Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 360794 times)


Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 4672
  • Country: au
  • Question Everything... Except This Statement
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #675 on: January 27, 2019, 02:19:17 pm »
Physical access is literally impossible to secure against, as if you deal with any external device or interface, you expose yourself, and all it takes is 1 corner case the designers didn't think of out of millions of possible attacks, and they are in, even if they are still trapped in userland; once they're in, they have a wider attack surface and can keep driving the wedge forward.

E.g. a router I just got from a certain ISP will default into the root account of the UI if you give it a username of unicode zero width spaces. It's not null, and it's not ASCII whitespace, but later it gets stripped back to be an empty string, so it ends up getting into a part of the code that it wasn't meant to and I get access to more than I should.
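The ordering bug Rerouter describes, written out as an added example in Go that is not from the post or from any router's firmware: a constructed login check that validates the raw username and only cleans it afterwards, beside a hardened version that canonicalizes first, refuses anything the cleanup would silently change, and has no privileged default. The account table and the rule that an empty cleaned name falls into the root account are assumptions modelling the anecdote.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed example accounts (hypothetical, not any real device's data).
var accounts = map[string]string{
	"root":  "administrator",
	"guest": "read-only",
}

// ErrRejected is returned for any login that is refused.
var ErrRejected = errors.New("login rejected")

// isIgnorable reports whether r is a character a later "cleanup" step would
// drop: Unicode whitespace or a format character such as U+200B ZERO WIDTH
// SPACE (category Cf). Note that strings.TrimSpace does not remove Cf.
func isIgnorable(r rune) bool {
	return unicode.IsSpace(r) || unicode.Is(unicode.Cf, r)
}

// canonicalize strips every ignorable character from s.
func canonicalize(s string) string {
	return strings.Map(func(r rune) rune {
		if isIgnorable(r) {
			return -1
		}
		return r
	}, s)
}

// loginVulnerable models the flaw in the anecdote: the non-empty check runs
// on the raw input, the cleanup runs afterwards, and an empty cleaned name
// falls into the UI's "no user given" default, which here is root (assumed).
func loginVulnerable(raw string) (string, error) {
	if raw == "" { // passes for "\u200b": it is neither "" nor ASCII space
		return "", ErrRejected
	}
	name := canonicalize(raw)
	if name == "" {
		return accounts["root"], nil // default path that was never meant to be reachable
	}
	role, ok := accounts[name]
	if !ok {
		return "", ErrRejected
	}
	return role, nil
}

// loginHardened canonicalizes first, validates the canonical form, and has
// no privileged default: anything that does not name a known account fails.
func loginHardened(raw string) (string, error) {
	name := canonicalize(raw)
	if name == "" || name != raw {
		// Empty after cleanup, or contained characters the cleanup would
		// silently drop: refuse rather than guess what the caller meant.
		return "", ErrRejected
	}
	role, ok := accounts[name]
	if !ok {
		return "", ErrRejected
	}
	return role, nil
}

func main() {
	// Constructed inputs: a normal name, an empty name, two zero-width
	// spaces, and a name with a zero-width space hidden inside it.
	for _, u := range []string{"guest", "", "\u200b\u200b", "ro\u200bot"} {
		v, verr := loginVulnerable(u)
		h, herr := loginHardened(u)
		fmt.Printf("%q: vulnerable=%q (%v)  hardened=%q (%v)\n", u, v, verr, h, herr)
	}
}
```

The general rule the hardened path follows is: normalize once, validate the normalized value, and fail closed when the two differ; a check that runs before normalization is checking a string the rest of the program will never see.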
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 3350
  • Country: hr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #676 on: January 27, 2019, 02:29:58 pm »
That is the old adage in the security business. There is no security without physical security. Once you have access to the physical box...

What I want to say is that this whole "why is it hackable" is overthought.
It is expensive to secure it and it would mean loss of sales. So they don't.

I spoke with people from big T&M manufacturers. They admit they sell mostly low end models with not much options. Also they make money on high end devices, maintenance contracts and such.
These companies are run by classic western businessmen who only look at profit margins. They could release basic software options for free and have minimal negative impact on option sales and probably increased sales of units, because they would be better value. But it is against their "religion".

The Chinese seem to grasp this a bit better. Those who can and need to buy will buy options. Others will either buy nothing or buy the cheapest version if they can unlock it.
And it might be that the MSO5000 is not much more expensive to make than the DS1000Z, and it's triple the price.
And they are happy with that profit margin.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 2013
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #677 on: January 27, 2019, 08:27:38 pm »
They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of mornings' work.

Fungus, this is also not a definitive solution.

After the hack is discovered with JTAG access, etc, etc, a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #678 on: January 27, 2019, 10:32:28 pm »
Fungus, this is also not a definitive solution.

After the hack is discovered with JTAG access, etc, etc, a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1912
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #679 on: January 27, 2019, 10:47:07 pm »
Fungus, this is also not a definitive solution.

After the hack is discovered with JTAG access, etc, etc, a patch could be made so that people can easily install it without requiring JTAG access, or a keygen ;)  could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

But let’s see what happens next.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #680 on: January 28, 2019, 02:22:49 am »
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?
 

Offline Sprite_tm

  • Newbie
  • Posts: 3
  • Country: cn
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #681 on: January 28, 2019, 01:05:55 pm »

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent root may require more engineering power than is wise to spend on Rigol's side.
 
The following users thanked this post: tv84

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #682 on: January 28, 2019, 01:21:32 pm »
I can imagine getting everything so locked up that it's impossible to get persistent root may require more engineering power than is wise to spend on Rigol's side.

Sure, my point was only that it's a lot less difficult to require people to at least open up the case and solder wires to the board if they want to hack it, thus voiding the warranty (or at least creating fear of loss of warranty, depending on local laws).

Checking the digital signature of an update file before installing it isn't difficult. Disabling the command shell access on the Ethernet port isn't difficult either.

Just those two things would reduce hacking by a significant amount.

(and increase Siglent sales proportionally)


nb. I didn't say "prevent" hacking.
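What "only install signed firmware updates" looks like in code, as an added example that is not Rigol's update format or installer: a constructed container of header, payload and Ed25519 signature, and a verifier that checks the framing and the signature before it interprets a single payload byte, which is the point Sprite_tm makes above about data loaded from unsecured storage through parsers that were never meant to see hostile input. The container layout, the magic string and the version rule are assumptions; the key pair is generated inside the example, whereas a real device would embed only the public key and the private key would never leave the vendor.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container magic; not any real vendor's update format.
const magic = "UPD1"

var (
	ErrFormat    = errors.New("update: malformed container")
	ErrSignature = errors.New("update: signature verification failed")
	ErrRollback  = errors.New("update: version older than installed")
)

// Update is the parsed result. Nothing is returned until the signature over
// header+payload has been checked.
type Update struct {
	Version uint32
	Payload []byte
}

// Pack builds a container (vendor side):
//   magic(4) | version(u32 BE) | len(u32 BE) | payload | ed25519 signature(64)
// The signature covers everything before it, so version and length are
// authenticated along with the payload.
func Pack(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	_ = binary.Write(&buf, binary.BigEndian, version)
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// Verify is what the installer runs on a file from untrusted storage (USB
// stick, user partition). Order matters: fixed-size framing checks first,
// then the signature, and only then any interpretation of the payload.
func Verify(pub ed25519.PublicKey, installed uint32, container []byte) (*Update, error) {
	const hdr = 4 + 4 + 4
	if len(container) < hdr+ed25519.SignatureSize || string(container[:4]) != magic {
		return nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(container[4:8])
	n := binary.BigEndian.Uint32(container[8:12])
	body := len(container) - ed25519.SignatureSize // everything that was signed
	if int(n) != body-hdr {
		return nil, ErrFormat // declared length must match what is actually present
	}
	signed, sig := container[:body], container[body:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrSignature // unsigned, modified, or signed by another key
	}
	if version < installed {
		return nil, ErrRollback // assumed policy: no downgrade to older releases
	}
	// Copy so the caller cannot alias the buffer it handed us.
	return &Update{Version: version, Payload: append([]byte(nil), signed[hdr:]...)}, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair; device would hold pub only
	if err != nil {
		panic(err)
	}
	good := Pack(priv, 2, []byte("constructed firmware image"))
	tampered := append([]byte(nil), good...)
	tampered[12] ^= 0x01 // flip one bit of the payload
	cases := []struct {
		name string
		data []byte
	}{{"good", good}, {"tampered", tampered}, {"truncated", good[:10]}}
	for _, c := range cases {
		u, err := Verify(pub, 1, c.data)
		if err != nil {
			fmt.Printf("%-9s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-9s accepted: version %d, %d payload bytes\n", c.name, u.Version, len(u.Payload))
	}
}
```

The design choice worth noticing is that Verify reads only three fixed-width header fields before the signature check, and every one of them is inside the signed region; the payload parser, whatever it is, never runs on bytes the vendor did not sign.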
 

Offline luma

  • Regular Contributor
  • *
  • Posts: 91
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #683 on: January 28, 2019, 03:18:44 pm »
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?
« Last Edit: January 28, 2019, 04:51:27 pm by luma »
 
The following users thanked this post: Sparky, KeBeNe, TopLoser, tcottle, RobBarter, el_man, wulfman, Shodge, sparkv, skip

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2831
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #684 on: January 28, 2019, 06:38:04 pm »
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
On a quest to find increasingly complicated ways to blink things
 

Offline Romain

  • Regular Contributor
  • *
  • Posts: 62
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #685 on: January 28, 2019, 06:55:21 pm »
If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually I think the opposite. Understanding the rationale behind why they have taken a particular approach is critical to being able to keep ahead of them. Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible because humans have taken a particular course of action.
"Your opponent"? Are you serious??
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).
As many pointed out, it is not hard to put in a first level of dissuasion...
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #686 on: January 28, 2019, 06:58:11 pm »
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntarily help the community. We will never know for sure, but it makes no difference anyway).

I agree. It's completely intentional, and not by "lack of care".

There is no "battle", it's just a puzzle for us to figure out how to do it.

(while keeping up the pretense of us being naughty people so they can still sell at full price to big companies, etc.)
« Last Edit: January 28, 2019, 07:00:44 pm by Fungus »
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2831
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #687 on: January 28, 2019, 07:00:11 pm »
Quote
"Your opponent"? Are you serious??

The original quote was

Quote
Knowing how your opponent thinks and behaves is critical in a war.

I did not say Rigol was my opponent, however I'm sorry if you read it that way. It was more a figure of speech. The point I was trying to make is that in many cases security measures are 'got around' by understanding both technical and non-technical aspects of the person/company/organisation that implemented them. Understanding why Rigol has chosen to take a certain path is as important as knowing what they did.
On a quest to find increasingly complicated ways to blink things
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1912
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #688 on: January 28, 2019, 11:20:32 pm »
I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

It wouldn’t be appropriate to discuss that here.
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1912
  • Country: fr
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #689 on: January 29, 2019, 05:07:30 pm »
While we're waiting for Rigol to release a firmware update I stitched together some xray images of the keyboard and main board. Better than the previous ones, I tweaked a few settings. Large images, you can zoom in quite a way...

keyboard
https://www.dropbox.com/s/tjjrnx9i91khw7n/rigol%20kb.png?dl=0

Main board
https://www.dropbox.com/s/asoofgz8equzzc1/rigol%20mb.png?dl=0

« Last Edit: January 30, 2019, 01:16:09 am by TopLoser »
 
The following users thanked this post: Sparky, KeBeNe, ebclr, tv84, Romain, supercilious, sparkv, skip

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 1072
  • Country: gb
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #690 on: January 31, 2019, 05:28:24 pm »

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent root may require more engineering power than is wise to spend on Rigol's side.

Sprite is right.
If the Microsoft budget couldn't prevent the Xbox being hacked, what hope have Rigol of securing a scope?
https://arstechnica.com/gaming/2007/03/8954/
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #691 on: January 31, 2019, 06:11:23 pm »
If the Microsoft budget couldn't prevent the XBox being hacked...

a) The Xbox hacker's budget was proportionally higher, too.  :popcorn:
b) The Xbox was designed to load and execute 3rd party software.

 

Offline Martin72

  • Super Contributor
  • ***
  • Posts: 1746
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #692 on: January 31, 2019, 10:02:33 pm »
Guessing the 5074 is outselling the other models.  TEquipment, could you tell us if Rigol accidentally left their devices very insecure or was it deliberate?

What do you want? A definitive statement from the head of Rigol?  :-//

I'd just ask them, together with other questions.
These questions were answered; the "special one" was ignored.

Offline JohnT

  • Contributor
  • Posts: 8
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #693 on: February 01, 2019, 12:08:11 am »
Can someone please offer some input on a concern? I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.
 

Offline maginnovision

  • Super Contributor
  • ***
  • Posts: 1961
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #694 on: February 01, 2019, 12:28:29 am »
Can someone please offer some input on a concern? I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

It's entirely possible it's broken later. Don't buy it NOW for a guarantee you can keep it hacked once the larger bugs are worked out.
 
The following users thanked this post: TopLoser, JohnT

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11910
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #695 on: February 01, 2019, 01:00:43 am »
Can someone please offer some input on a concern? I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it.

>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

What you do is wait a few hours for somebody to patch the new firmware so it won't lock up your 'scope.

But it's not going to happen. If Rigol ever does that their sales will die off overnight.
« Last Edit: February 01, 2019, 09:55:46 am by Fungus »
 

Offline JohnT

  • Contributor
  • Posts: 8
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #696 on: February 01, 2019, 01:25:25 am »
Fungus, I like your optimism and outlook, but $1000 is a lot of money for me to not be certain. I am a little concerned that Rigol are displeased with all the goings-on, as they attempted a fix by updating the password recently. I was hoping that the username/password would remain unchanged on a given scope regardless of later firmware updates, but that seems not to be the case based on Maginnovision's input. Another concern is denial of being able to roll back the firmware to an older version should a newer firmware prove a pain to hack. I guess all bets are off when you tinker.
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2831
  • Country: nz
  • D Size Cell
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #697 on: February 01, 2019, 02:15:50 am »
If you are worried about an update, just don't update it until the collective borg has dealt to it.  Seriously, it's only going to be a matter of a few days at worst.

On a quest to find increasingly complicated ways to blink things
 

Offline The Doktor

  • Regular Contributor
  • *
  • Posts: 82
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #698 on: February 01, 2019, 02:53:04 am »
Can someone please offer some input on a concern? I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it.

They stopped the hack on 1 of their spectrum analyzers a while back.
 
The following users thanked this post: egonotto, supercilious, JohnT

Offline JohnT

  • Contributor
  • Posts: 8
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #699 on: February 01, 2019, 03:21:23 am »
If you are worried about an update, just don't update it until the collective borg has dealt to it.  Seriously, it's only going to be a matter of a few days at worst.
So true. I was feeling a little rushed to buy a potentially buggy (manufacturing maturity, hardware and software) product that I believe was released only two months ago. I think now I'll be waiting on this purchase to see how its hackability evolves over time. 'The Doktor' just commented that they stopped a hack on a spectrum analyzer a while back, so I may be taking a gamble waiting.
 

