Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

•

2 likes•1,613 views

La ingeniería inversa y el análisis de seguridad de dispositivos hardware suele requerir herramientas especializadas que el usuario medio no tiene disponibles en casa. Durante esta charla presentaremos las herramientas y métodos básicos a utilizar durante el análisis de este tipo de productos, buscando introducir a los asistentes en el mundo del hardware hacking sin necesidad de emplear excesivos recursos. Se empezará desde la búsqueda de información inicial, el análisis de interfaces interesantes (RS232, i2c, USB, etc ), pasando por la obtención del firmware utilizado por el dispositivo y finalmente por la emulación yo debugging en tiempo real del código utilizado por el dispositivo via JTAG. Para cada uno de estos aspectos se realizarán demostraciones sobre hardware común (off-the-shelf).

Hardware hacking on your coach
Intro to affordable embedded hacking

Eloi Sanfelix <eloi@riscure.com>
Javi Moreno <javi.moreno@nruns.com>

#rootedHW

The life of a software security guy
during the day

The life of a software security guy
during the night

Hardware = FUN

Source: http://www.flickr.com/photos/neimod/

... but more ...

Source: http://dontstuffbeansupyournose.com

Open Source Info Gathering
• Search the web
– Part # / Chip model  Datasheets
– Similar models
– Exploits for similar devices
– ...

Interesting interfaces

Interface Typical uses

RS232 Shells , debug output

Debug output, peripheral management,
i2c / SPI
serial EEPROM, ...

JTAG Testing and debugging

USB / Ethernet / SATA / Etc Same as your PC ;-)

How to obtain firmware?
• Online firmware updates

• Flash dumping
– SPI for serial ROMs
– Via debug access (e.g JTAG)
– Desoldering + external flash readers
• Commercial readers
• Microcontroller-based dumpers

Debugging with JTAG
• Boundary Scan only:
– Reading / Modifying memory
– Checking control lines (inputs/outputs)
• Using additional aids:
– Private instructions
– Debugging logic
• ARM: EmbeddedICE
• MIPS: EJTAG
• Motorola: BDM

Debugging with JTAG (2)
• Provides:
– Hardware breakpoints
– Hardware watchpoints
– Register access

• Example: EJTAG

BGA (2)
• Drilling through the PCB

Balls on CPU: Balls through PCB:

Can’t debug? Emulate!
• You still can use emulators
– Qemu
– GXEmul
– Skyeye
– ...

Key security features
Feature Description

Internal boot code / core must assure
Secure boot
integrity of loaded firmware
Security subsystem must assure integrity
Runtime integrity
of running code
Debug interfaces must either be disabled
Interface protection
or (securely) protected
Sensitive keys must be stored within the
Key storage chipset and not readable to the
application
Content stored in external memory
(RAM) during runtime must be protected
External memory protection
from attackers.
(scrambling and maybe authentiaction)
Need to withstand SCA/FI attacks in
Protected crypto cores
order to properly protect keys.

Conclusion
• Embedded hacking = FUN

• Attacker’s challenges
– Info gathering often difficult
– Interfacing trickier than with software

• Defender’s challenges
– Device running under hostile environment

Shopping list
Item Price

Arduino / Other dev boards 20-60€ each / 20 to 300€

Bus Pirate 25€

Bus Blaster / GoodFET 30€ / DIY

Openbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€

Cables, solder, screwdrivers, probes, ... -

DSO Oscilloscope Nano / Quad 70€ / 150€

USB Microscope ~20 €

OpenVizsla (when available) 100 – 200 EUR

Some things to look at
• Routers, modems, STBs, MFPs ...
• Gaming consoles, modern TVs
• PC parts
• (Smart)phones
• Smart meters, alarms, SCADA/PLCs...
• Car or vehicle electronics
• Home appliances, domotics
• Gadgets

HW Hacking resources
• Hack a day – www.hackaday.com
• /dev/ttyS0 – www.devttys0.com
• Bunnie’s blog – www.bunniestudios.com
• Debugmo.de – debugmo.de
• Pagetable – www.pagetable.com
• HW vendors’ forums: SeedStudio, Sparkfun ,
adafruit.com, Dangerous Prototypes , ...
• Fritzing – www.fritzing.org
• [... The list goes on ...]

