses. We discuss challenges and methods of achieving reliable control-flow modification in modern 1Ghz+ processors.
* Discussion of hardware and software design of badFET, a low-cost programmable electromagnetic pulse generator. It is our hope to release badFET as an open-source project to democratize EMFI research. (badFET is currently functional, but due to the nature of the device, it can cause serious injury or death. We plan to open-source the EMP generator portion of badFET if/when we build sufficient safety features into its design.)