InTechnology Podcast

How to Blow Up Hair Dryers with a Walkie-Talkie—And Other Hardware Hacking Superpowers (203)

In this episode of InTechnology, Camille gets into hardware attacks with Maggie Jauregui, a hardware security researcher at Intel. The conversation covers the physics of hardware hacking and how teams like iSTARE are getting proactive about hardware security.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our host Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

The Physics of Hardware Hacking

Camille and Maggie kick off the conversation by talking about Maggie’s joy, its roots in her Latin American heritage, and how she carries that joy into her work as an engineer. This joy also sparked her interest in hardware hacking when she used a walkie-talkie to hack a hair dryer via radio frequency. Maggie then explains how coupling an understanding of physics with a natural curiosity to use things in ways they’re not supposed to be used is key to hardware hacking.

She and Camille then explore the physics of hardware hacking. This includes aspects like temperature, light, and electromagnetism. Maggie also breaks down how transistors and semiconductors work, explaining how the electric currents in them are manipulated with the use of different elements. Elements with three or five electrons are used in processes known as P-doping or N-doping to motivate the electrons to flow in desired directions, creating a current.

iSTARE and Proactive Hardware Security

Maggie then shares what iSTARE and the greater hardware security community are up to. Her work with iSTARE looks at advanced hardware attacks with Intel product teams to proactively research and attack hardware before it even comes to market. Maggie also cites examples of other interesting hardware attacks she’s seen, such as the Ben-Gurion labs’ work with acoustics. When it comes to the potential for remote hardware attacks, Maggie says they’re possible with a strong enough electromagnetic field, but the most destructive attacks still require physical proximity. Ultimately, she remains positive in her outlook for hardware hacking and hardware security thanks to the proactive work from iSTARE and other hardware researchers.

Maggie Jauregui, Hardware Security Researcher at Intel

Maggie Jauregui is a Hardware Security Researcher for Intel’s Security Threat Analysis and Reverse Engineering team or iSTARE. She has been with Intel since 2010, serving in a variety of security research roles, working with groups including the Programmable Solutions Group, the Security Platform Enhancement & Advanced Research team, the Platform Armoring & Resiliency team, the Data Computing Group, the Mobile Computing Group, and the Visual Computing Group. Maggie is also on the Black Hat review board and President of Security BSides Portland. She has presented at conferences including DEF CON, Black Hat, and CanSecWest. Maggie earned a bachelor’s degree in Computer Science from Tecnológico de Monterrey.


Maggie Jauregui  00:11

Nature is unpatchable, right, because we didn’t code it. It obeys its own laws. Our platforms are made of metal and wires and temperature will always affect it. And for the foreseeable future, the way our platforms and our devices work, this will always be a thing.

Camille Morhardt  00:27

Hi, and welcome to the InTechnology podcast. I’m your host, Camille Morhardt. And today I’m going to talk about hardware attacks with Maggie Jauregui. She’s a hardware security researcher–that means hacker–for Intel’s Security Threat Analysis and Reverse Engineering team, or iSTARE as they call themselves. This team was written up in Wired Magazine, which described their work as “analyzing and attacking Intel’s future generation of chips,” which she will talk more about. Maggie also sits on Black Hat’s Review Board, and she’s the president of security B-Sides Portland, Oregon, which is the nonprofit that puts together B-Sides PDX. She also shares her research in conferences like DEF CON, Black Hat, and CanSecWest, as well as others around the globe.

One thing that I am particularly interested in having her on for is because she’s known in the community as being great at communication, in addition to security research, and that can be rare in the field. She’s also friendly, accessible, and extraordinarily clever, which you’ll find out when we have a conversation. She also makes art out of computer hardware surprise, and maybe she’ll give us a glimpse of what she’s working on. If you’re listening to this on audio, I would suggest at some point clicking on Intel’s main channel of YouTube, so you can see what some of this amazing art that she builds herself is. Welcome to the podcast, Maggie.

Maggie Jauregui  02:01

Thank you so much for having me, Camille. That was a lovely intro.

