Sanitization of Embedded Network Devices: Investigation of Vendor's Factory Reset Procedures

DEGREE PROJECT IN COMMUNICATION SYSTEMS, SECOND LEVEL
STOCKHOLM, SWEDEN 2015

Sanitization of embedded network devices
Investigation of vendor’s factory reset procedures

MAGNUS LARSSON

KTH ROYAL INSTITUTE OF TECHNOLOGY
INFORMATION AND COMMUNICATION TECHNOLOGY

Magnus Larsson
[email protected]
2015-05-07

Master’s Thesis

Examiner and Academic Adviser
Gerald Q. Maguire Jr.

KTH Royal Institute of Technology
School of Information and Communication Technology (ICT)
Department of Communication Systems
SE-100 44 Stockholm, Sweden

Abstract

Embedded devices such as routers, switches, and firewalls commonly have sensitive information stored on them such as passwords, cryptographic keys, and information about the network around them and services that these device(s) provide. When disposing of or reselling this equipment in the secondary market it is crucial to erase this sensitive information. However, there is an important question that must be asked: Do the erase commands and routines offered by the device manufacturers actually erase the sensitive data?

This thesis investigates methods and tools to determine the completeness of this erasure in some common network devices. These methods are used on a sample of networking equipment found to still contain sensitive information after being erased according to vendor recommendations. A computer program was developed to show how this information can be removed.

The information in this document is useful for equipment owners, brokers and others looking to remarket their current equipment; all of whom want to minimize the risk of leaking sensitive data to other parties.

Keywords

Network device, router, switch, sanitization, forensics, flash, EEPROM, configuration erase, rommon, NVRAM, JTAG, programmer, RS-232, terminal, marker probability in data

Summary (Sammanfattning)

Network equipment such as routers, switches, and firewalls often has sensitive information stored internally, such as passwords, cryptographic keys, information about the network around it, and the services it provides. If this equipment is to be sold on the secondary market or otherwise change owners, it is important that all sensitive information is erased. But can one trust that the erase routines and methods provided by the manufacturer really erase sensitive data?

This thesis investigates suitable tools and methods for examining what information the memories in embedded systems contain. These methods are tested in practice on some systems that turn out to still hold sensitive information after being erased according to the manufacturer’s recommendations. A computer program that demonstrates how this information can be examined and erased is included as part of the thesis.

The information in this document is useful for owners of data communication equipment, brokers of such equipment, and others who want to minimize the risk of leaking sensitive information when reselling their used equipment.

Keywords (Nyckelord)

Network equipment, router, switch, information sanitization, flash, EEPROM, erase configurations, rommon, NVRAM, JTAG, programmer, RS-232 terminal, marker probability in data

Acknowledgments

Thanks to:

Professor Gerald Q. Maguire Jr, for all the valuable feedback and research help. You have the work capacity exceeding a 10 man around-the-clock research department!

My wife Rubi, who hasn’t seen much of me lately. Thanks for your support.

My friend Fahad, for providing feedback and listening to my boring talks about marker search probabilities.

Ganesh and Dave, for keeping me company during all the hours in the Stril Networks lab.

My father Tommy, for giving valuable feedback on how to better explain the math section.

My grandmother Ingrid, who pushed me to eventually finish my degree. I will take you to the diploma ceremony in December!

Thanks also to Tommaso De Vivo at xjtag.com for letting me use your JTAG figures and lending me your JTAG tool.

Stockholm, May 2015
Magnus Larsson

Table of contents

Abstract
  Keywords
Summary (Sammanfattning)
  Keywords (Nyckelord)
Acknowledgments
Table of contents
List of Figures
List of Tables
List of Output Listings
List of Algorithms
List of Erase Procedures
List of acronyms and abbreviations
Conventions
1 Introduction
  1.1 Background
  1.2 Problem definition
    1.2.1 Semantics of the word “erase”
    1.2.2 Semantics of the word “sensitive information”
    1.2.3 Semantics of the word “sanitization”
  1.3 Purpose
  1.4 Goals
  1.5 Delimitations
  1.6 Structure of the thesis
2 Related work and useful technologies
  2.1 Storage media in embedded systems
    2.1.1 Electrically Erasable Programmable Read-Only Memory (EEPROM)
    2.1.2 Non-volatile Random Access Memory (NVRAM)
    2.1.3 Flash memory
  2.2 Methods to inspect and erase nonvolatile memory
    2.2.1 Vendor’s erase procedure
    2.2.2 Configuration overwrite
    2.2.3 Delete and overwrite free space
    2.2.4 JTAG
    2.2.5 Other debug interfaces
    2.2.6 Custom software method
    2.2.7 Hidden debugging console ports
    2.2.8 External memory reader / programmer
  2.3 Previous work and useful information
    2.3.1 U.S. National Institute of Standards and Technology (NIST)
    2.3.2 Analog data remanence of Hard Disk Drives
    2.3.3 Embedded system analysis
    2.3.4 Cisco flash file systems
    2.3.5 Cisco boot sequence and configuration
    2.3.6 Cryptographic Erase
3 Research methods
  3.1 Device platform and erase procedure to be tested
  3.2 Marker generation and the risk for a false positive
  3.3 Configuration and marker injection
  3.4 Configuration erasure
  3.5 Memory recovery and marker search
4 Investigation of sanitization completeness
  4.1 Sanitization of the Cisco 1712 router
    4.1.1 Router overview and exterior interfaces
    4.1.2 Expansion cards: VPN card, ISDN and Ethernet switch
    4.1.3 ROM Monitor (Rommon) memory inspection
    4.1.4 JTAG exploration of the CISCO1712 mainboard
    4.1.5 BDM port access to the CISCO1712
    4.1.6 Using a programmer to access the NVRAM
