SlideShare a Scribd company logo

Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23

Download as PPTX, PDF
Chase Schultz
Chase Schultz

Slides from Defcon IoT Village Workshop Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience, of how people use hardware attacks to get initial access IoT Devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!

Devices & Hardware
1 of 40
P w n i n g I o T v i a H a r d w a r e A t t a c k s Chase Schultz, Senior Security Consultant cschultz@securityevaluators.com
About ISE Analysts • White box Perspective • Hackers; Cryptographers; RE Research • Routers; NAS; Healthcare Customers • Companies with high value assets Exploits • iPhone; Android; Ford; Exxon; Diebold
whoami • ChaseSchultz • Senior Security Consultant • IndependentSecurity Evaluators • Twitter– @f47h3r_b0 • Interests: – Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems, Python & Go
Agenda ① Importance of Hardware Hacking & IoT Research ② Scopeof Workshop ③ Hardware Hacking Background ④ Tools of the Trade ⑤ Methodology ⑥ Examples ⑦ Photo Journal ⑧ Hands On!! ⑨ Resources / Further Reading ⑩ Openit upto attendee’s. What do you want to see?
Why is this important?
A Journey ofPwnage • Started gettinginterested in Hardware Hacking & IoT • Software guy goes to school … • Great way to get access and leverage for further research.
IoT? • IoT is a buzzword (duh) … – Lots of embedded devices doing allthe things … – Smart Homes – Medical Devices / Entertainment / Health Fitness / Toys / Sensors etc
HardwareHacking • Interfaces – UART (Universal Asynchronous Receive & Transmit) – JTAG (Joint Test Action Group) – HW Debug – SPI (Serial Peripheral Interface) – I2C (Inter-Integrated Circuit)
Tools of the Trade
ISE Confidential - not for distribution
ISE Confidential - not for distribution
Hardware Attacks (Methodology) 0) Open thedevice, void yourwarranty,andjoin the exploitationparty. 1) IdentifyDevice, hardwarerevisions, documenthardwarecomponents 2) Researchchipdatasheets- figure outfeatures 3) Identifyhardwarecommunicationinterfacespossibilities 4) ContinuityTesting andElectrical PinoutReversing 5) Identifyingwireline protocollogic (How the hell doI talktothesechips?) 6) Hardwaretoolsforaccessing interfaces 7) Wiring uptoto theboard 8) Device Interrogation 9) FirmwareReverseEngineering 10) VulnerabilityResearch/ Exploitation
VoidSome Warranties
RTFM • Datasheetsare your friend!
Identifying HW Interfaces
Pinout Reversing
ISE Confidential - not for distribution
• VCC Pin– Steady Voltage (Also chirps) • GND Pin– Metal Piece& Pin • Tx Pin– Fluctuationupon boot • Baudrate
UARTto Root Shells
ISE Confidential - not for distribution
ISE Confidential - not for distribution
• JTAG – Joint Test Action Group – Finding TDI (Test Data In), TDO (Test Data Out), TCK(Test Clock), TMS (Test Mode Select), TRST (Test Reset) optional. – Hardware Debugging via OpenOCD / GDB – Jtagulator is awesome for brute-forcing pinout ISE Confidential - not for distribution
Dumping Flash w/Flashrom
Resourcesto Learn • Trainings: – SexViaHex.com – Software Exploitation ViaHardware Exploitation - Xipiter – Hands on Hardware Hacking – Joe Grand • Blogs – http://www.devttys0.com/ – https://dontstuffbeansupyournose.com
HANDSON!! • If anyone would liketo try wiring up a shikra to a UART interfaceand playing around witha device. • Presoldered SOHO Routers & Home Automation Hubs
AccessingShikraviaScreen screen /dev/cu.usbserial-145 115200 ^ ^ ^ cmd device name baudrate ISE Confidential - not for distribution
Your Turn! • Enable yourself as a security researcher. • Initialaccess for furtherresearch. • You can do it too! Its fun! ISE Confidential - not for distribution
ThankYou! • DEF CON /@IoTVillage / You! • Contact ISE --https://securityevaluators.com/  https://github.com/f47h3r/firmware_collection  @f47h3r_b0
GetInvolved

