15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training
Applied Physical Attacks Training
2017 SAS Best Costume
is harder than software
costs more to develop
is riskier to deploy
just doesn't scale
Some people choose to see the ugliness in this world, the disarray;
(misconceptions about hardware)
I choose to see the beauty, to believe there is an order to our days, a purpose.
(simple, deterministic machines)
I know things will work out the way they're meant to.
(but not how YOU mean them to)
10k Hosts in the park
10k hardware implants? No way!
10k unique 0days? Of course not!
1 or more 0days that deliver a software payload that propagates internally?
Now we're talking!
1 or more Hardware Implants that deliver a software payload that propagates internally?
There's a deeper level
to this game
multiple hops through different systems
targeted hardware implant
You don't need to be a nation state target
to be a hardware attack victim!
No matter how dirty the business,
do it well
Hardware attacks are not difficult
Physical access is not a high barrier
Everyone is vulnerable to malicious hardware
Everything in this world is magic,
except to the magician