SlideShare a Scribd company logo

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

RootedCON, profile picture
RootedCON

The document discusses hardware hacking, focusing on embedded systems and techniques for information gathering, firmware dumping, and debugging via JTAG interfaces. It highlights both the challenges faced by attackers and defenders, and provides a shopping list of essential tools for hacking embedded systems. Additionally, it offers a range of resources and examples of devices to explore for hardware hacking.

TechnologyBusiness
1 of 42
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Hardware hacking on your coach Intro to affordable embedded hacking Eloi Sanfelix <eloi@riscure.com> Javi Moreno <javi.moreno@nruns.com> #rootedHW
The life of a software security guy during the day
The life of a software security guy during the night
Hardware = FUN Source: http://www.flickr.com/photos/neimod/
This is NOT about....
... but more ... Source: http://dontstuffbeansupyournose.com
Overview
Info Gathering
Classic Embedded System
Mapping of the device 10
Open Source Info Gathering • Search the web – Part # / Chip model  Datasheets – Similar models – Exploits for similar devices – ...
Interfacing Embedded Systems
Interesting interfaces Interface Typical uses RS232 Shells , debug output Debug output, peripheral management, i2c / SPI serial EEPROM, ... JTAG Testing and debugging USB / Ethernet / SATA / Etc Same as your PC ;-)
Finding interfaces
Bus Pirate v3.x
Openbench Logic Sniffer
DEMO: Interfacing & sniffing
Dumping Firmware
How to obtain firmware? • Online firmware updates • Flash dumping – SPI for serial ROMs – Via debug access (e.g JTAG) – Desoldering + external flash readers • Commercial readers • Microcontroller-based dumpers
Placa ROMs
Binary Visualization
Firmware Reverse Engineering
Debugging
JTAG interface
Debugging with JTAG • Boundary Scan only: – Reading / Modifying memory – Checking control lines (inputs/outputs) • Using additional aids: – Private instructions – Debugging logic • ARM: EmbeddedICE • MIPS: EJTAG • Motorola: BDM
Debugging with JTAG (2) • Provides: – Hardware breakpoints – Hardware watchpoints – Register access • Example: EJTAG
DEMO: Meet the BUS BLASTER
Locating JTAG A B D C
Locating JTAG (2)
Locating JTAG (3)
Locating JTAG (4)
Image source: www.hirox-usa.com
BGA (2) • Drilling through the PCB Balls on CPU: Balls through PCB:
Can’t  debug?  Emulate! • You still can use emulators – Qemu – GXEmul – Skyeye – ...
Securing Embedded Systems
Secure Embedded System
Key security features Feature Description Internal boot code / core must assure Secure boot integrity of loaded firmware Security subsystem must assure integrity Runtime integrity of running code Debug interfaces must either be disabled Interface protection or (securely) protected Sensitive keys must be stored within the Key storage chipset and not readable to the application Content stored in external memory (RAM) during runtime must be protected External memory protection from attackers. (scrambling and maybe authentiaction) Need to withstand SCA/FI attacks in Protected crypto cores order to properly protect keys.
Conclusion • Embedded hacking = FUN • Attacker’s  challenges – Info gathering often difficult – Interfacing trickier than with software • Defender’s  challenges – Device running under hostile environment
Shopping list Item Price Arduino / Other dev boards 20-60€ each / 20 to 300€ Bus Pirate 25€ Bus Blaster / GoodFET 30€ / DIY Openbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€ Cables, solder, screwdrivers, probes, ... - DSO Oscilloscope Nano / Quad 70€ / 150€ USB Microscope ~20 € OpenVizsla (when available) 100 – 200 EUR
Some things to look at • Routers, modems, STBs, MFPs ... • Gaming consoles, modern TVs • PC parts • (Smart)phones • Smart meters, alarms, SCADA/PLCs... • Car or vehicle electronics • Home appliances, domotics • Gadgets
HW Hacking resources • Hack a day – www.hackaday.com • /dev/ttyS0 – www.devttys0.com • Bunnie’s  blog  – www.bunniestudios.com • Debugmo.de – debugmo.de • Pagetable – www.pagetable.com • HW  vendors’  forums:  SeedStudio,  Sparkfun  ,   adafruit.com, Dangerous Prototypes , ... • Fritzing – www.fritzing.org • [... The list goes on ...]
Thanks! Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5) eloi@riscure.com javi.moreno@nruns.com

