This course introduces and explores attacks on several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience implementing and deploying a number of low-cost hardware devices to enable access, privilege, and deception which is in some cases imperceptible from software.
The course has several modules. Each begins with an architectural overview of an interface and follows with a series of labs for hands-on practice understanding, observing, interacting with, and exploiting the interface, finishing with either potentially exploitable crashes or direct root shells.
Depending on allotted time, topic interest, and class pace, not all topics will be covered completely, but all materials are included for reference and individual practice.
This course primarily targets a MIPS-based network router which is representative of a wide range of embedded devices that span consumer electronics, medical devices, industrial control hardware, and mobile devices.
In-person: 2 days, 16 CPEs. Custom offerings may include advanced topics and run longer.
Online: 2 days, 16 CPEs for the standard set of labs, not including optional background and deeper exploration topics.
This course is geared toward pen testers, developers, and others with a security background who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. No hardware or electrical background is required. Computer architecture knowledge and low-level programming experience are helpful but not required.
With the availability of self-paced online training, we have switched to assembling per-attendee toolkits.
This outline is representative of a 2-day in-person offering of the course. The online content covers 4 full days, and labs are broken into smaller units. All attendees of live courses, even 2-day classes, will have access to the additional online content.
- Background: UART History, Architecture, and Uses
- UART Lab 1: Connecting to a known UART
- UART Lab 2: Identifying and analyzing an unknown UART
- UART Lab 3: Escalating and persisting UART privilege
- Background: JTAG History and Purpose
- JTAG Lab 1: Hardware and Software Setup
- JTAG Lab 2: Escalating Privilege via Kernel
- JTAG Lab 3: Escalating Privilege via a Process
- Background: Flash storage and the SPI interface
- SPI Lab 1: Accessing Flash from software
- SPI Lab 2: Sniffing and Parsing SPI
- SPI Lab 3: Dumping SPI from Hardware
- SPI Lab 4: Firmware Analysis
- Background: More types of Flash, Storage, and Firmware
- Firmware Lab 1: Dumping Firmware from Software
- Firmware Lab 2: Manipulating firmware images
- Firmware Lab 3: Finding software bugs in firmware
Applied Physical Attacks 2: Hardware Pentesting continues where this course leaves off, covering more advanced hardware hacks as well as how to incorporate them into a formal pentesting process.
- Applied Physical Attacks 1: Embedded and IoT Systems
- Hardware Attacks, Risks, Threats, and Mitigations
- Applied Physical Attacks 4: Hardware Implants
- Hands-on JTAG for Fun and Root Shells!
- Applied Physical Attacks 2: Hardware Pentesting
- Applied Physical Attacks 3: Rapid Prototyping
- Applied Physical Attacks on a Raspberry Pi
- Side Channel Attacks for Hardware N00BZ
- Applied Physical Attacks and Silicon Defenses
- Applied Physical Attacks on x86 Systems