Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training
Applied Physical Attacks Training
HardwareSecurity.Training
2017 SAS Best Costume
Doesn't
look like
anything
to me
is harder than software
costs more to develop
is riskier to deploy
just doesn't scale
Some people choose to see the ugliness in this world, the disarray;
(misconceptions about hardware)
I choose to see the beauty,
to believe there is an order to our days, a purpose.
(simple, deterministic machines)
I know things will work out the way they're meant to.
(but not how YOU mean them to)
10k Hosts in the park
10k hardware implants? No way!
10k unique 0days? Of course not!
1 or more 0days that deliver a software payload that propagates internally?
Now we're talking!
1 or more Hardware Implants that deliver a software payload that propagates internally?
Why Not?
There's a deeper level
to this game
maeve quote
These
violent
delights have
violent
ends!
These
hardware
delights have
software
ends!
multiple hops through different systems
vs.
targeted hardware implant
You don't need to be a nation state target
to be a hardware attack victim!
No matter how dirty the business,
do it well
Hardware attacks are not difficult
Physical access is not a high barrier
Everyone is vulnerable to malicious hardware
Everything in this world is magic,
except to the magician