Thanks!

Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5)
eloi@riscure.com javi.moreno@nruns.com

Software geeks fear hardware. It's a fact of life: code is easy to write and easy to change, but hardware catches on fire if you put it together wrong. But this is changing! Hardware is becoming cheaper and easier to work with every day and can often be managed with the same tools you use to deploy code to the cloud. Join self-described software guy and hardware-phobe Ronald McCollam for a guided trip from the safe world of web development to the scary lands of hardware and back again. We'll see how easy it can be to make the leap from managed code to microprocessors!

Hardware hacking

Tavish Naruka

Internet of things - with routers

Tavish Naruka

Building Trojan Hardware at Home

E Hacking

Nodemcu - introduction

Michal Sedlak

Programming esp8266

Baoshi Zhu

Video here, thanks to archive.org: https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers With stories of "BadBIOS" infecting PCs simply by connecting a malicious USB flash drive to a PC, it's time we learned about flash drives and their controllers. Consumer USB flash drives are cheap, growing in capacity and shrinking in physical size. There are only around 15 prominent controller chip manufacturers whom you have never heard of, but OEM for all the popular and respected "name brands" on the market. These flash controllers have capabilities that aren't mentioned on product packaging, and can be enabled with programming you will learn during this presentation. These flash controllers can be *reprogrammed entirely* via software to do whatever you want. Turn an old flash drive into an emulated CDROM or a CDROM + flash drive. Update the controller's firmware, disassemble it, etc. This talk will touch on the various controller manufacturers, features, and show you how to leverage them for yourself. Why spend $100 on an old SanDisk[tm] U3 Cruiser when you can spend $4 for the same features? Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases scripts in support of his work on github at http://github.com/warewolf. Outside of his day job, he can be found hacking on projects at the Reston, VA hackerspace Nova Labs http://www.nova-labs.org.

Kernel entrance to-geek-

mao999

Esp8266 - Intro for dummies

Pavlos Isaris

lesson2 - Nodemcu course - NodeMCU dev Board

Elaf A.Saeed

Republic of IoT - Hackathon Hardware Kits Hands-on Labs

Alwin Arrasyid

Esp8266 Workshop

Stijn van Drunen

Everything you wanted to know about Internet of Things & Galileo

BeMyApp

[5]投影片 futurewad樹莓派研習會 141218

CAVEDU Education

Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015

CODE BLUE

A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them. This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun. Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.

Let's begin io t with $10

Makoto Takahashi

Espresso Lite v2 - ESP8266 Overview

The World Bank

Making wearables with NodeMCU - FOSDEM 2017

Etiene Dalcol

NodeMCU is an open hardware IoT platform based on eLua for the ESP8266 microcontroller. It allows creating low-cost projects using Wi-Fi and easy scripting in Lua, which makes it great for making wearables, for example. In this talk I'll give an introduction to the platform, show how I built an audio reactive graduation dress and share the materials to get you started on your own wearable project. This talk is ideal for beginners to hardware hacking or Lua enthusiasts looking for project inspiration.

Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...

