Applied Hardware Attacks 1 - Embedded And IoT Systems
This hands-on class will introduce you to the common interfaces on embedded MIPS and ARM systems, and how to exploit physical access to grant yourself software privilege.
This course focuses on UART, JTAG, and SPI interfaces. For each, we'll do a brief architectural overview, followed by hands-on labs identifying, observing, interacting, and eventually exploiting each interface. We'll also do basic analysis and manipulation of firmware images.
Designed for newcomers to hardware, over 70% of our time will be hands-on with current off-the-shelf hardware, supported by lectures to fill in the background. This is why classes we developed have sold out at Black Hat every year.
This two-day course gives you the skills and comfort needed to get started working with embedded systems, and prepares you for Applied Hardware Attacks 2, which will be back and updated in 2021.
UART:
Once we've learned a little bit about UART, we'll use a logic analyzer to find a UART on our target device. Then we'll hook up the proper cable to communicate with it, find out what's inside, and see what's exposed.
SPI:
After a brief introduction, we'll look for clues to tell us how to connect to the SPI device on our system. We'll use a logic analyzer to observe what's going on, then use a dedicated SPI adapter to extract firmware from our system.
Firmware Analysis and Modification:
Using the firmware image we previously extracted as a guide, we'll make simple patches to the device's memory, make simple changes to the firmware image to permit further access to the system, and do some basic binary analysis to help us find some remotely exploitable issues.
JTAG:
As soon as we've covered a bit of background information, we'll connect a JTAG adapter to our system and use it to examine the contents of memory. Once we get over that thrill, we'll see how easy it is to attach a debugger to the kernel and take control of the system.
JTAG Exploitation:
Once we've got full debugger access to the system over JTAG, we'll test out a few methods of escalating privilege on the system to enable a root shell.
Skills / Knowledge
- Hardware
- IoT