1

The Hardware Pivot

Joe FitzPatrick
@securelyfitz
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

SecuringHardware.com:
• Applied Physical Attacks Training
• HardwareSecurity.Training
2017 SAS Best Costume

Disclaimers

No hardware experience required
Most spoliers have been removed
Ask for details about anything I show today

1

Hardwhat?

"But hardware attacks are too difficult"
"Physical access is too high a barrier for most attackers"
"Only nation-states and their victims need to worry about malicious hardware"

Doesn't
look like
anything
to me

3

They're right!
Hardware:

is harder than software

costs more to develop

is riskier to deploy

just doesn't scale

Some people choose to see the ugliness in this world, the disarray;
(misconceptions about hardware)
I choose to see the beauty, to believe there is an order to our days, a purpose.
(simple, deterministic machines)
I know things will work out the way they're meant to.
(but not how YOU mean them to)

4

Consider:

How do hardware attacks fit in the real word?

10k Hosts in the park

10k hardware implants? No way!

10k unique 0days? Of course not!

1 or more 0days that deliver a software payload that propagates internally?

Now we're talking!

1 or more Hardware Implants that deliver a software payload that propagates internally?

Why Not?

There's a deeper level
to this game

5

Why Hardware?

Airtight Security Practices
Airgapped Systems
Heavily Monitored Networks
Supply Chain
Repudiation
Exfiltration
Social Engineering with Hardware
We've got it, might as well use it!
"Because noone's gonna go to that much effort to hack me"

There are things in me, things I was designed to do, that are just out of my reach...

8

Who is this hacker named Hardware?




Modchips




Counterfiets


Nation States


Bored Hackers




Anyone with $7




Anything with 5mm^2




Anyone internal access


Anyone with proximity?

I see you've already met your makers

They don't look like gods

13

We're in - now what?

Pivot!

Hardware IS hard - let's make it easier:
Step 1: Use Physical Access for a Hardware attack
Step 2: Use Hardware to escalate software privilege
Step 3: Use software privilege to do all that dirty work

These
violent
delights have
violent
ends!

These
hardware
delights have
software
ends!

14

Use Hardware when it's Easy!

Organized campaign?

multiple hops through different systems

vs.
targeted hardware implant

Red team engagement?

You don't need to be a nation state target

to be a hardware attack victim!

Simple pentest?

Use Physical Access
to inform
the Software Attack

No matter how dirty the business,
do it well

16

Is Hardware Magic?

Let's reconsider our original assertions:
"But hardware attacks are too difficult"

Hardware attacks are not difficult

"Physical access is too high a barrier for most attackers"

Physical access is not a high barrier

"Only nation-states and their victims need to worry about malicious hardware"

Everyone is vulnerable to malicious hardware

Everything in this world is magic,
except to the magician

The Pivot