pwning iot via hardware attacks - chase schultz - iot village - defcon 23
Pwning IoT via Hardware Attacks
Chase Schultz, Senior Security Consultant [email protected]
About ISE
• Analysts – Hackers; Cryptographers; RE
• Perspective – White box
• Research – Routers; NAS; Healthcare
• Customers – Companies with high value assets
• Exploits – iPhone; Android; Ford; Exxon; Diebold
whoami
• Chase Schultz
• Senior Security Consultant – Independent Security Evaluators
• Twitter – @f47h3r_b0
• Interests:
– Reverse Engineering, Hardware, SDR, Fuzzing, Embedded Systems, Python & Go
Agenda
① Importance of Hardware Hacking & IoT Research
② Scope of Workshop
③ Hardware Hacking Background
④ Tools of the Trade
⑤ Methodology
⑥ Examples
⑦ Photo Journal
⑧ Hands On!!
⑨ Resources / Further Reading
⑩ Open it up to attendees. What do you want to see?
Why is this important?
A Journey of Pwnage
• Started getting interested in Hardware Hacking & IoT
• Software guy goes to school …
• Great way to get access and leverage for further research.
IoT?
• IoT is a buzzword (duh) …
– Lots of embedded devices doing all the things …
– Smart Homes
– Medical Devices / Entertainment / Health Fitness / Toys / Sensors etc
Hardware Hacking
• Interfaces
– UART (Universal Asynchronous Receiver/Transmitter)
– JTAG (Joint Test Action Group) – HW Debug
– SPI (Serial Peripheral Interface)
– I2C (Inter-Integrated Circuit)
Tools of the Trade
ISE Confidential - not for distribution
Hardware Attacks (Methodology)
0) Open the device, void your warranty, and join the exploitation party.
1) Identify device, hardware revisions, document hardware components
2) Research chip datasheets – figure out features
3) Identify hardware communication interface possibilities
4) Continuity testing and electrical pinout reversing
5) Identifying wireline protocol logic (How the hell do I talk to these chips?)
6) Hardware tools for accessing interfaces
7) Wiring up to the board
8) Device interrogation
9) Firmware reverse engineering
10) Vulnerability research / exploitation
Void Some Warranties
RTFM
• Datasheets are your friend!
Identifying HW Interfaces
Pinout Reversing
• VCC Pin – Steady Voltage (Also chirps)
• GND Pin – Metal Piece & Pin
• Tx Pin – Fluctuation upon boot
• Baudrate
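As an added example (not from the slides), the following Python turns the observations above into a check: given logic-level captures of candidate header pins, it labels a line that never drops as VCC, one that never rises as GND, one that toggles as Tx, and estimates the Tx baud rate from its shortest pulse. The sample rate, pin names and captures are constructed.

```python
# Added example, not from the slides: classify candidate header pins from
# constructed logic-level captures (VCC steady high, GND steady low, Tx
# toggling at boot) and estimate the Tx baud rate from its shortest pulse.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)

def uart_frame(byte, samples_per_bit, idle_bits=20):
    """Constructed 8N1 frame as logic levels: idle high, start 0, data LSB first, stop 1."""
    bits = [1] * idle_bits + [0] + [(byte >> i) & 1 for i in range(8)] + [1] * idle_bits
    return [b for b in bits for _ in range(samples_per_bit)]

def classify_pin(samples):
    """'VCC' if never low, 'GND' if never high, else 'TX'. A steady high can also be
    an idle Rx or a pull-up, so confirm with a meter / continuity as the slide says."""
    highs = sum(samples)
    if highs == len(samples):
        return "VCC"
    if highs == 0:
        return "GND"
    return "TX"

def shortest_pulse(samples, sample_rate_hz):
    """Seconds spanned by the shortest run of identical samples: one UART bit time."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    # The first and last runs are cut off by the capture window, so ignore them.
    interior = runs[1:-1] if len(runs) > 2 else runs
    return min(interior) / sample_rate_hz

def estimate_baud(samples, sample_rate_hz):
    """Snap 1 / bit time to the nearest standard rate (a glitch skews this; capture long)."""
    raw = 1.0 / shortest_pulse(samples, sample_rate_hz)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def reverse_pinout(captures, sample_rate_hz):
    """Map each pin name to (role, baud or None) for a dict of captures."""
    out = {}
    for pin, samples in captures.items():
        role = classify_pin(samples)
        out[pin] = (role, estimate_baud(samples, sample_rate_hz) if role == "TX" else None)
    return out

# Constructed captures: 1.152 MHz sampling gives exactly 10 samples per bit at 115200 baud.
SAMPLE_RATE_HZ = 1_152_000
CAPTURES = {"pin1": [1] * 400, "pin2": [0] * 400, "pin3": uart_frame(0x55, 10), "pin4": [1] * 400}
```

Calling `reverse_pinout(CAPTURES, SAMPLE_RATE_HZ)` on the constructed data labels pin3 as TX at 115200 and pin2 as GND; on a real capture the boot chatter on Tx supplies the isolated bits the pulse-width estimate relies on.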
UART to Root Shells
• JTAG – Joint Test Action Group
– Finding TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select), TRST (Test Reset, optional)
– Hardware Debugging via OpenOCD / GDB
– JTAGulator is awesome for brute-forcing pinout
Dumping Flash w/ Flashrom
Resources to Learn
• Trainings:
– SexViaHex.com – Software Exploitation Via Hardware Exploitation – Xipiter
– Hands on Hardware Hacking – Joe Grand
• Blogs
– http://www.devttys0.com/
– https://dontstuffbeansupyournose.com
HANDS ON!!
• If anyone would like to try wiring up a Shikra to a UART interface and playing around with a device.
• Presoldered SOHO Routers & Home Automation Hubs
Accessing Shikra via Screen
screen /dev/cu.usbserial-145 115200
^      ^                     ^
cmd    device name           baudrate
Your Turn!
• Enable yourself as a security researcher.
• Initial access for further research.
• You can do it too! It's fun!
Thank You!
• DEF CON / @IoTVillage / You!
• Contact ISE --
https://securityevaluators.com/
https://github.com/f47h3r/firmware_collection
@f47h3r_b0
Get Involved