Camille Morhardt  02:05

Well, one thing I was hoping that you might share with us is the keynote that you gave at Ekoparty in Argentina a couple of years ago, where you spoke about your secret superpower, joy, which you also attribute to Latin American culture. Can you tell us a little bit about how you think about those things? And how you put that together?

Maggie Jauregui  02:29

Absolutely. It was such an honor for me to a) be able to give a keynote in Spanish and to a Latin American community. And I spoke about both the challenges and the advantages of being Latin American in this industry specifically, because a lot of times it seems like a big challenge. It seems like there’s a language barrier and there’s a distance barrier. There’s also discrimination and just culturally, we tend to be a little more, “Yeah, whatever you say,” right. But I’ve found being Latin American to be actually one of my biggest advantages in my career, just our joy. And it might sound weird. But that was one of the things that I kind of butted heads with a lot in the industry in the beginning, because I felt like joy was kind of unacceptable in the workplace. Like, if you are a happy person, you are not serious about your job, you are not competent and you know, you might as well leave. But I learned recently that the cocktail of hormones that creates stress, or like a stressy environment–which are adrenaline, cortisol, and epinephrine–actually impairs memory, interferes with decision making, and it makes you lose focus. So if I’m a stressed engineer, I am a worse engineer, I’m a stupid person. And if I’m happy, if I manage to find a way to be excited and engaged, then we get to the other cocktail of hormones, which are dopamine, serotonin and oxytocin, that actually improve memory, that enhances decision making, and improves focus. So I am a smarter, I am the best engineer that I can be when I’m happy. And that has been the number one priority in my career, just leaving my house happy and coming back home happy and excited.

And I think as Latin Americans, we are kind of the life of the party, whether we want to or not in that big advantage. It also kind of gives permission for other people to be happy and relaxed and throw ideas out there and have I guess, maybe the courage to not feel stupid and throw something out there. Think outside the box. Also ingenuity, oh my gosh, Latin Americans, the things that they will come up with, they’ll fix a car with a hanger, they’ll take some of the stickers that are used as promo for just politics and things and meme-ify them and rearrange the letters and make funny jokes, stick it on their cart. And it’s one joke after the other. It’s amazing and that creativity is very useful in our field.

There’s a lot of camaraderie and like genuine wanting to build a community. It’s served me well in my career. So I wanted to, to highlight the things that have helped me then kind of my Latin superpowers there at Ekoparty. And I also did a little workshop for PCB art. Let me see if I have it here. We did the logo for that year in PCB.

Camille Morhardt  05:34

Describe what that is, if somebody’s listening to the audio version of the podcast.

Maggie Jauregui  05:38

Yes, so this is a little round PCB board or like a little motherboard. And I used the different layers in the PCB to create a graphic image. I use the copper layer as the layer that prints out the words, and it’s the shape of the logo of Ekoparty for a couple of years ago–it was like a Doge dog with glasses and a rocket speeding around it.

Camille Morhardt  06:03

That’s very cool.

Maggie Jauregui  06:04

In hacker conferences, when you buy your ticket, you get a badge. And so instead of it being like your name badge or something, it’ll be a little motherboard that can sometimes turn on lights and/or do something. So part of why I do this is creating badges for conferences. I’ve created a few for B-Sides and for other projects as well. That’s kind of where my motivation comes from.

Camille Morhardt  06:29

So, Maggie, earlier in your career, you actually demonstrated how to hack a piece of hardware–in this case, a hairdryer–with the frequency through the air–radio frequency–using a walkie talkie. Can you please describe that? (laughs)

Maggie Jauregui  06:45

That was a few years prior during DEF CON; it was my first ever technical presentation and I kind of loved that my first ever technical presentation was on the stage of the largest hacker conference, blowing up hair dryers with a walkie talkie. I figured out kind of by accident that I could explode and permanently disable the protection that the plugs of hair dryers have so you don’t electrocute yourself by accident with a hairdryer.

Camille Morhardt  07:13

Like the surge protectors.