More Related Content

PPTX
Hardware Hacking Primer
Yashin Mehaboobe
 
PDF
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
codebits
 
PDF
Taking the hard out of hardware
Ronald McCollam
 
PDF
Hardware hacking
Tavish Naruka
 
PDF
Internet of things - with routers
Tavish Naruka
 
PDF
Building Trojan Hardware at Home
E Hacking
 
PPTX
Nodemcu - introduction
Michal Sedlak
 
PPTX
Programming esp8266
Baoshi Zhu
 
Hardware Hacking Primer
Yashin Mehaboobe
 
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
codebits
 
Taking the hard out of hardware
Ronald McCollam
 
Hardware hacking
Tavish Naruka
 
Internet of things - with routers
Tavish Naruka
 
Building Trojan Hardware at Home
E Hacking
 
Nodemcu - introduction
Michal Sedlak
 
Programming esp8266
Baoshi Zhu
 

What's hot (20)

PDF
Cigarette VS Bubble Gum
Naruenart
 
PPTX
IoT Hands-On-Lab, KINGS, 2019
Jong-Hyun Kim
 
PPTX
Intel Edison: Beyond the Breadboard
yeokm1
 
PDF
Introduction to ESP32 Programming [Road to RIoT 2017]
Alwin Arrasyid
 
PDF
How to Make an Eight Bit Computer and Save the World!
elliando dias
 
PDF
Linux Kernel Exploitation
Scio Security
 
PPT
Arduino Meetup with Sonar and 433Mhz Radios
roadster43
 
PDF
How to Install ESP8266 WiFi Web Server using Arduino IDE
Naoto MATSUMOTO
 
PDF
Controlling USB Flash Drive Controllers: Expose of Hidden Features
xabean
 
PDF
Kernel entrance to-geek-
mao999
 
PPTX
Esp8266 - Intro for dummies
Pavlos Isaris
 
PDF
lesson2 - Nodemcu course - NodeMCU dev Board
Elaf A.Saeed
 
PDF
Republic of IoT - Hackathon Hardware Kits Hands-on Labs
Alwin Arrasyid
 
PPTX
Esp8266 Workshop
Stijn van Drunen
 
PPTX
Everything you wanted to know about Internet of Things & Galileo
BeMyApp
 
PPTX
[5]投影片 futurewad樹莓派研習會 141218
CAVEDU Education
 
PDF
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015
CODE BLUE
 
PDF
Let's begin io t with $10
Makoto Takahashi
 
PDF
Espresso Lite v2 - ESP8266 Overview
The World Bank
 
PDF
Making wearables with NodeMCU - FOSDEM 2017
Etiene Dalcol
 
Cigarette VS Bubble Gum
Naruenart
 
IoT Hands-On-Lab, KINGS, 2019
Jong-Hyun Kim
 
Intel Edison: Beyond the Breadboard
yeokm1
 
Introduction to ESP32 Programming [Road to RIoT 2017]
Alwin Arrasyid
 
How to Make an Eight Bit Computer and Save the World!
elliando dias
 
Linux Kernel Exploitation
Scio Security
 
Arduino Meetup with Sonar and 433Mhz Radios
roadster43
 
How to Install ESP8266 WiFi Web Server using Arduino IDE
Naoto MATSUMOTO
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
xabean
 
Kernel entrance to-geek-
mao999
 
Esp8266 - Intro for dummies
Pavlos Isaris
 
lesson2 - Nodemcu course - NodeMCU dev Board
Elaf A.Saeed
 
Republic of IoT - Hackathon Hardware Kits Hands-on Labs
Alwin Arrasyid
 
Esp8266 Workshop
Stijn van Drunen
 
Everything you wanted to know about Internet of Things & Galileo
BeMyApp
 
[5]投影片 futurewad樹莓派研習會 141218
CAVEDU Education
 
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015
CODE BLUE
 
Let's begin io t with $10
Makoto Takahashi
 
Espresso Lite v2 - ESP8266 Overview
The World Bank
 
Making wearables with NodeMCU - FOSDEM 2017
Etiene Dalcol
 

Viewers also liked (12)

