Hardsploit is a framework and hardware device that allows security researchers to audit and pentest hardware devices like IoT systems. It functions as a bridge between hardware interfaces and software testing tools. The framework includes a programmable hardware board with 64 I/O channels that can communicate over various protocols to analyze components, dump memory, and exploit vulnerabilities found in hardware. The goal of Hardsploit is to advance the field of hardware security testing and evaluation.

1. HARDSPLOIT
Framework for Hardware Security Audit
a bridge between hardware & a so0ware pentester

2. Who am I ?
• Julien Moinard
- Electronic engineer @opale-security (French company)
- Security consultant, Hardware & SoDware pentester
- Team project leader of Hardsploit
- DIY enthusiast
16/03/2016 2

3. Opale Security in 1 slide
16/03/2016 3

4. Internet of Things & Privacy concern ?
• Any IoT object could reveal informa@on about
individuals
• Wearable Technology: clothes, watches, contact
lenses with sensors, microphones with cameras
embedded and so on
• Quan@fied Self: pedometers, sleep monitors, and so
on
• Home Automa@on: connected households using smart
fridges, smart ligh<ng and smart security systems, and
so on
• …
16/03/2016 4

5. Internet of Things & Privacy concern ?
• Last news : (you can update this slide every week L)
Firmware can be read without
any problem (SPI memory)
VTech was hacked in November, exposing
millions of accounts.
In response, the firm took some essen<al
services offline, meaning products could
not be registered on Christmas Day.
16/03/2016 5

6. Iot Eco-system (20000 feet view)
• Privacy Risk level : Where?
HF communica<on (ISM
Band) + Wifi + 3G-5G ,
Bluetooth, Sigfox, Lora etc..
Classical wired connec<ons
Central servers, User
Interface, API, Backoffice etc.
IoT devices
16/03/2016 6

7. SOFTWARE
To secure it:
• Security products (Firewall, An<virus, IDS,…)
• Security services (Pentest, Audit, …)
• Tools (Uncountable number of them)
HARDWARE
To secure it:
• Few or unimplemented solu<ons (Encryp<on
with key in a secure area, an<-replay
mechanisms, readout protec<on, …)
Security speaking,
hardware is the new soDware ?
16/03/2016 7

8. • 1/ Open it
• 2/ Fingerprint all the component if you can else automa@c brute forcing
• 3/ Use those that may contain data (Online / Offline analysis ?)
• 4/ Perform read | write opera@on on them
• 5/ Reverse engineering, find vulnerabili<es and exploit them
Hardsploit & hardware hacking
basic procedure
16/03/2016 8

9. Global Purpose
16/03/2016 9

10. Why ?
• Because chips contain interes<ng / private data
• Passwords
• File systems
• Firmware
• …
16/03/2016 10

11. How ?
• A hardware pentester need to know electronic buses and he need to be
able to interact with them
1-Wire
JTAG / SWD UART
CAN
PARALLEL
Custom
16/03/2016 11

12. Hardsploit framework
Same hardware but a sofware update is needed to add a new protocols
Hardsploit
IoT target
Input / Output
database Module (SWD, SMBus, I2C, SPI, etc..)
16/03/2016 12

13. Hardsploit bus indenSficaSon & scanner
(in progress, not published yet)
Hardsploit
IoT target
Input / Output
Database of pagerns
Database of components Module (I2C, SPI, etc..)
IO hardware mixer
Scanner
16/03/2016 13

14. Tool of trade
FUNCTIONALITIES BUSPIRATE JTAGULATOR GOODFET HARDSPLOIT
UART Bus iden<fica<on
SPI
PARALLEL
I2C
JTAG / SWD Bus iden<fica<on
MODULARITY Microcontroller Microcontroller Microcontroller uC / FPGA
EASE OF USE Cmd line + datasheet Command line Command line Official GUI / API / DB
I/O NUMBER < 10 24 < 14 64 (plus power)
WIRING TEXT (but MOSI = SDA J) TEXT / AUTOMATIC
iden<fica<on
TEXT LED / TEXT/
AUTOMATIC
iden<fica<on
16/03/2016 14

