Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

1,789 views
1,599 views

Published on

La ingeniería inversa y el análisis de seguridad de dispositivos hardware suele requerir herramientas especializadas que el usuario medio no tiene disponibles en casa. Durante esta charla presentaremos las herramientas y métodos básicos a utilizar durante el análisis de este tipo de productos, buscando introducir a los asistentes en el mundo del hardware hacking sin necesidad de emplear excesivos recursos. Se empezará desde la búsqueda de información inicial, el análisis de interfaces interesantes (RS232, i2c, USB, etc ), pasando por la obtención del firmware utilizado por el dispositivo y finalmente por la emulación yo debugging en tiempo real del código utilizado por el dispositivo via JTAG. Para cada uno de estos aspectos se realizarán demostraciones sobre hardware común (off-the-shelf).

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,789
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

  1. 1. Hardware hacking on your coach Intro to affordable embedded hacking Eloi Sanfelix <eloi@riscure.com> Javi Moreno <javi.moreno@nruns.com> #rootedHW
  2. 2. The life of a software security guy during the day
  3. 3. The life of a software security guy during the night
  4. 4. Hardware = FUN Source: http://www.flickr.com/photos/neimod/
  5. 5. This is NOT about....
  6. 6. ... but more ... Source: http://dontstuffbeansupyournose.com
  7. 7. Overview
  8. 8. InfoGathering
  9. 9. Classic Embedded System
  10. 10. Mapping of the device 10
  11. 11. Open Source Info Gathering• Search the web – Part # / Chip model  Datasheets – Similar models – Exploits for similar devices – ...
  12. 12. InterfacingEmbedded Systems
  13. 13. Interesting interfaces Interface Typical uses RS232 Shells , debug output Debug output, peripheral management, i2c / SPI serial EEPROM, ... JTAG Testing and debuggingUSB / Ethernet / SATA / Etc Same as your PC ;-)
  14. 14. Finding interfaces
  15. 15. Bus Pirate v3.x
  16. 16. Openbench Logic Sniffer
  17. 17. DEMO: Interfacing & sniffing
  18. 18. DumpingFirmware
  19. 19. How to obtain firmware?• Online firmware updates• Flash dumping – SPI for serial ROMs – Via debug access (e.g JTAG) – Desoldering + external flash readers • Commercial readers • Microcontroller-based dumpers
  20. 20. Placa ROMs
  21. 21. Binary Visualization
  22. 22. Firmware Reverse Engineering
  23. 23. Debugging
  24. 24. JTAG interface
  25. 25. Debugging with JTAG• Boundary Scan only: – Reading / Modifying memory – Checking control lines (inputs/outputs)• Using additional aids: – Private instructions – Debugging logic • ARM: EmbeddedICE • MIPS: EJTAG • Motorola: BDM
  26. 26. Debugging with JTAG (2)• Provides: – Hardware breakpoints – Hardware watchpoints – Register access• Example: EJTAG
  27. 27. DEMO: Meet the BUS BLASTER
  28. 28. Locating JTAG AB D C
  29. 29. Locating JTAG (2)
  30. 30. Locating JTAG (3)
  31. 31. Locating JTAG (4)
  32. 32. Image source: www.hirox-usa.com
  33. 33. BGA (2)• Drilling through the PCB Balls on CPU: Balls through PCB:
  34. 34. Can’t  debug?  Emulate!• You still can use emulators – Qemu – GXEmul – Skyeye – ...
  35. 35. SecuringEmbedded Systems
  36. 36. Secure Embedded System
  37. 37. Key security features Feature Description Internal boot code / core must assure Secure boot integrity of loaded firmware Security subsystem must assure integrity Runtime integrity of running code Debug interfaces must either be disabled Interface protection or (securely) protected Sensitive keys must be stored within the Key storage chipset and not readable to the application Content stored in external memory (RAM) during runtime must be protectedExternal memory protection from attackers. (scrambling and maybe authentiaction) Need to withstand SCA/FI attacks in Protected crypto cores order to properly protect keys.
  38. 38. Conclusion• Embedded hacking = FUN• Attacker’s  challenges – Info gathering often difficult – Interfacing trickier than with software• Defender’s  challenges – Device running under hostile environment
  39. 39. Shopping list Item Price Arduino / Other dev boards 20-60€ each / 20 to 300€ Bus Pirate 25€ Bus Blaster / GoodFET 30€ / DIYOpenbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€ Cables, solder, screwdrivers, probes, ... - DSO Oscilloscope Nano / Quad 70€ / 150€ USB Microscope ~20 € OpenVizsla (when available) 100 – 200 EUR
  40. 40. Some things to look at• Routers, modems, STBs, MFPs ...• Gaming consoles, modern TVs• PC parts• (Smart)phones• Smart meters, alarms, SCADA/PLCs...• Car or vehicle electronics• Home appliances, domotics• Gadgets
  41. 41. HW Hacking resources• Hack a day – www.hackaday.com• /dev/ttyS0 – www.devttys0.com• Bunnie’s  blog  – www.bunniestudios.com• Debugmo.de – debugmo.de• Pagetable – www.pagetable.com• HW  vendors’  forums:  SeedStudio,  Sparkfun  ,   adafruit.com, Dangerous Prototypes , ...• Fritzing – www.fritzing.org• [... The list goes on ...]
  42. 42. Thanks!Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5) eloi@riscure.com javi.moreno@nruns.com

×