RootedCON

El objetivo de la presentación es el de transmitir al publico, de como funcionan las bandas criminales en internet desde un punto de vista técnico sin dejar de lado una pequeña introducción historica para los asistentes no familiarizados con el mundo del cibercrimen. Durante la presentación se hablara de los proveedores Offshore más activos e situado en Europa del este. Dicho ISP constituye uno de los recursos más activos del Crimeware mediante el cual se distribuyen una importante cantidad de códigos maliciosos, malware, crimepacks, botnets, iframers, tdsSystems y un largo ETC…. El indice de la presentación tendrá una estructura similar a la siguiente: Un poco de Historia (Breve introducción al cibercrimen) Infraestructura enumerando máquinas, dominios, etc? (Como tienen montado el chiringuito) Dibujo de la organización, responsabilidades…(Vamos a mostrar, nombres, responsabilidades,horarios de trabajo) Donde compran ellos su infraestructura (es realmente offshore??) (sacaremos algún leak que demuestra nuestras sospechas y se verán contrastadas nuestras suposiciones) ¿Que cuesta ser malo? (Kids Don’t do it!) (Cuanto invierte un malote) Donde venden y compran servicios. Servicios más relevantes que ofrecen, trafico, vps, vpn, marketplaces, mulas, etc.. (Cual es el éxito de su servicio) ‘lo prueban por su calidad y se quedan por el servicio técnico’ Análisis de los crimewares encontrados más relevantes y conocidos. Los clasicos Spyeye, Zevs, etc…. Análisis de los crimewares más raros y privados encontrados. (Bazar Bizarro) Conclusiones y agradecimientos. El contenido de la ponencia será completamente 100% real. se mantendrá la frescura de los datos en exclusiva para la la RootedCon, de está manera está presentación no se volverá a repetir en ningún congreso Por otro lado se sombrearan los datos que se considere que puedan perjudicar y causar un impacto negativo sobre los mismos. Toda la información que se cite durante la ponencia será con fines educacionales y a pesar de los títulos en ningún momento se incitara a cometer actos delictivos. Todos los datos adquiridos han sido fruto de colaboración empresas y autoridades que nos facilitan la publicación de los datos.

Modulo 5Cesar Zarate

What's hot

Cigarette VS Bubble GumNaruenart

IoT Hands-On-Lab, KINGS, 2019

Jong-Hyun Kim

Intel Edison: Beyond the Breadboard

yeokm1

Introduction to ESP32 Programming [Road to RIoT 2017]

Alwin Arrasyid

How to Make an Eight Bit Computer and Save the World!elliando dias

Linux Kernel Exploitation

Scio Security

Arduino Meetup with Sonar and 433Mhz Radios

roadster43

How to Install ESP8266 WiFi Web Server using Arduino IDE

Naoto MATSUMOTO

Controlling USB Flash Drive Controllers: Expose of Hidden Features

xabean

Kernel entrance to-geek-

mao999

Esp8266 - Intro for dummies

Pavlos Isaris

lesson2 - Nodemcu course - NodeMCU dev Board

Elaf A.Saeed

Republic of IoT - Hackathon Hardware Kits Hands-on Labs

Alwin Arrasyid

Esp8266 Workshop

Stijn van Drunen

Everything you wanted to know about Internet of Things & Galileo

BeMyApp

[5]投影片 futurewad樹莓派研習會 141218

CAVEDU Education

Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015

CODE BLUE

Let's begin io t with $10

Makoto Takahashi

Espresso Lite v2 - ESP8266 Overview

The World Bank

Making wearables with NodeMCU - FOSDEM 2017

Etiene Dalcol

What's hot (20)

Cigarette VS Bubble Gum

IoT Hands-On-Lab, KINGS, 2019

Intel Edison: Beyond the Breadboard

Introduction to ESP32 Programming [Road to RIoT 2017]

How to Make an Eight Bit Computer and Save the World!

Linux Kernel Exploitation

Arduino Meetup with Sonar and 433Mhz Radios

How to Install ESP8266 WiFi Web Server using Arduino IDE

Controlling USB Flash Drive Controllers: Expose of Hidden Features

Kernel entrance to-geek-

Esp8266 - Intro for dummies

lesson2 - Nodemcu course - NodeMCU dev Board

Republic of IoT - Hackathon Hardware Kits Hands-on Labs

Esp8266 Workshop

Everything you wanted to know about Internet of Things & Galileo

[5]投影片 futurewad樹莓派研習會 141218

Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015

Let's begin io t with $10

Espresso Lite v2 - ESP8266 Overview

Making wearables with NodeMCU - FOSDEM 2017

Viewers also liked

Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...

RootedCON

Modulo 5Cesar Zarate

José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...

