Hacking the Rigol MSO5000 series oscilloscopes

[Rerouter]

physical access is literally impossible to secure against, as if you deal with any external device or interface, you expose yourself, and all it takes is 1 corner case the designers didn't think of out of millions of possible attacks, and they are in, even if they are still trapped in userland, once there in, they have a wider attack surface and can keep driving the wedge forward.

E.g. a router I just got from a certain ISP will default into the root account of the UI if you give it a username of unicode zero width spaces. Its not null, and its not ascii whitespace, but later it gets stripped back to be an empty string, so it ends up getting into a part of the code that it wasn't meant to and I get access to more than I should.

[2N3055]

That is the old adage in security business. There is no security without physical security. Once you have access to physical box ....

What I want to say is that this whole "why is it hackable" is overthinked.
It is expensive to secure it and it would mean loss of sales. So they don't.

I spoke with people from big T&M manufacturers. They admit they sell mostly low end models with not much options. Also they make money on high end devices, maintenance contracts and such.
These companies are run by classic western businessman, that only look at profit margins. They could release basic software options for free and have minimum negative impact on option sales and probably increased sale of units, because they would be better value. But it is against their "religion".

Chinese seem to grasp this a bit better. Those who can and need to buy will buy options. Others will either buy nothing or buy cheapest version if they can unlock it.
And it might be that MSO5000 is not much more expensive to make than DS1000Z, and it's triple the price.
And they are happy with that profit margin.

[tv84]

They don't have to make it 100% secure, they just have to make it so you have to at least open it up and solder JTAG wires to the PCB to reprogram it (or whatever). That would reduce hacking massively and could probably be done with a couple of morning's work.

Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen   could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

[Fungus]

Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen   could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).

[TopLoser]

Fungus, this is also not a definitive solution.

After the hack being discovered with a JTAG access, etc, etc, a patch could be done so that people can easily install it without requiring JTAG accesses, or a keygen   could be generated and there goes the neighborhood...

Once you have the capability to install FW updates and the FW is decompiled/decrypted it's extremely difficult to make it secure.

They could start shipping them with a firmware that will only install signed firmware updates. That would prevent users from simply loading a modified firmware (at least for the first time).

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

But let’s see what happens next.

[Fungus]

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

[Sprite_tm]

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigols side.

[Fungus]

I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigols side.

Sure, my point was only that it's a lot less difficult to require people to at least open up the case and solder wires to the board if they want to hack it, thus voiding the warranty (or at least creating fear of loss of warranty, depending on local laws).

Checking the digital signature of an update file before installing it isn't difficult. Disabling the command shell access on the Ethernet port isn't difficult either.

Just those two things would reduce hacking by a significant amount.

(and increase Siglent sales proportionally)


nb. I didn't say "prevent" hacking.

[luma]

If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

[mrpackethead]

If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually i think the opposite. Understanding the rationale behind why they have taken a particular approach is critial to being able to keep ahead of them.    Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible becuase Humans have taken a particular course of action. 

[Romain]

If I might make an observation - short of Rigol jumping on this forum and explaining exactly what their stance is w/r/t hacking their products, everything else is just idle speculation and contributes essentially nothing to the larger effort. Everyone has an opinion, but none of it matters in the end.  They're going to do what they're going to do in future releases and our guesses about the rationale won't better prepare us to deal with new approaches for firmware mods when new firmware releases land.

The S:N here is getting pretty deep into the noise end of the spectrum and the issue will never be definitively answered without Rigol telling us directly, so can we maybe just put the issue to rest and get on with hacking the scope?

Actually i think the opposite. Understanding the rationale behind why they have taken a particular approach is critial to being able to keep ahead of them.    Knowing how your opponent thinks and behaves is critical in a war. 90%+ of 'hacking' is possible becuase Humans have taken a particular course of action.

"Your opponent"? are you serious??
Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntary help the community. We will never know for sure, but it makes no difference anyway).
As many pointed out, it is not hard to put a first level of dissuasion...

[Fungus]

Rigol is actually on *our* side by not putting the effort into securing their scopes (and yes it is INTENTIONAL, whether it is by lack of care, or to voluntary help the community. We will never know for sure, but it makes no difference anyway).

I agree. It's completely intentional, and not by "lack of care".

There is no "battle", it's just a puzzle for us to figure out how to do it.

(while keeping up the pretense of us being naughty people so they can still sell at full price to big companies, etc.)

