The Hardware Pivot

Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

Applied Physical Attacks Training
HardwareSecurity.Training
2017 SAS Best Costume

Hardwhat?

"But hardware attacks are too difficult"
"Physical access is too high a barrier for most attackers"
"Only nation-states and their victims need to worry about malicious hardware"

Doesn't look like anything to me

They're right!
Hardware:
• is harder than software
• costs more to develop
• is riskier to deploy
• just doesn't scale

Some people choose to see the ugliness in this world, the disarray;
(misconceptions about hardware)
I choose to see the beauty, to believe there is an order to our days, a purpose.
(simple, deterministic machines)
I know things will work out the way they're meant to.
(but not how YOU mean them to)

Consider:

How do hardware attacks fit in the real world?

10k Hosts in the park

10k hardware implants? No way!

10k unique 0days? Of course not!

1 or more 0days that deliver a software payload that propagates internally?

Now we're talking!

1 or more Hardware Implants that deliver a software payload that propagates internally?

Why Not?

There's a deeper level to this game

Why Hardware?
• Airtight Security Practices
• Airgapped Systems
• Heavily Monitored Networks
• Supply Chain
• Repudiation
• Exfiltration
• We've got it, might as well use it!
• "Because no one's gonna go to that much effort to hack me"


We're in - now what?

Pivot!

Hardware IS hard - let's make it easier:
Step 1: Use Physical Access for a Hardware attack
Step 2: Use Hardware to escalate software privilege
Step 3: Use software privilege to do all that dirty work

These violent delights have violent ends!

These hardware delights have software ends!

Use Hardware when it's Easy!

Organized campaign?

multiple hops through different systems

vs.
targeted hardware implant

Red team engagement?

You don't need to be a nation-state target to be a hardware attack victim!

Simple pentest?

Use Physical Access to inform the Software Attack

No matter how dirty the business, do it well

So What?

Let's reconsider our original assertions:
"But hardware attacks are too difficult"

Hardware attacks are not difficult

"Physical access is too high a barrier for most attackers"

Physical access is not a high barrier

"Only nation-states and their victims need to worry about malicious hardware"

Everyone is vulnerable to malicious hardware

Everything in this world is magic, except to the magician

The Pivot