Next dates Location Sign up
July 1. - 4. 2019 Recon.cx - Montreal, Canada Sign up

In this 4-day training students will learn how to attack real, on-the-market and supposedly secure devices that have sold millions of units and are widely used. Often, these devices are used in critical and/or sensitive applications.

The training focuses on teaching how to perform a hardware security analysis, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device busses.

A big focus is on identifying inherently insecure architectures: Devices that can not be made secure from a hardware perspective, for example because of design-mistakes or the selection of insecure chips.

The devices the students will hack range from point-of-sale terminals, over bitcoin wallets and automotive control systems up to industrial controllers as used in power plants.

The training also covers how the conducted attacks can be prevented and how secure devices architectures can be constructed.

Prerequisites

  • Understanding of software security testing (pen-testing, red-teaming)
  • Familiarity with the scripting language Python
  • Basic understanding of embedded development
  • Basic understanding of software attacks

What this class will teach

In this class students will learn how to find hardware security issues on real-world embedded devices:

  • Tools for embedded device analysis
  • Basic firmware analysis
  • Finding & abusing debugging capabilities (JTAG, SWD, Serial consoles)
  • Dumping memory devices & ICs
  • Identifying & extracting secrets from dumps
  • Analyzing busses
  • MITM attacks on in-device busses
  • Attacks on devices with secure-elements
  • Basic side-channel attacks
  • Processors and their (in)security features

Outline

Day 1 - The basics

Day 1 is a crash-course into the world of embedded device hacking and covers:

  • Basic firmware analysis
    • From firmware blob to extracted filesystem
    • Identifying encrypted/unencrypted firmware
    • Determining hardware-details from a firmware dump
    • Finding vulnerabilities using static analysis
  • Analyzing signals
    • Logic signals
    • Basic signal analysis using a logic analyzer
    • Signal trainer: Identifying unknown signals
    • Probing on real devices
    • Embedded protocols (SPI, I2C, UART, etc)

Day 2 - Getting our hands dirty

On day 2 we will start looking at devices from the real world and how to abuse design decisions made in the production of them.

  • Architecture analysis
    • Identifying components
    • Understanding a device architecture
    • Building a basic hardware threat model
  • Introduction to our custom and off-the shelf hardware and software tools
  • Hands-on hacking
    • Finding debug interfaces (Consoles, finding undocumented JTAG & SWD pinouts, etc)
    • Using OpenOCD to dump firmware
    • Analyzing dumped firmware & flash contents
    • Extracting secrets from dumps
  • How does a secure device look?

Day 3 - Breaking better secured devices

We don’t have JTAG, SWD, or a serial console - what now? On day 3 we will look at attacks on in-device bus systems, such as I2C and secure-elements - and how to abuse them to our advantage.

  • Introduction to secure-elements
    • ISO7816 (Smartcard protocol) and 1-wire
    • Analyzing 1-wire communication
    • Common Secure-Elements/Authentication chips and their pitfalls
    • Case-studies of real-world secure-element issues
  • Hands-on embedded man-in-the-middle attacks
    • Introduction to the MITM hardware & software tools
    • Building a Python-based MITM attack tool for different protocols
  • Real-device hands-on:
    • Man-in-the-middle attack on a secure-element
    • TOCTTU (Time of check to time of use) man-in-the-middle attack for bypassing secure-boot

Day 4 - Insecure chips & side-channels

Day 4 focuses on two other layers of security: The processors and side-channels.

Most software developers just assume the hardware to do the correct thing, but often issues exists in the processors themselves that can be exploited to gain code-execution or bypass security checks.

A side-channel attack (SCA) is a weakness in the underlying hardware or firmware that unintentionally leaks secret data stored on the device.

Next dates Location Sign up
July 1. - 4. 2019 Recon.cx - Montreal, Canada Sign up