RootedCON

La ingeniería social es el arte de obtener información confidencial a través de la manipulación de la persona que tiene ese conocimiento. La base de esta técnica es que las personas siempre suelen ser el eslabón más débil en un sistema securizado, ya que normalmente siempre hay una persona que sabe cómo acceder a él. La idea es que es más fácil manipular a una persona que al sistema en sí mismo. La banca online no es una excepción. En este caso, las personas más vulnerables son los propios usuarios, los clientes finales de los bancos, y el objetivo es acceder a sus cuentas. Para ello se utilizan troyanos bancarios, pero no se deja de lado la ingeniería social, sino que ésta aparece en forma de inyecciones HTML o redirecciones a sitios de phishing, siendo las primeras las más sofisticadas. Es impresionante ver cómo cada vez que un banco añade una barrera de seguridad ésta se salta sin problemas gracias a la ingeniería social y a la ingenuidad de los usuarios. Por lo tanto, ¿sigue siendo rentable invertir en medidas de seguridad sabiendo que no podemos controlar a los usuarios?¿existe alguna contramedida contra la ingeniería social?

Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]

RootedCON

Pese a que la criptografía matemática es en general bastante segura en cuanto a algoritmia y protocolos, a la hora de realizar implementaciones prácticas es fácil subvertir esa seguridad inicial añadiendo vectores de ataque que permiten ‘explotar’ vulnerabilidades que pongan en peligro la seguridad. La charla versará sobre ejemplos prácticos de como atacar y sacar partido a herramientas criptográficas de amplio uso (SmartCards, certificados SSL, comunicaciones seguras, etc) Junto con la charla se presentará y liberará un ejemplo de ‘Troyano’ que ataca al DNI-E haciendo operaciones seguras de forma desatendida una vez robado el PIN 3. Relación de temas Problemas relacionados con gestión de certificados SSL (no verificabilidad, falsa sensación de seguridad, fallos en procesos de registro) Problemas relacionados con certificados en formato PKCS#12 Problemas relacionados con comunicaciones seguras cifradas (ataques MitM avanzados) Vectores prácticos de ataques a SmartCards (Dni-e)

Guillermo Grande y Alberto Ortega - Building an IP reputation engine, trackin...

RootedCON

La presentación tratará acerca del sistema de reputación IP, accesible de forma libre, desarrollado en Alienvault. Se explicará el funcionamiento de todas sus partes, lo que incluye sus fuentes de información, las metodologías de recopilación de datos y el procesado de los mismos. Se tratarán temas como análisis automatizado de malware, algoritmos para perfilar datos y evitar falsos positivos, la forma de recibir retroalimentación, el uso de recursos muy diferentes en el sistema, así como las dificultades que hemos tenido a la hora de desarrollarlo.

Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]

RootedCON

¿Te crees que bastionando tu servidores estás seguro?, Tienes PKI, Certificados, SSL, e-DNI, IPSEC,mucha experiencia en seguridad, dispones de certificaciones y eres muy considerado en el sector, ¿pero? ¿le has preguntado a la secretaria de tu director? ¿sabes como y donde almacena las contraseñas tu director comercial? Hospital Central, pretende enseñar a los asistentes como se realizo una auditoría a un hospital utilizando mecanismos de ingeniería social y como se obtuvo el control del hospital en menos de 24 horas. Nada de exploits, nada de SQL Injection. Tan solo la utilización de técnicas y troyanos humanos.

Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]

RootedCON

Desde hace tiempo se ha tendido a criminalizar algunas actividades relacionadas con el mundo de la seguridad informática creando nuevas leyes o endureciendo las existentes con el fin de ampliar el control sobre las comunicaciones y los usuarios. Teniendo en cuenta esta situación que ha sido agravada por las actuaciones de determinados colectivos; algunas practicas de la seguridad informática que antes podían justificarse como pura “”curiosidad”" se han convertido en un delito y pueden terminar en situaciones desagradables. La charla tratara sobre los métodos que podemos utilizar para evitar que nuestra curiosidad se vuelva contra nosotros y terminemos recibiendo alguna visita “”non grata”". Mostraremos técnicas para conseguir anonimato en Internet y evitar ser trazados, como utilizar “”otros”" sistemas sin que nadie se percate de nuestra presencia, etc… En resumen: como se podría “”curiosear”" sin terminar enjaulado. Todo esto se demostrara utilizando herramientas propias, parte de las cuales serán liberadas al público tras finalizar la conferencia.

Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...

RootedCON

Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]

RootedCON

El objetivo de la conferencia es exponer cómo se puede llevar a cabo, de forma lo más sencilla y estructurada posible, la coexistencia de diversos elementos cotidianos en las casas actuales, controlados por un único sistema, con la finalidad de mejorar la seguridad del lugar donde más tranquilos deberíamos estar: nuestra propia vivienda. Se explicará cómo diseñar un mecanismo de seguridad física casero basado en: Mecanismos de monitorización mediante cámaras web genéricas, con técnicas de reconocimiento facial de los habitantes de la casa, así como detección por bluetooth. Grabación de videos a sospechosos Interacción con una alarma controlable vía TCPIP Reconocimiento facial de personas clasificadas como “buscadas por las autoridades”, en modo lista negra, integrado con el aviso teléfonico a la policía mediante una centralita basada en VoIP, indicando la ubicación de qué persona de dicha lista, se encuentra en el domicilio. Sistema de notificaciones de las alertas a Twitter, correo y mensajería instantánea. Asimismo, se hablará de automatización de mecanismos de control de aire acondicionado/calefacción, robots dedicados a la limpieza y estaciones meteorológicas, demostrando que cualquier elemento casero con interfaz de red, puede ser un sistema SCADA. Además de implementar un sistema de autenticación biométrica, aprovechando el reconocimiento facial de quien entra en la casa, se podrá disponer de una lista blanca de usuarios, sobre los que poder personalizar un mensaje de bienvenida para cada usuario, pudiendo avisarle de diversos aspectos.

Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...

RootedCON

En los tiempos que corren, la asentada crisis, y los presupuestos cayendo en picado, arquitectos de sistemas, así como técnicos, se pueden ver en un aprieto, a la hora de necesitar realizar recogida de evidencias corporativas, en el caso de no poder contar con las herramientas adecuadas, por falta de presupuesto. En esta sesión, se aportará un enfoque práctico sobre este problema, incidiendo en presentar la arquitectura corporativa como una solución, más que un problema. Para ello, se aportarán ideas que permitan, por ejemplo, extraer datos en caliente de un equipo, o grupo de equipos, sin la tediosa tarea de realizar una imagen completa al mismo. Todo ello utilizando la infraestructura existente y sin necesidad de herramientas de terceros. También se presentarán ideas sobre cómo almacenar Logs de equipos críticos en BBDD, sin utilizar para ello aplicaciones residentes ni complejos proyectos. Toca remangarse y scriptar!!

BSides DFW2016-Hack Mode Enabled

pricemcdonald

Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

RootedCON

“DNS: Internet Dial-Tone”; Partiendo de esta premisa y con la vista puesta en el método de distribución de ‘malware’ presentado en 2011 (Cloud Malware Distribution), intentaremos mostrar de forma dinámica los resultados obtenidos después de algunos meses de trabajo focalizado en las comunicaciones, tanto en la parte de control como en la fuga de información, de las ‘botnets’. Por supuesto con el protocolo DNS con un papel protagonista. Jugaremos con tres parámetros fundamentales que tendremos que equilibrar: Nivel de exposición de la infraestructura del atacante. Recursos y complejidad. Ancho de banda en la comunicación. El objetivo final es concienciar de la importancia de poner el foco en este protocolo como se ha hecho en otros. Nuestros resultados, y los resultados obtenidos por proveedores de seguridad e investigadores en los últimos meses avalan la posición que defendemos.

Viewers also liked (12)

Manu Quintans y Frank Ruiz - All Your Crimeware Are Belong To Us! [RootedCON ...

Modulo 5

José Miguel Esparza y Mikel Gastesi - Social Engineering in Banking Trojans: ...