PDF
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
RootedCON
 
PDF
Modulo 5
Cesar Zarate
 
PDF
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
RootedCON
 
PDF
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
RootedCON
 
PDF
Guillermo Grande y Alberto Ortega - Building an IP reputation engine, trackin...
RootedCON
 
PDF
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
RootedCON
 
PDF
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
RootedCON
 
PPTX
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
RootedCON
 
PDF
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
RootedCON
 
PDF
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
RootedCON
 
PDF
BSides DFW2016-Hack Mode Enabled
pricemcdonald
 
PDF
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
RootedCON
 
Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...
RootedCON
 
Modulo 5
Cesar Zarate
 
José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...
RootedCON
 
Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]
RootedCON
 
Guillermo Grande y Alberto Ortega - Building an IP reputation engine, trackin...
RootedCON
 
Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]
RootedCON
 
Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]
RootedCON
 
Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...
RootedCON
 
Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]
RootedCON
 
Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...
RootedCON
 
BSides DFW2016-Hack Mode Enabled
pricemcdonald
 
Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]
RootedCON
 

Similar to Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012] (20)

PDF
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
PDF
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
PPTX
Pentesting embedded
antitree
 
PDF
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
PPTX
Making and breaking security in embedded devices
Yashin Mehaboobe
 
PPTX
Armadillos - or how to bypass code readout protection on microcontrollers
Andrew Tierney
 
PDF
Bsides Puerto Rico-2017
Price McDonald
 
PDF
BlackHat 2009 - Hacking Zigbee Chips (slides)
Michael Smith
 
PPTX
RTOS based Confidential Area Security System
ajinky gadewar
 
PPTX
Project_updated
Shaikh Zaid
 
PDF
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
PPTX
1334420 634648164164717500
sumit tiwari
 
PPT
Vectors
Yashin Mehaboobe
 
KEY
Jailbreaking iOS
Kai Aras
 
PDF
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Priyanka Aash
 
PDF
From Silicon to Software - IIT Madras
Aanjhan Ranganathan
 
PDF
Thesis Donato Slides EN
Marco Santambrogio
 
PPTX
ROM Hacking for Fun, Profit & Infinite Lives
Ulisses Albuquerque
 
PDF
FPGA Camp - Intellitech Presentation
FPGA Central
 
PDF
BSides Indy 2017 - Hardware Hacking - Abusing the Things
Price McDonald
 
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
Pentesting embedded
antitree
 
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Armadillos - or how to bypass code readout protection on microcontrollers
Andrew Tierney
 
Bsides Puerto Rico-2017
Price McDonald
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
Michael Smith
 
RTOS based Confidential Area Security System
ajinky gadewar
 
Project_updated
Shaikh Zaid
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
1334420 634648164164717500
sumit tiwari
 
Vectors
Yashin Mehaboobe
 
Jailbreaking iOS
Kai Aras
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Priyanka Aash
 
From Silicon to Software - IIT Madras
Aanjhan Ranganathan
 
Thesis Donato Slides EN
Marco Santambrogio
 
ROM Hacking for Fun, Profit & Infinite Lives
Ulisses Albuquerque
 
FPGA Camp - Intellitech Presentation
FPGA Central
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
Price McDonald
 

More from RootedCON (20)

PDF
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
RootedCON
 
PDF
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
RootedCON
 
PDF
Rooted2020 hunting malware-using_process_behavior-roberto_amado
RootedCON
 
PPSX
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
RootedCON
 
PDF
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
RootedCON
 
PPTX
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
RootedCON
 
PPTX
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
RootedCON
 
PPTX
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
RootedCON
 
PDF
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
RootedCON
 
PDF
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
RootedCON
 
PPTX
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
RootedCON
 
PPTX
Rooted2020 virtual pwned-network_-_manel_molina
RootedCON
 
PDF
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
RootedCON
 
PDF
Rooted2020 todo a-siem_-_marta_lopez
RootedCON
 
PPTX
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
PDF
Rooted2020 live coding--_jesus_jara
RootedCON
 
