White Paper

Safe guarding Mission Critical Data with Secure Solid State Drives

Issue link: https://read.uberflip.com/i/1173420

Tests of the motherboard in the defense equipment indicate that it uses a legacy BIOS supporting a maximum password length of eight characters and a backfill of 24 zeros. Team 2 creates an automated fixture to cycle power and test passwords using a dictionary attack. Every word in the English dictionary is tested as a potential password. The fixture tests four passwords, cycles the power, and then repeats. This allows a password test rate of 600,000 per day, about seven passwords per second. The dictionary attack completes in 16 hours; no password is found. A second dictionary attack with combinations of words, numbers, and special characters begins. As the dictionary attack continues, the 50 purchased SSDs arrive and Team 2 takes 20 SSDs, disassembles them, and identifies the internal components. The drives are processed to de-lid the NAND controller. Team 3 comes online and begins investigating the Printed Circuit Board (PCB). A 4x5 pattern of pads is determined to be programming ports used during SSD production. With the NAND controller de-lid complete, Team 3 discovers connections from the pad patterns to the exposed controller die using high magnification, X-ray, and micro-probing. Several of the pads are identified as a scan chain port. With probes in place and the drive powered, Team 3 uses the scan port to read the encrypted contents of the NAND media. While cycling power, Team 2 notices that the controller reads specific NAND locations immediately after power is applied. The controller boot code has been located. In further experiments with the purchased SSDs, Team 2 notes that the controller writes to the NAND media each time the ATA password is configured. Great news! Team 2 believes they have found the storage location of the ATA password hash. Progress is accelerating. With samples of the SSD configured with a known password, it will be a matter of hours to identify the password hashing algorithm.

Soon the teams will be ready to retrieve data from the captured SSD. Team 4 comes online. An engineer in Team 4 recognizes the XYZData COTS SSD. This particular manufacturer implements a master password to aid customers with forgotten passwords. The engineer accesses the engineering archive, finds the master password, and tests it on one of the sample drives. It works. The battle is over. The attackers now have a way to bypass the password on the captured SSD. Meanwhile, the second dictionary attack running on the captured SSD completes; the password has been discovered. The drive authenticates, and all data contained on the SSD is accessible.

The better scenario

Like scenario 1, an unfriendly nation state gains control of some critical defense equipment. The difference in this scenario is that the captured defense equipment incorporates a Defense Grade SSD. As in scenario 1, the equipment is powered off when captured and the attack team moves the defense equipment to a well-equipped engineering lab to begin reverse engineering and data recovery. When the equipment is powered up, it prompts for a password. The engineers break into teams and proceed with a data recovery plan. The drive is determined to be an SSD manufactured by a company called DG1data. Team 1 downloads a product flyer from the company website, but the full data sheet isn't available online. Team 1 contacts their overseas source and requests the full data sheet and the purchase of 50 SSDs. The next day, the overseas source emails a data sheet and indicates that they are working with DG1data to purchase 50 drives. The engineers review the data sheet and determine that the drive is an encrypting Defense Grade SSD. The data sheet indicates it has multiple key management modes and is FIPS and CC certified. Features of the SSD are described, but there isn't enough technical detail to safely proceed with a full-scale reverse engineering effort.

The engineers don't find a TPM (Trusted Platform Module) in the equipment. The team has never seen a drive like this; it might present a challenge. Team 1 asks the overseas source for additional technical documentation. The overseas contact says that DG1data requested information about end use and asked for an NDA. The source indicates that they are going to need to use other methods to access additional technical data and purchase samples. Meanwhile, Team 2 has completed X-rays of the SSD and decides that disassembly can safely proceed. Once disassembled, the engineers identify a NAND controller, NAND media, power supplies, and several other components. All the Ball Grid Array (BGA) devices are under-filled with a hard opaque epoxy, which will make probing difficult. A rectangular array of pads on the PCB is thought to be the programming points used during SSD production. The PCB has no surface traces; all signals route internally. Team 2 begins collecting high definition X-rays and creates a full PCB netlist of signal traces in the design. Five days pass; no new information is received from the overseas source, but the engineering teams have made progress. Team 1 determined that the drive has an ATA password active, but it was deemed too risky to run a dictionary attack. Defense Grade SSDs have severe penalties; the SSD might erase the NAND media when an authentication failure limit is reached. De-lid of the NAND controller completed without damage, and micro-probing using the netlist has allowed reading the contents of external memories as well as the entire encrypted contents of the NAND media.