Yago Jesús - Applied Cryptography FAILs [RootedCON 2012]

Guillermo Grande y Alberto Ortega - Building an IP reputation engine, trackin...

Pedro Sánchez - Hospital Central. Historia de una extorsión [RootedCON 2012]

Jaime Peñalba y Javier Rodríguez - Live Free or Die Hacking [RootedCON 2012]

Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript...

Lorenzo Martínez - Welcome to your secure /home, $user [Rooted CON 2012]

Juan Garrido - Corporate Forensics: Saca partido a tu arquitectura[RootedCON ...

BSides DFW2016-Hack Mode Enabled

Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

Similar to Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...

Priyanka Aash

With the proliferation of Linux-based SoCs -- you've likely got one or two in your house, on your person or in your pocket -- it is often useful to look "under the hood" at what is running; Additionally, in-situ debugging may be unavailable due to read-only filesystems, memory is often limited, and other factors keep us from attacking a live device. This talk looks at attacking binaries outside their native environment using QEMU, the Quick Emulator, as well as techniques for extracting relevant content from devices and exploring them.

Making and breaking security in embedded devices

Yashin Mehaboobe

DefCon 2012 - Gaining Access to User Android DataMichael Smith

Advanced SOHO Router Exploitation XCON

Lyon Yang

D1 t1 t. yunusov k. nesterov - bootkit via sms

qqlan

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network. And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier. Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.

arduino.pdf

Gurumurthy B R

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...

Sergey Gordeychik

Pitfalls and limits of dynamic malware analysis

Tamas K Lengyel

Attacking Embedded Devices (No Axe Required)

Security Weekly

Porting your favourite cmdline tool to Android

Vlatko Kosturjak

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

MichaelM85042

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is the open-source firmware scanner, created by penetration testers for penetration testers. Project page: https://github.com/e-m-b-a/emba Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596

HKUST Security Lab Opening Ceremony

Kelvin Chan

IoT security zigbee -- Null Meet bangalore

veerababu penugonda(Mr-IoT)

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

MichaelM85042

Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis. Project page: https://github.com/e-m-b-a/emba Conference page: https://forum.defcon.org/node/242109

Reverse code engineering

Krishs Patil

Reverse Engineering the TomTom Runner pt. 1

Luis Grangeia

A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon

Firmware analysis 101

veerababu penugonda(Mr-IoT)

From printed circuit boards to exploits

virtualabs

Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing. This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.

Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl

Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin

Similar to Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012] (20)

It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...

Making and breaking security in embedded devices

DefCon 2012 - Gaining Access to User Android Data

Advanced SOHO Router Exploitation XCON

D1 t1 t. yunusov k. nesterov - bootkit via sms

arduino.pdf

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...

Pitfalls and limits of dynamic malware analysis

Attacking Embedded Devices (No Axe Required)

Porting your favourite cmdline tool to Android

EMBA - Firmware analysis - Black Hat Arsenal USA 2022

HKUST Security Lab Opening Ceremony

IoT security zigbee -- Null Meet bangalore

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

Reverse code engineering

Reverse Engineering the TomTom Runner pt. 1

Firmware analysis 101

From printed circuit boards to exploits

Simplest-Ownage-Human-Observed… - Routers

Filip palian mateuszkocielski. simplest ownage human observed… routers

Recently uploaded

Knowledge engineering: from people to machines and back

Elena Simperl

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

The Future of Platform Engineering

Jemma Hussein Allen

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Recently uploaded (20)

Knowledge engineering: from people to machines and back

Designing Great Products: The Power of Design and Leadership by Chief Designe...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Neuro-symbolic is not enough, we need neuro-*semantic*

Search and Society: Reimagining Information Access for Radical Futures

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Epistemic Interaction - tuning interfaces to provide information for AI support

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

The Future of Platform Engineering

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

1. Hardware hacking on your coach Intro to affordable embedded hacking Eloi Sanfelix <eloi@riscure.com> Javi Moreno <javi.moreno@nruns.com> #rootedHW

2. The life of a software security guy during the day

3. The life of a software security guy during the night

4. Hardware = FUN Source: http://www.flickr.com/photos/neimod/

5. This is NOT about....

6. ... but more ... Source: http://dontstuffbeansupyournose.com

7. Overview

8. Info Gathering

9. Classic Embedded System

10. Mapping of the device 10

11. Open Source Info Gathering • Search the web – Part # / Chip model  Datasheets – Similar models – Exploits for similar devices – ...