15. Hardsploit: CommunicaSon
16/03/2016 15

16. Prototype making
• Applying soldering paste (low budget style)
16/03/2016 16

17. Prototype making
• Manual reflow oven (DIY style)
16/03/2016 17

18. Prototype V0.1 aka The Green Goblin J
16/03/2016 18

19. Prototype making (with a budget)
• The rebirth
16/03/2016 19

20. The board – Final version
• 64 I/O channels
• ESD Protec<on
• Target voltage: 3.3 & 5V
• Use a Cyclone II FPGA
• USB 2.0
• 20cm x 9cm
16/03/2016 20

21. Hardsploit organizaSon
16/03/2016 21

22. Chip management
• Search
• Create
• Modify
• Interact
16/03/2016 22

23. Wiring helper
Datasheet
representa<on
Hardsploit Wiring module
representa<on
GUI <–> Board interac<on
16/03/2016 23

24. Se[ngs
16/03/2016 24

25. Command editor
16/03/2016 25

26. What are available on github (Open) ?
• Microcontroller (c)
• API (ruby)
• GUI (ruby)
• Create your own Hardsploit module : VHDL & API (ruby)
16/03/2016 26

27. Already available (github)
Parallel non mul<plexed memory dump
• 32 bits for address
• 8/16 bits for data
Helping wiring
I2C 100Khz 400Khz and 1 Mhz
• Addresses scan
• Read, write, automa<c full and par<al dump
SPI mode 0,1,2,3 up to 25 Mhz
• Read, write, automa<c full and par<al dump
SWD interface (like JTAG but for ARM core)
• Dump and write firmware of most ARM CPU
GPIO interact / bitbanging (API only for the moment)
• Low speed < 500Hz read & write opera<ons on 64 bits
16/03/2016 27

28. More to come (see online roadmap)…
• Automa<c bus inden<fica<on & Scanner (@30%)
• Component & commands sharing platorm (@90%)
• TTL UART Module with automa<c detec<on speed (@80%)
• Parallel communica<on with mul<plexed memory
• I2C sniffing (shot of 4000 bytes up to 1 Mhz)
• SPI sniffing (shot of 8000 / 4000 byte half / full up to 25Mhz)
• RF Wireless transmission training plateform (Nordic NRF24, 433Mhz, 868Mhz transcievers)
• Metasploit integra<on (module) ??
• JTAG
• 1 Wire
• CanBUS (with hardware level adapter)
• …
16/03/2016 28

29. Concrete case
• An electronic lock system
• 4 characters pin code A – B – C – D
• Good combinaison – Door opens, green L.E.D turn on
• Wrong combinaison – Door closes, red L.E.D turn on
16/03/2016 29

30. Concrete case: Open it
16/03/2016 30

31. Concrete case: Fingerprint
I2C MEMORIES 24LC64
STM32F103RBT6
SPI MEMORY 25LC08
16/03/2016 31

32. Concrete case: Online / Offline analysis ?
16/03/2016 32

33. Concrete case: hardsploit scenario
1. Open Hardsploit to create the component (if not exist)
2. Connect the component to Hardsploit (wiring helping)
3. Enter and save the component seungs (if not exist)
4. Dump the content of the memories (1 click)
5. Change the door password by using commands (few clicks)
6. Try the new password on the lock system (enjoy)
16/03/2016 33

34. Concrete case:
Read | Write operaSon, I2C, SPI, SWD …
• Time for a live demo ?
16/03/2016 34

35. Parallel bus memory
16/03/2016 35

36. Concrete case: Fingerprint
16/03/2016 36

37. Concrete case: Offline analysis
16/03/2016 37

38. Concrete case: Ready to dump the content
16/03/2016 38

39. Conclusion
• IoT Device are (also) prone to vulnerabili<es help you to find them
• Security policy need to be adpated, nowadays, it is not so difficult to
extract data on IoT
• Designers need to design with security in mind
• Skills related to pentest a hardware device is mandatory for Security
Experts (but training exist)
• Industry need to take care about device security
16/03/2016 39

40. Thank you !
Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT)
To learn more about Hardsploit and follow the development
Hardsploit.io & Opale-Security.com
• Yann ALLAIN (CEO)
• yann.allain@opale-security.com
• +33 6 45 45 33 81
Hardware & Sofware, Pentest, Audit, Training
• Julien MOINARD (Project leader of Hardsploit)
• julien.moinard@opale-security.com
• +33 9 72 43 87 07
16/03/2016 40