PDF
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
RootedCON
 
PDF
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
RootedCON
 
PDF
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
RootedCON
 
PDF
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
RootedCON
 
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
RootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
RootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
RootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
RootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
RootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
RootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
Rooted2020 live coding--_jesus_jara
RootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
RootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
RootedCON
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Approach and Philosophy of On baking technology
30anthuong17
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

  • 1. Hardware hacking on your coach Intro to affordable embedded hacking Eloi Sanfelix <eloi@riscure.com> Javi Moreno <javi.moreno@nruns.com> #rootedHW
  • 2. The life of a software security guy during the day
  • 3. The life of a software security guy during the night
  • 4. Hardware = FUN Source: http://www.flickr.com/photos/neimod/
  • 5. This is NOT about....
  • 6. ... but more ... Source: http://dontstuffbeansupyournose.com
  • 10. Mapping of the device 10
  • 11. Open Source Info Gathering • Search the web – Part # / Chip model  Datasheets – Similar models – Exploits for similar devices – ...
  • 13. Interesting interfaces Interface Typical uses RS232 Shells , debug output Debug output, peripheral management, i2c / SPI serial EEPROM, ... JTAG Testing and debugging USB / Ethernet / SATA / Etc Same as your PC ;-)
  • 19. How to obtain firmware? • Online firmware updates • Flash dumping – SPI for serial ROMs – Via debug access (e.g JTAG) – Desoldering + external flash readers • Commercial readers • Microcontroller-based dumpers
  • 25. Debugging with JTAG • Boundary Scan only: – Reading / Modifying memory – Checking control lines (inputs/outputs) • Using additional aids: – Private instructions – Debugging logic • ARM: EmbeddedICE • MIPS: EJTAG • Motorola: BDM
  • 26. Debugging with JTAG (2) • Provides: – Hardware breakpoints – Hardware watchpoints – Register access • Example: EJTAG
  • 27. DEMO: Meet the BUS BLASTER
  • 28. Locating JTAG A B D C
  • 33. BGA (2) • Drilling through the PCB Balls on CPU: Balls through PCB:
  • 34. Can’t  debug?  Emulate! • You still can use emulators – Qemu – GXEmul – Skyeye – ...
  • 37. Key security features Feature Description Internal boot code / core must assure Secure boot integrity of loaded firmware Security subsystem must assure integrity Runtime integrity of running code Debug interfaces must either be disabled Interface protection or (securely) protected Sensitive keys must be stored within the Key storage chipset and not readable to the application Content stored in external memory (RAM) during runtime must be protected External memory protection from attackers. (scrambling and maybe authentiaction) Need to withstand SCA/FI attacks in Protected crypto cores order to properly protect keys.
  • 38. Conclusion • Embedded hacking = FUN • Attacker’s  challenges – Info gathering often difficult – Interfacing trickier than with software • Defender’s  challenges – Device running under hostile environment
  • 39. Shopping list Item Price Arduino / Other dev boards 20-60€ each / 20 to 300€ Bus Pirate 25€ Bus Blaster / GoodFET 30€ / DIY Openbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€ Cables, solder, screwdrivers, probes, ... - DSO Oscilloscope Nano / Quad 70€ / 150€ USB Microscope ~20 € OpenVizsla (when available) 100 – 200 EUR
  • 40. Some things to look at • Routers, modems, STBs, MFPs ... • Gaming consoles, modern TVs • PC parts • (Smart)phones • Smart meters, alarms, SCADA/PLCs... • Car or vehicle electronics • Home appliances, domotics • Gadgets
  • 41. HW Hacking resources • Hack a day – www.hackaday.com • /dev/ttyS0 – www.devttys0.com • Bunnie’s  blog  – www.bunniestudios.com • Debugmo.de – debugmo.de • Pagetable – www.pagetable.com • HW  vendors’  forums:  SeedStudio,  Sparkfun  ,   adafruit.com, Dangerous Prototypes , ... • Fritzing – www.fritzing.org • [... The list goes on ...]
  • 42. Thanks! Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5) eloi@riscure.com javi.moreno@nruns.com