Applied Hardware Attacks: Embedded Systems

Joe FitzPatrick, SecuringHardware.com | July 22-23



Overview

Rebuilt from the ground up and new for Black Hat this year, this hands-on class will introduce you to the common interfaces on embedded MIPS and ARM systems, and how to exploit physical access to grant yourself software privilege.

This course focuses on UART, JTAG, and SPI interfaces. For each, we'll do a brief architectural overview, followed by hands-on labs identifying, observing, interacting, and eventually exploiting each interface. We'll also do basic analysis and manipulation of firmware images.

Developed and taught by an electrical engineer with over a decade of hardware security experience, this class spends over 70% of its time hands-on with current off-the-shelf hardware, supported by lectures that fill in the background. This is why the classes we developed have sold out at Black Hat for the past 3 years.

This two-day course prepares you with the skills needed for Applied Hardware Attacks: Hardware Pentesting; consider taking the two together for a complete 4 days.

Please note that the course is continually improved and topics might change slightly:

Part 1: UART
  • Background: UART History, Architecture, and Uses
  • UART Lab 1: Connecting to a known UART
  • UART Lab 2: Identifying and analyzing an unknown UART
  • UART Lab 3: Escalating and persisting UART privilege

Part 2: JTAG
  • Background: JTAG History and Purpose
  • JTAG Lab 1: Hardware and Software Setup
  • JTAG Lab 2: Escalating Privilege via Kernel
  • JTAG Lab 3: Escalating Privilege via a Process

Part 3: SPI
  • Background: Flash storage and the SPI interface
  • SPI Lab 1: Accessing Flash from software
  • SPI Lab 2: Sniffing and Parsing SPI
  • SPI Lab 3: Dumping SPI from Hardware
  • SPI Lab 4: Firmware Analysis

Part 4: Firmware
  • Background: More types of Flash, Storage, and Firmware
  • Firmware Lab 1: Dumping Firmware from Software
  • Firmware Lab 2: Manipulating firmware images
  • Firmware Lab 3: Finding software bugs in firmware

Who Should Take this Course

This course is geared toward pen testers, red teamers, exploit developers, and product developers who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. In addition, security researchers and enthusiasts unwilling to 'just trust the hardware' will gain deeper insight into how hardware works and can be undermined.

Student Requirements

No hardware or electrical background is required. Computer architecture knowledge and low-level programming experience are helpful but not required.

What Students Should Bring

  • Your own favored writing instrument, keyboard, and mouse if you have strong preferences (otherwise provided)
  • USB drive to take home copies of course files
  • Your own laptop if you prefer to use it for note taking and internet access

What Students Will Be Provided With

To avoid the thrash of compatibility, software installation, virtual machines, and bootable images, attendees will be provided with all equipment for use during the class, including laptops preconfigured with all necessary software.

Trainers

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Josh Datko is the owner of Cryptotronix, an embedded security consultancy. As a submarine officer, he was sent to Afghanistan to ensure that the Taliban did not develop a submarine force -- mission accomplished! He wrote a book on BeagleBones and crypto hardware which not many people have read, and presented a better way to make a hardware implant at DEF CON, which hopefully helped the NSA improve their spying.