4-Day Real-World IoT & Embedded Device Hacking
- 14 October 2019 - 17 October 2019
- Hosted By
- The Westin Grand
- Friedrichstraße 158-164, 10117 Berlin, Germany
View on Google Maps
In this 4-day training students will learn how to attack real, on-the-market and supposedly secure devices that have sold millions of units and are widely used. Often, these devices are used in critical and/or sensitive applications.
The training focuses on teaching how to perform a hardware security analysis, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device busses.
A big focus is on identifying inherently insecure architectures: Devices that can not be made secure from a hardware perspective, for example because of design-mistakes or the selection of insecure chips.
The devices the students will hack range from point-of-sale terminals, over bitcoin wallets and automotive control systems up to industrial controllers as used in power plants.
The training also covers how the conducted attacks can be prevented and how secure devices architectures can be constructed.
In this class students will learn how to find hardware security issues on real-world embedded devices:
- Tools for embedded device analysis
- Basic firmware analysis
- Finding & abusing debugging capabilities (JTAG, SWD, Serial consoles)
- Dumping memory devices & ICs
- Identifying & extracting secrets from dumps
- Analyzing busses
- MITM attacks on in-device busses
- Attacks on devices with secure-elements
- Basic side-channel attacks
- Processors and their (in)security features
- Class Outline
Day 1 is a crash course into the world of embedded device hacking and covers
Basic firmware analysis
- From firmware blob to extracted filesystem
- Identifying encrypted/unencrypted firmware
- Determining hardware-details from a firmware dump
- Finding vulnerabilities using static analysis
- Logic signals
- Basic signal analysis using a logic analyzer
- Signal trainer: Identifying unknown signals
- Probing on real devices
- Embedded protocols (SPI, I2C, UART, etc)
On day 2 we will start looking at devices from the real world and how to abuse design decisions made in the production of them.
- Identifying components
- Understanding a device architecture
- Building a basic hardware threat model
- Introduction to our custom and off-the shelf hardware and software tools
- Hands-on hacking
Finding debug interfaces (Consoles, finding undocumented JTAG & SWD pinouts, etc)
- Using OpenOCD to dump firmware
- Analyzing dumped firmware & flash contents
- Extracting secrets from dumps
- How does a secure device look?
We don't have JTAG, SWD, or a serial console - what now? On day 3 we will look at attacks on in-device bus systems, such as I2C and secure-elements - and how to abuse them to our advantage.
Introduction to secure-elements
- ISO7816 (Smartcard protocol) and 1-wire
- Analyzing 1-wire communication
- Common Secure-Elements/Authentication chips and their pitfalls
- Case-studies of real-world secure-element issues
Hands-on embedded man-in-the-middle attacks
- Introduction to the MITM hardware & software tools
- Building a Python-based MITM attack tool for different protocols
- Man-in-the-middle attack on a secure-element
- TOCTTU (Time of check to time of use) man-in-the-middle attack for bypassing secure-boot
Day 4 focuses on two other layers of security: The processors and side-channels.
Most software developers just assume the hardware to do the correct thing, but often issues exists in the processors themselves that can be exploited to gain code-execution or bypass security checks.
A side-channel attack (SCA) is a weakness in the underlying hardware or firmware that unintentionally leaks secret data stored on the device.
- Understanding of software security testing (pen-testing, red-teaming)
- Familiarity with the scripting language Python
- Basic understanding of embedded development
- Basic understanding of software attacks
Thomas Roth is a security researcher and founder of leveldown security. His main focus is on mobile and embedded systems with published research on topics like TrustZone, payment terminals, and embedded security. In recent years, his main focus has been on critical infrastructure and communication, with published research on industrial control systems, industrial IoT devices and secure communication. In 2018, Thomas Roth and his research was named as one of the 30 under 30 in Technology by the Forbes Magazine and was named TCCA Young Engineer of the Year 2018.