Practical hardware attacks against SOHO Routers & the Internet of Things
Practical Hardware Attacks against SOHO Routers and IoT
Chase Schultz, Senior Security Consultant [email protected]
@f47h3r_b0
About ISE
• Analysts: white-box perspective; hackers, cryptographers, reverse engineers
• Research: routers, NAS, healthcare
• Customers: companies with high-value assets
• Exploits: iPhone, Android, Ford, Exxon, Diebold
whoami
• Chase Schultz, Senior Security Consultant, Independent Security Evaluators
• Twitter: @f47h3r_b0
• Interests: reverse engineering, hardware, SDR, fuzzing, embedded systems, Python & Go
Agenda
① Importance of Hardware Hacking & IoT Research
② Scope of Talk
③ Hardware Hacking Background
④ Tools of the Trade
⑤ Methodology
⑥ Examples
⑦ Photo Journal
⑧ Demo!!
⑨ Resources / Further Reading
⑩ Thanks!
Why is this important?
A Journey of Pwnage
• Started getting interested in Hardware Hacking & IoT
• Software guy goes to school …
• Great way to get access and leverage for further research.
IoT?
• IoT is a buzzword (duh) …
– Lots of embedded devices doing all the things …
– Smart homes, medical devices, entertainment, health/fitness, toys, sensors, etc.
Hardware Hacking
• Interfaces
– UART (Universal Asynchronous Receiver/Transmitter) – serial console
– JTAG (Joint Test Action Group) – hardware debug
– SPI (Serial Peripheral Interface) – typically the flash chip
– I2C (Inter-Integrated Circuit)
Tools of the Trade
• The Shikra (FT232H-based UART/SPI/JTAG adapter): http://int3.cc/products/the-shikra
• JTAGulator (Joe Grand): http://www.grandideastudio.com/portfolio/jtagulator/
• Saleae logic analyzer: https://www.saleae.com/
Hardware Attacks (Methodology)
0) Open the device, void your warranty, and join the exploitation party.
1) Identify the device and hardware revision; document the hardware components.
2) Research chip datasheets; figure out the features.
3) Identify possible hardware communication interfaces.
4) Continuity testing and electrical pinout reversing.
5) Identify the wireline protocol logic (how the hell do I talk to these chips?).
6) Select hardware tools for accessing the interfaces.
7) Wire up to the board.
8) Device interrogation.
9) Firmware reverse engineering.
10) Vulnerability research / exploitation.
Void Some Warranties
RTFM• Datasheets are your friend!
Identifying HW Interfaces
Pinout Reversing
Saleae Logic Analyzer
UART to Root Shells
• VCC pin – steady voltage (also chirps); identify it to learn the logic level (3.3 V or 5 V) so the adapter matches, but do not connect it to the adapter
• GND pin – continuity to a metal piece (shield/chassis) and a pin; connect ground first
• Tx pin – fluctuation upon boot
• Baud rate – read it off the bit timing on the logic analyzer, or try the standard rates (115200 is the most common)
Accessing the Shikra via screen
    screen /dev/cu.usbserial-145 115200
    ^      ^                     ^
    cmd    device name           baudrate
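The "Tx pin fluctuates on boot" and "baud rate" steps above are what the logic analyzer shows you; the following script is an added example (not code from the talk or from ISE) of doing the same inference by hand. It takes a list of (timestamp, level) edge transitions on the TX line, the shape you get after parsing a Saleae export, takes the shortest gap between edges as one bit time, snaps that to the nearest standard rate, and decodes 8N1 frames by sampling at bit centres. The capture it runs on is constructed by encoding a known string, not recorded from a real board; the encoder, the helper names and the inference rule (shortest edge gap = one bit, which needs at least one isolated bit in the capture) are this example's own assumptions.

```python
"""Infer a UART baud rate from a logic-analyzer capture and decode 8N1 frames.

Added example, not code from the slides. Capture format: a list of
(timestamp_seconds, new_level) edge transitions on the TX line. The capture
fed in at the bottom is constructed from a known string, not recorded.
"""
from typing import List, Tuple

Edge = Tuple[float, int]          # (time in seconds, line level after the edge)
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(data: bytes, baud: int, idle: float = 1e-3) -> List[Edge]:
    """Render bytes as TX-line edges: idle high, start bit 0, 8 data bits LSB first, stop bit 1."""
    bit = 1.0 / baud
    levels: List[int] = []
    for b in data:
        levels.append(0)                                   # start bit
        levels.extend((b >> i) & 1 for i in range(8))      # LSB first
        levels.append(1)                                   # stop bit
    edges: List[Edge] = []
    t, cur = idle, 1
    for lvl in levels:
        if lvl != cur:
            edges.append((t, lvl))
            cur = lvl
        t += bit
    return edges


def infer_baud(edges: List[Edge], candidates=STANDARD_BAUDS) -> int:
    """Shortest gap between edges is one bit time (assumes at least one isolated
    bit in the capture, which console text always has); snap to a standard rate."""
    gaps = [b[0] - a[0] for a, b in zip(edges, edges[1:])]
    if not gaps:
        raise ValueError("need at least two edges")
    raw = 1.0 / min(gaps)
    return min(candidates, key=lambda c: abs(c - raw))


def decode_8n1(edges: List[Edge], baud: int) -> Tuple[bytes, int]:
    """Sample each frame at bit centres. Returns (bytes, framing_error_count);
    a non-zero count usually means the baud rate is wrong."""
    bit = 1.0 / baud

    def level_at(t: float) -> int:
        lvl = 1                        # line idles high before the first edge
        for ts, l in edges:
            if ts > t:
                break
            lvl = l
        return lvl

    out = bytearray()
    errors = 0
    frame_end = 0.0
    for ts, lvl in edges:
        if lvl != 0 or ts < frame_end:  # only a falling edge outside a frame starts one
            continue
        value = 0
        for n in range(8):
            value |= level_at(ts + bit * (n + 1.5)) << n
        if level_at(ts + bit * 9.5) != 1:
            errors += 1                 # stop bit must be high
        out.append(value)
        frame_end = ts + bit * 9.5
    return bytes(out), errors


def decode_capture(edges: List[Edge]) -> Tuple[int, bytes, int]:
    """Infer the rate, then decode with it."""
    baud = infer_baud(edges)
    data, errors = decode_8n1(edges, baud)
    return baud, data, errors


if __name__ == "__main__":
    # Constructed capture: a typical first line of U-Boot console output at 115200.
    capture = encode_8n1(b"U-Boot 1.1.4\r\n", 115200)
    print(decode_capture(capture))
```

If the inferred rate is wrong (for example the capture only contains long runs of identical bits), decode_8n1 reports framing errors; try the next standard rate rather than trusting the garbage bytes, which is the same check you do at the screen prompt when the output is unreadable.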
ISE Confidential - not for distribution
Demo!
• In process of responsible disclosure.
• Details to be published in the future.
• JTAG – Joint Test Action Group
– Finding TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select); TRST (Test Reset) is optional.
– Hardware debugging via OpenOCD / GDB
– JTAGulator is awesome for brute-forcing the pinout
Dumping Flash w/ Flashrom
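Once the SPI flash is dumped, the "firmware reverse engineering" step of the methodology begins with finding where the bootloader, kernel and root filesystem sit in the image. Below is an added example (not code from the talk, not a binwalk replacement) of that first pass in Python: it scans a raw dump for a handful of well-known magic values and, for uImage headers, verifies the header CRC so a stray 4-byte match is not mistaken for a real kernel. The dump it scans is constructed inline; the signature table, the helper names and the layout of the sample image are this example's assumptions.

```python
"""Minimal firmware-dump signature scanner, added as an example (not from the slides).

Scans a raw flash dump for a few well-known magic values and validates uImage
headers by their CRC. The dump built at the bottom is constructed, not real.
"""
import struct
import zlib
from typing import List, Optional, Tuple

# Magic bytes -> description. Short (2-3 byte) signatures give many false
# positives across a multi-megabyte dump, so only 4+ byte ones are used here.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy)",
    b"HDR0": "TRX header (Broadcom)",
    b"hsqs": "SquashFS, little-endian",
    b"sqsh": "SquashFS, big-endian",
    b"UBI#": "UBI erase-block header",
    b"\x5d\x00\x00\x80\x00": "LZMA stream (props 0x5d, 8 MiB dictionary)",
}
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_FMT = ">IIIIIIIBBBB32s"            # big-endian, 64 bytes
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)


def parse_uimage(data: bytes, off: int) -> Optional[Tuple[str, int, bool]]:
    """Return (image name, payload size, header CRC ok) for a uImage header at off."""
    if off + UIMAGE_LEN > len(data):
        return None
    hdr = data[off:off + UIMAGE_LEN]
    (magic, hcrc, _time, size, _load, _ep, _dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if magic != 0x27051956:
        return None
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    crc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc
    return name.rstrip(b"\0").decode("ascii", "replace"), size, crc_ok


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, description) hits for every signature in the dump."""
    hits: List[Tuple[int, str]] = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (off := data.find(magic, start)) >= 0:
            if magic == UIMAGE_MAGIC:
                parsed = parse_uimage(data, off)
                if parsed is None or not parsed[2]:
                    desc_here = desc + " (bad header CRC, probably a false positive)"
                else:
                    desc_here = f"{desc}: name={parsed[0]!r}, payload={parsed[1]} bytes"
            else:
                desc_here = desc
            hits.append((off, desc_here))
            start = off + 1
    return sorted(hits)


def make_uimage_header(name: bytes, size: int, comp: int = 3) -> bytes:
    """Build a valid uImage header (os=Linux, arch=MIPS, type=kernel, comp=3 is LZMA)."""
    fields = [0x27051956, 0, 0, size, 0x80000000, 0x80000000, 0,
              5, 5, 2, comp, name.ljust(32, b"\0")]
    fields[1] = zlib.crc32(struct.pack(UIMAGE_FMT, *fields)) & 0xFFFFFFFF
    return struct.pack(UIMAGE_FMT, *fields)


def build_sample_dump() -> bytes:
    """Constructed 128 KiB 'dump': erased flash (0xFF), an LZMA-compressed uImage
    kernel at 0, a SquashFS rootfs at 0x10000 and a bare magic decoy at 0x1F000."""
    dump = bytearray(b"\xff" * 0x20000)
    dump[0:UIMAGE_LEN] = make_uimage_header(b"Linux-2.6.31", 0x1000)
    dump[UIMAGE_LEN:UIMAGE_LEN + 0x1000] = b"\x5d\x00\x00\x80\x00" + b"\x00" * (0x1000 - 5)
    dump[0x10000:0x10004] = b"hsqs"
    dump[0x1F000:0x1F004] = UIMAGE_MAGIC        # magic with no valid header behind it
    return bytes(dump)


if __name__ == "__main__":
    for off, desc in scan(build_sample_dump()):
        print(f"0x{off:06x}  {desc}")
```

Two practical checks belong with this step: read the chip twice with flashrom and compare hashes before trusting a dump (SPI reads through a clip are not always clean), and treat any hit that fails its own header's integrity check, as the decoy at 0x1F000 does here, as noise rather than a partition boundary.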
Resources to Learn
• Trainings:
– SexViaHex.com – Software Exploitation via Hardware Exploitation – Xipiter
– Hands-on Hardware Hacking – Joe Grand
• Blogs:
– http://www.devttys0.com/
– https://dontstuffbeansupyournose.com
Your Turn!
• Enable yourself as a security researcher.
• Hardware access is initial access for further research.
• You can do it too! It's fun!
Thank You!
• Derbycon staff / research / you!
• Contact ISE: https://securityevaluators.com/
• Firmware collection: https://github.com/f47h3r/firmware_collection
• @f47h3r_b0
Get Involved