Applied Physical Attacks and Hardware Pentesting13 May 2017 in Security
This week, I had the opportunity to take Joe Fitzpatrick’s class “Applied Physical Attacks and Hardware Pentesting”. This was a preview of the course he’s offering at Black Hat this summer, and so it was in a bit of an unpolished state, but I actually enjoyed the fact that it was that way. I’ve taken a class with Joe before, back when he and Stephen Ridley of Xipiter taught “Software Exploitation via Hardware Exploitation”, and I’ve watched a number of his talks at various conferences, so I had high expectations of the course, and he didn’t disappoint.
Some basic knowledge of hardware & hardware pentesting is assumed. While you don’t need to be an electrical engineer (I’m not!) being familiar with how digital signals work (i.e., differential signals or signals referenced to a ground) is useful, and you should have some experience with at least connecting a UART to a device. If you don’t have any of this experience, I suggest taking his course “Applied Physical Attacks on Embedded Systems” before taking this class. (Which is the same recommendation Joe gives.)
During the course, a variety of topics are covered, including:
- Identifying unknown chips (manufacturers sometimes grind the markings off chips or cover them in epoxy)
- Identifying unknown protocols (what is a device speaking?)
- “Speaking” custom protocols in hardware
- Finding JTAG connections when they’re obvious – or not
- Using JTAG on devices with unknown processors (i.e., no datasheet available)
- Building custom hardware implants to carry out attacks
- Assessing & articulating feasibility and costs of hardware risks
While more introductory courses typically point you at a COTS SOHO router or similar device as a target, this course uses two targets: one of them custom and one of them uses an unknown microcontroller. These are much more representative of product assessments or red teams as you’ll often be faced with new or undocumented targets, and so the lab exercises here translate well into these environments.
Joe really knows his stuff, and that much is obvious when you watch videos of him speaking or take any of his classes. He answered questions thoroughly and engaged the class in thoughtful discussion. There were “pen and paper” exercises where he encouraged the class to work in small groups and then we discussed the results, and it was interesting to see differing backgrounds approach the problem in different ways.
One of the mixed blessings of taking his “preview” course was that some of the labs did not go perfectly as planned. I call this a mixed blessing becase, although it made the labs take a little longer, I actually feel I learned more by debugging and by Joe’s responses to the parts that weren’t working correctly. It’s imporant to know that hardware hacking doesn’t always go smoothly, and this lesson was evident in the labs. Joe helped us work around each of the issues, and generally tried to explain what was causing the problems at each stage.
I learned a lot about looking at systems that have no documentation available and finding their flaws and shortcomings. Given the ever-increasing “Internet of Things” deployments, this kind of skillset will only become ever more useful to security practitioners, and Joe is an excellent instructor for the material.