
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23


Slides from Defcon IoT Village Workshop

Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience of how people use hardware attacks to get initial access to IoT devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!

Published in: Devices & Hardware

  1. Pwning IoT via Hardware Attacks
     Chase Schultz, Senior Security Consultant, cschultz@securityevaluators.com
  2. About ISE
     • Analysts – White box perspective; Hackers; Cryptographers; RE
     • Research – Routers; NAS; Healthcare
     • Customers – Companies with high-value assets
     • Exploits – iPhone; Android; Ford; Exxon; Diebold
  3. whoami
     • Chase Schultz
     • Senior Security Consultant
     • Independent Security Evaluators
     • Twitter – @f47h3r_b0
     • Interests – Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems, Python & Go
  4. Agenda
     ① Importance of Hardware Hacking & IoT Research
     ② Scope of Workshop
     ③ Hardware Hacking Background
     ④ Tools of the Trade
     ⑤ Methodology
     ⑥ Examples
     ⑦ Photo Journal
     ⑧ Hands On!!
     ⑨ Resources / Further Reading
     ⑩ Open it up to attendees. What do you want to see?
  5. Why is this important?
  6. A Journey of Pwnage
     • Started getting interested in Hardware Hacking & IoT
     • Software guy goes to school …
     • Great way to get access and leverage for further research.
  7. IoT?
     • IoT is a buzzword (duh) …
       – Lots of embedded devices doing all the things …
       – Smart Homes
       – Medical Devices / Entertainment / Health Fitness / Toys / Sensors etc.
  8. Hardware Hacking
     • Interfaces
       – UART (Universal Asynchronous Receive & Transmit)
       – JTAG (Joint Test Action Group) – HW Debug
       – SPI (Serial Peripheral Interface)
       – I2C (Inter-Integrated Circuit)
  9. Tools of the Trade
  10. ISE Confidential - not for distribution
  12. Hardware Attacks (Methodology)
     0) Open the device, void your warranty, and join the exploitation party.
     1) Identify device, hardware revisions, document hardware components
     2) Research chip datasheets – figure out features
     3) Identify hardware communication interface possibilities
     4) Continuity testing and electrical pinout reversing
     5) Identifying wireline protocol logic (How the hell do I talk to these chips?)
     6) Hardware tools for accessing interfaces
     7) Wiring up to the board
     8) Device interrogation
     9) Firmware reverse engineering
     10) Vulnerability research / exploitation
  13. Void Some Warranties
  14. RTFM
     • Datasheets are your friend!
  15. Identifying HW Interfaces
  16. Pinout Reversing
  18. • VCC Pin – Steady voltage (also chirps)
      • GND Pin – Metal piece & pin
      • Tx Pin – Fluctuation upon boot
      • Baud rate
  19. UART to Root Shells
  22. • JTAG – Joint Test Action Group
        – Finding TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select), TRST (Test Reset; optional)
        – Hardware Debugging via OpenOCD / GDB
        – Jtagulator is awesome for brute-forcing pinout
  23. Dumping Flash w/ Flashrom
  24. Resources to Learn
      • Trainings:
        – SexViaHex.com – Software Exploitation Via Hardware Exploitation – Xipiter
        – Hands on Hardware Hacking – Joe Grand
      • Blogs
        – http://www.devttys0.com/
        – https://dontstuffbeansupyournose.com
  25. HANDS ON!!
      • If anyone would like to try wiring up a Shikra to a UART interface and playing around with a device.
      • Presoldered SOHO Routers & Home Automation Hubs
  26. Accessing Shikra via Screen
      screen /dev/cu.usbserial-145 115200
      (cmd, device name, baud rate)
  27. Your Turn!
      • Enable yourself as a security researcher.
      • Initial access for further research.
      • You can do it too! It's fun!
  28. Thank You!
      • DEF CON / @IoTVillage / You!
      • Contact ISE – https://securityevaluators.com/
      • https://github.com/f47h3r/firmware_collection
      • @f47h3r_b0
  29. Get Involved
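The pinout-reversing heuristics on slide 18 (Tx fluctuates at boot, VCC stays steady) and the baud rate that the screen command on slide 26 needs can both be checked from a logic-analyzer capture of the candidate Tx pin. As an added example that is not part of the workshop slides, the Python below infers the baud rate from the shortest pulse in such a capture and then decodes the 8N1 frames; the capture is constructed inline, and the 1.152 MHz sample rate and the standard-baud table are assumptions.

```python
# Added example (not from the slides): infer a UART baud rate from a logic-analyzer
# capture and decode 8N1 frames. The capture here is constructed, not recorded.
from typing import List, Tuple

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)  # assumed table

def encode_8n1(data: bytes, samples_per_bit: int) -> List[int]:
    """Constructed Tx capture: idle-high line, then per byte one start bit (0),
    eight data bits LSB-first and one stop bit (1)."""
    levels = [1] * (3 * samples_per_bit)                   # idle before first frame
    for byte in data:
        for bit in [0] + [(byte >> k) & 1 for k in range(8)] + [1]:
            levels.extend([bit] * samples_per_bit)
    return levels + [1] * (3 * samples_per_bit)            # idle after last frame

def infer_baud(levels: List[int], sample_rate_hz: int) -> Tuple[int, int]:
    """Shortest run of identical samples ~ one bit time (an isolated bit).
    Returns (nearest standard baud, run length in samples)."""
    runs, run = [], 1
    for prev, cur in zip(levels, levels[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1                                         # trailing idle run ignored
    if not runs:                                            # steady line: VCC/GND, not Tx
        raise ValueError("no transitions on this line")
    raw_baud = sample_rate_hz / min(runs)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw_baud)), min(runs)

def decode_8n1(levels: List[int], samples_per_bit: int) -> bytes:
    """Falling edge = start bit; sample the centre of each of the 8 data bits and
    keep the byte only if the stop bit is high (framing check)."""
    out, n, i = bytearray(), len(levels), 0
    while i < n - 1:
        if not (levels[i] == 1 and levels[i + 1] == 0):
            i += 1
            continue
        start = i + 1                                       # first sample of start bit
        mid = start + samples_per_bit // 2                  # centre of start bit
        stop = mid + 9 * samples_per_bit                    # centre of stop bit
        if stop >= n or levels[mid] != 0:                   # truncated frame or glitch
            i += 1
            continue
        byte = sum(levels[mid + (k + 1) * samples_per_bit] << k for k in range(8))
        if levels[stop] == 1:
            out.append(byte)
        i = start + 10 * samples_per_bit - 1                # last sample of stop bit
    return bytes(out)
```

With a real capture, a shortest run that maps cleanly onto a standard rate is the baud value to pass to screen; a line with no transitions at all is a power or ground pin, not Tx.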
