Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

Reverse engineering and security analysis of hardware devices usually require specialized tools that the average user does not have available at home. In this talk we will present the basic tools and methods to use when analyzing this kind of product, aiming to introduce attendees to the world of hardware hacking without needing excessive resources. We will start with the initial information gathering and the analysis of interesting interfaces (RS232, i2c, USB, etc.), move on to obtaining the firmware used by the device, and finish with emulation and/or real-time debugging of the code used by the device via JTAG. For each of these aspects, demonstrations will be given on common (off-the-shelf) hardware.


Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012] Presentation Transcript

  • 1. Hardware hacking on your couch: Intro to affordable embedded hacking. Eloi Sanfelix <eloi@riscure.com>, Javi Moreno <javi.moreno@nruns.com>. #rootedHW
  • 2. The life of a software security guy during the day
  • 3. The life of a software security guy during the night
  • 4. Hardware = FUN Source: http://www.flickr.com/photos/neimod/
  • 5. This is NOT about....
  • 6. ... but more ... Source: http://dontstuffbeansupyournose.com
  • 7. Overview
  • 8. Info Gathering
  • 9. Classic Embedded System
  • 10. Mapping of the device
  • 11. Open Source Info Gathering
      • Search the web
          – Part # / Chip model → Datasheets
          – Similar models
          – Exploits for similar devices
          – ...
  • 12. Interfacing Embedded Systems
  • 13. Interesting interfaces (Interface: Typical uses)
      – RS232: Shells, debug output
      – i2c / SPI: Debug output, peripheral management, serial EEPROM, ...
      – JTAG: Testing and debugging
      – USB / Ethernet / SATA / Etc: Same as your PC ;-)
  • 14. Finding interfaces
  • 15. Bus Pirate v3.x
  • 16. Openbench Logic Sniffer
  • 17. DEMO: Interfacing & sniffing
  • 18. Dumping Firmware
  • 19. How to obtain firmware?
      • Online firmware updates
      • Flash dumping
          – SPI for serial ROMs
          – Via debug access (e.g. JTAG)
          – Desoldering + external flash readers
              • Commercial readers
              • Microcontroller-based dumpers
  • 20. ROMs board
  • 21. Binary Visualization
  • 22. Firmware Reverse Engineering
  • 23. Debugging
  • 24. JTAG interface
  • 25. Debugging with JTAG
      • Boundary Scan only:
          – Reading / Modifying memory
          – Checking control lines (inputs/outputs)
      • Using additional aids:
          – Private instructions
          – Debugging logic
              • ARM: EmbeddedICE
              • MIPS: EJTAG
              • Motorola: BDM
  • 26. Debugging with JTAG (2)
      • Provides:
          – Hardware breakpoints
          – Hardware watchpoints
          – Register access
      • Example: EJTAG
  • 27. DEMO: Meet the BUS BLASTER
  • 28. Locating JTAG
  • 29. Locating JTAG (2)
  • 30. Locating JTAG (3)
  • 31. Locating JTAG (4)
  • 32. Image source: www.hirox-usa.com
  • 33. BGA (2)
      • Drilling through the PCB
          – Balls on CPU:
          – Balls through PCB:
  • 34. Can’t debug? Emulate!
      • You still can use emulators
          – Qemu
          – GXEmul
          – Skyeye
          – ...
  • 35. Securing Embedded Systems
  • 36. Secure Embedded System
  • 37. Key security features (Feature: Description)
      – Secure boot: Internal boot code / core must assure integrity of loaded firmware
      – Runtime integrity: Security subsystem must assure integrity of running code
      – Interface protection: Debug interfaces must either be disabled or (securely) protected
      – Key storage: Sensitive keys must be stored within the chipset and not readable to the application
      – External memory protection: Content stored in external memory (RAM) during runtime must be protected from attackers (scrambling and maybe authentication)
      – Protected crypto cores: Need to withstand SCA/FI attacks in order to properly protect keys
  • 38. Conclusion
      • Embedded hacking = FUN
      • Attacker’s challenges
          – Info gathering often difficult
          – Interfacing trickier than with software
      • Defender’s challenges
          – Device running under hostile environment
  • 39. Shopping list (Item: Price)
      – Arduino / Other dev boards: 20-60€ each / 20 to 300€
      – Bus Pirate: 25€
      – Bus Blaster / GoodFET: 30€ / DIY
      – Openbench Logic Sniffer / Saleae Logic Analyzer: 40€ / 120€
      – Cables, solder, screwdrivers, probes, ...: -
      – DSO Oscilloscope Nano / Quad: 70€ / 150€
      – USB Microscope: ~20 €
      – OpenVizsla (when available): 100 – 200 EUR
  • 40. Some things to look at
      • Routers, modems, STBs, MFPs ...
      • Gaming consoles, modern TVs
      • PC parts
      • (Smart)phones
      • Smart meters, alarms, SCADA/PLCs...
      • Car or vehicle electronics
      • Home appliances, domotics
      • Gadgets
  • 41. HW Hacking resources
      • Hack a day – www.hackaday.com
      • /dev/ttyS0 – www.devttys0.com
      • Bunnie’s blog – www.bunniestudios.com
      • Debugmo.de – debugmo.de
      • Pagetable – www.pagetable.com
      • HW vendors’ forums: SeedStudio, Sparkfun, adafruit.com, Dangerous Prototypes, ...
      • Fritzing – www.fritzing.org
      • [... The list goes on ...]
  • 42. Thanks! Eloi Sanfelix (@esanfelix), eloi@riscure.com; Javi Moreno (@vierito5), javi.moreno@nruns.com