Hacking is generally seen as a death knell for a consumer-level device. Once it’s hacked, it is essentially rendered useless and there is nothing that can be done but simply give in to the hackers. However, a research group known as Exploitee.rs has figured out ways to detect security problems before they start. They have focused on hardware hacking techniques, including a flash memory attack they came up with that can help find software bugs that expose weaknesses not just in one device, but in every other version of that device. So if a flaw is found in one version of a device, the technique can also detect it in other models. The group showcased their flash memory hack at the Black Hat security conference and built it at DefCon. They presented 22 zero-day exploits in a variety of home automation devices – and discovered several of the exploits just using this hack.
The biggest surprise of their presentation was showing just how vulnerable something can be with a simple SD card reader, some wire, and a bit of soldering experience. They focused on eMMC flash because it is inexpensive and can be connected with just five pins. All it takes to access an eMMC flash device is soldering five wires to it – a clock line, command line, data line, power line, and a ground. Doing this allows them to read and write data to it and start reprogramming the device, with the eventual goal being to control it. Now in theory, this could work on anything that uses flash memory – but fortunately, most devices use more pins than eMMC does. Because the method is limited to five wires, the kinds of devices that can be accessed with it are limited as well.
This method can be used for data recovery as well – so while things like this can be used for nefarious purposes, there are always benefits to being able to access things in ways that may not have been originally intended. This method can lead to people recovering photos thought to be lost forever, or things like backups of crucial digital documents. With the five wires in place, the flash memory chip can easily be connected to any SD card reader. SD cards and eMMC flash use similar protocols, and once the eMMC flash is connected to the SD card reader, the reader can be connected to a computer. Once this happens, a hacker can make copies of the OS, firmware and the software of the chip itself, and then look for software-side weaknesses in the code.
eMMC flash storage is used in a lot of smart devices. Tablets, cell phones, set top boxes, televisions, and even smart refrigerators are likely to use it. Major cell phone companies like Samsung have used it before, with their S2-S5 all making use of it, and zero-day vulnerabilities have been discovered in things like the Amazon Tap and VIZIO’s P6OUI smart TV. The group usually works with companies to patch devices, but used DefCon as a way to let users unlock their own hardware if they so desire. While most devices have high-level software that is encrypted, analyzing the firmware allows things like bugs and unknown backdoors to be found. This flash technique could easily expose a lack of thorough encryption, and while that may be a bad thing in the short term, knowing about it can at least allow a game plan to be created to prevent the problem from happening in the future. Ideally, exposing this issue should lead to a more robust level of encryption for flash memory.
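A device maker can check for "a lack of thorough encryption" in its own flash image by measuring byte entropy block by block. The sketch below is an added example, not code from the researchers; the block size, threshold and sample bytes are assumptions, and high entropy only shows data is encrypted or compressed, not which.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # analysis window in bytes (assumed; not an eMMC parameter)
THRESHOLD = 7.5   # bits/byte; at or above this a block looks encrypted or compressed

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_regions(image: bytes, block=BLOCK, threshold=THRESHOLD):
    """Return [(start, end, label)] with adjacent same-label blocks merged."""
    regions = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if chunk.count(chunk[0]) == len(chunk):
            label = "erased/padding"       # one repeated byte, e.g. 0xFF fill
        elif shannon_entropy(chunk) >= threshold:
            label = "high-entropy"         # encrypted or compressed
        else:
            label = "plaintext"            # readable at rest: review this region
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + len(chunk), label)
        else:
            regions.append((off, off + len(chunk), label))
    return regions

def constructed_sample() -> bytes:
    """Constructed stand-in for a dump: readable config, padding, random-looking data."""
    text = (b"root:x:0:0:root:/root:/bin/sh\n"
            b"update_url=http://example.invalid/fw\n" * 200)[:8192]
    padding = b"\xff" * 4096
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(256))  # 8192 pseudo-random bytes
    return text + padding + stream

if __name__ == "__main__":
    for start, end, label in classify_regions(constructed_sample()):
        print(f"0x{start:08x}-0x{end:08x}  {label}")
```

Regions labelled plaintext are the ones anyone with physical access to the chip could read directly, so they are where credentials, keys and update logic should not be stored unprotected.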
The most worrisome part of all this is just how easy it can be to access the devices, but by pointing out today’s problems, tomorrow’s can hopefully be remedied. One benefit of this hacking method being shown off to the public is that it raises awareness of just how vulnerable our devices are and how important it is to keep things as safe as possible. Perhaps the most surprising piece of information was just how many phones could have been hacked. With the Samsung S line, over 110 million devices were sold within that line while eMMC flash storage was used. It would be one thing if it was a small cell phone maker – it would be bad, certainly, but on a small scale. With Samsung being one of the biggest cell phone manufacturers in the world, their devices being vulnerable instantly puts anyone who owns one of those devices on edge.
Fortunately, with issues like this being brought to the forefront, device makers can figure out new ways to plug security holes like this before they become big issues. Samsung has seemingly saved themselves future headaches by not including eMMC storage on devices past the S5 – which is good for them. Hopefully, as time goes on, more manufacturers shift away from it. It may be cheap to use, but as this exploit shows, savings to the manufacturer today could potentially have long-standing consequences for both end users and the company if widespread issues were caused by a hack. Companies need to keep in mind that customers aren’t just dollar signs – they’re people. No one wants to have their data hacked, and if companies continue to use eMMC flash on major devices, they may very well have to deal with a PR nightmare if a widespread hack occurs.
The best long-term option for a company is to invest in other storage methods that aren’t as vulnerable. Doing so might cost more money in the short-term, but it would save them from dealing with many angry customers should a widespread hack be enacted due to eMMC storage. Luckily, nothing like this has happened yet – but that doesn’t mean it can’t still happen at some point. By locking things down, companies can give users peace of mind with their products and ensure a long-lasting relationship with the user. It is much easier to keep a happy customer than gain a new one, and by being pro-consumer even in a way such as this, they can gain trust that can pay off in the long run.