The document discusses hardware security assessments of Internet of Things (IoT) devices. It provides tips for obtaining cheap IoT devices, identifying device components, interfacing with devices using logic analyzers and hardware debugging tools, extracting file systems, and performing reverse engineering. Methods covered include identifying interfaces like UART and JTAG, using tools like Saleae Logic, Bus Pirate, Shikra, and OpenOCD, and reversing binaries with tools like Binary Ninja, IDA Pro, and Radare2.

1. Insecure Obsolete and Trivial
The Real IOT
BSides Puerto Rico 2017(18)
Price McDonald

2. #USERID 0,0 pkm
• 10 years InfoSec Experience
• Manager, Rapid7 Global Services
• Certifications:
• GPEN, GREM, GWAPT, GXPN, OSCP
• Enjoys long walks to Microcenter, Competitive Shooting and Reverse Engineering.

3. Current State of Hardware Security
O’RLY?

4. Current State of Hardware Security
Ok, So Hardware
Security sucks…
But why focus on
the hardware?

5. Get the “Things” on the Cheap
• Beta Programs
• https://www.betabound.com/tp-link-router-private-beta/
• https://beta.linksys.com/
• https://www.beta.netgear.com/signup/
• Flea Markets
• Ebay
• Craigslist
• Garage Sales

6. Test Dummy

7. Tamper Resistance and Detection

8. Component Identification

9. Component Identification(2)
• EOL 802.11G router SoC (System on Chip)
• 200 Mhz MIPS32 core
• Supports Serial or Parallel Flash
• One JTAG and two UART Ports
• 336 ball FBGA (Fine-pitch Ball Grid
Array)
• 32M-BIT Parallel NOR Flash Memory
• 3V only
• 48-pin TSOP (Thin Small Outline Package)
• CMOS DDR400 RAM
• 66-pin TSOP II

10. Component Identification Tips and Trick

11. Arts and Crafts Time

12. Finding Ground
• Using the Multi-Meter we can figure out which of the pins on our
headers connect to ground and which have voltage.
Ground
Voltage
Specifically
3.3v
• Got Ground?

13. Physical Counter Measures

14. Common Interface Types
• UART - Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter Integrated Circuit
• JTAG – Joint Test Action Group – Hardware Debugging Interface
• CAN – Controller Area Network (Cars/ATM/etc)
• RS232- Serial Interface used on many legacy devices

15. Pinout Reversing
• Saleae Logic Analyzer
• ~100 Bucks on the low end @ https://www.saleae.com
• Also, EDU discounts available up to 50% depending
on model.
• Keep in mind that logic analyzers are sampling which
can cause artificial data depending on the sampling
rate and thresholds.
• Works for I2C, UART, SPI, JTAG, CAN, etc, etc

16. Saleae Logic UI
• Using the Saleae logic analyzer we can watch the pins during boot to check for voltage
spikes during. This is a good indication of either a UART, I2C or SPI connection.

17. Saleae Logic Decoders
Given that we suspect Async Serial (UART) we will select that analyzer

18. Saleae Logic - Decoding
Among small embedded devices 115200 is a very common bit rate so it is an easy
guess. But we will also cover a more automated way of determining bit rate.

19. Saleae Logic - Decoding(2)
We must also ensure we are configuring the device to analyze the appropriate
channel (which are color coded as long as you connect them correctly)

20. Saleae Logic - Output
As you can see we are successfully decoding the output
from the UART serial connection on our Broadcom chip.

21. Connecting to Interfaces
• Bus Pirate
• Less of a learning curve
• Slower transfer speeds
• Supports UART, SPI, I2C and JTAG
• Shikra
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C, JTAG, RS-232
• Supports multiple connections from same device
• Slightly less reliable in my experience

22. Using the Shikra
http://int3.cc/products/the-shikra

23. Connecting to UART
The command used to connect to a UART serial adapter will vary by
device and OS but will generally be similar to the command below.
sudo screen /dev/[device id] baud rate
Or the the case of the Device ID below for the Shikra:
sudo screen /dev/ttyUSB0 115200

24. NOW WE HAVE A SHELL!
But what’s next?
AND THEN?

25. Shell is only the beginning

26. No Tech Hacking

27. File System Fiddling
• MTD is a "Memory Technology Device.
• Unix traditionally only knew block devices and character devices.
Character devices were things like keyboards or mice, that you could
read current data from, but couldn't be seek-ed and didn't have a size.
Block devices had a fixed size and could be seek-ed.
• A mtdblock is a block device emulated over an mtd device.

28. Hiding in Plain Sight
Often times embedded device manufacturers leave important file systems unmounted.
Another good Resource:
http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS

29. Pilfering
But, How do we get the file system off of the target device?

30. Accidental Footprints

31. So what Happens if that doesn’t work?
• JTAG stands for (Joint Test Action Group) which was formed in 1985.
• The following pins are required for JTAG use:
• TDI (Test Data In)
• TDO (Test Data Out)
• TCK (Test Clock)
• TMS (Test Mode Select)
• The TCK Pin (Test Clock) is what keeps the clock for the state machine.
• THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances
depending on it’s relative position during each clock cycle.

32. JTAG ADAPTERS
Good Better Best
$45 $60-$600 $5000-$20000

33. Have you heard of the JTAGulator?
• Created by Joe Grand @ http://www.grandideastudio.com
• ~180-200 Bucks

34. HOW TO CONNECT WITH OPENOCD
The command to initiate openocd is : openocd –f interface –f target
But now what? There are errors and stuff!!!!!
#openocd on Freenode

35. HOW TO CONNECT WITH OPENOCD(2)
Silly openocd!
That’s more like it J

36. Cereal

37. Reverse Engineering
• Binary Ninja
• Free version available
• Limited Architecture Support
• Learn one IL to reverse them all
• Ida Pro
• Paid Version required for disassembly
• ARM decompiler available but $$$$
• Also very good debugger
• Radare2
• Free multiplatform support
• No decompiler available

38. Radare2

39. IDA Pro

40. No Shell No Problem

41. Peripheral interfaces

43. Contact Information
Contact information
twitter: @PriceMcdonald
Linkedin: linkedin.com/pricemcdonald
Email: pricemcdonald@gmail.com