A Measured Response to a Grain of Rice

Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

• Applied Physical Attacks Training
• HardwareSecurity.Training


What is a Hardware Implant?

"Covert Implant"
"Hardware Implant"

Keystroke loggers


Counterfeit Bypass


RSA Tokin


Evolution of USB hardware attacks

Keystroke Logger

USB Rubber Duckie

WHID injector



Malicious Cables?

Decoupled attacks?

How do we connect a Hardware Implant?

USB or external ports
PCIe and internal ports
Tapping inter-chip communication
How many entry points do we have?

When do Hardware Attacks make sense?

Airtight Security Practices
Airgapped Systems
Heavily Monitored Networks
Supply Chain
Vulnerable Hardware
Unpatchable Vulnerabilities
Lower detection at lower layers
Social Engineering with Hardware

Why is this relevant?

"This happened at a crucial moment, as small bits of the operating system were being stored in the board's temporary memory en route to the server's central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. "

Hardware Indicators of Compromise

Do you have grain-of-rice-sized components on your boards?


That's how they're made!

Do your boards exactly match the best schematics you can get of them?


ECOs, updates and revisions guarantee that

Do you have metal housings on your ethernet jacks?



But... What do these implants do?

We still don't know!

But... What's the point?

Component Grafitti?

We have no useful information to help detection

Should we trust anyone who says they do?

Is this real?

I don't know.
Is this possible?


Is this possible?


But that's not the quesiton

Why a coupler?
No firsthand accounts
No details about what it did...
"Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow"
You may say I'm a dreamer
But I'm not the only one

Expect lots of homebrew solutions at BH USA, DEFCON, and in upcoming PoC||GTFO

How did we get here?

Spectre/Meltdown changed the landscape:

• Hardware vulnerability

• Software expliotable

• REAL response

Why do peple trust their hardware?

They don't know they shouldn't.

Would anyone listen without choreographed discosure?
So, Now that I have your attention:

Taking a measured response...

You can't find something that's not real...

You can look for it

That will distract you

A hardware implant is a compliment.

What should we worrry about?

Botnets for DDOS and Mining
Data Breaches

All for money and disruption

Hardware lets you bridge airgaps
Hardware lets you persist wipes
Hardware lets you show off your capabilities

What can we do about it?

Ripping up your servers is a waste of time.
Have you discussed supply chain security with your vendors yet?
Do you consider 5€ hardware attacks in your threat model? 100€?

Then why worry about 1M€ attacks?

What's the impact of an attack?

How common is that attack?

Risk = vulnerability * exposure

So What?

Hardware Attacks are a real threat...

...respond to the threat, not the hype

A Measured Response to a Grain of Rice

Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com