Pwning IoT via Hardware Attacks
Chase Schultz, Senior Security Consultant
cschultz@securityevaluators.com
About ISE
Analysts
• White box
Perspective
• Hackers; Cryptographers; RE
Research
• Routers; NAS; Healthcare
Customers
• Companies with high value assets
Exploits
• iPhone; Android; Ford; Exxon; Diebold
whoami
• Chase Schultz
• Senior Security Consultant
• Independent Security Evaluators
• Twitter – @f47h3r_b0
• Interests:
– Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems,
Python & Go
Agenda
① Importance of Hardware Hacking & IoT Research
② Scope of Workshop
③ Hardware Hacking Background
④ Tools of the Trade
⑤ Methodology
⑥ Examples
⑦ Photo Journal
⑧ Hands On!!
⑨ Resources / Further Reading
⑩ Open it up to attendees. What do you want to see?
Why is this important?
A Journey of Pwnage
• Started getting interested in Hardware Hacking & IoT
• Software guy goes to school …
• Great way to get access and leverage for further research.
IoT?
• IoT is a buzzword (duh) …
– Lots of embedded devices doing all the things …
– Smart Homes
– Medical Devices / Entertainment / Health & Fitness / Toys / Sensors etc.
Hardware Hacking
• Interfaces
– UART (Universal Asynchronous Receiver/Transmitter) – serial console
– JTAG (Joint Test Action Group) – HW debug
– SPI (Serial Peripheral Interface) – e.g. external flash
– I2C (Inter-Integrated Circuit) – e.g. EEPROMs, sensors
Tools of the Trade
ISE Confidential - not for distribution
Hardware Attacks (Methodology)
0) Open the device, void your warranty, and join the exploitation party.
1) Identify the device and hardware revision; document the hardware components.
2) Research chip datasheets; figure out the features.
3) Identify possible hardware communication interfaces.
4) Continuity testing and electrical pinout reversing.
5) Identify the wireline protocol logic (how the hell do I talk to these chips?).
6) Hardware tools for accessing the interfaces.
7) Wiring up to the board.
8) Device interrogation.
9) Firmware reverse engineering.
10) Vulnerability research / exploitation.
Void Some Warranties
RTFM
• Datasheets are your friend!
Identifying HW Interfaces
Pinout Reversing
• VCC pin – steady voltage on the meter (in continuity mode it may also chirp briefly as the decoupling capacitors charge)
• GND pin – continuity between the pin and a metal piece (shield can / ground plane)
• Tx pin – voltage fluctuates during boot as the bootloader prints
• Baud rate – try the common rates (115200 is typical) until the output is readable
UART to Root Shells
• JTAG – Joint Test Action Group
– Finding TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock),
TMS (Test Mode Select), TRST (Test Reset) optional.
– Hardware debugging via OpenOCD / GDB
– JTAGulator is awesome for brute-forcing the pinout
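The pin-finding step above is what the JTAGulator automates: for every way of assigning candidate header pins to TCK, TMS and TDO, reset the TAP, walk it into Shift-DR and clock 32 bits out. A real TAP answers with its IDCODE (bit 0 set, not all ones); a wrong assignment reads as all zeros or all ones. The following is an added example, not code from the deck: the target is a simulated TAP behind a simulated header (an assumption made so the scan runs offline), and the pin numbers and the IDCODE 0x1A2B3C4D are constructed. On real hardware `SimBoard.set`/`get` would be GPIO writes and reads; TDI is left undriven because an IDCODE scan does not need it.

```python
# Added example, not code from the deck: JTAGulator-style IDCODE scan that
# brute-forces which header pins are TCK, TMS and TDO. The target is a
# simulated TAP (assumption) so the scan runs offline.
from itertools import permutations

# IEEE 1149.1 TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP_NEXT = {
    "TLR":   ("RTI",   "TLR"),   "RTI":   ("RTI",   "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR",  "EX1DR"),
    "SHDR":  ("SHDR",  "EX1DR"), "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR",  "UPDR"),
    "UPDR":  ("RTI",   "SELDR"), "SELIR": ("CAPIR", "TLR"),
    "CAPIR": ("SHIR",  "EX1IR"), "SHIR":  ("SHIR",  "EX1IR"),
    "EX1IR": ("PAUIR", "UPIR"),  "PAUIR": ("PAUIR", "EX2IR"),
    "EX2IR": ("SHIR",  "UPIR"),  "UPIR":  ("RTI",   "SELDR"),
}


class SimBoard:
    """Simulated header: `tck`, `tms`, `tdo` are the pins the TAP is really
    wired to; every other pin just holds whatever level was last driven."""

    def __init__(self, npins, tck, tms, tdo, idcode):
        self.levels = [0] * npins
        self.tck, self.tms, self.tdo = tck, tms, tdo
        self.idcode = idcode
        self.state = "RTI"   # power-up state is unknown; the scan resets it
        self.sr = 0          # data-register shift chain

    def set(self, pin, level):
        old, self.levels[pin] = self.levels[pin], level
        if pin == self.tck and old == 0 and level == 1:   # rising edge on the real TCK
            self._tick(self.levels[self.tms])

    def get(self, pin):
        if pin == self.tdo:  # TDO is driven only while shifting; reads low otherwise
            return self.sr & 1 if self.state == "SHDR" else 0
        return self.levels[pin]

    def _tick(self, tms):
        if self.state == "CAPDR":    # after reset the selected DR is IDCODE
            self.sr = self.idcode
        elif self.state == "SHDR":   # LSB went out on TDO; TDI modelled as 0
            self.sr >>= 1
        self.state = TAP_NEXT[self.state][tms]


def read_idcode(board, tck, tms, tdo):
    """Drive one candidate (TCK, TMS, TDO) assignment and shift 32 bits out."""
    def clock(tms_level):
        board.set(tms, tms_level)
        board.set(tck, 0)
        board.set(tck, 1)

    for _ in range(5):   # five TMS=1 clocks reach Test-Logic-Reset from any state
        clock(1)
    clock(0)             # -> Run-Test/Idle
    clock(1)             # -> Select-DR-Scan
    clock(0)             # -> Capture-DR
    clock(0)             # -> Shift-DR
    value = 0
    for bit in range(32):
        value |= board.get(tdo) << bit
        clock(0)
    return value


def plausible_idcode(value):
    """IEEE 1149.1 fixes bit 0 to 1; all ones means nothing drove TDO."""
    return value & 1 == 1 and value != 0xFFFFFFFF


def decode_idcode(value):
    """Split an IDCODE into its version, part number and JEDEC manufacturer fields."""
    return {"version": value >> 28,
            "part": (value >> 12) & 0xFFFF,
            "manufacturer": (value >> 1) & 0x7FF}


def scan(board, candidates):
    """Try every ordered triple of candidate pins; return [((tck, tms, tdo), idcode)]."""
    hits = []
    for tck, tms, tdo in permutations(candidates, 3):
        value = read_idcode(board, tck, tms, tdo)
        if plausible_idcode(value):
            hits.append(((tck, tms, tdo), value))
    return hits


if __name__ == "__main__":
    # constructed target: 6-pin header, TAP on pins 2 (TCK), 0 (TMS), 4 (TDO)
    board = SimBoard(6, tck=2, tms=0, tdo=4, idcode=0x1A2B3C4D)
    for pins, idcode in scan(board, range(6)):
        print(f"TCK={pins[0]} TMS={pins[1]} TDO={pins[2]} IDCODE=0x{idcode:08X} {decode_idcode(idcode)}")
```

Every attempt starts with five TMS=1 clocks, so a previous wrong guess cannot leave the TAP in a state that fools the next one. Finding TDI afterwards needs a BYPASS-register walk (shift a pattern in and watch it appear on TDO one clock later), which is the JTAGulator's second scan mode; the manufacturer field of the IDCODE then tells you which OpenOCD target config to load.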
Dumping Flash w/Flashrom
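Flashrom hands you a raw image; before spending time on step 9 of the methodology (firmware reverse engineering) it is worth checking that the read was good and seeing what containers are in it. The following is an added example, not code from the deck: it assumes a 4 MB part like the MX25L32 named in the speaker notes and two back-to-back reads (`flashrom -p <programmer> -r dump1.bin`, then again into dump2.bin); the sample image, its offsets and the uImage contents are constructed so the checks run offline.

```python
# Added example, not code from the deck: sanity-check an SPI flash dump made
# with flashrom and locate the firmware containers inside it. Assumes a 4 MB
# part (MX25L32); the dump below is constructed for the demo.
import struct

MAGICS = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x85\x19": "JFFS2 node (little-endian)",
}


def check_dump(data: bytes, expected_size: int):
    """Return a list of problems; an empty list means the dump looks sane."""
    if not data:
        return ["empty dump: flashrom did not read anything"]
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != expected {expected_size}")
    if data.count(0xFF) == len(data):
        problems.append("all 0xFF: chip erased, or bad contact/VCC on the clip")
    elif data.count(0x00) == len(data):
        problems.append("all 0x00: chip not answering (check CLK/CS wiring)")
    return problems


def compare_dumps(a: bytes, b: bytes, max_report=8):
    """Offsets where two consecutive reads differ (any difference means a
    flaky clip connection; re-seat and dump again)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        diffs.append(min(len(a), len(b)))
    return diffs[:max_report]


def scan_magics(data: bytes, align=4):
    """Known container magics at `align`-byte offsets, as sorted (offset, name)."""
    hits = []
    for magic, name in MAGICS.items():
        start = 0
        while (off := data.find(magic, start)) != -1:
            if off % align == 0:
                hits.append((off, name))
            start = off + 1
    return sorted(hits)


# uImage header (U-Boot image.h): magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp
UIMAGE_FMT = ">IIIIIIIBBBB"


def uimage_info(data: bytes, off: int):
    """Parse the 64-byte big-endian uImage header at `off`."""
    fields = struct.unpack_from(UIMAGE_FMT, data, off)
    if fields[0] != 0x27051956:
        raise ValueError(f"no uImage magic at 0x{off:x}")
    name = data[off + 32:off + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"size": fields[3], "load": fields[4], "entry": fields[5],
            "arch": fields[8], "comp": fields[10], "name": name}


def build_sample_dump(size=4 * 1024 * 1024):
    """Constructed 4 MB image: erased flash with a uImage at 0x50000 and a
    SquashFS rootfs at 0x150000 (offsets made up for the demo)."""
    img = bytearray(b"\xff" * size)
    # os=5 Linux, arch=5 MIPS, type=2 kernel, comp=3 LZMA (U-Boot's constants)
    hdr = struct.pack(UIMAGE_FMT, 0x27051956, 0, 0, 0x100000,
                      0x80000000, 0x80000000, 0, 5, 5, 2, 3)
    img[0x50000:0x50000 + 64] = hdr + b"Linux-3.10 sample".ljust(32, b"\0")
    img[0x150000:0x150004] = b"hsqs"
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("problems:", check_dump(dump, 4 * 1024 * 1024) or "none")
    for off, name in scan_magics(dump):
        print(f"0x{off:06x}  {name}")
    print(uimage_info(dump, 0x50000))
```

binwalk (from the devttys0 blog linked below) does the magic scan far more thoroughly; the point here is the two cheap checks, an erased/unresponsive chip and two reads that disagree, which catch a bad clip connection before you waste an afternoon on a corrupt image.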
Resources to Learn
• Trainings:
– SexViaHex.com – Software Exploitation via Hardware Exploitation – Xipiter
– Hands-on Hardware Hacking – Joe Grand
• Blogs
– http://www.devttys0.com/
– https://dontstuffbeansupyournose.com
HANDS ON!!
• If anyone would like to try wiring up a Shikra to a UART interface and playing around with a device.
• Pre-soldered SOHO routers & home automation hubs
Accessing Shikra via Screen
screen /dev/cu.usbserial-145 115200
^      ^                     ^
cmd    device name           baud rate
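The "Baud rate" bullet on the pinout-reversing slide and the screen invocation above come down to the same step: find the rate at which the Tx output stops being garbage. The following is an added example, not code from the deck: it samples the port at each common rate and keeps the one whose output is mostly printable ASCII, the number you then pass to screen. The sampler is injected so the logic runs offline against a constructed boot banner; `pyserial_sampler` is the real one and assumes pyserial and the deck's device node /dev/cu.usbserial-145.

```python
# Added example, not code from the deck: pick the UART baud rate by sampling
# the Tx pin at each common rate and scoring how much of the output is
# printable text. A boot log at the right rate is almost all ASCII; at the
# wrong rate the receiver sees framing garbage. The sampler is injected so
# the logic runs offline; `pyserial_sampler` is the real one (needs pyserial).
import random
import string

COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)
PRINTABLE = set(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (including \\r, \\n, \\t)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def guess_baud(sampler, bauds=COMMON_BAUDS, threshold=0.9):
    """sampler(baud) -> bytes read from the port at that rate.
    Returns (best_baud, score), or (None, best_score) if nothing looks like text."""
    scores = {baud: printable_ratio(sampler(baud)) for baud in bauds}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores[best]


def pyserial_sampler(port="/dev/cu.usbserial-145", nbytes=512, timeout=3.0):
    """Real sampler: open the Shikra's device node at each rate and read a
    chunk while the target boots (power-cycle the board between rates).
    The import is local so the offline demo below does not need pyserial."""
    import serial  # pyserial

    def sample(baud):
        with serial.Serial(port, baud, timeout=timeout) as s:
            return s.read(nbytes)
    return sample


# constructed demo data: a fake boot banner and a sampler that returns it only
# at the true rate, high-bit garbage at every other rate
BOOT_LOG = (b"U-Boot 1.1.4 (Jan 1 2015)\r\n"
            b"DRAM:  64 MB\r\nFlash: 4 MB\r\n"
            b"Hit any key to stop autoboot:  0\r\n")


def fake_sampler(true_baud=115200, seed=1):
    rng = random.Random(seed)

    def sample(baud):
        if baud == true_baud:
            return BOOT_LOG
        return bytes(rng.randrange(0x80, 0x100) for _ in range(len(BOOT_LOG)))
    return sample


if __name__ == "__main__":
    baud, score = guess_baud(fake_sampler())
    print(f"best guess: {baud} baud (printable ratio {score:.2f})")
```

On a real target the wrong-rate bytes are not purely high-bit garbage, which is why the decision uses a ratio and a threshold rather than an exact match; if no rate clears the threshold, check that you are on Tx and not Rx, and that the ground is shared.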
Your Turn!
• Enable yourself as a security researcher.
• Initial access for further research.
• You can do it too! It's fun!
Thank You!
• DEF CON / @IoTVillage / You!
• Contact ISE – https://securityevaluators.com/
• https://github.com/f47h3r/firmware_collection
• @f47h3r_b0
Get Involved

Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23


Editor's Notes
1. Talk about the current landscape of IoT… So many new products hitting the streets… Smart Home is here / so many personal devices / … light bulbs, home appliances, lighting & energy control systems.
2. Need to add references.
3. Piper Night Vision camera and home automation system.
4. 1) MX25L32 (Macronix 32 Mbit / 4 MB SPI NOR flash) 2) PIC32MX5 (Microchip PIC32 microcontroller)