Trojans can hide in AVR bootloaders

If there's one thing we've learned over the years, it's that if it contains a silicon chip, it could carry a virus. One group's research focused on hiding a Trojan in an Arduino AVR bootloader, showing that even our small hobbyist microcontrollers make a perfectly workable hiding place.

The specific goal of the research was to hide a Trojan inside the bootloader of an AVR chip itself. This would allow the Trojan to remain present on something like a 3D printer even if the main firmware were reinstalled. The Trojan would still be able to meddle with printer behaviour from its vile hiding place, but would be harder to notice and remove.

The target of the work was the ATmega328P, commonly used in 3D printers, especially those running Marlin firmware. For the full technical details, you can dive in and read the research paper for yourself. Simply put, the modified bootloader sets the IVSEL bit in the chip's MCUCR register, which relocates the interrupt vector table from the start of the application section to the start of the boot section. Normally a bootloader hands control to the application and is never heard from again; with the vectors moved, every interrupt the application depends on (timers, serial and so on) first lands in the Trojan-infected bootloader. Its code runs, then jumps to the application's own handler for that interrupt, so the program behaves as expected and nothing looks amiss. The Trojan can also run after the program's interrupt handler has finished, which increases the flexibility of the attack.

Simply reflashing a program onto an affected chip will not flush out the Trojan: an upload through the bootloader, which is how the Arduino IDE programs a board over serial, only rewrites the application section, and that is exactly where the Trojan isn't. Instead, the boot section itself must be rewritten with a clean bootloader, which on an AVR means an ISP programmer and a chip erase (what "Burn Bootloader" does in the Arduino IDE). A chip erase also clears the lock bits, so set them again afterwards.
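Since a serial upload never touches the boot section, the place to look for this kind of Trojan is a flash dump taken with an ISP programmer. The host-side C program below is an added illustration, not code from the paper or from any bootloader project: it parses an Intel HEX dump, walks the boot section word by word, and flags every `out MCUCR, Rr` whose source register was just loaded with a value that has IVSEL set, i.e. the vector-relocation sequence described above. The programmer name in the avrdude comment (`usbasp`), the 512-byte boot section start used by default, and the three HEX records are assumptions and constructed test data; the idea that a bootloader you trust contains no IVSEL write is something to confirm against an image you built yourself rather than take on faith.

```c
/* Scan an ATmega328P flash dump for a bootloader that relocates the interrupt
 * vectors via MCUCR.IVSEL. Added illustration, not the paper's code. Runs on
 * the host, no AVR toolchain needed. Dump the chip first with an ISP programmer
 * (programmer name assumed):  avrdude -c usbasp -p m328p -U flash:r:dump.hex:i */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 0x8000u      /* ATmega328P: 32 KiB of flash */
#define MCUCR_IO   0x35u        /* I/O address of MCUCR; IVSEL is bit 1, IVCE bit 0 */
#define IVSEL_BIT  0x02u
/* Boot section start follows the BOOTSZ fuses: 0x7E00 for a 512-byte
 * bootloader such as Optiboot, down to 0x7000 for the largest 4 KiB size. */
#define BOOT_START_512B 0x7E00u

static uint8_t flash[FLASH_SIZE];
static uint8_t present[FLASH_SIZE];   /* 1 where the dump supplied a byte */
unsigned last_ivsel_addr;             /* address of the last IVSEL-setting write seen */

static int hexnib(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
static int hexbyte(const char *p) {
    int h = hexnib(p[0]), l = h < 0 ? -1 : hexnib(p[1]);
    return l < 0 ? -1 : (h << 4) | l;
}
static int has_chars(const char *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (!p[i]) return 0;
    return 1;
}

/* Load Intel HEX (record types 00/01, enough for a 16-bit-address part) into
 * flash[]. Returns bytes loaded, or -1 on a malformed record or bad checksum. */
int load_ihex(const char *text) {
    memset(flash, 0xFF, sizeof flash);    /* erased flash reads as 0xFF */
    memset(present, 0, sizeof present);
    int loaded = 0;
    for (const char *p = text; *p; ) {
        while (*p == '\n' || *p == '\r') p++;
        if (!*p) break;
        if (*p != ':' || !has_chars(p, 11)) return -1;
        int len = hexbyte(p + 1), hi = hexbyte(p + 3), lo = hexbyte(p + 5), type = hexbyte(p + 7);
        if (len < 0 || hi < 0 || lo < 0 || type < 0 || !has_chars(p + 9, 2 * len + 2)) return -1;
        unsigned sum = len + hi + lo + type, addr = (hi << 8) | lo;
        const char *d = p + 9;
        for (int i = 0; i < len; i++) {
            int b = hexbyte(d + 2 * i);
            if (b < 0 || (type == 0 && addr + i >= FLASH_SIZE)) return -1;
            sum += b;
            if (type == 0) { flash[addr + i] = (uint8_t)b; present[addr + i] = 1; loaded++; }
        }
        int cks = hexbyte(d + 2 * len);
        if (cks < 0 || ((sum + cks) & 0xFF) != 0 || type > 1) return -1;
        if (type == 1) break;
        p = d + 2 * len + 2;
    }
    return loaded;
}

/* OUT A,Rr is encoded 1011 1AAr rrrr AAAA. Return Rr if A is MCUCR, else -1. */
static int out_mcucr_reg(uint16_t w) {
    if ((w & 0xF800) != 0xB800) return -1;
    unsigned a = ((w >> 5) & 0x30) | (w & 0x0F);
    return a == MCUCR_IO ? (int)((w >> 4) & 0x1F) : -1;
}
/* LDI Rd,K is 1110 KKKK dddd KKKK with Rd in r16..r31. Return K and set *rd, else -1. */
static int ldi_decode(uint16_t w, int *rd) {
    if ((w & 0xF000) != 0xE000) return -1;
    *rd = 16 + ((w >> 4) & 0x0F);
    return ((w >> 4) & 0xF0) | (w & 0x0F);
}

/* Linear sweep of the boot section. For each OUT MCUCR,Rr, resolve Rr from the
 * nearest preceding LDI into that register (up to 4 words back). Not a real
 * disassembler: hand-written assembly using STS to MCUCR's data-space address
 * (0x55) would slip past it, so a byte-for-byte compare against your own
 * known-good bootloader build remains the stronger check. */
static int scan_boot(unsigned boot_start, int only_ivsel) {
    int hits = 0;
    for (unsigned a = boot_start; a + 1 < FLASH_SIZE; a += 2) {
        if (!present[a] || !present[a + 1]) continue;
        int reg = out_mcucr_reg((uint16_t)(flash[a] | (flash[a + 1] << 8)));
        if (reg < 0) continue;
        if (!only_ivsel) { hits++; continue; }
        for (unsigned back = 2; back <= 8 && a >= boot_start + back; back += 2) {
            unsigned b = a - back;
            if (!present[b] || !present[b + 1]) break;
            int rd, k = ldi_decode((uint16_t)(flash[b] | (flash[b + 1] << 8)), &rd);
            if (k >= 0 && rd == reg) {
                if (k & IVSEL_BIT) { hits++; last_ivsel_addr = a; }
                break;
            }
        }
    }
    return hits;
}
int count_mcucr_writes(unsigned boot_start) { return scan_boot(boot_start, 0); }
int count_ivsel_writes(unsigned boot_start) { return scan_boot(boot_start, 1); }

/* Constructed dump fragment, not a real bootloader: at 0x7E00 the vector-move
 * sequence  ldi r24,1 / out MCUCR,r24 / ldi r24,2 / out MCUCR,r24  (bytes
 * 81 E0 85 BF 82 E0 85 BF); at 0x7F00 a harmless  in r24,MCUSR / ret;  and at
 * 0x0100 the same MCUCR write inside the application section, which lies
 * outside the boot section and must not be counted. */
const char *SAMPLE_HEX =
    ":087E000081E085BF82E085BF2F\n"
    ":047F000084B70895A5\n"
    ":0401000081E085BF56\n"
    ":00000001FF\n";

int main(void) {
    int n = load_ihex(SAMPLE_HEX);
    if (n < 0) { fputs("malformed hex\n", stderr); return 1; }
    int writes = count_mcucr_writes(BOOT_START_512B), moves = count_ivsel_writes(BOOT_START_512B);
    printf("%d bytes loaded; boot section @0x%04X: %d MCUCR write(s), %d set IVSEL\n",
           n, BOOT_START_512B, writes, moves);
    if (moves)
        printf("vectors relocated into the bootloader (write at 0x%04X): reflash boot section via ISP\n",
               last_ivsel_addr);
    return moves ? 2 : 0;
}
```

Pass a different boot start if the BOOTSZ fuses on your chip select a larger boot section; anything flagged should then be compared against the bootloader binary you built, since the sweep only proves that the boot section writes IVSEL, not what it does with the interrupts afterwards.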

Not a super dangerous hack, overall. Typically, flashing a malicious bootloader requires physical access to the chip with a programmer, or a hand in the process that flashes boards before they reach you, and there's not much to be gained by inserting code into the average 3D printer. However, it's nonetheless a good example of what bootloaders can really do, and a reminder that the one piece of code a casual reflash never touches deserves as much scrutiny as the firmware you can see. Stay safe there!
