Publication


Featured research published by Markus Kammerstetter.


computer and communications security | 2012

Vanity, cracks and malware: insights into the anti-copy protection ecosystem

Markus Kammerstetter; Christian Platzer; Gilbert Wondracek

Today, a large amount of software products include mechanisms to counter software piracy. However, most protection mechanisms can be easily circumvented by applying software patches (cracks) or license key generators (keygens) with seemingly no financial incentives. Our research shows that the distribution of cracks and keygens not only allows miscreants to generate revenue (e.g. through advertising or malware infections), but it also leads to high risks for the end-users of pirated software. We collected more than 43,900 download links and analyzed more than 23,100 (3,551 unique) real-world cracks, showing that these tools are heavily used by criminals to spread malware. Our results indicate that even state of the art virus scanners can not fully protect users from these threats. Moreover, we conducted a manual analysis, showing how many cracks and keygens actually work and how much effort is necessary to acquire them. In addition, we made our data-set publicly available to the research community.


Computers & Security | 2016

From old to new: Assessing cybersecurity risks for an evolving smart grid

Lucie Langer; Florian Skopik; Paul Smith; Markus Kammerstetter

Future smart grids will consist of legacy systems and new ICT components, which are used to support increased monitoring and control capabilities in the low- and medium-voltage grids. In this article, we present a cybersecurity risk assessment method, which involves two interrelated streams of analyses that can be used to determine the risks associated with an architectural concept of a smart grid that includes both legacy systems and novel ICT concepts. To ensure the validity of the recommendations that stem from the risk assessment with respect to national regulatory and deployment norms, the analysis is based on a consolidated national smart grid reference architecture. We have applied the method in a national smart grid security project that includes a number of key smart grid stakeholders, resulting in security recommendations that are based on a sound understanding of cybersecurity risks.


computer and communications security | 2014

Prospect: peripheral proxying supported embedded code testing

Markus Kammerstetter; Christian Platzer; Wolfgang Kastner

Embedded systems are an integral part of almost every electronic product today. From consumer electronics to industrial components in SCADA systems, their possible fields of application are manifold. While especially in industrial and critical infrastructures the security requirements are high, recent publications have shown that embedded systems do not cope well with this demand. One of the reasons is that embedded systems are being less scrutinized as embedded security analysis is considered to be more time consuming and challenging in comparison to PC systems. One of the key challenges on proprietary, resource constrained embedded devices is dynamic code analysis. The devices typically do not have the capabilities for a full-scale dynamic security evaluation. Likewise, the analyst cannot execute the software implementation inside a virtual machine due to the missing peripheral hardware that is required by the software to run. In this paper, we present PROSPECT, a system that can overcome these shortcomings and enables dynamic code analysis of embedded binary code inside arbitrary analysis environments. By transparently forwarding peripheral hardware accesses from the original host system into a virtual machine, PROSPECT allows security analysts to run the embedded software implementation without the need to know which and how embedded peripheral hardware components are accessed. We evaluated PROSPECT with respect to the performance impact and conducted a case study by doing a full-scale security audit of a widely used commercial fire alarm system in the building automation domain. Our results show that PROSPECT is both practical and usable for real-world application.


computer and communications security | 2014

Breaking Integrated Circuit Device Security through Test Mode Silicon Reverse Engineering

Markus Kammerstetter; Markus Muellner; Daniel Burian; Christian Platzer; Wolfgang Kastner

Integrated Circuit (IC) device manufacturing is a challenging task and often results in subtle defects that can render a chip unusable. To detect these defects at multiple stages during the IC production process, test modes are inserted (Design For Testability). On the downside, attackers can use these test modes to break IC device security and extract sensitive information such as the firmware implementation or secret key material. While in high security smart cards the testing circuits are physically removed during production for this reason, in the majority of digital ICs the testing modes remain intact. Often they are undocumented, well-hidden and contain secret test commands. Utilizing search algorithms and/or side channel information, several attacks on secret testing modes have been presented lately. Accordingly, countermeasures that frequently rely on obfuscation techniques have been proposed as more advanced cryptographic methods would require significantly more space on the die and thus cause higher production costs. In this work, we show that limited effort silicon reverse engineering can be effectively used to discover secret testing modes and that proposed obfuscation based countermeasures can be circumvented without altering the analysis technique. We describe our approach in detail at the example of a proprietary cryptographic game authentication chip of a well known gaming console and present an FPGA implementation of the previously secret authentication algorithm.


information hiding | 2014

Architecture-driven smart grid security management

Markus Kammerstetter; Lucie Langer; Florian Skopik; Wolfgang Kastner

The introduction of smart grids goes along with an extensive use of ICT technologies in order to support the integration of renewable energy sources. However, the use of ICT technologies bears risks in terms of cyber security attacks which could negatively affect the electrical power grid. These risks need to be assessed, mitigated and managed in a proper way to ensure the security of both current and future energy networks. Existing approaches have been either restricted to very specific components of the smart grid (e.g., smart meters), or provide a high-level view only. We therefore propose an architecture-driven security management approach for smart grids which goes beyond a mere abstract view without focusing too much on technical details. Our approach covers architecture modeling, risk identification and assessment as well as risk mitigation and compliance checking. We have proven the practical usability of this process together with leading manufacturers and utilities.


emerging technologies and factory automation | 2016

Communications for AnyPLACE: A smart metering platform with management and control functionalities

Dominik Henneke; Christian Freudenmann; Markus Kammerstetter; David Rua; Lukasz Wisniewski; Jürgen Jasperneite

