Date 10 February 2020 - 13 February 2020
Hosted by The Westin Grand
Location Friedrichstraße 158-164, 10117 Berlin, Germany
Trainer Thomas Roth
Language English
Capacity 16

Registration

€4,000.00
€5,000.00
Until January 15.
After January 15.

Prices exclude 19% VAT (MwSt.) for customers from Germany.

We also offer group discounts and on-site trainings! Feel free to contact us either via the form below or at info@leveldown.de.

Sign up now! Group discount request

Overview

Have you ever looked at a physical device and wondered what was possible? How does it work? Why is it secure? What does information flowing between components look like using a logic analyzer? And most importantly, can we hack it?

This course is all about hardware exploration, from understanding how common devices are designed and manufactured up to manipulating each component to behave how you want it to behave, and not how the manufacturer anticipated.

For manufacturers, understanding how controls are subverted is vital in designing more robust and secure devices. For security personnel, understanding how to attack devices and how to review a device for security is critical for working with the new wave of connected devices. For developers, this class will teach the methods used by hackers and teach them to defend against them.

The devices the students will hack in this course range from access control systems (such as used in some embassies and power plants), connected cameras, smart lightning controllers, industrial gateways and more.

The training focuses on teaching how to perform a hardware security audit, starting with basic firmware analysis and going as deep as performing a man-in-the-middle attack on in-device busses.

Finally, we also look at how the conducted attacks can be prevented and how more secure device architectures can be designed.

Learn how to hack fingerprint access control systems, smart cameras, wearables, bitcoin wallets and more.

What this class will teach

In this class students will learn how to find hardware security issues on real-world embedded devices:

  • Building a hardware security lab
  • Tools for embedded device analysis
  • Basic firmware analysis
  • Finding & abusing debugging capabilities (JTAG, SWD, Serial consoles)
  • Dumping memory devices & ICs
  • Identifying & extracting secrets from dumps
  • Analyzing busses
  • Man-in-the-middle attacks on in-device busses
  • Attacks on devices with secure-elements
  • Basic side-channel attacks
  • Processors and their (in)security features

Who this training is for

  • Security engineers getting into IoT/embedded security
  • Developers
  • Hardware designers
  • Everyone who is curious about securing the Internet-of-Things

Outline

Day 1 - The basics

Day 1 is a crash-course into the world of embedded device hacking and covers:

  • Basic firmware analysis
    • From firmware blob to extracted filesystem
    • Identifying encrypted/unencrypted firmware
    • Determining hardware-details from a firmware dump
    • Finding vulnerabilities using static analysis
  • Analyzing signals
    • Logic signals
    • Basic signal analysis using a logic analyzer
    • Signal trainer: Identifying unknown signals
    • Probing on real devices
    • Embedded protocols (SPI, I2C, UART, etc)

Day 2 - Getting our hands dirty

On day 2 we will start looking at devices from the real world and how to abuse design decisions made in the production of them.

  • Architecture analysis
    • Identifying components
    • Understanding a device architecture
    • Building a basic hardware threat model
  • Introduction to our custom and off-the shelf hardware and software tools
  • Hands-on hacking
    • Finding debug interfaces (Consoles, finding undocumented JTAG & SWD pinouts, etc)
    • Using OpenOCD to dump firmware
    • Analyzing dumped firmware & flash contents
    • Extracting secrets from dumps
  • How does a secure device look?

Day 3 - Breaking better secured devices

We don’t have JTAG, SWD, or a serial console - what now? On day 3 we will look at attacks on in-device bus systems, such as I2C and secure-elements - and how to abuse them to our advantage.

  • Introduction to secure-elements
    • ISO7816 (Smartcard protocol) and 1-wire
    • Analyzing 1-wire communication
    • Common Secure-Elements/Authentication chips and their pitfalls
    • Case-studies of real-world secure-element issues
  • Hands-on embedded man-in-the-middle attacks
    • Introduction to the MITM hardware & software tools
    • Building a Python-based MITM attack tool for different protocols
  • Real-device hands-on:
    • Man-in-the-middle attack on a secure-element
    • TOCTTU (Time of check to time of use) man-in-the-middle attack for bypassing secure-boot

Day 4 - Insecure chips & side-channels

On day 4 we focus on two other layers of security: The processor and unintentional side-channels. Most software developers just assume the hardware to do the correct thing, but often issues exists in the processors themselves that can be exploited to gain code-execution or bypass security checks. We also look at side-channel attacks: Unintentional information leakage, for example through the power consumption of a device, can cause secrets to leak from devices or be used to bypass access protections.

  • Processor security features
    • Fuses, crypto accelerators, read-out protection
    • Attacks
      • Glitching
      • Boot ROM issues
  • Side-channel attacks
    • Timing side-channels
    • RF side-channels
    • Power side-channels
  • Hands-on
    • Exploiting a timing side-channel
    • Bring-your-own/choose-your-own target lab

The trainer

Thomas Roth is a security researcher and founder of leveldown security. His main focus is on mobile and embedded systems with published research on topics like TrustZone, payment terminals, and embedded security. In recent years, his main focus has been on critical infrastructure and communication, with published research on industrial control systems, industrial IoT devices and secure communication. In 2018, Thomas Roth and his research was named as one of the 30 under 30 in Technology by the Forbes Magazine and was named TCCA Young Engineer of the Year 2018.

Sign up now! Group discount request