[Security] Krux firmware 24.07.0, 24.09.0 and 24.09.1 can be "hacked" with using a SD card

[tadeubas]

We have been developing the firmware in a way to enhance the security of the devices for some time now.

For example, the version 24.03.0 brought:

• Screensaver that grab the attention of the user when the device is left powered on.
• Optimized Settings Storage to only store settings if a setting is changed from the defaults.
• Wipe device that remove settings, stored encrypted mnemonics and any single bit of information left in user's flash space.
• Better Deletion of Mnemonics Stored on SD card that overwrite the memory area making it impossible to recover the previously stored data.
• Reproducible Builds which allows any trusted developer to create the firmware themselves and confirm to the community that the released firmware complies with the code openly available for review.
• Entropy quality estimators to better inform users about the robustness of the mnemonic being created by dice roils or camera.

And the version 24.07.0:

• Dice Rolls Pattern Detection to warn users about patterns within rolls.
• PSBT warns that inputs doesn't contains fingerprint, fee percentage is greater than 10%, path differs from the loaded wallet's path.
• PSBT shows more information like multisig policy when descriptor is not loaded, fee percentage and sats/vB.
• Auto Shutdown to turn device off when idle for too long.
• Hide Mnemonics to disable backup tools and hide private key data when a wallet is loaded.
• Python real-time compiler and REPL disabled to enhance security of the firmware.

But while experimenting with Krux Apps (to sign Nostr events, enable games and additional OpSec features) I've discovered a way to tamper a device in memory firmware using the SD card. This "hack" could pass undetected by the user even with the new Tamper detection feature. It appears to work only when the real-time compiler and REPL were disabled on version 24.07.0, so it doesn't appear to work on version prior to 24.07.0.

Place the os.mpy (48 bytes) file in the root directory of a SD card and connect this SD card to a Krux device, then restart Krux and it will freeze with the K logo on the screen. When connected to the device via terminal (using Maixpy IDE for example) you will see the FAKEEEEE print statement.

Terminal output example (notice the FAKEEEEE text):

[MAIXPY] Pll0:freq:728000000                                                    
[MAIXPY] Pll1:freq:26000000                                                     
[MAIXPY] Pll2:freq:45066666                                                     
[MAIXPY] cpu:freq:364000000                                                     
[MAIXPY] kpu:freq:1625000                                                       
[MAIXPY] Flash:0xef:0x17                                                        
[MaixPy] gc heap=0x802081b0-0x803881b0(1572864)                                 
FAKEEEEE                                                                        
Traceback (most recent call last):                                              
  File "_boot.py", line 143, in <module>                                        
  File "_boot.py", line 53, in check_for_updates                                
  File "_boot.py", line 51, in check_for_updates                                
AttributeError: 'module' object has no attribute 'stat'

The flaw is exploited using the current Maixpy / Micropython implementation. It enables the import of Python libs from the Virtual File System (VFS) layer, so the SD card /sd path can be used to import a lib like os for exemple. When this file is present on the SD card, any import os instruction in the firmware code loads the corresponding os lib found into the SD card first instead of trying to import from flash internal memory. @jdlcdl and @odudex tried to fix this with some commits, but the permanent fix was to disable the import of any python code from VFS, fixed with this Micropython commit and this Maixpy commit

NOTE that the .mpy file could't be uploaded to Github because of its extension, so a .txt suffix was added (rename the file by removing the .txt suffix before placing it on a SD card).

FILE: os.mpy.txt