Fred’s Notes outlines attacking the Nest Hub (2nd Gen), an always-connected smart home display from Google, in order to boot a custom OS.
First, we explore both hardware and software attack surface in search of security vulnerabilities that could permit arbitrary code execution on the device.
Then, using a Raspberry Pi Pico microcontroller, we exploit a USB bug in the bootloader to break the secure boot chain.
Finally, we build new bootloader and kernel images to boot a custom OS from an external flash drive.
In order to exploit this bug in the Nest Hub bootloader, a USB Mass Storage device that supports a larger-than-usual block size is needed. The Raspberry Pi Pico is a $4 microcontroller with USB Device support. It also has the great advantage of being supported by TinyUSB, an open-source cross-platform USB Host/Device stack.
The TinyUSB project provides Mass Storage device example code that can turn a Raspberry Pi Pico into a customizable USB flash drive. From this starting point, we can build an exploitation device that will:
- inject payload into stack memory
- overwrite return address to execute payload
- display a cool logo
Hardware exploration led to uncovering an unexpected USB port. Software exploration revealed that the device can boot from a USB Mass Storage device. Bug hunting exposed a stack overflow vulnerability in the DOS partition parser.
As a result, an attacker can execute arbitrary code at early boot stage (before kernel execution) by plugging a malicious USB device and pressing two buttons.
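The bug class described above (a partition parser that trusts the block size reported by the USB device and copies a block into a fixed-size stack buffer) is illustrated below with a constructed DOS/MBR parser. This is an added example, not the Nest Hub bootloader code and not code from Fred's Notes; the function names, the 512-byte MBR layout assumption and the sample partition table are all constructed for illustration. The unchecked variant shows the shape of the defect for contrast only; the checked variant refuses any block size the buffer cannot hold before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration of the bug class: a DOS/MBR partition parser that
 * copies a USB block into a fixed-size stack buffer. Not the Nest Hub code. */

#define MBR_SIZE        512
#define MBR_PART_OFFSET 446
#define MBR_PART_COUNT  4
#define MBR_SIG_OFFSET  510

struct mbr_part {
    uint8_t  boot_flag;
    uint8_t  type;
    uint32_t lba_start;
    uint32_t lba_count;
};

/* Little-endian 32-bit read */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads the four primary partition entries from a 512-byte MBR image.
 * Returns the number of non-empty entries, or -1 if the 0x55AA signature is missing. */
static int mbr_read_entries(const uint8_t mbr[MBR_SIZE], struct mbr_part out[MBR_PART_COUNT]) {
    if (mbr[MBR_SIG_OFFSET] != 0x55 || mbr[MBR_SIG_OFFSET + 1] != 0xAA)
        return -1;
    int n = 0;
    for (int i = 0; i < MBR_PART_COUNT; i++) {
        const uint8_t *e = mbr + MBR_PART_OFFSET + i * 16;
        if (e[4] == 0)            /* partition type 0 = unused entry */
            continue;
        out[n].boot_flag = e[0];
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].lba_count = le32(e + 12);
        n++;
    }
    return n;
}

/* VULNERABLE shape (constructed): trusts the device-reported block size, so a
 * block larger than 512 bytes overflows the stack buffer. Shown for contrast
 * only; it is never called below. */
int parse_first_block_unchecked(const uint8_t *block, size_t block_size,
                                struct mbr_part out[MBR_PART_COUNT]) {
    uint8_t buf[MBR_SIZE];
    memcpy(buf, block, block_size);   /* overflow when block_size > sizeof buf */
    return mbr_read_entries(buf, out);
}

/* HARDENED: validate the block size against the buffer before any copy.
 * Returns -2 for an unexpected block size instead of truncating or overflowing. */
int parse_first_block_checked(const uint8_t *block, size_t block_size,
                              struct mbr_part out[MBR_PART_COUNT]) {
    uint8_t buf[MBR_SIZE];
    if (block == NULL || block_size != MBR_SIZE)
        return -2;
    memcpy(buf, block, MBR_SIZE);
    return mbr_read_entries(buf, out);
}

/* Constructed sample MBR: one bootable Linux (0x83) partition at LBA 2048, 1048576 sectors */
void build_sample_mbr(uint8_t mbr[MBR_SIZE]) {
    memset(mbr, 0, MBR_SIZE);
    uint8_t *e = mbr + MBR_PART_OFFSET;
    e[0] = 0x80; e[4] = 0x83;
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00;  /* lba_start = 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00;  /* lba_count = 1048576 */
    mbr[MBR_SIG_OFFSET]     = 0x55;
    mbr[MBR_SIG_OFFSET + 1] = 0xAA;
}

int main(void) {
    uint8_t mbr[MBR_SIZE];
    struct mbr_part parts[MBR_PART_COUNT];
    build_sample_mbr(mbr);
    int n = parse_first_block_checked(mbr, sizeof mbr, parts);
    printf("512-byte block: %d partition(s), first starts at LBA %u\n", n, parts[0].lba_start);
    uint8_t big[4096] = {0};   /* a device advertising a 4096-byte block */
    printf("4096-byte block: rc=%d (rejected)\n", parse_first_block_checked(big, sizeof big, parts));
    return 0;
}
```

The defensive point is that the block size is attacker-controlled input from the USB device descriptor and must be validated like any other untrusted length before it drives a copy into a fixed buffer; rejecting the block outright is safer than silently truncating, because a truncated MBR can still parse as valid.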
You can read the details in the post here.