Recommended

Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
Chase Schultz
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
veerababu penugonda(Mr-IoT)
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
veerababu penugonda(Mr-IoT)
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
veerababu penugonda(Mr-IoT)
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
Hykeos
 
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
EC-Council
 

Recommended

Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
Chase Schultz
 
Firmware analysis 101
Firmware analysis 101Firmware analysis 101
Firmware analysis 101
veerababu penugonda(Mr-IoT)
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st SessionBeginner’s Guide on How to Start Exploring IoT Security 1st Session
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
veerababu penugonda(Mr-IoT)
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
Owasp top 10
Owasp top 10 Owasp top 10
Owasp top 10
veerababu penugonda(Mr-IoT)
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
Hykeos
 
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
All Your Base Still Belong To Us Physical Penetration Testing Tales From The ...
EC-Council
 
Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
agmoneyy
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
Priyanka Aash
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
guest642391
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
WSO2
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
Satria Ady Pradana
 
How to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris SistrunkHow to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris Sistrunk
EC-Council
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Pentesting embedded
Pentesting embeddedPentesting embedded
Pentesting embedded
antitree
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
Riscure
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
Ashwini Almad
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
Ashwini Almad
 
Seminar V2
Seminar V2Seminar V2
Seminar V2
Moustafa Najm
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
noornabi16
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2
 
Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavor
Satria Ady Pradana
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.
Harish Manchala
 

More Related Content

What's hot

Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
agmoneyy
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
WSO2
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Pentesting embedded
Pentesting embeddedPentesting embedded
Pentesting embedded
antitree
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 

What's hot (20)

Io t slides_iotvillage
Io t slides_iotvillageIo t slides_iotvillage
Io t slides_iotvillage
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
 
Securing IoT Applications
Securing IoT Applications Securing IoT Applications
Securing IoT Applications
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
How to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris SistrunkHow to Get into ICS Security byChris Sistrunk
How to Get into ICS Security byChris Sistrunk
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
 
Pentesting embedded
Pentesting embeddedPentesting embedded
Pentesting embedded
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
 
Seminar V2
Seminar V2Seminar V2
Seminar V2
 
IOT privacy and Security
IOT privacy and SecurityIOT privacy and Security
IOT privacy and Security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
Dracos forensic flavor
Dracos forensic flavorDracos forensic flavor
Dracos forensic flavor
 

Viewers also liked

Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.
Harish Manchala
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Serum protein electrophoresis & their clinical importance
Serum protein electrophoresis & their clinical importanceSerum protein electrophoresis & their clinical importance
Serum protein electrophoresis & their clinical importance
Dr.M.Prasad Naidu
 
Ppt lung carcinoma part1
Ppt lung carcinoma part1Ppt lung carcinoma part1
Ppt lung carcinoma part1
Juned Khan
 
Global Snapshots from a Changing Climate
Global Snapshots from a Changing ClimateGlobal Snapshots from a Changing Climate
Global Snapshots from a Changing Climate
ron mader
 
The NEW Way to Win Friends & Influence People (social media in events)
The NEW Way to Win Friends & Influence People (social media in events)The NEW Way to Win Friends & Influence People (social media in events)
The NEW Way to Win Friends & Influence People (social media in events)
Lara McCulloch-Carter
 

Viewers also liked (19)

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.Sources of finance for Oil,Gas and Petroleum companies.
Sources of finance for Oil,Gas and Petroleum companies.
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Rheumatic fever
Rheumatic feverRheumatic fever
Rheumatic fever
 
Raynaud's phenomenon
Raynaud's phenomenonRaynaud's phenomenon
Raynaud's phenomenon
 
Serum protein electrophoresis & their clinical importance
Serum protein electrophoresis & their clinical importanceSerum protein electrophoresis & their clinical importance
Serum protein electrophoresis & their clinical importance
 
Ppt lung carcinoma part1
Ppt lung carcinoma part1Ppt lung carcinoma part1
Ppt lung carcinoma part1
 
Presentation on router
Presentation on routerPresentation on router
Presentation on router
 
Embedded device hacking Session i
Embedded device hacking Session iEmbedded device hacking Session i
Embedded device hacking Session i
 
Project
ProjectProject
Project
 
Omar faruk CV
Omar faruk CVOmar faruk CV
Omar faruk CV
 
Near field communication(NFC)
Near field communication(NFC)Near field communication(NFC)
Near field communication(NFC)
 
