Have you ever looked at a physical device and wondered what was possible? How does it work? Why is it secure? What does information flowing between components look like using a logic analyzer? And most importantly, can we hack it?
This course is all about hardware exploration, from understanding how common devices are designed and manufactured up to manipulating each component to behave how you want it to behave, and not how the manufacturer anticipated.
For manufacturers, understanding how controls are subverted is vital in designing more robust and secure devices. For security personnel, understanding how to attack devices and how to review a device for security is critical for working with the new wave of connected devices. For developers, this class teaches the methods used by hackers and how to defend against them.
The devices students will hack in this course include access control systems (such as those used in some embassies and power plants), connected cameras, smart lighting controllers, industrial gateways and more.
The training focuses on teaching how to perform a hardware security audit, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device busses.
Finally, we also look at how the conducted attacks can be prevented and how more secure device architectures can be designed.
Learn how to hack fingerprint access control systems, smart cameras, wearables, bitcoin wallets and more.
In this class students will learn how to find hardware security issues on real-world embedded devices:
- Building a hardware security lab
- Tools for embedded device analysis
- Basic firmware analysis
- Finding & abusing debugging capabilities (JTAG, SWD, Serial consoles)
- Dumping memory devices & ICs
- Identifying & extracting secrets from dumps
- Analyzing busses
- Man-in-the-middle attacks on in-device busses
- Attacks on devices with secure-elements
- Basic side-channel attacks
- Processors and their (in)security features
- Security engineers getting into IoT/embedded security
- Hardware designers
- Everyone who is curious about securing the Internet-of-Things
Day 1 is a crash course in the world of embedded device hacking and covers:
Basic firmware analysis
- From firmware blob to extracted filesystem
- Identifying encrypted/unencrypted firmware
- Determining hardware-details from a firmware dump
- Finding vulnerabilities using static analysis
- Logic signals
- Basic signal analysis using a logic analyzer
- Signal trainer: Identifying unknown signals
- Probing on real devices
- Embedded protocols (SPI, I2C, UART, etc)
On day 2 we will start looking at devices from the real world and how to abuse design decisions made in their production.
- Identifying components
- Understanding a device architecture
- Building a basic hardware threat model
- Introduction to our custom and off-the-shelf hardware and software tools
- Finding debug interfaces (Consoles, finding undocumented JTAG & SWD pinouts, etc)
- Using OpenOCD to dump firmware
- Analyzing dumped firmware & flash contents
- Extracting secrets from dumps
- What does a secure device look like?
We don't have JTAG, SWD, or a serial console - what now? On day 3 we will look at attacks on in-device bus systems, such as I2C and secure-elements - and how to abuse them to our advantage.
Introduction to secure-elements
- ISO7816 (Smartcard protocol) and 1-wire
- Analyzing 1-wire communication
- Common Secure-Elements/Authentication chips and their pitfalls
- Case-studies of real-world secure-element issues
Hands-on embedded man-in-the-middle attacks
- Introduction to the MITM hardware & software tools
- Building a Python-based MITM attack tool for different protocols
- Man-in-the-middle attack on a secure-element
- TOCTOU (Time of check to time of use) man-in-the-middle attack for bypassing secure-boot
On day 4 we focus on two other layers of security: the processor and unintentional side-channels. Most software developers just assume the hardware does the correct thing, but often issues exist in the processors themselves that can be exploited to gain code-execution or bypass security checks. We also look at side-channel attacks: unintentional information leakage, for example through the power consumption of a device, can cause secrets to leak from devices or be used to bypass access protections.
Processor security features
- Fuses, crypto accelerators, read-out protection
- Boot ROM issues
- Timing side-channels
- RF side-channels
- Power side-channels
- Exploiting a timing side-channel
- Bring-your-own/choose-your-own target lab