Making the Most of Your Hard(ware) Work

Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

• Applied Physical Attacks Training
• HardwareSecurity.Training



"But hardware attacks are too difficult"
"Physical access is too high a barrier for most attackers"
"Only nation-states and their victims need to worry about malicious hardware"


They're right!

Hardware:
• is harder than software
• has longer development cycles
• gets fewer development iterations
• has real tangible costs

Hardware Attacks:
• are riskier to deploy
• have nonzero risk of bricking
• just don't scale

Hardware goes a long way:
• Ignorance of hardware vulnerabilities
• General laziness (aka efficiency)
• Massive *perceived* barrier to entry


What can we do with physical access?
• Can we get our hands on some similar hardware?
• Can we learn anything just by looking at it?
• Can we capture or dump firmware?
• *Do we even need hardware to get the firmware?*
Download firmware:
Slice and dice:
Check the shadow file:
Tell me more...


What else can we get with physical access?

Let's say we can't get firmware
What CAN we observe?
• Flashy Lights?
• Power Consumption?
• Data Access?
• Debug Output?
Find Serial Port:
Decipher with LA:
Connect with Serial Cable:
Observe crashdump:


USB: Hardware Attacks with Safety Gloves On

Really paranoid about solder and wires and stuff?
29 flavors:
4 Categories:
• Malicious hardware device
• Malicious firmware on an existing device
• Malicious payload on a normal device
• Malicious electrical attacks

Commercial tools can do most of these!
You can homebrew almost all of these - without soldering!
Build your own birdfeeder!

You'll learn more than you expect



Attacking the Fancy Interfaces

PCIe is Hard:
• It's running 2.5 to 8GHz
• It's locked up inside your PC
• It's not like hooking wires up to a parallel port!

PCIe is Hard:
If it were too hard, no one would use it!
• It automatically connects and negotiates
• It has LOTS of error checking/correction
• FPGAs can do it out-of-the-box*
• Thunderbolt can do it too!

Consider the security implications:
1. Connect everything inside your PC
2. Lock it in a box
3. Call it secure...
4. A decade later, make it externally accessible:
Sound similar?

Think about 386 paged memory.

Think about embedded graphics.

Think about IP blocks on an SOC.

But the thunderbolt stuff is fixed, right?

Hot swap predates thunderbolt.

Even systems that don't support hot swap - support hot swap

Don't support hot swap? Just take a nap.
Plugging in a card too complicated?
How about 3 wires:
Moral of the story?

Is an issue 'fixed' or is it just remediated?

If something seems too hard - try a different approach.


What can we learn about general techniques?

Hardware IS hard - let's make it easier:
Step 1: Use physical access for a hardware attack
Step 2: Use hardware to escalate software privilege
Step 3: Use software privilege to do all that dirty work

Don't assume it's too hard, look for shortcuts:
• Is there an existing tool that does this?
• Is there a dev board I can work off of?
• Can observing the hardware tell me more about the software?
• Can physical access turn black boxes into white boxes?

Getting Help:
• Is there someone who can help me with the hardware?
• Is there someone I can help with the software?

You DON'T need to do it all!


Harden your Hardware

Your software runs on hardware whether you like it or not!
If you've got a hardware product, how much would someone spend to attack it?
• Don't mark your testpoints
• Disable debug output
• Assume firmware will be dumped
• Don't worry about exotic hardware defences!
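The "check the shadow file" step from the firmware demo, looked at from the "assume firmware will be dumped" side: an added Python example (not from the talk) that audits the /etc/shadow of an unpacked image for empty or hardcoded passwords. The shadow contents in SAMPLE_SHADOW are constructed.

```python
"""Audit an /etc/shadow pulled out of an unpacked firmware image.
Added example, not from the talk. Assumes the image is already extracted
and the shadow file read into a string; SAMPLE_SHADOW is constructed."""
from dataclasses import dataclass

# crypt(3) prefixes; anything else (e.g. a 13-char legacy DES hash) is treated as weak.
ALGORITHMS = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}

# Constructed sample: one weak hash, one empty field, two locked accounts,
# one strong hash, one legacy DES-style 13-character hash.
SAMPLE_SHADOW = """\
root:$1$saltsalt$0123456789abcdefghijkl:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin::18000:0:99999:7:::
guest:!:18000:0:99999:7:::
service:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP:18000:0:99999:7:::
operator:ab1234567890x:18000:0:99999:7:::
"""

@dataclass
class Finding:
    account: str
    severity: str  # "high" or "medium"
    detail: str

def classify_hash(field: str) -> tuple:
    """Map one shadow password field to (algorithm, strength)."""
    if field == "":
        return ("none", "empty")
    if field.startswith(("!", "*")):  # locked, or no password login at all
        return ("locked", "locked")
    for prefix, result in ALGORITHMS.items():
        if field.startswith(prefix):
            return result
    return ("descrypt-or-unknown", "weak")

def audit_shadow(text: str) -> list:
    """Flag accounts a shipped image lets someone log into: empty or hardcoded passwords."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 2:
            continue  # blank, comment, or malformed entry
        account, pw = fields[0], fields[1]
        algo, strength = classify_hash(pw)
        if strength == "empty":
            findings.append(Finding(account, "high", "empty password field: login without a password"))
        elif strength == "weak":
            findings.append(Finding(account, "high", f"hardcoded credential with weak hash ({algo})"))
        elif strength == "ok":
            findings.append(Finding(account, "medium", f"hardcoded credential shipped in image ({algo})"))
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:6} {f.account}: {f.detail}")
```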


Hardware isn't as hard as it seems

A little bit goes a long way (for now)

Keep your expectations realistic

Get help and share what you find!

Making the Most of Your Hard(ware) Work

Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com