Test First, TDD e outros Bichos
Test First, TDD e outros BichosTest First, TDD e outros Bichos
Test First, TDD e outros Bichos
 
Tap into NFC Meetup - Boston
Tap into NFC Meetup - Boston Tap into NFC Meetup - Boston
Tap into NFC Meetup - Boston
 
Nfc power point
Nfc power pointNfc power point
Nfc power point
 
Routers.ppt
Routers.pptRouters.ppt
Routers.ppt
 
OpinionWay pour Prévoir - Les Français et la prévoyance santé / Janvier 2017
OpinionWay pour Prévoir - Les Français et la prévoyance santé / Janvier 2017OpinionWay pour Prévoir - Les Français et la prévoyance santé / Janvier 2017
OpinionWay pour Prévoir - Les Français et la prévoyance santé / Janvier 2017
 
Global Snapshots from a Changing Climate
Global Snapshots from a Changing ClimateGlobal Snapshots from a Changing Climate
Global Snapshots from a Changing Climate
 
The NEW Way to Win Friends & Influence People (social media in events)
The NEW Way to Win Friends & Influence People (social media in events)The NEW Way to Win Friends & Influence People (social media in events)
The NEW Way to Win Friends & Influence People (social media in events)
 

Similar to Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23

WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
NetSPI
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
Beau Bullock
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 

Similar to Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23 (20)

Advanced Machine Learning for Hardware Trojan Detection_v2.pdf
Advanced Machine Learning for Hardware Trojan Detection_v2.pdfAdvanced Machine Learning for Hardware Trojan Detection_v2.pdf
Advanced Machine Learning for Hardware Trojan Detection_v2.pdf
 
Bar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 HackingBar Camp 11 Oct09 Hacking
Bar Camp 11 Oct09 Hacking
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
fingerprinting blackhat by pseudor00t
fingerprinting blackhat by pseudor00tfingerprinting blackhat by pseudor00t
fingerprinting blackhat by pseudor00t
 
Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
The_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdfThe_Pentester_Blueprint.pdf
The_Pentester_Blueprint.pdf
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
 
Defense-in-depth for embedded devices
Defense-in-depth for embedded devicesDefense-in-depth for embedded devices
Defense-in-depth for embedded devices
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 

Recently uploaded

一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
kywwoyk
 
Memory compiler tutorial – TSMC 40nm technology
Memory compiler tutorial – TSMC 40nm technologyMemory compiler tutorial – TSMC 40nm technology
Memory compiler tutorial – TSMC 40nm technology
Ahmed Abdelazeem
 
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
Amil baba
 
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
kywwoyk
 
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
eemet
 

Recently uploaded (7)

一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
 
Memory compiler tutorial – TSMC 40nm technology
Memory compiler tutorial – TSMC 40nm technologyMemory compiler tutorial – TSMC 40nm technology
Memory compiler tutorial – TSMC 40nm technology
 
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...
 
MATHEMATICS BRIDGE COURSE (TEN DAYS PLANNER) (FOR CLASS XI STUDENTS GOING TO ...
MATHEMATICS BRIDGE COURSE (TEN DAYS PLANNER) (FOR CLASS XI STUDENTS GOING TO ...MATHEMATICS BRIDGE COURSE (TEN DAYS PLANNER) (FOR CLASS XI STUDENTS GOING TO ...
MATHEMATICS BRIDGE COURSE (TEN DAYS PLANNER) (FOR CLASS XI STUDENTS GOING TO ...
 
F5 LTM TROUBLESHOOTING Guide latest.pptx
F5 LTM TROUBLESHOOTING Guide latest.pptxF5 LTM TROUBLESHOOTING Guide latest.pptx
F5 LTM TROUBLESHOOTING Guide latest.pptx
 
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
 
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
一比一原版SDSU毕业证圣地亚哥州立大学毕业证成绩单如何办理
 

Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23

  • 1. P w n i n g I o T v i a H a r d w a r e A t t a c k s Chase Schultz, Senior Security Consultant cschultz@securityevaluators.com
  • 2. About ISE Analysts • White box Perspective • Hackers; Cryptographers; RE Research • Routers; NAS; Healthcare Customers • Companies with high value assets Exploits • iPhone; Android; Ford; Exxon; Diebold
  • 3. whoami • ChaseSchultz • Senior Security Consultant • IndependentSecurity Evaluators • Twitter– @f47h3r_b0 • Interests: – Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems, Python & Go
  • 4. Agenda ① Importance of Hardware Hacking & IoT Research ② Scopeof Workshop ③ Hardware Hacking Background ④ Tools of the Trade ⑤ Methodology ⑥ Examples ⑦ Photo Journal ⑧ Hands On!! ⑨ Resources / Further Reading ⑩ Openit upto attendee’s. What do you want to see?
  • 5. Why is this important?
  • 6. A Journey ofPwnage • Started gettinginterested in Hardware Hacking & IoT • Software guy goes to school … • Great way to get access and leverage for further research.
  • 7. IoT? • IoT is a buzzword (duh) … – Lots of embedded devices doing allthe things … – Smart Homes – Medical Devices / Entertainment / Health Fitness / Toys / Sensors etc
  • 8. HardwareHacking • Interfaces – UART (Universal Asynchronous Receive & Transmit) – JTAG (Joint Test Action Group) – HW Debug – SPI (Serial Peripheral Interface) – I2C (Inter-Integrated Circuit)
  • 9.
  • 10. Tools of the Trade
  • 11.
  • 12. ISE Confidential - not for distribution
  • 13.
  • 14.
  • 15.
  • 16.
  • 17. ISE Confidential - not for distribution
  • 18. Hardware Attacks (Methodology) 0) Open thedevice, void yourwarranty,andjoin the exploitationparty. 1) IdentifyDevice, hardwarerevisions, documenthardwarecomponents 2) Researchchipdatasheets- figure outfeatures 3) Identifyhardwarecommunicationinterfacespossibilities 4) ContinuityTesting andElectrical PinoutReversing 5) Identifyingwireline protocollogic (How the hell doI talktothesechips?) 6) Hardwaretoolsforaccessing interfaces 7) Wiring uptoto theboard 8) Device Interrogation 9) FirmwareReverseEngineering 10) VulnerabilityResearch/ Exploitation
  • 22.
  • 23.
  • 24.
  • 26. ISE Confidential - not for distribution
  • 27.
  • 28. • VCC Pin– Steady Voltage (Also chirps) • GND Pin– Metal Piece& Pin • Tx Pin– Fluctuationupon boot • Baudrate
  • 30. ISE Confidential - not for distribution
  • 31. ISE Confidential - not for distribution
  • 32. • JTAG – Joint Test Action Group – Finding TDI (Test Data In), TDO (Test Data Out), TCK(Test Clock), TMS (Test Mode Select), TRST (Test Reset) optional. – Hardware Debugging via OpenOCD / GDB – Jtagulator is awesome for brute-forcing pinout ISE Confidential - not for distribution
  • 34. Resourcesto Learn • Trainings: – SexViaHex.com – Software Exploitation ViaHardware Exploitation - Xipiter – Hands on Hardware Hacking – Joe Grand • Blogs – http://www.devttys0.com/ – https://dontstuffbeansupyournose.com
  • 35. HANDSON!! • If anyone would liketo try wiring up a shikra to a UART interfaceand playing around witha device. • Presoldered SOHO Routers & Home Automation Hubs
  • 36.
  • 37. AccessingShikraviaScreen screen /dev/cu.usbserial-145 115200 ^ ^ ^ cmd device name baudrate ISE Confidential - not for distribution
  • 38. Your Turn! • Enable yourself as a security researcher. • Initialaccess for furtherresearch. • You can do it too! Its fun! ISE Confidential - not for distribution
  • 39. ThankYou! • DEF CON /@IoTVillage / You! • Contact ISE --https://securityevaluators.com/  https://github.com/f47h3r/firmware_collection  @f47h3r_b0

Editor's Notes

  1. Talk about the current landscape of IoT… So many new products hitting the streets… Smart Home is here / So many personal devices / … Light Bulbs, Home Appliances, Lighting & Energy Control Systems.
  2. Need to Add Refrences
  3. Piper Night Vision Camera and Home Automation System
  4. 1) MX25L32 2) PIC32MX5