Black Hat already let the cat out of the bag when they opened registration earlier than I expected, but I’d like to take a moment to share the background and purpose of this new class.
When I started developing my own hardware security training materials in 2012, there was a huge gap between Joe Grand’s excellent introductory hardware hacking course and the very low level hardware classes by Chris Tarnofsky, Dmitry Nedospasov, Colin O’Flynn, and others.
I began developing the course that would become Software Exploitation via Hardware Exploits to pick up right where Joe Grand’s class leaves off. After teaching the material to hundreds of attendees over multiple years, I built a completely updated and revised class, Applied Physical Attacks on Embedded Systems. There are now a handful of similar classes purporting to cover the same material, including multiple web-based options. (Although, how you can teach a web-based hands-on hardware class is beyond me!)
Applied Physical Attacks and Hardware Pentesting picks up where all of those classes leave off. You may have already learned about JTAG, UART, and SPI, and dumped some firmware to make some trivial changes - but all of that is the equivalent of hijacking unencrypted sessions and calling it a day.
The objective of this course is to go a layer deeper:
- You may have taken a look at a known CPU’s JTAG port…
What happens when you know nothing about the target’s architecture and software?
- You may have sniffed, spoofed, and MITM’d a standard chip-to-chip protocol…
What can you do when you encounter an unfamiliar interface?
- You may have already dumped firmware off a well-documented embedded Linux system…
What about a bare metal or realtime system where static analysis isn’t enough?
Combined with several advanced hardware hacking techniques, Applied Physical Attacks and Hardware Pentesting also covers some of the more procedural parts of pen tests that include hardware in scope:
- How do you decide whether hardware is in scope and why?
- How do you prioritize and plan different approaches to some common hardware situations?
- How do you document hardware threat models, and rate them against software/remote threats?
While the full course outline is still in development, the course overview and outline (subject to revisions) is on this site: Applied Physical Attacks and Hardware Pentesting is a 2- to 3-day hands-on workshop which expands on the embedded class, incorporating more advanced attacks and fitting hardware into a standard penetration testing workflow.
The first public offering of the course will be at Black Hat USA in July, 2017. It will be offered immediately following Applied Physical Attacks on Embedded Systems, which will cover all the prerequisites.:
In preparation for Black Hat, I will be running a ‘rough cut’ of the class in Portland, OR this May. It is offered at a significantly reduced rate since it will be the first time the material is presented to a full group and may not be as polished as the Black Hat Presentation:
Finally, for those who aren’t interested in the Vegas scene or have other commitments, I am planning to run both classes in San Francisco in late October. Exact dates and location will be determined by April, but you can reserve a seat at a discount until then:
Of course, if you’ve got a group of 12 or more, private training is always an option, and you can pick and choose from all the training content I offer: