hardsploit
play

HARDSPLOIT Framework for Hardware Security Audit a bridge between - PowerPoint PPT Presentation

Jun 14, 2023 •392 likes •803 views

HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester Who am I ? Julien Moinard - Electronic engineer @opale-security (French company) - Security consultant, Hardware & SoDware pentester -

  1. HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester

  2. Who am I ? • Julien Moinard - Electronic engineer @opale-security (French company) - Security consultant, Hardware & SoDware pentester - Team project leader of Hardsploit - DIY enthusiast 16/03/2016 2

  3. Opale Security in 1 slide 16/03/2016 3

  4. Internet of Things & Privacy concern ? • Any IoT object could reveal informa@on about individuals • Wearable Technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded and so on • Quan@fied Self: pedometers, sleep monitors, and so on • Home Automa@on: connected households using smart fridges, smart ligh<ng and smart security systems, and so on • … 16/03/2016 4

  5. Internet of Things & Privacy concern ? • Last news : (you can update this slide every week L ) Firmware can be read without any problem (SPI memory) VTech was hacked in November, exposing millions of accounts. In response, the firm took some essen<al services offline, meaning products could not be registered on Christmas Day. 16/03/2016 5

  6. Iot Eco-system (20000 feet view) • Privacy Risk level : Where? HF communica<on (ISM Band) + Wifi + 3G-5G , Bluetooth, Sigfox, Lora etc.. IoT devices Central servers, User Interface, API, Backoffice etc. Classical wired connec<ons 16/03/2016 6

  7. Security speaking, hardware is the new soDware ? SOFTWARE To secure it: • Security products (Firewall, An<virus, IDS,…) • Security services (Pentest, Audit, …) • Tools (Uncountable number of them) HARDWARE To secure it: • Few or unimplemented solu<ons (Encryp<on with key in a secure area, an<-replay mechanisms, readout protec<on, …) 16/03/2016 7

  8. Hardsploit & hardware hacking basic procedure • 1/ Open it • 2/ Fingerprint all the component if you can else automa@c brute forcing • 3/ Use those that may contain data (Online / Offline analysis ?) • 4/ Perform read | write opera@on on them • 5/ Reverse engineering, find vulnerabili<es and exploit them 16/03/2016 8

  9. Global Purpose 16/03/2016 9

  10. Why ? • Because chips contain interes<ng / private data • Passwords • File systems • Firmware • … 16/03/2016 10

  11. How ? • A hardware pentester need to know electronic buses and he need to be able to interact with them PARALLEL CAN UART JTAG / SWD Custom 1-Wire 16/03/2016 11

  12. Hardsploit framework Hardsploit database Module (SWD, SMBus, I2C, SPI, etc..) Same hardware but a sofware update is needed to add a new protocols Input / Output IoT target 16/03/2016 12

  13. Hardsploit bus indenSficaSon & scanner (in progress, not published yet) Hardsploit Database of components Module (I2C, SPI, etc..) Database of pagerns Scanner IO hardware mixer Input / Output IoT target 16/03/2016 13

  14. Tool of trade FUNCTIONALITIES BUSPIRATE JTAGULATOR GOODFET HARDSPLOIT UART Bus iden<fica<on SPI PARALLEL I2C JTAG / SWD Bus iden<fica<on MODULARITY Microcontroller Microcontroller Microcontroller uC / FPGA EASE OF USE Cmd line + datasheet Command line Command line Official GUI / API / DB I/O NUMBER < 10 24 < 14 64 (plus power) WIRING TEXT (but MOSI = SDA J ) TEXT / AUTOMATIC TEXT LED / TEXT/ iden<fica<on AUTOMATIC iden<fica<on 16/03/2016 14

  15. Hardsploit: CommunicaSon 16/03/2016 15

  16. Prototype making • Applying soldering paste (low budget style) 16/03/2016 16

  17. Prototype making • Manual reflow oven (DIY style) 16/03/2016 17

  18. Prototype V0.1 aka The Green Goblin J 16/03/2016 18

  19. Prototype making (with a budget) • The rebirth 16/03/2016 19

  20. The board – Final version • 64 I/O channels • ESD Protec<on • Target voltage: 3.3 & 5V • Use a Cyclone II FPGA • USB 2.0 • 20cm x 9cm 16/03/2016 20

  21. Hardsploit organizaSon 16/03/2016 21

  22. Chip management • Search • Create • Modify • Interact 16/03/2016 22

  23. Wiring helper GUI <–> Board interac<on Datasheet representa<on Hardsploit Wiring module representa<on 16/03/2016 23

  24. Se[ngs 16/03/2016 24

  25. Command editor 16/03/2016 25

  26. What are available on github (Open) ? • Microcontroller (c) • API (ruby) • GUI (ruby) • Create your own Hardsploit module : VHDL & API (ruby) 16/03/2016 26

  27. Already available (github) Parallel non mul<plexed memory dump • 32 bits for address • 8/16 bits for data Helping wiring I2C 100Khz 400Khz and 1 Mhz • Addresses scan • Read, write, automa<c full and par<al dump SPI mode 0,1,2,3 up to 25 Mhz • Read, write, automa<c full and par<al dump SWD interface (like JTAG but for ARM core) • Dump and write firmware of most ARM CPU GPIO interact / bitbanging (API only for the moment) • Low speed < 500Hz read & write opera<ons on 64 bits 16/03/2016 27

