Anatomy & Impact of Hardware Attacks

Joe FitzPatrick
15+ years of hardware fun:
• silicon debug
• security research
• pen testing of CPUs
• security training

• Applied Physical Attacks Training
• HardwareSecurity.Training



"But hardware attacks are too difficult"
"You need physical access to do a hardware attack"
"Physical access is too high a barrier for most attackers"
"Only nation-states and their victims need to worry about malicious hardware"


They're right!

Hardware:

• is harder than software
• has longer development cycles
• gets fewer development iterations
• has real, tangible costs

Hardware Attacks:

• are riskier to deploy
• have a nonzero risk of bricking the target
• just don't scale

Hardware goes a long way:

• Ignorance of hardware vulnerabilities
• General laziness (aka efficiency)
• Massive *perceived* barrier to entry


What is a hardware attack?

How do hardware attacks fit in the real world?
Attacks that require physical access

• Physical modifications
• Invasive or noninvasive observation
• Hardware MITM devices
Attacks on hardware physics and logic

• Observation of side channels
• Altering and glitching inputs
Attacks on hardware architecture

• Logical bugs in silicon implementations
• Subverting silicon features maliciously
Hardware-enabled software attacks

• Physical access changes software behaviour
• Physical access informs a software attack
Software-enabled hardware attacks

• Software subversion of hardware devices
• Software accessible hardware flaws


Make Hardware do the Hard Work

Fun prank?
• Off-the-shelf tools
• Exploit explicit trust in hardware

Simple pentest?
• Use physical access to inform the software attack

Red team engagement?
• You don't need to be a nation-state target to be a hardware attack victim!

Organized campaign?
• Multiple hops through different systems
• Targeted hardware implant


Why Hardware?

Airtight Security Practices
Airgapped Systems
Heavily Monitored Networks
Supply Chain
Vulnerable Hardware
Unpatchable Vulnerabilities
Lower detection at lower layers
Social Engineering with Hardware
"Because no one's gonna go to that much effort to hack me"


What can we do with physical access?
Can we get our hands on some similar hardware?
Can we learn anything just by looking at it?
Can we capture or dump firmware?
*Do we even need hardware to get the firmware?*
Download firmware:
Slice and dice:
Check the shadow file:
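The three screenshots above (download, slice and dice, check the shadow file) are the whole workflow, and it needs no hardware at all. The script below is an added example, not code from the talk: it does a binwalk-style signature scan over a firmware image, carves the gzip'd root filesystem it finds, pulls `etc/shadow` out of the tar, and reports which accounts have no password, a locked password, or a weak hash type. The firmware image, accounts and hashes are all constructed inline as test data, standing in for a vendor download; the `FWHDR` header is invented.

```python
import gzip
import io
import re
import tarfile
import zlib

# gzip member header: the kind of magic a binwalk-style signature scan looks for.
GZIP_MAGIC = b"\x1f\x8b\x08"

# crypt(3) hash prefixes found in /etc/shadow.
HASH_PREFIXES = {
    "$1$": "md5crypt (fast, cheap to brute-force)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2": "bcrypt",
}


def build_sample_firmware() -> bytes:
    """Constructed stand-in for a vendor download: an invented header, padding,
    a gzip'd tar holding the root filesystem, then trailing bytes. The accounts
    and hashes are fake test data, not from any real device."""
    shadow = (
        b"root:$1$saltsalt$0123456789abcdefghijkl:17000:0:99999:7:::\n"
        b"admin::17000:0:99999:7:::\n"  # empty hash field: no password at all
        b"daemon:*:17000:0:99999:7:::\n"
        b"www-data:!:17000:0:99999:7:::\n"
    )
    passwd = b"root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in (("etc/passwd", passwd), ("etc/shadow", shadow)):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    rootfs = gzip.compress(buf.getvalue())
    return b"FWHDR\x01\x00" + b"\x00" * 64 + rootfs + b"\xff" * 32


def find_signatures(image: bytes, magic: bytes = GZIP_MAGIC) -> list:
    """Every offset where the magic appears (signature scan, like binwalk)."""
    return [m.start() for m in re.finditer(re.escape(magic), image)]


def carve_gzip(image: bytes, offset: int) -> bytes:
    """Decompress the gzip member at offset and ignore whatever follows it.
    zlib.decompressobj with wbits=16+MAX_WBITS understands gzip framing and
    leaves the trailing firmware bytes in unused_data instead of choking on them."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    data = d.decompress(image[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    return data


def extract_file(rootfs_tar: bytes, name: str) -> bytes:
    """Pull one file out of the carved root filesystem tar."""
    with tarfile.open(fileobj=io.BytesIO(rootfs_tar), mode="r:") as tar:
        return tar.extractfile(tar.getmember(name)).read()


def audit_shadow(shadow: bytes) -> dict:
    """Classify every account's password field."""
    findings = {}
    for line in shadow.decode().splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":", 2)[:2]
        if hash_field == "":
            findings[user] = "EMPTY password field: login with no password"
        elif hash_field[0] in "!*":
            findings[user] = "locked: no password login for this account"
        else:
            algo = next((v for k, v in HASH_PREFIXES.items() if hash_field.startswith(k)),
                        "legacy DES crypt or unrecognised format")
            findings[user] = "hash present: " + algo
    return findings


def audit_firmware(image: bytes) -> dict:
    """Scan, carve, extract, audit. Returns {} if no usable rootfs is found."""
    for off in find_signatures(image):
        try:
            rootfs = carve_gzip(image, off)
        except (zlib.error, ValueError):
            continue  # false-positive signature hit
        try:
            shadow = extract_file(rootfs, "etc/shadow")
        except (tarfile.TarError, KeyError):
            continue
        return audit_shadow(shadow)
    return {}


if __name__ == "__main__":
    for user, verdict in audit_firmware(build_sample_firmware()).items():
        print("%-10s %s" % (user, verdict))
```

On a real image, replace `build_sample_firmware()` with the bytes of the downloaded file; SquashFS, JFFS2 and cpio containers need their own carver, but the scan-and-carve structure is the same.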


What else can we get with physical access?

Let's say we can't get firmware
What CAN we observe?
Flashy Lights?
Power Consumption?
Data Access?
Debug Output?
Find Serial Port:
Decipher with LA:
Connect with Serial Cable:
Observe crashdump:
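The "decipher with LA" step above is: guess the baud rate from the shortest pulse in the capture, then slice each frame into start bit, eight data bits and stop bit. The code below is an added example, not from the talk. It generates a constructed logic-analyser capture of a TX pin (8N1, idle high, LSB first, sampled at an assumed 1 MS/s so bits do not land on whole samples) and decodes it without being told the baud rate; the "crashdump" text is made up.

```python
SAMPLE_RATE = 1_000_000  # assumed logic-analyser sample rate, 1 MS/s
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)

# Constructed console output standing in for a real crashdump.
CRASHDUMP = b"[  0.812] boot: loading /etc/init\r\n[  0.913] PANIC: null deref, dumping regs\r\n"


def uart_encode(data: bytes, baud: int, sample_rate: int = SAMPLE_RATE, idle_bits: int = 4) -> list:
    """Constructed capture of a UART TX line: 8N1 framing, idle high, LSB first.
    Bit edges are rounded to sample boundaries the way a real capture would be."""
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                   # start bit
        bits.extend((byte >> i) & 1 for i in range(8))   # data bits, LSB first
        bits.append(1)                                   # stop bit
    bits.extend([1] * idle_bits)
    spb = sample_rate / baud                             # samples per bit, non-integer
    samples = []
    for i, b in enumerate(bits):
        samples.extend([b] * (round((i + 1) * spb) - round(i * spb)))
    return samples


def guess_baud(samples: list, sample_rate: int = SAMPLE_RATE) -> int:
    """The shortest run of identical samples is (almost always) one bit time.
    Caveat: if the data never contains an isolated 0 or 1 bit this overestimates
    the bit time; try the decode at each standard baud in that case."""
    shortest = None
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            shortest = run if shortest is None else min(shortest, run)
            run = 1
    if shortest is None:
        raise ValueError("no transitions in capture")
    raw = sample_rate / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def uart_decode(samples: list, baud: int, sample_rate: int = SAMPLE_RATE) -> bytes:
    """Find each falling edge (start bit), sample the middle of the 8 data bits,
    and keep the byte only if the stop bit is high (else it is a framing error)."""
    spb = sample_rate / baud
    out = bytearray()
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:
            i += 1
            continue
        start = i
        byte = 0
        for bit in range(8):
            idx = int(start + spb * (bit + 1.5))
            if idx >= n:
                return bytes(out)
            byte |= samples[idx] << bit
        stop_idx = int(start + spb * 9.5)
        if stop_idx < n and samples[stop_idx] == 1:
            out.append(byte)
        i = int(start + spb * 10)                        # skip to the end of this frame
    return bytes(out)


def decode_console(samples: list, sample_rate: int = SAMPLE_RATE) -> str:
    """Full pipeline: baud guess, then frame decode."""
    baud = guess_baud(samples, sample_rate)
    return uart_decode(samples, baud, sample_rate).decode("ascii", errors="replace")


if __name__ == "__main__":
    capture = uart_encode(CRASHDUMP, 115200)
    print("guessed baud:", guess_baud(capture))
    print(decode_console(capture))
```

With a real capture, export the channel as a 0/1 sample column from the analyser software and feed it to `decode_console` with the analyser's actual sample rate; once the baud is known, a USB-serial cable at that rate gives the same text live.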


USB: Hardware Attacks with Safety Gloves On

Really paranoid about solder and wires and stuff?
29 flavors, 4 categories:

Malicious hardware device

Malicious firmware on existing device

Malicious payload on a normal device

Malicious electrical attacks

Commercial tools can do most of these!
You can homebrew almost all of these - without soldering!
Build your own birdfeeder!

You'll learn more than you expect


Attacking the Fancy Interfaces

PCIe is Hard:

It's running at 2.5 to 8 GT/s (PCIe 1.0 through 3.0)

It's locked up inside your PC

It's not like hooking wires up to a parallel port!

PCIe is Hard:
If it were too hard, no one would use it!

It automatically connects and negotiates

It has LOTS of error checking/correction

FPGAs can do it out-of-the-box*

Thunderbolt can do it too!

Consider the security implications:

1. Connect everything inside your PC

2. Lock it in a box

3. Call it secure...

4. A decade later, make it externally accessible:
Sound similar?

Think about 386 paged memory.

Think about embedded graphics.

Think about IP blocks on an SOC.

But the thunderbolt stuff is fixed, right?

Hot swap predates thunderbolt.

Even systems that don't support hot swap - support hot swap

Don't support hot swap? Just take a nap: suspend, plug in, resume.
Plugging in a card too complicated?
How about 3 wires:
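The "make it externally accessible" step is worth auditing on your own machine: does every bus-mastering device actually sit in an IOMMU group, and does the Thunderbolt controller hand a PCIe tunnel (and so DMA) to anything that is plugged in? The script below is an added example, not from the talk. It parses `lspci -vv` output (a constructed sample with made-up device names is embedded so it runs offline) and maps the Linux sysfs Thunderbolt security levels (none, user, secure, dponly, usbonly, nopcie) to whether an unauthorised device gets PCIe access. Caveat: an absent "IOMMU group:" line means either the IOMMU is off or the installed pciutils is too old to print it; confirm with `ls /sys/kernel/iommu_groups`.

```python
import re
import subprocess

# Constructed lspci -vv excerpt; vendors and devices are made up.
SAMPLE_LSPCI = """\
01:00.0 Non-Volatile memory controller: Example NVMe SSD Controller (prog-if 02 [NVM Express])
        Subsystem: Example NVMe SSD Controller
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        IOMMU group: 14
        Kernel driver in use: nvme

3a:00.0 Ethernet controller: Example Thunderbolt-attached NIC
        Subsystem: Example Dock
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Kernel driver in use: e1000e

3b:00.0 Unassigned class [ff00]: Example device with bus mastering off
        Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
"""

# Verdicts for /sys/bus/thunderbolt/devices/domain0/security (Linux kernel docs).
EXPOSED = "unauthorised devices get a PCIe tunnel: DMA from anything plugged in"
GATED = "PCIe tunnel only after user (or device-key) authorisation"
NO_PCIE = "no PCIe tunnelling: DisplayPort/USB only"


def parse_lspci(text: str) -> list:
    """One dict per device: bus address, description, BusMaster bit, IOMMU group."""
    devices = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"([0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+(.*)", lines[0])
        if not m:
            continue
        busmaster, group = False, None
        for line in lines[1:]:
            if line.lstrip().startswith("Control:"):
                busmaster = "BusMaster+" in line     # device may initiate DMA
            g = re.search(r"IOMMU group:\s*(\d+)", line)
            if g:
                group = int(g.group(1))
        devices.append({"bdf": m.group(1), "desc": m.group(2),
                        "busmaster": busmaster, "iommu_group": group})
    return devices


def dma_capable_without_iommu(devices: list) -> list:
    """Bus addresses of devices that can DMA but are not behind an IOMMU group."""
    return [d["bdf"] for d in devices if d["busmaster"] and d["iommu_group"] is None]


def thunderbolt_pcie_exposure(level: str) -> str:
    """Map the sysfs security level to what a plugged-in device can reach."""
    level = level.strip()
    if level == "none":
        return EXPOSED
    if level in ("user", "secure"):
        return GATED
    if level in ("dponly", "usbonly", "nopcie"):
        return NO_PCIE
    raise ValueError("unknown Thunderbolt security level: %r" % level)


if __name__ == "__main__":
    try:
        text = subprocess.run(["lspci", "-vv"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_LSPCI                                # offline: use the constructed sample
    for bdf in dma_capable_without_iommu(parse_lspci(text)):
        print("DMA-capable, no IOMMU group:", bdf)
    try:
        with open("/sys/bus/thunderbolt/devices/domain0/security") as f:
            print("Thunderbolt:", thunderbolt_pcie_exposure(f.read()))
    except OSError:
        print("Thunderbolt: no domain0 security file (no controller, or driver not loaded)")
```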


A Softer, Gentler Hardware Attack?
We can use physical access to deliver malicious software
We can use physical access to extract information to aid a software attack
We can use software access to hardware features to circumvent software restrictions!
What's the difference between a LAN and an SoC?

Why should we treat them any differently?
Building software is building abstraction layers to solve your problem.
Attacking software is finding and subverting the flaws in the abstractions.
Why should anyone stop when they get to the hardware layer?


Let's reconsider our original assertions:
"But hardware attacks are too difficult"

Hardware attacks are not difficult

"You need physical access to do a hardware attack"

Software can access hardware!

"Physical access is too high a barrier for most attackers"

Physical access is not a high barrier

"Only nation-states and their victims need to worry about malicious hardware"

You don't need malicious hardware to have a hardware attack!


So What?

Software is just the tip of the iceberg.

Don't ignore the hardware underneath!

Anatomy & Impact of Hardware Attacks

Joe FitzPatrick - @securelyfitz - joefitz@securinghardware.com