Hacking emSecure?

On October 24th of 2021, we were contacted by the Moscow-based security company BI.ZONE Research Lab.
BI.ZONE is a security research firm, checking software and computer systems for vulnerabilities.
They were trying to find weaknesses in J-Link.

What they found

They told us they know J-Link because they use it extensively in their work and also for hobby projects (J-Link EDU).
It turned out they did a really good job of analyzing the firmware update procedure and found that we use emSecure to protect J-Links against firmware modifications and cloning. They concluded:

“The vendor’s focus is on preventing the mass cloning of devices … we have not found any vulnerabilities during our research that would enable the creation of … fake devices …”

They did, however, find two weak spots:

  1. The firmware is protected by a digital signature, but the first part of it, which contains the interrupt vectors and the firmware identification string, is not. The license features, stored in a dedicated area of memory, are not protected by a digital signature either.
  2. The combination of these allows downloading a “hacked” firmware with a piece of code in the unprotected part that can reprogram the license features and add licenses.

They opened a discussion with us in order to give us the opportunity to address this. We added a feature check to the PC software, to recognize a J-Link EDU with a modified license.
In the email discussion, we eventually agreed with them that this is more of a weakness in the licensing system than a security issue.

Why we’re not worried

When designing the J-Link, we saw no need to protect the licenses in the J-Link.
Our business model is primarily trust based. We are aware that in some cases, J-Link EDUs are used for commercial development by some of our customers. The same applies to Embedded Studio, our IDE.
Embedded Studio is covered by SEGGER’s Friendly License, which means that it can be used free of charge for non-commercial purposes, including education. We know that this can be abused and we are aware that sometimes it is, unfortunately. However, we trust our customers and don’t want to change this model. We do not want to take away a great piece of software from students and hobbyists around the world.
With that said, we don’t like the perception of “Vulnerabilities in J-Link licensing system” so we will eliminate it in a new revision of J-Link.

Conclusion

BI.ZONE Research Lab has been very fair and ethical in their research and in their discussions with us.
We are impressed with what they have done and their level of analysis.

This also reaffirms that everything protected by the digital signature cannot be modified, so both the clone check (“anti-cloning”) and the firmware integrity check work well.

emSecure is like a good vault: Everything protected by it is safe and sound. But if you put things on top of the vault instead of into it, i.e. do not include them in the signature check, then they are not protected.

We learned one good lesson from all of this:
It is best to protect everything in an Embedded System by a digital signature, not just the parts you feel are most valuable. Or in our vault analogy: Put all valuables into the safe, not just the crown jewels.
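The two weak spots listed above and the lesson drawn from them come down to one question: which bytes of the image does the signature actually cover? The following added example (not SEGGER code, not emSecure, and not J-Link's real memory layout) makes that concrete with a constructed image of three regions: a header standing in for the vector table and identification string, the firmware body, and a license area. It signs the image under two coverage policies, body-only and whole-image, then changes a single byte in each region after signing and reports whether verification notices. FNV-1a is used as a stand-in for the signature purely to keep the example self-contained; it provides no authenticity, and the conclusion about coverage holds unchanged for a real signature over the same byte range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed image layout (an assumption for this example, not J-Link's
 * real memory map): a header standing in for the vector table and
 * identification string, the firmware body, and a license area. */
#define HDR_SIZE   16
#define BODY_SIZE  32
#define LIC_SIZE    8
#define HDR_OFF     0
#define BODY_OFF   (HDR_OFF + HDR_SIZE)
#define LIC_OFF    (BODY_OFF + BODY_SIZE)
#define IMG_SIZE   (LIC_OFF + LIC_SIZE)

typedef struct {
    uint8_t  img[IMG_SIZE];  /* flash contents */
    uint64_t tag;            /* stored "signature" over the covered region */
} image_t;

/* Which byte range the signature covers. */
typedef struct { size_t off; size_t len; } coverage_t;

/* The two policies compared: body-only (the weak spot described in the
 * post) and whole-image (the lesson drawn from it). */
static const coverage_t COVER_BODY_ONLY = { BODY_OFF, BODY_SIZE };
static const coverage_t COVER_WHOLE     = { 0, IMG_SIZE };

/* 64-bit FNV-1a as a stand-in for emSecure's signature. It is not a
 * signature and gives no authenticity; coverage, not the primitive, is
 * what this example is about. Each step XORs one byte and multiplies by
 * an odd constant, so a single-byte change inside the hashed range always
 * changes the output, which keeps the demonstration deterministic. */
static uint64_t digest(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static void image_sign(image_t *im, coverage_t c)
{
    im->tag = digest(im->img + c.off, c.len);
}

static int image_verify(const image_t *im, coverage_t c)
{
    return im->tag == digest(im->img + c.off, c.len);
}

/* Build a constructed image: patterned header, patterned body, and a
 * license area whose first byte holds the feature bits (one feature set). */
static void image_build(image_t *im, coverage_t c)
{
    memset(im, 0, sizeof *im);
    for (size_t i = 0; i < HDR_SIZE; i++)  im->img[HDR_OFF + i]  = (uint8_t)(0xA0 + i);
    for (size_t i = 0; i < BODY_SIZE; i++) im->img[BODY_OFF + i] = (uint8_t)(0x10 + i);
    im->img[LIC_OFF] = 0x01;
    image_sign(im, c);
}

/* Returns 1 if verification under policy c rejects an image whose byte at
 * `offset` was changed after signing, 0 if the change goes unnoticed. */
int tamper_detected(coverage_t c, size_t offset)
{
    image_t im;
    image_build(&im, c);
    im.img[offset] ^= 0xFF;          /* a single post-signing change */
    return !image_verify(&im, c);
}

int main(void)
{
    struct { const char *name; size_t off; } spots[] = {
        { "vector table / id string", HDR_OFF },
        { "firmware body",            BODY_OFF + 3 },
        { "license area",             LIC_OFF },
    };
    for (size_t i = 0; i < 3; i++) {
        printf("%-26s body-only: %-10s whole-image: %s\n", spots[i].name,
               tamper_detected(COVER_BODY_ONLY, spots[i].off) ? "detected" : "UNDETECTED",
               tamper_detected(COVER_WHOLE, spots[i].off)     ? "detected" : "UNDETECTED");
    }
    return 0;
}
```

Under the body-only policy, a change to the header or the license area passes verification, which is exactly the gap the two weak spots describe; under the whole-image policy every region is covered and the same change is rejected. The design point for a verifier is therefore to define the signed range as "everything the device will execute or trust", and to treat any byte outside that range as attacker-controlled.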

Here is the link to the article on the BI.ZONE Research Lab web site, which is very detailed and certainly worth reading.

Stay safe & secure!