TY - JOUR
T1 - Stealthy Information Leakage through Peripheral Exploitation in Modern Embedded Systems
AU - Tychalas, Dimitrios
AU - Keliris, Anastasis
AU - Maniatakos, Michail
N1 - Funding Information:
Manuscript received January 24, 2020; revised April 12, 2020; accepted May 1, 2020. Date of publication May 12, 2020; date of current version June 5, 2020. This work was supported in part by the U.S. Office of Naval Research under Award N00014-15 1-2182, and in part by the NYU Abu Dhabi Global Ph.D. Fellowship Program. (Corresponding author: Dimitrios Tychalas.) Dimitrios Tychalas and Anastasis Keliris are with the Department of Electrical and Computer Engineering, NYU Tandon School of Engineering, Brooklyn, NY, 11201 USA (e-mail: dimitris.tychalas@nyu.edu).
Publisher Copyright:
© 2001-2011 IEEE.
PY - 2020/6
Y1 - 2020/6
N2 - Embedded systems are being aggressively integrated into every aspect of modern life, with uses ranging from personal devices to devices deployed in critical systems, such as autonomous vehicles, aircraft, and industrial control systems. Embedded systems handle sensitive information, which can potentially be exposed by leveraging their poor security posture. In this paper, we present a novel attack vector that automates stealthy information leakage from modern embedded systems. Specifically, we leverage the Device Tree, a data structure that describes the hardware profile of a system, to extract detailed information about the target system. Utilizing this information, we introduce a stealthy attack that attempts to bridge the air gap by transferring data from memory directly to analog peripherals. The attack resides solely in the peripherals, completely transparent to the main CPU, by judiciously short-circuiting specific components. We implement this attack on a commercial Programmable Logic Controller (PLC), leaking information over the available LEDs. We evaluate the presented attack vector in terms of stealthiness, and we demonstrate no observable overhead on either CPU performance or DMA transfer speed. Furthermore, we propose a generalized defense scheme for peripheral exploitation attacks by establishing a hardware root of trust through JTAG debugging. Our methodology keeps track of peripheral traffic through JTAG-enabled monitoring, alerts the system to possible malicious behavior, and handles threat removal. We test our defense in terms of imposed performance overhead and overall potency, achieving solid detection of the underlying attack at a low performance cost.
KW - Embedded systems security
KW - JTAG
KW - device tree
KW - direct memory access
UR - http://www.scopus.com/inward/record.url?scp=85087078407&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85087078407&partnerID=8YFLogxK
U2 - 10.1109/TDMR.2020.2994016
DO - 10.1109/TDMR.2020.2994016
M3 - Article
AN - SCOPUS:85087078407
SN - 1530-4388
VL - 20
SP - 308
EP - 318
JO - IEEE Transactions on Device and Materials Reliability
JF - IEEE Transactions on Device and Materials Reliability
IS - 2
M1 - 9091580
ER -