Applied Physical Attacks 4: Hardware Implants

Overview

Hardware-based Evil Maid, Interdiction, and other attacks sound fancy and exotic. They might make headlines, but many of the techniques are accessible to hobbyists.. They may not be as small as a grain of rice, but in this two-day course you’ll combine hardware hacking with rapid prototyping to build real custom hardware implants.

In the span of two days, you will design, build, and program:

• A hardware man-in-the-middle device
• A wireless ‘tap’ for a wired hardware protocol
• A standalone hardware protocol payload delivery device
• A malicious device embedded inside another device

This class builds upon the previous Applied Physical Attacks classes, combining the hardware hacking basics and the rapid prototyping skills into one end product. Combining this course with Applied Physical Attacks 1: Embedded Systems, Applied Physical Attacks 3: Rapid Prototyping, or both should help you fill in any background you need.

Length

2 days

Audience

This course is specifically geared towards attendees who have some hardware hacking under their belt plus familiarity with rapid prototyping techniques.

Format

20% lecture

70% Lab

10% discussion

Outline

This course is still in development. The format will be less linear than my other classes.

We’ll start off by introducing four cases. Individually or in groups, you will be guided through the process of:

1. Identifying the target and measure it mechanically and electrically
2. Designing the circuit to interface with the protocol
3. Laying out and milling a PCB to help them interface
4. Designing and printing an enclosure/jig for the implant
5. Coding the microcontroller to perform the malicious action
6. Testing and demonstrate the result.

There should be sufficient time to complete 2 of the test cases within the class time, possibly more depending on prior background. In the unlikely even that all the prototyping equipment fails, reference designs will be available.

The case studies are still in development but will likely be:

• UART MITM to filter traffic
• JTAG-based implant that plays back a stored payload
• Remotely-triggered I/O override
• Malicious USB Cables (if feasible with the limited manufacturing precision available on-site)

Prerequisite

This two-day course assumes some experience:

• An introductory hardware hacking course (Joe Grand’s Hardware Hacking Basics, Applied Physical Attacks 1: Embedded and IoT Systems) or similar knowledge
• Soldering experience is beneficial - we’ll be able to help, but won’t have time to teach how to solder
• Practice poking around a few hardware devices on your own
• Completion of the Applied Physical Attacks 3: Rapid prototyping or similar experience:
  • PCB layout using KiCad or Eagle.
  • Electrically interfacing to various busses
  • Coding microcontrollers in C

• Applied Physical Attacks 1: Embedded and IoT Systems
• Hardware Attacks, Risks, Threats, and Mitigations
• Applied Physical Attacks 4: Hardware Implants
• Hands-on JTAG for Fun and Root Shells!
• Applied Physical Attacks 2: Hardware Pentesting
• Applied Physical Attacks 3: Rapid Prototyping
• Applied Physical Attacks on a Raspberry Pi
• Side Channel Attacks for Hardware N00BZ
• Applied Physical Attacks and Silicon Defenses
• WTFpga
• Applied Physical Attacks on x86 Systems