Anatomy & Impact of Hardware Attacks

Joe FitzPatrick
@securelyfitz
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

SecuringHardware.com:
• Applied Physical Attacks Training
• HardwareSecurity.Training

Hardwhat?

"But hardware attacks are too difficult"

"You need physical access to do a hardware attack"

"Physical access is too high a barrier for most attackers"

"Only nation-states and their victims need to worry about malicious hardware"

They're right!

Hardware:

is harder than software

has longer development cycles

gets fewer development iterations

has real tangible costs

Hardware Attacks:

are riskier to deploy

have nonzero risk of bricking

just don't scale

Hardware goes a long way:

Ignorance to hardware vulnerabilities

General laziness (aka efficiency)

Massive *percieved* barrier to entry

What is a hardware attack?

How do hardware attacks fit in the real word?

Attacks that require physical access

• Physical Modifcations
• Invasive or noninvasive observation
• Hardware MITM devices

Attacks on hardware physics and logic

• Observation of sidechannels
• Altering and glitching inputs

Attacks on hardware architecture

• Logical bugs in silicon implementations
• Subverting silicon features maliciously

Hardware-enabled software attacks

• Physical access changes software behaviour
• Physical access informs a software attack

Software-enabled hardware attacks

• Software subversion of hardware devices
• Software accessible hardware flaws

Make Hardware do the Hard work

Fun prank?

Off the shelf tools

vs.
explicit trust in hardware

Simple pentest?

Use Physical Access
to inform
the Software Attack

Red team engagement?

You don't need to be a nation state target

to be a hardware attack victim!

Organized campaign?

multiple hops through different systems

vs.
targeted hardware implant

Why Hardware?

Airtight Security Practices

Airgapped Systems

Heavily Monitored Networks

Supply Chain

Repudiation

Exfiltration

Vulnerable Hardware

Unpatchable Vulnerabilities

Lower detection at lower layers

Social Engineering with Hardware

"Because noone's gonna go to that much effort to hack me"

What can we do with physical access?

Can we get our hands on some similar hardware?

Can we learn anything just by looking at it?

Can we capture or dump firmware?

*Do we even need hardware to get the firmware?*

Download firmware:

Slice and dice:

Check the shadow file:

What else can we get with physical access?

Let's say we can't get firmware

What CAN we observe?

Flashy Lights?

Power Consumption?

Data Access?

Debug Output?

Find Serial Port:

Decipher with LA:

Connect with Serial Cable:

Observe crashdump:

USB: Hardware Attacks with Safety Gloves On

Really paranoid about solder and wires and stuff?

29 flavors:

4 Categories:

Malicious hardware device

Malicious firmware on exsiting device

Malicious payload on a normal device

Malicious electrical attacks

Commercial tools can do most of these!

You can homebrew almost all of these - without soldering!

Build your own birdfeeder!

You'll learn more than you expect

Attacking the Fancy Interfaces

PCIe is Hard:

It's running 2.5 to 8GHz

It's locked up inside your PC

It's not like hooking wires up to a parallel port!

PCIe is Hard:

If it were too hard, noone would use it!

It automatically connects and negotiates

It has LOTS of error checking/correction

FPGAs can do it out-of-the-box*

Thunderbolt can do it too!

Consider the security implications:

1. Connect everything inside your PC

2. Lock it in a box

3. Call it secure...

4. A decade later, make it externally accessible:

Sound similar?

Think about 386 paged memory.

Think about embedded graphics.

Think about IP blocks on an SOC.

But the thunderbolt stuff is fixed, right?

Hot swap predates thunderbolt.

Even systems that don't support hot swap - support hot swap

Don't support hot swap? Just take a nap.

Plugging in a card too complicated?
How about 3 wires:

A Softer, Gentle Hardware Attack?

We can use physical access to deliver malicious software

We can use physical access to extract information to aid a software attack

We can use software access to hardware features to circumvent software restrictions!

What's the difference between a LAN and and SOC?

Why should we treat them any differently?

Building software is building abstraction layers to solve your problem.
Attacking software is finding and subverting the flaws in he abstractions

Why should anyone stop when they get to the hardware layer?

Let's reconsider our original assertions:

"But hardware attacks are too difficult"

Hardware attacks are not difficult

"You need physical access to do a hardware attack"

Software can access hardware!

"Physical access is too high a barrier for most attackers"

Physical access is not a high barrier

"Only nation-states and their victims need to worry about malicious hardware"

You don't need malicious hardware to have a hardware attack!

So What?

Software is just the tip of the iceberg.

Don't ingore the hardware underneath!

Anatomy & Impact of Hardware Attacks

Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com