Anelok: rfkill concept for the next board version

Werner Almesberger werner at almesberger.net
Sun May 11 02:37:21 EDT 2014


Bas Wijnen wrote:
> I would think you are talking about what's actually going through the air
> here.

Yes, for example BTLE has a not-quite-secure encryption mode. So we
could accept to use that, and be immediately compatible with other
devices.

Or we could require a key exchange mode that is more secure but also
more painful for users. Or we could require an encryption layer on
top of all this, which would need a special application on the other
end.

Or we could wait for the BT folks to get it right :) I'm not talking
about impossibilities there - there seems to be a good communication
flow between those who have to evolve the standard and those who
understand why the current situation is not good enough and what to
do about it.

> The code in the RF SoC is just as hard to change for an attacker as
> the code in the MCU, right?

Not at all. The RF SoC can be commanded to erase all its Flash,
after which it drops all protections and you can load whatever code
you want.

The KL26 is much better protected. There, you can disable that "bulk
erase" operation. There are still ways around it, though: you can
set up a "backdoor" key that lets you bypass the protection. Or you
can choose to not have that. Likewise, there is also a Freescale
backdoor key, but you can also tell the chip to ignore it. We don't
know whether that is really happening. We also don't know whether
there are more keys, e.g., for the NSA and other TLAs.

> How is it easy to change its firmware?  Don't you need to hack into the MCU
> first, or break the device open?

Changing the RF SoC's firmware isn't very hard. Once you get access
to three signals, two of which may be exposed on nice and large test
pads, you can load whatever code you want.

What's much harder is preventing the MCU from detecting any tampering.
And, as I described above, the MCU is our impenetrable citadel.

> But forget it once and all is lost anyway.

Yes, you'd need rather tight opsec.

> They can more
> easily detect any of the other identifiable transmitters that most people
> carry, the most likely candidate being the cell phone.

I was thinking of the sort of people who don't carry cell phones for
just that reason :-)

But yes, it's difficult to guess the requirements of people living
in such extreme conditions. I would hope that a bit of inside
information might eventually trickle in my general direction once
Anelok is on the market, but for now, we can only guess.

But then, if we can push the threshold for some sort of attack
beyond the ridiculously high, that's never a bad thing :)

> If only destruction is required, it may even be done without opening the
> device using a focused wide beam,

Hmm, the changes I described would also require the creation of new
connections, but that's an interesting aspect.

Defense strategies could include blocking the attack or making sure
no amount of wire cutting could effectively compromise the system's
integrity.

Luckily, it seems that you need fairly fancy equipment for it.

- Werner
