Overview

You’ve learned about JTAG, UART, and SPI in your introductory IoT hacking class, but how does this apply to real-world devices you encounter on actual engagements?

This course will put what you’ve already learned into context. We’ll analyze how and why hardware hacks belong in scope of certain pen tests, and what that means to threat modeling and deliverables. We’ll build upon your basic skills and see how more advanced hardware and firmware analysis tells us more about the software vulnerabilities in a system. We’ll prototype some hardware exploits into compelling demos or helpful red-team tools.

This course focuses on approaching hardware as part of a pentest or red team engagement, implementing advanced hardware hacks, and managing the hardware ‘problem’. This two-day course builds directly upon the skills covered in Physical Attacks on Embedded Systems - consider taking the two together for a complete 4 days. If you’ve already taken another class that covers the basics of embedded/IoT/hardware hacking, including UART, JTAG, and SPI, you should have sufficient background.

Targets

This course targets two ARM-based embedded devices representative of a wide range of consumer electronics, medical devices, industrial control hardware, and mobile devices. This course builds directly on the content of Applied Physical Attacks 1: Embedded and IoT Systems.

Length

2 days, 16 CPEs

Audience

This course is well suited to pen testers, red teamers, exploit developers, and product developers looking to more smoothly incorporate hardware elements into their daily operations. In addition, security researchers and enthusiasts unwilling to ‘just trust the hardware’ will gain deeper insight into how hardware works and can be undermined.

Format

20% lecture

70% Lab

10% discussion

Outline

  1. What is Hardware Pentesting
    • Case Study 0: The Nikon WU-1A
    • Hardware Hacking Vs. Pentesting Vs. Development
  2. The Hardware Pentesting Process Overview
    • Pre-Engagement
    • Intelligence Gathering
    • Threat Modelling
    • Vulnerability Analysis
    • Exploitation
    • Post-Exploitation
    • Reporting
  3. Case Study 1: Solid State Drive
    • Complete each stage of the process to plan the pentest
    • Apply Advanced and black-box JTAG techniques to get control of the device
    • Conduct online and offline analysis to undermine the device
  4. Case Study 2: Smart Thermostat
    • Complete each stage of the process to plan the pentest
    • Apply black-box analysis techniques to both components and protocols
    • Implement hardware attack devices and embeddable implants
  5. Case Study X: Target of your choice

Prerequisite

This course picks up where Applied Physical Attacks 1: Embedded and IoT Systems leaves off. Successfully completing it or another similar embedded/hardware/IoT exploitation course before taking this one is strongly recommended so that you can keep pace with the class.