La ingeniería inversa y el análisis de seguridad de dispositivos hardware suele requerir herramientas especializadas que el usuario medio no tiene disponibles en casa. Durante esta charla presentaremos las herramientas y métodos básicos a utilizar durante el análisis de este tipo de productos, buscando introducir a los asistentes en el mundo del hardware hacking sin necesidad de emplear excesivos recursos. Se empezará desde la búsqueda de información inicial, el análisis de interfaces interesantes (RS232, i2c, USB, etc ), pasando por la obtención del firmware utilizado por el dispositivo y finalmente por la emulación yo debugging en tiempo real del código utilizado por el dispositivo via JTAG. Para cada uno de estos aspectos se realizarán demostraciones sobre hardware común (off-the-shelf).

1. Hardware hacking on your coach
Intro to affordable embedded hacking
Eloi Sanfelix <eloi@riscure.com>
Javi Moreno <javi.moreno@nruns.com>
#rootedHW

2. The life of a software security guy
during the day

3. The life of a software security guy
during the night

4. Hardware = FUN
Source: http://www.flickr.com/photos/neimod/

5. This is NOT about....

6. ... but more ...
Source: http://dontstuffbeansupyournose.com

7. Overview

8. Info
Gathering

9. Classic Embedded System

10. Mapping of the device
10

11. Open Source Info Gathering
• Search the web
– Part # / Chip model  Datasheets
– Similar models
– Exploits for similar devices
– ...

12. Interfacing
Embedded Systems

13. Interesting interfaces
Interface Typical uses
RS232 Shells , debug output
Debug output, peripheral management,
i2c / SPI
serial EEPROM, ...
JTAG Testing and debugging
USB / Ethernet / SATA / Etc Same as your PC ;-)

14. Finding interfaces

15. Bus Pirate v3.x

16. Openbench Logic Sniffer

17. DEMO: Interfacing & sniffing

18. Dumping
Firmware

19. How to obtain firmware?
• Online firmware updates
• Flash dumping
– SPI for serial ROMs
– Via debug access (e.g JTAG)
– Desoldering + external flash readers
• Commercial readers
• Microcontroller-based dumpers

20. Placa ROMs

21. Binary Visualization

22. Firmware Reverse Engineering

23. Debugging

24. JTAG interface

25. Debugging with JTAG
• Boundary Scan only:
– Reading / Modifying memory
– Checking control lines (inputs/outputs)
• Using additional aids:
– Private instructions
– Debugging logic
• ARM: EmbeddedICE
• MIPS: EJTAG
• Motorola: BDM

26. Debugging with JTAG (2)
• Provides:
– Hardware breakpoints
– Hardware watchpoints
– Register access
• Example: EJTAG

27. DEMO: Meet the BUS BLASTER

28. Locating JTAG
A
B
D
C

29. Locating JTAG (2)

30. Locating JTAG (3)

31. Locating JTAG (4)

32. Image source: www.hirox-usa.com

33. BGA (2)
• Drilling through the PCB
Balls on CPU: Balls through PCB:

34. Can’t debug? Emulate!
• You still can use emulators
– Qemu
– GXEmul
– Skyeye
– ...

35. Securing
Embedded Systems

36. Secure Embedded System

37. Key security features
Feature Description
Internal boot code / core must assure
Secure boot
integrity of loaded firmware
Security subsystem must assure integrity
Runtime integrity
of running code
Debug interfaces must either be disabled
Interface protection
or (securely) protected
Sensitive keys must be stored within the
Key storage chipset and not readable to the
application
Content stored in external memory
(RAM) during runtime must be protected
External memory protection
from attackers.
(scrambling and maybe authentiaction)
Need to withstand SCA/FI attacks in
Protected crypto cores
order to properly protect keys.

38. Conclusion
• Embedded hacking = FUN
• Attacker’s challenges
– Info gathering often difficult
– Interfacing trickier than with software
• Defender’s challenges
– Device running under hostile environment

39. Shopping list
Item Price
Arduino / Other dev boards 20-60€ each / 20 to 300€
Bus Pirate 25€
Bus Blaster / GoodFET 30€ / DIY
Openbench Logic Sniffer / Saleae Logic Analyzer 40€ / 120€
Cables, solder, screwdrivers, probes, ... -
DSO Oscilloscope Nano / Quad 70€ / 150€
USB Microscope ~20 €
OpenVizsla (when available) 100 – 200 EUR

40. Some things to look at
• Routers, modems, STBs, MFPs ...
• Gaming consoles, modern TVs
• PC parts
• (Smart)phones
• Smart meters, alarms, SCADA/PLCs...
• Car or vehicle electronics
• Home appliances, domotics
• Gadgets

41. HW Hacking resources
• Hack a day – www.hackaday.com
• /dev/ttyS0 – www.devttys0.com
• Bunnie’s blog – www.bunniestudios.com
• Debugmo.de – debugmo.de
• Pagetable – www.pagetable.com
• HW vendors’ forums: SeedStudio, Sparkfun ,
adafruit.com, Dangerous Prototypes , ...
• Fritzing – www.fritzing.org
• [... The list goes on ...]

42. Thanks!
Eloi Sanfelix (@esanfelix) Javi Moreno (@vierito5)
eloi@riscure.com javi.moreno@nruns.com