The document presents a workshop on hardware attacks and IoT research led by Chase Schultz, a senior security consultant. It covers the significance of hardware hacking, methodologies for exploiting devices, and tools used in the process, emphasizing the importance of understanding hardware components and communication interfaces. Additionally, it invites attendees to engage hands-on and explore further resources for learning.

1. P w n i n g I o T v i a H a r d w a r e A t t a c k s
Chase Schultz, Senior Security Consultant
cschultz@securityevaluators.com

2. About ISE
Analysts
• White box
Perspective
• Hackers; Cryptographers; RE
Research
• Routers; NAS; Healthcare
Customers
• Companies with high value assets
Exploits
• iPhone; Android; Ford; Exxon; Diebold

3. whoami
• ChaseSchultz
• Senior Security Consultant
• IndependentSecurity Evaluators
• Twitter– @f47h3r_b0
• Interests:
– Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems,
Python & Go

4. Agenda
① Importance of Hardware Hacking & IoT Research
② Scopeof Workshop
③ Hardware Hacking Background
④ Tools of the Trade
⑤ Methodology
⑥ Examples
⑦ Photo Journal
⑧ Hands On!!
⑨ Resources / Further Reading
⑩ Openit upto attendee’s. What do you want to see?

5. Why is this important?

6. A Journey ofPwnage
• Started gettinginterested in Hardware Hacking
& IoT
• Software guy goes to school …
• Great way to get access and leverage for further
research.

7. IoT?
• IoT is a buzzword (duh) …
– Lots of embedded devices doing allthe things …
– Smart Homes
– Medical Devices / Entertainment / Health Fitness / Toys
/ Sensors etc

8. HardwareHacking
• Interfaces
– UART (Universal Asynchronous Receive & Transmit)
– JTAG (Joint Test Action Group) – HW Debug
– SPI (Serial Peripheral Interface)
– I2C (Inter-Integrated Circuit)

10. Tools of the Trade

12. ISE Confidential - not for distribution

17. ISE Confidential - not for distribution

18. Hardware Attacks (Methodology)
0) Open thedevice, void yourwarranty,andjoin the exploitationparty.
1) IdentifyDevice, hardwarerevisions, documenthardwarecomponents
2) Researchchipdatasheets- figure outfeatures
3) Identifyhardwarecommunicationinterfacespossibilities
4) ContinuityTesting andElectrical PinoutReversing
5) Identifyingwireline protocollogic (How the hell doI talktothesechips?)
6) Hardwaretoolsforaccessing interfaces
7) Wiring uptoto theboard
8) Device Interrogation
9) FirmwareReverseEngineering
10) VulnerabilityResearch/ Exploitation

19. VoidSome Warranties

20. RTFM
• Datasheetsare your friend!

21. Identifying HW Interfaces

25. Pinout Reversing

26. ISE Confidential - not for distribution

28. • VCC Pin– Steady Voltage (Also chirps)
• GND Pin– Metal Piece& Pin
• Tx Pin– Fluctuationupon boot
• Baudrate

29. UARTto Root Shells

30. ISE Confidential - not for distribution

31. ISE Confidential - not for distribution

32. • JTAG – Joint Test Action Group
– Finding TDI (Test Data In), TDO (Test Data Out), TCK(Test Clock),
TMS (Test Mode Select), TRST (Test Reset) optional.
– Hardware Debugging via OpenOCD / GDB
– Jtagulator is awesome for brute-forcing pinout
ISE Confidential - not for distribution

33. Dumping Flash w/Flashrom

34. Resourcesto Learn
• Trainings:
– SexViaHex.com – Software Exploitation ViaHardware
Exploitation - Xipiter
– Hands on Hardware Hacking – Joe Grand
• Blogs
– http://www.devttys0.com/
– https://dontstuffbeansupyournose.com

35. HANDSON!!
• If anyone would liketo try wiring up a shikra to a UART
interfaceand playing around witha device.
• Presoldered SOHO Routers & Home Automation Hubs

37. AccessingShikraviaScreen
screen /dev/cu.usbserial-145 115200
^ ^ ^
cmd device name baudrate
ISE Confidential - not for distribution

38. Your Turn!
• Enable yourself as a security researcher.
• Initialaccess for furtherresearch.
• You can do it too! Its fun!
ISE Confidential - not for distribution

39. ThankYou!
• DEF CON /@IoTVillage / You!
• Contact ISE --https://securityevaluators.com/
 https://github.com/f47h3r/firmware_collection
 @f47h3r_b0

40. GetInvolved