Schneier on Security

Clive Robinson • November 18, 2022 2:23 PM

@ ALL,

The problem arises because TTE does something incredibly dumb.

It takes an existing and well established technology that has a “channel” (MAC destination address) that has no “in-band-signalling” and forces it to have “in-band-signalling” (Two fields TTE specific fields of, Critical Trafic Marker and Virtual Link ID). BUT lays no requirment on equipment designed with the existing protocols of “no in-band-signalling” to be upgraded to “With in-band-signalling” so the stable door is left open.

I’ve discussed in-band-signaling and out-of-band-signalling[1] on this blog a number of times in the past and highlighted a number of issues that arise. Overloading an established specification without requiring all parts of a system to recognise the overload is a fairly obvious and basic mistake.

The fact the TTE spec alows this is realy stupid as it’s a know way for vulnerabilities to occure thus exploits to happen.

In this case the little “pinch of magic” used to exploit it is something else I’ve discussed on this blog in the past and it’s “EM Active Fault Injection” that I discovered and researched back in the 1980’s to attack the likes of electronic wallets and pocket gambling machines. I’ve even described how to get signals to get from wire to wire inside a shielded and supposadly issolated piece of equipment…

Fun side note : The self oscilating single transistor circuit they show, I used back in 1977 to make what you might call a “light-saber”. I’d originally used a relay wired in self oscilating mode and an autotransformer that I’d made as a highly illegal “Spark Gap Transmitter” but it sucked power from the bateries. I made the saber using the rubber handle from a wheel barrow and a three foot fluorescent tube –instead of the spark gap– with a thin return wire running down the outside of the tube I glued in place with my then favourit glue “evostic”, and then slid a clear plastic tube over the florescent tube (obtained from Transalantic Plastics in Surbiton). As it was a very high voltage there was no real current so I used 40AWG wire. Also because the tube was “directly struck” I did not have to use the heater wires, so it would not burn out. My fellow students at school thought it was rather good, not so the physics master a Mr Mugglton who realised it’s “high-voltage stops heart” potential, as well as the RF noise it generated wiped out near by radios and took the Victorian attitude of “We are not amused”.

[1] The simplest examples most programmers know are “C-Strings” that use 0x00 for inband signalling to indicatecthe end of a string and “Pascal-Strings” that use an out of string byte that has the stringlength in it. Some also know the nightmares that occure with C-strings when that inband signal gets misused or lost by a bit flip etc. It’s the basis of many serialization issues resulting in errors that are infact vulnerabilities that then only require an exploit to be developed ranging from an annoying denial of service attack to a full take over…