Maggie Jauregui  07:16

Exactly. It measures the current going in and the current going out. If it notices a tiny delta, then it’ll electromechanically open the circuit and turn it off. So I had a friend that was really excited about walkie talkies, and he got his walkie talkies and got me a bunch of batteries and one time we were going out and I thought I heard the thing buzz, tried to call him back. Nothing. So I went to the bathroom where I was getting ready and doing my hair. I pressed the call button. And when I pressed the call button, the plug on my hairdryer vibrated furiously, exploded, and smoked. And I was like, “What?”

So I went to just any Goodwill I could find and bought a bunch of hair dryers and tried it again and again and again and learned that I was, in fact, inducing current onto the hairdryer from the walkie talkies with radio waves. And this works not only on hairdryers it works also in the circuit breaker and your circuit breaker box in your house. AFCIs instead of GFCIs. Same kind of mechanism so you can turn off somebody’s lights. And this is kind of what got me started on “hardware hacking is fun.”

Camille Morhardt  08:26

How does this work? Are you telling me if I bring a walkie talkie into my bathroom and turn it on, the hairdryer could explode? Or did you jig or something?

Maggie Jauregui  08:34

Not the hairdryer itself but the plug. The solenoid, the specific mechanism that protects you from potentially electrocuting yourself, might explode. And it depends, I think the newer ones would not and the patented ones, but the older ones did. So if it’s a cheap hairdryer, most likely.

Camille Morhardt  08:53

Okay, so from hairdryer hardware, then after that you also did another keynote where you actually dealt with frequencies and giving power to a server that was no longer plugged in. Can you explain that one?

Maggie Jauregui  09:09

Moving from GFCIs was how can I affect a platform with a radio. So same kind of idea of using the electromagnetic fields of radio waves on a platform, I was able to modify the sensors, the temperature sensors, and make the fans go crazy. For example, I could power surge a machine and turn it off. But a machine that was turned off and not even plugged into the wall, I could induce current through the power source onto the rails of the platform. So in that sense, it’s like the platform was plugged in but the platform wasn’t on per se.

But that’s part of the hacker mentality of “what can I do that’s not supposed to be used this way? We’re probably not supposed to be using radios to mess with platforms.” And in this vein of thought there’s also toothpick attacks, which are kind of one of my favorite types of attacks of how can you use things that are cheap and easily accessible? How can you make a system be in a state in which it doesn’t expect to be? Because the platform never expects to be off, but with power to the components on the board.

Camille Morhardt  10:18

So what is the toothpick experiment?

Maggie Jauregui  10:32

So for example, on an EPROM device, they’re Erasable Programmable Read-Only Memory. So if you know the specific fields, where there is a crypto key or password or something, what people have done is to put like a clear duct tape over it, and color it with an erasable marker, and then go in with a toothpick and erase only the fields that they want to erase, and then shine a light on it; you don’t compromise the integrity of the whole thing, you just erase the fields that you want to erase, and then you can re-program your own password or key. Some people use conductive glue instead of a FIB, some people use laser pens to perform attacks. Attacks are getting cheaper. And if you know the fundamental physics, the principles that govern how matter works, then it doesn’t have to be a scanning electron microscope that costs a million dollars, maybe you can do things in a much cheaper, easier way.

Camille Morhardt  11:26

Can you tell us a little bit more about physics behind that?

Maggie Jauregui  11:30

So it’s everything, right, from temperature and how that affects conductivity. And being able to observe, maybe what components are heated up at a given time can give you ideas of the flow of execution of a system. Light is able to conduct electricity, as well, and we can use things like lasers to make certain input and do fault injection attacks as well. Rowhammer, for example, used accessing the same memory cells over and over again, to cause EM interference. So electromagnetism, and finding ways to mess with that because not only does current create an electromagnetic field, but an electromagnetic field can induce a current too, the way I was doing with radios, for example.

Cold boot attacks, like memory cells maintain their contents, after you turn off a platform, from a few seconds to up to a few minutes with residual power that’s still there. So if you get it fast enough and freeze it, then you’re able to access things that you shouldn’t be able to access when a platform is off, right? And depending on what platform that is and what information is in there that might be very valuable information.

