ME! Who am I to tell you about hardware anyway?
Security Researcher
Day: Malware/Botnet Analysis
Night: Hardware Hacker
Founder of HacDC and ReverseSpace
Founder of Q Labs
TOOOL Member
Physical Security / Lock Picking
Electronic Security Systems
Speaker/Trainer: Blackhat, HOPE, Shmoocon, Defcon, Hack in the Box, HackCon, RobotFest
… and I’ve only been doing this for < 5 years
How I got
started? :
How I got started? Dove in head first: Proxmark3 Project
Major fail, but I learned more in 1 project than most people do in a few years
RFID
Radio: Electromagnetic Wave Propagation, Analog Signals
FPGA: VHDL
ARM Architecture, Debugging
Building a sane build environment in Linux for ARM-GCC
I don’t recommend this route, I’m an idiot
Sanity was tested on a daily basis
Nearly gave up the entire field
Attended conferences
Surprisingly there aren’t many “hardware hackers” at hacker conferences
Find a conference that specializes in what you want to know: Radio, Microcontrollers, etc.
Texas Instruments holds a number of events throughout the year
READ, READ, READ! Data sheets, Books, White Papers, Journals, etc.
I’ve read everything about everything and continue to do so
Currently I think my brain is full
How I got
started? :
How I got started? Again, first project
Surface Mount 0603 (mm), 100+ Components, 4-Layer Board
RFID Radio is complicated!
The idea behind
this series :
The idea behind this series: I gave this original talk to a senior class at Drexel and it was horrible
Advanced Algorithms course – bright kids!
I updated the slides to be a bit more “fun”
Turns out what I think is interesting and what the rest of the population does are two different things
I spoke about theories, math, advanced equipment
They fell asleep until I showed them how I broke their (Philadelphia) parking meter system
Using this feedback, my purpose of this series is to first provide you with an introduction about what is possible
Future sessions will become more exciting because I’m going to stress the hands-on aspect
I have a setup of 15 soldering iron stations I use for workshops
Bring things to break apart, reverse engineer and build!
The idea behind
this series :
The idea behind this series: What do you want to learn?
What would be your ideal topic and format?
Is there an aspect of this lecture that might relate to a client project?
Not necessary, but something to keep in mind
If there is, please come see me, I’d love to help
It would also justify me wasting so much of your valuable time
G2, Inc. is a unique environment
Many different talents and skills
Most of us are bright individuals
We enjoy and love what we do
“Teach what you know, Learn what you don’t.” – HacDC Adage
Why isn’t there a lecture a few times a month?
We have the people, the topics and I’m sure we can make the time
What is hardware
hacking? :
What is hardware hacking? Originally titled “Security Analysis of the Physical Medium”
Bait and switch! It sounds more academic
Did I lie? Hardware hacking is a very general term
Think of how you would look at me if I said “software hacking”
It refers to modifying hardware to allow functionality which was either restricted by the designer or never intended
Why do this? I can’t answer this for you, but because you’re here it suggests you either have something in mind or dig the free food
Although I’m guessing the latter, please prove me wrong
Why aren’t
devices secure? :
Why aren’t devices secure? Physical: “having to do with the material world”
When you give users physical access to an object, bad things will happen, eventually
Why does this occur?
Cost of security: is it really that expensive to design or develop with security in mind?
Hardware costs: decent cryptography needs more capable hardware (silicon, cycles, protected key storage), which adds to the per-unit cost
It will cost a lot more when your product or device has been compromised
Especially if that device is storing any PII or financial data
Skill level: security-conscious employees are uncommon in most companies
Most designs are built to function
QA for embedded devices usually doesn’t include a threat model or any security testing
Why aren’t
devices secure? :
Why aren’t devices secure? “Security through Obscurity”
I’m sorry, but it had to be mentioned
Anyone who follows security is probably tired of this statement
Feel free to throw something at me at this time. Preferably a sandwich!
Proprietary is not secure, it just hasn’t been broken yet
Simply: ∞Time + physical_access = broken
So why isn’t everything in the world broken? We have finite resources
Resources: people who know the skill, and time
projects :
projects: The following projects are to give you an idea of what’s possible and how easy it is to get started
Please don’t ask me where I “obtained” anything, because I don’t know
There are plenty of mediums to obtain lots of hardware you think might be questionable, though just because this is what I concentrate on doesn’t mean you have to
PPA :
PPA: Philadelphia Parking Authority
Parking meters are based on 10 year old smart card technology
The correct protocol was easily discovered by analyzing the “Gold ISO Pad” and the card’s ATR
Found the entire protocol in a PDF in 10 minutes: http://www.epsys.no/gemalto/dwnld/GemClubMemo.pdf
It took 1 weekend in a lab to break
Built ppaPwner.py: a couple hundred lines of Python
Able to send any APDU to the card
Able to ignore certain requests, like updating the CTC1 counters
Total control of the system
PPA :
PPA
PPA :
PPA Methodology
“Sniffed” between the smart card interface and the serial bus
Allowed us to quickly analyze “correct data” and perform a replay attack, using my ppaPwner.py tool, against any other PPA smart cards
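The two pieces of card-side parsing the PPA work leans on are the ATR (what the card announces at reset) and the command APDUs that get sniffed and replayed. The block below is an added example, not ppaPwner.py or anything from the talk: a plain ISO 7816-3 ATR decoder and an ISO 7816-4 short-APDU builder/parser. The ATRs and APDUs used in it are constructed test vectors, not captures from a PPA card, and the GemClub-Memo protocol itself is not modelled.

```python
"""ISO 7816-3 ATR and ISO 7816-4 short-APDU parsing (added example)."""


def parse_atr(atr: bytes) -> dict:
    """Decode an Answer To Reset: interface bytes, offered protocols, history, TCK."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    t0 = atr[1]
    result = {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": {},       # e.g. {"TA1": 0x11, "TD1": 0x80}
        "protocols": set(),    # T=n values named in TD bytes
        "historical": b"",
    }
    y, pos, i = t0 >> 4, 2, 1   # Y1 bitmask, read position, interface index
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                result["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = result["interface"].get(f"TD{i}")
        if td is None:
            break
        result["protocols"].add(td & 0x0F)   # low nibble: protocol type T
        y, i = td >> 4, i + 1                # high nibble: presence of next group
    k = t0 & 0x0F                            # number of historical bytes
    result["historical"] = atr[pos:pos + k]
    pos += k
    if not result["protocols"]:
        result["protocols"].add(0)           # no TD1 at all means T=0 only
    # TCK is absent only when T=0 is the sole protocol; when present, the XOR
    # of every byte from T0 through TCK must be zero.
    if result["protocols"] != {0}:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        result["tck_ok"] = xor == 0
        pos += 1
    else:
        result["tck_ok"] = None
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return result


def build_apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le=None) -> bytes:
    """Assemble a short command APDU (ISO 7816-4 cases 1 to 4)."""
    if len(data) > 255 or (le is not None and not 0 <= le <= 256):
        raise ValueError("short APDU limits: Lc <= 255, Le <= 256")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le & 0xFF])           # Le = 256 is encoded as 0x00
    return apdu


def parse_apdu(apdu: bytes) -> dict:
    """Split a short command APDU back into header, data and Le."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    out = {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": b"", "le": None}
    if len(body) == 0:                       # case 1: header only
        return out
    if len(body) == 1:                       # case 2: Le only
        out["le"] = body[0] or 256
        return out
    lc = body[0]
    if len(body) == 1 + lc:                  # case 3: Lc + data
        out["data"] = body[1:]
    elif len(body) == 2 + lc:                # case 4: Lc + data + Le
        out["data"] = body[1:1 + lc]
        out["le"] = body[-1] or 256
    else:
        raise ValueError("Lc does not match the body length")
    return out


def parse_response(resp: bytes):
    """Split a response APDU into (data, SW1SW2); 0x9000 means success."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


if __name__ == "__main__":
    # Constructed vectors: a T=0-only ATR and a multi-protocol ATR with a TCK.
    print(parse_atr(bytes.fromhex("3B 02 14 50")))
    print(parse_atr(bytes.fromhex("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")))
    print(parse_apdu(build_apdu(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("A0 00 00 00 03"), le=256)).hex()
          if False else parse_apdu(build_apdu(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("A0 00 00 00 03"), le=256)))
```

A sniffer-side replay tool is mostly this plus a policy: once every command on the wire parses into (CLA, INS, P1, P2, data), deciding which ones to forward to the real card and which to answer yourself is a lookup on INS. Note that the TCK check only tells you the ATR was received intact; it says nothing about whether the card is genuine.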
Radio Pager :
Radio Pager: “Obtained” a pager from a local restaurant
Decided it would be interesting to figure out how it works
Turns out it’s rather simple
Uses the exact design of 90’s style pagers
Same protocol (POCSAG)
Common frequency: ~435MHz band
Simple modulation, easily decoded
Nothing is protected here, just obfuscated
Radio pager :
Radio pager: After figuring out how things worked, I decided it would be fun to see if I could design something to trigger pagers with a remote device
Determine command options
See if they have a “ping all” ability
Video tape, laugh, move on to a new project
This concept is still in the prototyping stages
Can anyone guess what this device is? The funky things with probes
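“Nothing is protected here, just obfuscated” is the whole story of POCSAG: a codeword is 21 bits of payload, 10 BCH(31,21) check bits and one parity bit, with no authentication anywhere. The block below is an added example, not the speaker’s pager tool: it builds and decodes POCSAG codewords and a full batch (sync word plus 8 frames of 2 codewords), including single-bit error correction. The generator polynomial and the sync/idle codewords are the standard’s; the RIC, function bits and numeric message are constructed test values, and the numeric table here covers only the digit, ‘*’, ‘U’, space and ‘-’ codes (the two bracket codes are left out). Whether a given restaurant pager uses numeric or alphanumeric messages is not assumed from the talk.

```python
"""POCSAG codeword and batch encode/decode (added example)."""

BCH_GEN = 0x769          # x^10+x^9+x^8+x^6+x^5+x^3+1, the BCH(31,21) generator
SYNC = 0x7CD215D8        # frame synchronisation codeword
IDLE = 0x7A89C197        # idle codeword filling unused slots
NUMERIC = "0123456789*U -"   # BCD symbols 0x0-0xD; 0xE/0xF (brackets) left out


def _bch_remainder(word31: int) -> int:
    """Remainder of a 31-bit word modulo the generator (10 bits)."""
    reg = word31
    for shift in range(20, -1, -1):
        if reg & (1 << (shift + 10)):
            reg ^= BCH_GEN << shift
    return reg & 0x3FF


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _codeword(data21: int) -> int:
    """Append 10 BCH check bits and an even-parity bit to 21 data bits."""
    cw31 = (data21 << 10) | _bch_remainder(data21 << 10)
    return (cw31 << 1) | _parity(cw31)


def address_codeword(ric: int, function: int) -> int:
    """Flag 0, the 18 high RIC bits, 2 function bits. The low 3 RIC bits pick the frame."""
    return _codeword(((ric >> 3) << 2) | (function & 3))


def message_codeword(data20: int) -> int:
    """Flag 1 followed by 20 payload bits."""
    return _codeword((1 << 20) | (data20 & 0xFFFFF))


def decode_codeword(cw: int):
    """Return (kind, payload20, corrected) or None; corrects one flipped bit."""
    for n, cand in enumerate([cw] + [cw ^ (1 << b) for b in range(32)]):
        cw31 = cand >> 1
        if _parity(cw31) == (cand & 1) and _bch_remainder(cw31) == 0:
            kind = "message" if cand >> 31 else "address"
            return kind, (cand >> 11) & 0xFFFFF, n > 0
    return None


def pack_numeric(text: str) -> int:
    """Five BCD symbols into 20 bits; each symbol is sent least significant bit first."""
    data = 0
    for i, ch in enumerate(text.ljust(5)[:5]):       # pad with the space code
        nib = NUMERIC.index(ch)
        data |= int(f"{nib:04b}"[::-1], 2) << (16 - 4 * i)
    return data


def unpack_numeric(data20: int) -> str:
    out = ""
    for i in range(5):
        rev = (data20 >> (16 - 4 * i)) & 0xF
        nib = int(f"{rev:04b}"[::-1], 2)
        out += NUMERIC[nib] if nib < len(NUMERIC) else "?"
    return out


def build_batch(ric: int, function: int, text: str) -> list:
    """Sync word plus 8 frames of 2 codewords; the page sits in the RIC's own frame."""
    words = [IDLE] * 16
    slot = 2 * (ric & 7)
    words[slot] = address_codeword(ric, function)
    words[slot + 1] = message_codeword(pack_numeric(text))
    return [SYNC] + words


def parse_batch(words: list) -> list:
    """Recover (ric, function, message) tuples from one batch."""
    if words[0] != SYNC:
        raise ValueError("batch does not start with the sync codeword")
    pages, current = [], None
    for idx, cw in enumerate(words[1:]):
        decoded = None if cw == IDLE else decode_codeword(cw)
        if decoded is None:
            continue                          # idle or uncorrectable: skip it
        kind, payload, _ = decoded
        if kind == "address":
            # frame number (idx // 2) restores the 3 RIC bits the codeword omits
            current = [((payload >> 2) << 3) | (idx // 2), payload & 3, ""]
            pages.append(current)
        elif current is not None:
            current[2] += unpack_numeric(payload)
    return [tuple(p) for p in pages]


if __name__ == "__main__":
    batch = build_batch(1234567, 3, "90210")   # constructed RIC and message
    batch[16] ^= 1 << 7                        # one bit flipped by a noisy channel
    print(parse_batch(batch))                  # [(1234567, 3, '90210')]
```

Everything a receiver needs to accept a page is in the air: knowing a pager’s RIC (which you get by decoding any one page addressed to it) is all it takes to build a batch it will display. That is why a “ping all” on such a system is a matter of enumerating addresses, not breaking anything.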
IM-ME :
IM-ME Objective: Take a girl’s pink chat device and make it
into something useful
IM-ME :
IM-ME: General electronics device, has a TI CC11xx series radio chip that we happened to be using in another design
During Shmoocon a friend happened to write new firmware to interface with the device
At this point everyone with an IM-ME (a few of us collaborated) began hacking away
The best outcome was that a friend wrote an entire spectrum analyzer using the IM-ME device in very little time, and all for $16
IM-ME :
IM-ME Found debug points! “Hidden” behind battery panel,
manufacturer too lazy to remove
IM-ME :
IM-ME: Soldered wiring to the device
Used single-pin female connectors to attach to my GoodFET device
Used the GoodFET device (seen in later slides) to re-program it
IM-ME :
IM-ME: Ended up with a $16 spectrum analyzer
Michael Ossmann wrote the firmware
A few people and some time at a conference, and we had new firmware for a device that was never meant to do anything close to this
Also found out the radio can be tuned to multiple frequencies that are not documented by the device or by the manufacturer of the radio
FUN!
Techniques :
Techniques
Microprobing
Uses tiny needles to make contact with bus lines on the exposed die inside a chip
Allows you to capture data directly off the internal bus
Allows you to determine the CPU architecture
Voltage Glitching
Takes advantage of the CPU’s dependence on a stable supply to leak data or skip instructions
The CPU expects a certain voltage range
Push the supply briefly outside that range and “funny” things start to happen
Data is leaked
Instructions are skipped (a comparison or branch that should deny access never executes)
This is when exploitation occurs at the hardware level
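The instruction-skip effect is easiest to reason about with a fault model you can run. The block below is an added example, not from the talk or the GoodFET project: the “firmware” is a list of Python steps, and a glitch is modelled as exactly one step not executing. The PIN value, the step layout and the 0xA5/0x5A flag constants are constructed. It shows a naive check that a single skipped branch turns into a grant, next to a hardened version (default deny, two independent comparisons, decisions stored as non-boolean bit patterns, and a final step that re-verifies both) that no single skip defeats.

```python
"""Single-instruction-skip fault model against a PIN check (added example)."""

SECRET = "1234"            # constructed; a real device keeps this in flash/OTP
GRANT, DENY = 0xA5, 0x5A   # decisions as distinct bit patterns, never 0/1


def run(program, entered: str, skip=None) -> dict:
    """Execute steps in order; step number `skip` is dropped (the glitch)."""
    state = {"entered": entered, "result": "denied", "done": False}
    for i, step in enumerate(program):
        if i != skip:
            step(state)
    return state


# Naive firmware: compare, deny on mismatch, otherwise fall through to grant.
def _cmp(s):
    s["eq"] = s["entered"] == SECRET


def _branch(s):
    if not s.get("eq"):
        s["done"] = True           # "jump to deny"


def _grant(s):
    if not s["done"]:
        s["result"] = "granted"    # reached when the branch above is skipped


NAIVE = [_cmp, _branch, _grant]


# Hardened firmware: two independent comparisons, flags that are neither 0 nor
# 1, and a grant step that refuses unless every flag carries the GRANT pattern.
def _cmp1(s):
    s["r1"] = GRANT if s["entered"] == SECRET else DENY


def _branch1(s):
    if s.get("r1") != GRANT:
        s["done"] = True


def _cmp2(s):
    s["r2"] = GRANT if SECRET == s["entered"] else DENY


def _branch2(s):
    if s.get("r2") != GRANT:
        s["done"] = True


def _grant2(s):
    if not s["done"] and s.get("r1") == GRANT and s.get("r2") == GRANT:
        s["result"] = "granted"


HARDENED = [_cmp1, _branch1, _cmp2, _branch2, _grant2]


def glitch_campaign(program, entered: str) -> list:
    """Return the step indexes whose skipping grants access for a given PIN."""
    return [i for i in range(len(program))
            if run(program, entered, skip=i)["result"] == "granted"]


if __name__ == "__main__":
    print("naive, wrong PIN, steps that grant when skipped:", glitch_campaign(NAIVE, "0000"))
    print("hardened, wrong PIN:", glitch_campaign(HARDENED, "0000"))
```

A real glitch can do more than drop one instruction (corrupt a loaded value, skip several instructions, reset the part), so this is the weakest fault model, not the strongest attacker. The usual companion to these patterns is a retry counter decremented and written to non-volatile memory before the comparison runs, so a skipped comparison still costs the attacker an attempt.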
Prototypes :
Prototypes: GoodFET
Project created by Travis Goodspeed, http://goodfet.sourceforge.net/
I am currently a developer for this project
Purpose: open-source, affordable JTAG adapter based on the Texas Instruments MSP430 FET board
USB-attached universal serial bus interface
Allows for communication over many protocols: SPI, I2C, JTAG, AVR
Firmware being developed to do voltage-glitching attacks against a number of different microcontrollers
goodfet :
goodfet
Prototypes :
Prototypes: BusPirate
http://code.google.com/p/the-bus-pirate/
Project created by the Hack-a-Day folk
USB-attached universal serial bus interface
Serial protocols supported: 1-Wire, I2C, SPI, JTAG, Asynchronous Serial, MIDI, PC Keyboard
The device is meant to let you talk to unknown chips from a serial terminal
The project hopes to continue adding support for many chips/protocols and become as “universal” as possible
Bus pirate :
Bus pirate
Silicon die
analysis :
Silicon die analysis
Purpose: expose an interface to a REALLY small chip
Decap chips
Purpose: remove the package material from the silicon die
Usually use fuming nitric acid (HNO3)
I’m probably the only idiot with this in his apartment
It’s okay, I’m a budding chemist!
Clean up with acetone
Output: exposes the die of the chip
Image layers
Determine if a mesh layer exists
If so, very hard to circumvent; expensive machinery needed
FIB (Focused Ion Beam)
Modifies materials at the micro or nano scale
Subtractive and additive: removes or adds material a few atomic layers at a time
Wire bond pads
These pads connect the silicon die to the external leads
Used to break out lines from the chip
These are your connections to the chip itself and your end goal
Picture time! :
Picture time!
How can you get
started? :
How can you get started?
Local hacker spaces
HacDC – Washington D.C.
ReverseSpace – Herndon, VA
These are public clubs for nerds
They offer machinery, knowledge, intelligent conversation, assistance, parts (very useful!)
Get on the mailing list, become a stalker, lurk until you have questions and then ASK
I promise you will not get “flamed” or yelled at or embarrassed because of your skill level
We are “mostly” adults
Buy kits
http://www.ladyada.net/
http://www.makershed.com/
http://dangerousprototypes.com/
http://www.seeedstudio.com/
http://www.arduino.cc/
What you should
know? :
What you should know? To start, almost nothing
As long as you understand why shoving a soldering iron in your eye is a bad idea
You have most of your fingers and toes
Most people think electronics and electrical engineering is “complicated”
Anyone can do this
The best person I’ve ever taught to solder was a 5 year old girl at RobotFest
She smoked the adults
Pick a technology, device or anything that interests you and open it up!
EOF :
EOF: Thoughts about where to go with this?
Help me make it suck less
Please email me to post on the blog: q...@theqlabs.com
Thanks!