Sometimes you take a weird detour during security research; this is the tale of one of those incidents.
During a thorough investigation of the SONOS One smart speaker for the Pwn2Own competition, the presenter of this talk got completely sidetracked and nerd-sniped into learning the exact details of the secure boot implementation of the underlying Amlogic system-on-a-chip and of SONOS’s proprietary flash encryption.
This talk starts by explaining the essentials of ARM Trusted Firmware Design and the roadblocks we hit once we started looking at the SONOS One product. Because the SONOS One proved to be such a fortress, we’ll start by looking at a “softer” target (a “smart clock” from Lenovo) to get a nice foothold on a ‘same same, but different’ system. We will detail a vulnerability that allows us to decrypt the Lenovo bootloader blobs without revealing the actual keys.
Next, we’ll cover a thorough analysis of the EL3 secure monitor code that gatekeeps access to interesting hardware peripherals like the OTP memory. We will look into bootstrapping some code that talks to the secure monitor and exploit a (0day) vulnerability in order to fully compromise the EL3 privileged context. Now that we have a foothold on a less well-defended system, we’ll apply what we learnt to the SONOS One system. We’ll quickly figure out that it won’t be as easy as the Lenovo clock.
We will use a (previously disclosed) DMA attack over the PCI Express bus as a stepping stone to launching our EL3 exploit on the SONOS speaker. The only problem: we don’t have access to the actual EL3 binaries on the SONOS. What now? Blind memory corruption exploitation time! Rest assured, we *will* manage to break the secure monitor running on the SONOS. We will dump all secrets from the OTP memory, and while we’re in the privileged context we will also dump the (protected) BootROM from the SoC.
The final part of the talk explains the modifications SONOS made to the Linux kernel LUKS encryption subsystem and how we can use the secrets we dumped from the protected OTP memory to recover the actual AES(-XTS) keys that are used for encrypting the filesystem. No more speakers needed as an oracle! If you are interested in low-level tinkering, hardware, (ARM) assembly and breaking modern privilege boundaries, this talk is for you!