So I like to think that nature is unpatchable, right? Because we didn’t code it. It obeys its own laws. Our platforms are made of metal and wires and wires are little antennas. So temperature will always affect it. And for the foreseeable future, the way our platforms and our devices work, this will always be a thing. And of course, there are things that we can do about it, right? This is why teams like iSTARE exist because you can add canaries or redundancy or encryption or different types of fuses and things to make it harder. I always say that there’s no such thing as security, just varying degrees of insecurity. So what we’re trying to do is to raise the bar.

Camille Morhardt  13:20

Can you give us like a 101 in a couple minutes on “what is electromagnetism? And how do computers use it?”

Maggie Jauregui  13:28

So, electromagnetism is actually one of four fundamental forces of nature; we have gravity, we have electromagnetism, and then we have internal atomic forces. And EM fields are not only related to our electrical or electronic devices; they are things that occur in nature. Our planet is a big magnet with its electromagnetic fields, our hearts and our brains have electromagnetic fields. Our nerves work by sending electrical signals that transmit information to each other. So we have harnessed the power of electromagnetism to communicate.

Electromagnetism is the way magnetic and electrical forces work together in a very specific way. Where if the electrical field is going one way, and the magnetic field is going in one direction, then our current will flow one way. We flip the magnetism then it’ll flow the other way. And that is kind of magic to me, still, like after years of studying it, it’s just the way that matter works.

Camille Morhardt  14:39

So you can change the direction of the current depending on if you can flip the direction of the magnet. What are you doing with that?

Maggie Jauregui  14:46

Then you would be able to change it, for example, AC current. It’s flipping sides, it’s going positive, negative. And that’s why our wave goes up and down.

Camille Morhardt  14:56

And DC current?

Maggie Jauregui  14:57

DC current just goes one way.

Camille Morhardt  14:59

Right, AC, alternating and direct current. Okay, going back. And I haven’t thought about this in a long time and yet, it’s how all of our compute systems run. Can you explain what a transistor is?

Maggie Jauregui  15:13

Of course! It’s one of the most revolutionary inventions on the planet; it really has transformed the way humans live and how humans communicate. I think maybe you are also from my time before computers were a widespread thing where, you know, you have to pay a lot of money per minute for a phone call. And if it was long distance, like forget about it right? Now, we are so connected, and we’re using silicon, a semiconductor that is almost 30% of Earth’s crust. So we’re using crystals and the forces of nature electromagnetism to communicate.

A semiconductor can be either a switch, a zero or a one, or an amplifier. They were initially used for radios to amplify, like radio signals, so we could hear it from far away. We use them more as switches now in platforms. Our systems are managing a bunch of information to load all the firmware, all of the software that we run, and all the operations we’re asking it to do. So being able to do zeros and ones is the name of the game pretty much. And the semiconductors are interesting elements, because there’s something considered metalloids—they’re between the metals and the insulators. And they can, under certain circumstances, conduct electricity. And what we’ve done is we have “doped” them with other elements, in order to motivate them to move in a specific direction. And when we apply a small amount of current or field of electricity, then they turn on. So we can decide when they’re on and when they’re off. And that’s what gives us the ability to compute.

Camille Morhardt  17:10

And so these metalloids are like an example is silica, right? I’m just looking at the periodic table of the elements right now. And then another one, you said the first transistors with what’s it called?

Maggie Jauregui  17:11

Germanium.

Camille Morhardt  17:12

Germanium, okay. And then what you’re doing is whether the electrons are more or less stable, those ones, depending on how they’re binding with what you’re saying you’re doping with some. What are some of the other elements that you would dope with to create like an unstable or more stable position for the electrons?

Maggie Jauregui  17:31

So silicon has four valence electrons–which means if it’s a little electron, then it has two on the top and bottom and two on the sides. And when they join with other silicon electrons, they kind of hold hands. Electrons like to be in pairs–they’re in pairs at the top and the bottom and the sides; and they’re happy, they’re stable. They have their little net, they’re not missing anything, they don’t have anything extra.