[mrpackethead]

"Your opponent"? are you serious??

The orignal quote was

Knowing how your opponent thinks and behaves is critical in a war.

I did not say Rigol was my opponent, however i'm sorry if you read it that way.   It was more a figure of speech.   The point i was trying to make is that in many cases security measures are 'got around' by understanding both technical and non-technical aspects of the person/company/organisation that implemented then.   Understanding why Rigol has choosen to take a certain path, is as important as knowing what they did.

[TopLoser]

I’m tempted to say that if Rigol employed you as their security expert they would end up with a product just as exposed as the one they are already shipping...

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

It wouldn’t be appropriate to discuss that here.

[TopLoser]

While we're waiting for Rigol to release a firmware update I stitched together some xray images of the keyboard and main board. Better than the previous ones, I tweaked a few settings. Large images, you can zoom in quite a way...

keyboard
https://www.dropbox.com/s/tjjrnx9i91khw7n/rigol%20kb.png?dl=0

Main board
https://www.dropbox.com/s/asoofgz8equzzc1/rigol%20mb.png?dl=0

[voltsandjolts]

Maybe you could point out the errors?

How would a signed-firmware-only requirement fail to prevent users from loading modified firmware?

To be fair, in theory root-of-trust and signed firmware should indeed stop all software-based attacks from happening when implemented 100% correctly, so you're right there. On the other hand, in practice it never seems to be implemented 100% well: there's data loaded from unsecured sources (e.g. the user partition) using insecure parsers, network connectivity is implemented badly, there's a bug in partition checking code, you name it. I'll not go into the personal-attack-y bits of the conversation between you two, but I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigols side.

Sprite is right.
If the Microsoft budget couldn't prevent the XBox being hacked, what hope have Rigol of securing a scope.
https://arstechnica.com/gaming/2007/03/8954/

[Fungus]

If the Microsoft budget couldn't prevent the XBox being hacked...

a) The Xbox hacker's budget was proportionally higher, too. 
b) The Xbox was designed to load and execute 3rd party software.

[Martin72]

Guessing the 5074 is outselling the other models.  TEquipment could you tell us if Rigol accidently left their devices very insecure or was it deliberate?

What do you want? A definitive statement from the head of Rigol? 

I´d just ask them, together with other questions.
These questions were answered, the "special one" was ignored.

[JohnT]

Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

[maginnovision]

Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?
>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

It's entirely possible it's broken later. Don't buy it NOW for a guarantee you can keep it hacked once the larger bugs are worked out.

[Fungus]

Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hackability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..

>>The concern here would be not having access to future bug fixes or feature improvements without unhinging the full feature workaround if this hack is patched in later firmware updates.

What you do is wait a few hours  for somebody to patch the new firmware so it won't lock up your 'scope.

But it's not going to happen. If Rigol ever does that their sales will die off overnight.

[JohnT]

Fungus, I like your optimism and outlook but $1000 is a lot of money for me to not be certain. I am a little concerned that Rigol are displeased with all the goings on as they attempted a fix by updating the password recently. I was hoping that the username/password would remain unchanged on a given scope regardless of later firmware updates but that seems not to be the case based on Maginnovision's inputs. Another concern is denial of being able to roll back the firmware to an older version should a newer firmware prove a pain to hack. I guess all bets are off when you tinker.

[mrpackethead]

If you are worried, about an update, just dont' update it untill the collective borg has dealt to it.  Seriously its only goign to be a matter of a few days at worse.

[The Doktor]

Can someone please offer some inputs on a concern, I am really interested in this scope but only with the 'workaround' in place.

If a current MSO5000 scope can be made full featured by logging in with a given username/password (i.e. this hack), will it always be the case even if I'd want to update the firmware in the future?

99.999% yes. "Hacability" is a Rigol sales technique and has been for many years. They've never made the slightest effort to prevent it..

They stopped the hack on 1 of their spectrum analyzers a while back.

[JohnT]

If you are worried, about an update, just dont' update it untill the collective borg has dealt to it.  Seriously its only goign to be a matter of a few days at worse.

So true. I was feeling a little rushed to buy a potentially buggy (manufacturing maturity, hardware and software) product that I believe was released only two months ago. I think now I'll be waiting on this purchase to see how it's hackability evolves over time. 'The Donktor' just commented that they stopped a hack on a spectrum analyzer a while back, so I may be taking a gamble waiting.