Exploiting the Obvious But Not the Trivial: Unencrypted NAND Flash Memory

In this SySS (https://www.syss.de/) proof-of-concept video, SySS IT security expert Matthias Deeg demonstrates a rather obvious attack exploiting unencrypted NAND flash memory for gaining unauthorized root access.

Usually, exploiting unencrypted persistent storage (data at rest) in the form of hard disk or solid state drives with a popular interface like SATA is not that difficult due to readily available tools for accessing those kind of storage devices. However, when targeting raw NAND flash memory chips, for instance used in embedded devices, gaining read or write access to the data of these storage devices is sometimes more complex and not trivially done.

The challenge regarding NAND flash memory is to understand the used error correction and data format of the target platform in order to both read error-free data from and correctly write data back to the chip.

BCH (Bose–Chaudhuri–Hocquenghem) codes [1], which are a class of cyclic error-correcting codes, are a popular choice for error correction in NAND flash memory technology.

Based on the open source tool PMECC Reader and Decoder [2] by Mickaël Walter, Matthias Deeg developed the open source NAND Dump Tools [3] which can be used for decoding and encoding NAND dumps/images for different target platforms.

Thus, our NAND Dump Tools can be used in chip-off/chip-on attacks in order to extract error-free data from and write modified data to the NAND memory chip of a targeted device.

In this proof-of-concept video, such a chip-off/chip-on attack is exemplarily demonstrated against a SAMA5D4 Xplained Ultra evaluation board [4] for gaining root access to the embedded Linux operating system in an unauthorized way.

[1] BCH codes, Wikipedia, 2020
https://en.wikipedia.org/wiki/BCH_code

[2] PMECC Reader and Decoder, Mickaël Walter, 2018
https://www.mickaelwalter.fr/2018/06/...

[3] SySS NAND Dump Tools, Matthias Deeg, SySS GmbH, 2020
https://github.com/SySS-Research/nand...

[4] SAMA5D4 Xplained Ultra, Microchip
https://www.microchip.com/Development...


#hack #nand #attack