In order to motivate them a little more to have movement of electrons, we will dope them with elements that have three or have five. So if silicon has four, we’ll dope pieces of it with the elements of Group 13 with three, and that’ll create a hole or a space where somebody is missing a handshake, and somebody wants to fill this electron spot. Even though all of the atoms are stable, and they have the same number of electrons and protons, there is that missing pair that it would like to bond with. So in that sense, it’s missing an electron, and we call it “P doping.” And then on the other side, we have the “N doping”. So we will dope or combine the silicon with elements of group number 15, which have five; meaning we have one extra. Everyone is in their pair, and comfortable, except for this extra electron that kind of wants to go somewhere. That’s how we motivate electrons to flow.

Camille Morhardt  19:06

And what does that do then when the electrons flow?

Maggie Jauregui  19:08

We are creating current. If we put an N doped silicon next to a P doped silicon, there will be something called the depletion zone between them. If the electrons flow in that border, the extra electrons on Group 5 will tend to flow to the missing electrons on Group 3, and that will stabilize that little area. So there’s less motivation for the rest of them to move. So there’s a resistance that needs to be overcome in order for atoms to continue to flow in that direction.

So if you apply a little bit of voltage, then it’ll be happy to continue flowing. And what we want is either a yes or no, to be able to control states between a yes or no. Then we’ve put together NPN or PNP type of transistors that–the ones that we use the most are NPN–they’ve gone through a crazy transformation from the first ones, which would look more like the insides of a light bulb. And they’ve slowly gotten smaller and smaller. We’ve advanced so much in lithography and in physical organizations of them to make them smaller and smaller and more efficient every time.

Camille Morhardt  20:26

So do you want to talk a little bit about what you do in the iSTARE Lab and what other people in the lab are doing?

Maggie Jauregui  20:34

Absolutely. iSTARE focuses on advanced hardware attacks of many types. And they work with Intel product teams to especially look at the foundational technology changes, years before the products even hit the market, to try to think forward in where’s this product gonna be in however many years? If this is new, could it be vulnerable to X, Y and Z? And kind of proactively try to perform attacks in order to make sure that our products are solid, and that we have confidence behind them. I’m new to the team, but I’m very excited to learn alongside them and to perform some of these attacks myself.

Camille Morhardt  21:18

In your opinion, what is the most interesting hardware attack that you know of? I suppose one you can talk about publicly. (laughs)

Maggie Jauregui  21:27

Plundervolt, I thought, was really kind of changing the game. Because what we like to do with hardware attacks is maybe initially it takes you destroying your platform and delayering it and decapping it and trying to understand your system and take microscopy pictures. But then once you understand it, you can figure out ways to make it happen from a software level or in an easier way. Or once you have the key, then it’s game over, all of the keys for that particular device are the same. You’ve won. It’s exciting and there’s all kinds of attacks, right? There’s, like we said, temperature and light. And there’s different types of attacks that can be passive, where we’re just measuring power, or inspecting a chip under a microscope, or there’s really cool attacks. That’s another one. The Ben-Gurion Labs in Israel have done some really interesting work of using acoustics to listen to a system to extract keys and do interesting things. That to me is fascinating. And then there’s active ones where we’re using lasers or glitching with voltage or EM.

We do a really cool training–Joe Fitzpatrick has really great hardware hacking training. That was the first hardware training that I ever took. And sometimes I help him teach classes at Black Hat or other conferences. And one of the class bits that I liked the most is the side channel attack. He’ll have a little number pad, where you know that the password’s 1-2-3-4. So you get to measure with a little logic analyzer, if you put it right, how long it takes for it to compute it. If you put three numbers right and one wrong, how long does it take? And so timing attacks are also very interesting. And then he’ll program a secret password, and you have to guess it. But now you can, because you know how much time it takes for each one, if it’s right, or if it’s wrong.