12. Interfacing Embedded Systems

13. Interesting interfaces Interface Typical uses RS232 Shells , debug output Debug output, peripheral management, i2c / SPI serial EEPROM, ... JTAG Testing and debugging USB / Ethernet / SATA / Etc Same as your PC ;-)

14. Finding interfaces

15. Bus Pirate v3.x

16. Openbench Logic Sniffer

17. DEMO: Interfacing & sniffing

18. Dumping Firmware

19. How to obtain firmware? • Online firmware updates • Flash dumping – SPI for serial ROMs – Via debug access (e.g JTAG) – Desoldering + external flash readers • Commercial readers • Microcontroller-based dumpers

20. Placa ROMs

21. Binary Visualization

22. Firmware Reverse Engineering

23. Debugging

24. JTAG interface

25. Debugging with JTAG • Boundary Scan only: – Reading / Modifying memory – Checking control lines (inputs/outputs) • Using additional aids: – Private instructions – Debugging logic • ARM: EmbeddedICE • MIPS: EJTAG • Motorola: BDM

26. Debugging with JTAG (2) • Provides: – Hardware breakpoints – Hardware watchpoints – Register access • Example: EJTAG

27. DEMO: Meet the BUS BLASTER

28. Locating JTAG A B D C

29. Locating JTAG (2)

30. Locating JTAG (3)

31. Locating JTAG (4)

32. Image source: www.hirox-usa.com

33. BGA (2) • Drilling through the PCB Balls on CPU: Balls through PCB:

34. Can’t debug? Emulate! • You still can use emulators – Qemu – GXEmul – Skyeye – ...

35. Securing Embedded Systems

36. Secure Embedded System

37. Key security features Feature Description Internal boot code / core must assure Secure boot integrity of loaded firmware Security subsystem must assure integrity Runtime integrity of running code Debug interfaces must either be disabled Interface protection or (securely) protected Sensitive keys must be stored within the Key storage chipset and not readable to the application Content stored in external memory (RAM) during runtime must be protected External memory protection from attackers. (scrambling and maybe authentiaction) Need to withstand SCA/FI attacks in Protected crypto cores order to properly protect keys.

38. Conclusion • Embedded hacking = FUN • Attacker’s challenges – Info gathering often difficult – Interfacing trickier than with software • Defender’s challenges – Device running under hostile environment

39. Shopping list Item Price Arduino / Other dev boards 20-60€ each / 20 to 300€ Bus Pirate 25€ Bus Blaster / GoodFET 30€ / DIY Openbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€ Cables, solder, screwdrivers, probes, ... - DSO Oscilloscope Nano / Quad 70€ / 150€ USB Microscope ~20 € OpenVizsla (when available) 100 – 200 EUR

40. Some things to look at • Routers, modems, STBs, MFPs ... • Gaming consoles, modern TVs • PC parts • (Smart)phones • Smart meters, alarms, SCADA/PLCs... • Car or vehicle electronics • Home appliances, domotics • Gadgets

41. HW Hacking resources • Hack a day – www.hackaday.com • /dev/ttyS0 – www.devttys0.com • Bunnie’s blog – www.bunniestudios.com • Debugmo.de – debugmo.de • Pagetable – www.pagetable.com • HW vendors’ forums: SeedStudio, Sparkfun , adafruit.com, Dangerous Prototypes , ... • Fritzing – www.fritzing.org • [... The list goes on ...]

42. Thanks! Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5) eloi@riscure.com javi.moreno@nruns.com

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]

Similar to Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012] (20)

More from RootedCON

More from RootedCON (20)

Recently uploaded

Recently uploaded (20)

Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]