Recent developments under the term Smart Grid change how users consume electricity and interact with the power grid. Smart metering and energy management are developments that transform the yet passive energy consumer to a participant that is actively involved in the energy market by using variable energy tariffs or by demand-response services. But such functionality demands a platform that integrates all smart devices in the user's property, connects to external services and electricity providers, and has interfaces that provide information and control to the user. AnyPLACE will develop such a platform. Based on the latest legislation in the European member states, it will incorporate smart meters and create links to external service providers. Furthermore, it connects the devices in the property of the end-user in order to be able to fully monitor and control the energy consumption. This paper presents the AnyPLACE idea and the problems that are solved on the communications aspect. It provides an in-depth analysis of current European legislation in the context of smart metering and provides the requirements that need to be realized by the platform. Additionally, it proposes a strategy to create a solution that can be used in any place of Europe. The paper also incorporates the security and privacy requirements in different domains and sketches a solution and architecture to fulfill these by incorporating existing open source implementations as provided by the openHAB project.


cryptographic hardware and embedded systems | 2016

Efficient High-Speed WPA2 Brute Force Attacks using Scalable Low-Cost FPGA Clustering

Markus Kammerstetter; Markus Muellner; Daniel Burian; Christian Kudera; Wolfgang Kastner

WPA2-Personal is widely used to protect Wi-Fi networks against illicit access. While attackers typically use GPUs to speed up the discovery of weak network passwords, attacking random passwords is considered to quickly become infeasible with increasing password length. Professional attackers may thus turn to commercial high-end FPGA-based cluster solutions to significantly increase the speed of those attacks. Well known manufacturers such as Elcomsoft have succeeded in creating the world's fastest commercial FPGA-based WPA2 password recovery system, but since they rely on high-performance FPGAs the costs of these systems are well beyond the reach of amateurs. In this paper, we present a highly optimized low-cost FPGA cluster-based WPA-2 Personal password recovery system that can not only achieve similar performance at a cost affordable by amateurs, but in comparison our implementation would also be more than 5 times as fast on the original hardware. Since the currently fastest system is not only significantly slower but proprietary as well, we believe that we are the first to present the internals of a highly optimized and fully pipelined FPGA WPA2 password recovery system. In addition, we evaluated our approach with respect to performance and power usage and compare it to GPU-based systems. To assess the real-world impact of our system, we utilized the well known Wigle Wi-Fi network dataset to conduct a case study within the country and its border regions. Our results indicate that our system could be used to break into each of more than 160,000 existing Wi-Fi networks requiring 3 days per network on our low-cost FPGA cluster in the worst case.


SmartER Europe | 2017

Open and Secure: Amending the Security of the BSI Smart Metering Infrastructure to Smart Home Applications via the Smart Meter Gateway

Christian Freudenmann; Dominik Henneke; Christian Kudera; Markus Kammerstetter; Lukasz Wisniewski; Christoph Raquet; Wolfgang Kastner; Jürgen Jasperneite

This paper describes an implementation to enable interaction between smart home solutions and Smart Meter Gateways (SMGWs). This is conducted in the example of the approach of the AnyPLACE project to interconnect openHAB with the HAN interface of the SMGW. Furthermore, security issues in the combination of those two realms are addressed, answered and tested so that in addition to the open character of the solution, it is still secure.


Smart Grid Security: Innovative Solutions for a Modernized Grid | 2015

Resilience Against Physical Attacks

Martin Hutle; Markus Kammerstetter

The types of physical attacks on smart grid devices range from simple approaches, such as exploiting open interfaces, over side-channel attacks, to sophisticated methods such as fault attacks or integrated circuit (IC) reverse engineering. The basic methods to counteract such attacks include a system design, where information is also protected inside a device, and where no unwanted interfaces are exposed. Hardware security modules can be used to store secret data, such as key material, in a way that is more difficult to access by an attacker. They can be also used as a trust anchor for providing tamper resistance, and to prove a device’s integrity to a third party. A new alternative, and a main focus of this chapter, are physical uncloneable functions, where the individual characteristic of physical parameters of a piece of hardware are used to derive individual fingerprints used as a cornerstone for future encryption approaches.


Smart Grid Security: Innovative Solutions for a Modernized Grid | 2015

The Evolution of the Smart Grid Threat Landscape and Cross-Domain Risk Assessment

Lucie Langer; Markus Kammerstetter

Future power grids will make extensive use of information and communication technology (ICT) to integrate renewable energy sources and support novel functionalities. Consequently, smart grids provide a much larger surface for cyber-attacks, which makes cybersecurity risk assessment a task of major importance for the security and resilience of future energy supply. Risk assessment in smart grids is, however, challenging due to their cyber-physical nature and the mix of legacy systems and new components. This chapter investigates different types and potential impacts of cybersecurity threats to smart grids, focusing on different smart grid domains in three comprehensive case studies. The challenges of risk assessment in future power grids are reflected, and different risk assessment frameworks proposed to date are discussed, including their applicability to smart grids.

Collaboration

Top Co-Authors

Wolfgang Kastner (Vienna University of Technology)

Christian Platzer (Vienna University of Technology)

Daniel Burian (Vienna University of Technology)

Lucie Langer (Austrian Institute of Technology)

Christian Kudera (Vienna University of Technology)

Florian Skopik (Austrian Institute of Technology)

Markus Muellner (Vienna University of Technology)

Dominik Henneke (Ostwestfalen-Lippe University of Applied Sciences)

Lukasz Wisniewski (Ostwestfalen-Lippe University of Applied Sciences)

Edgar R. Weippl (Vienna University of Technology)