And then there’s the more destructive ones that those are a little, I really admire, but those are solvents and things that can maybe melt your brain so I stay a little bit more away from them. But delayering and being able to physically look at the insides of a chip is really cool. I find them exciting in different ways.

Camille Morhardt  23:48

Most of what you’re describing, of course, physical properties of the universe, and that and you’re using them to affect this. So a lot of what you’re describing, I’m hearing that proximity is a requirement for this and I’m wondering with the fact that frequencies travel through the air, is there an ability to do remote attack on hardware or is there kind of like a dissipation level, do you need to be within a certain range?

Maggie Jauregui  24:14

It depends on the attack. Most of the destructive ones need to be physical because you need to open it up and look inside. But more and more, yeah, there is definitely the opportunity for attacks to happen more remotely or with a system without opening it. Definitely, yes.

Camille Morhardt  24:35

How would that work, then? I mean, I know you did walkie talkies, within, you know, I don’t know, 30 feet or something of the hairdryer. How would somebody stage that using, I don’t know, cellular– other kinds of radio frequencies that are traveling around.

Maggie Jauregui  24:50

So induction is a fun thing, because an EM field can create a current, or a current can create an EM field. And I guess it’s a common misunderstanding about how electricity works, that we think there are just electrons going on a wire, and the electrons come from the power plant and arrive to my house, all from a single wire. And that’s not how it happens. And it’s actually gapped in a lot of places by transformers and things that use induction to transport the electricity. So, with a strong enough EM field, you can disturb electrical systems, always, right? And there have even been people who have presented like weapon type prototypes that could disable infrastructures and do more damage. So being physically connected is not a requirement for EM to do its magic.

Camille Morhardt  25:44

You’re aware of all different kinds of attacks that can happen. Does that sort of keep you up at night? Or are you just excited about possibilities? Like, how do you go about your day and being aware of so many things that can happen that other people don’t even know about?

Maggie Jauregui  26:02

I have found a really powerful career motivation in this industry in understanding that there are kind of evil forces at play and the more we put valuable information, valuable assets tied to our information–and most everybody now has a bank account and a phone–and the more we put our valuable information on information systems, the more there’s interest in people getting access to those, and there has to be another force that balances that out. And I really appreciate that companies have teams dedicated to this. And it’s proactive work, trying to predict, trying to balance this out. So, in that, I feel really happy to be a part of teams and conferences that really foster education, and foster bringing together new ideas and highlight the things that are happening currently. That’s why I’m so passionate about community, as well, and do to hundreds of hours worth of volunteer work for both Black Hat and B-Sides, because it’s so important.

I feel peace from the sight of knowing that there are so many people working on the other side. I also feel like the bad side of it is not something necessarily to be scared of always. There’s the push and pull. And the bad side has motivated us to evolve our platforms significantly and to improve them and to enhance them. And I think it drives the evolution of technology, as well. So I am excited for the drive and the changes. And that was another thing I mentioned in my keynote, where a lot of people feel very defeated in a field like this, where they’re bringing up the same issues generation after generation; it’s usually very similar issues. Sometimes people aren’t willing to fix them. It can be hard to feel like you’re swimming up water all the time. But I think that’s part of why I like it. It’s never going to be done. Like we said it’s nothing’s ever going to be completely secure. And it’s just the process of evolving and trying to be better all the time.

Camille Morhardt  28:30

Your first language is Spanish, right?

Maggie Jauregui  23:32

Correct.

Camille Morhardt  28:33

Where did you grow up?

Maggie Jauregui  28:35

I grew up in Guadalajara, Mexico.

Camille Morhardt  28:38

Okay, so I wonder if you would give us a final parting thought but maybe in Spanish?

Maggie Jauregui  28:44

(Thanks Camille in Spanish.)

Camille Morhardt  28:51

Thank you, as well. I really appreciated having you on and it’s been a great conversation. Maggie Jauregui who is a hardware researcher in Intel’s iSTARE Lab and known for, as you demonstrated today, super brilliant and also accessible and a great communicator. Your explanations have been wonderful.

Maggie Jauregui  29:14

Thank you so much, Camille, this was fun.