  28. More to come (see online roadmap)… • Automa<c bus inden<fica<on & Scanner (@30%) • Component & commands sharing platorm (@90%) • TTL UART Module with automa<c detec<on speed (@80%) • Parallel communica<on with mul<plexed memory • I2C sniffing (shot of 4000 bytes up to 1 Mhz) • SPI sniffing (shot of 8000 / 4000 byte half / full up to 25Mhz) • RF Wireless transmission training plateform (Nordic NRF24, 433Mhz, 868Mhz transcievers) • Metasploit integra<on (module) ?? • JTAG • 1 Wire • CanBUS (with hardware level adapter) • … 16/03/2016 28

  29. Concrete case • An electronic lock system • 4 characters pin code A – B – C – D • Good combinaison – Door opens, green L.E.D turn on • Wrong combinaison – Door closes, red L.E.D turn on 16/03/2016 29

  30. Concrete case: Open it 16/03/2016 30

  31. Concrete case: Fingerprint SPI MEMORY 25LC08 STM32F103RBT6 I2C MEMORIES 24LC64 16/03/2016 31

  32. Concrete case: Online / Offline analysis ? 16/03/2016 32

  33. Concrete case: hardsploit scenario 1. Open Hardsploit to create the component (if not exist) 2. Connect the component to Hardsploit (wiring helping) 3. Enter and save the component seungs (if not exist) 4. Dump the content of the memories (1 click) 5. Change the door password by using commands (few clicks) 6. Try the new password on the lock system (enjoy) 16/03/2016 33

  34. Concrete case: Read | Write operaSon, I2C, SPI, SWD … • Time for a live demo ? 16/03/2016 34

  35. Parallel bus memory 16/03/2016 35

  36. Concrete case: Fingerprint 16/03/2016 36

  37. Concrete case: Offline analysis 16/03/2016 37

  38. Concrete case: Ready to dump the content 16/03/2016 38

  39. Conclusion • IoT Device are (also) prone to vulnerabili<es help you to find them • Security policy need to be adpated, nowadays, it is not so difficult to extract data on IoT • Designers need to design with security in mind • Skills related to pentest a hardware device is mandatory for Security Experts (but training exist) • Industry need to take care about device security 16/03/2016 39

  40. Thank you ! Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT) To learn more about Hardsploit and follow the development Hardsploit.io & Opale-Security.com • Julien MOINARD (Project leader of Hardsploit) • Yann ALLAIN (CEO) • julien.moinard@opale-security.com • yann.allain@opale-security.com • +33 9 72 43 87 07 • +33 6 45 45 33 81 Hardware & Sofware, Pentest, Audit, Training 16/03/2016 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rendezvous: A search engine for binary code Wei Ming Khoo, Alan Mycroft, Ross Anderson

Rendezvous: A search engine for binary code Wei Ming Khoo, Alan Mycroft, Ross Anderson

Rendezvous: A search engine for binary code Wei Ming Khoo, Alan Mycroft, Ross Anderson University of Cambridge MSR 2013 19 May 2013 Demo: http://www.rendezvousalpha.com 1 To audit or not to audit You cant trust code that you did not

294 views • 15 slides
Open Source in M&amp;A Transactions Ibrahim Haddad, Ph.D. Oskar Swirtun VP of R&amp;D and Head

Open Source in M&amp;A Transactions Ibrahim Haddad, Ph.D. Oskar Swirtun VP of R&amp;D and Head

Open Source in M&amp;A Transactions Ibrahim Haddad, Ph.D. Oskar Swirtun VP of R&amp;D and Head of Open Source Founder and CEO Samsung Research America FOSSID AB @IbrahimAtLinux Oskar.Swirtun@fossid.com IbrahimAtLinux.com Agenda Open

749 views • 34 slides
So#wareSupportforSo#wareIndependent Audi3ng GabrielleA.Gianelli,

So#wareSupportforSo#wareIndependent Audi3ng GabrielleA.Gianelli,

So#wareSupportforSo#wareIndependent Audi3ng GabrielleA.Gianelli, JenniferD.King , EdwardW.Felten,WilliamP.Zeller CenterforInforma3onTechnologyPolicy DepartmentofComputerScience

377 views • 22 slides
Treasurer Club Officer Training Agenda Treasurer Treasurer Treasurer Role

Treasurer Club Officer Training Agenda Treasurer Treasurer Treasurer Role

Treasurer Club Officer Training Agenda Treasurer Treasurer Treasurer Role Responsibilities Resources www.toastmasters.org Session Objectives Identify your role Fulfill your responsibilities Find resources that help

318 views • 19 slides
2 PuLSE-DSSA PuLSE-DSSA is based on the generic architecture development process shown in Figure

2 PuLSE-DSSA PuLSE-DSSA is based on the generic architecture development process shown in Figure

Creating Product Line Architectures 1 Joachim Bayer, Oliver Flege, and Cristina Gacek Fraunhofer Institute for Experimental Software Engineering (IESE) Sauerwiesen 6, D-67661 Kaiserslautern, Germany {bayer, flege, gacek}@iese.fhg.de Abstract .

260 views • 7 slides
Telehealth use of telecommunication techniques for the purpose of providing telemedicine, medical

Telehealth use of telecommunication techniques for the purpose of providing telemedicine, medical

I mmersive A ug m ented Real ity (I Am Real) --- A Remote Clinical Consultation System Qin Qing Zha hang April 2019 @ The Australian Telehealth Conference THE HE AUST STRALIAN E-HEA HEALTH RESEA SEARCH CEN CENTRE Telehealth use of

560 views • 14 slides
Constructed, Augmented MaxDiff Method and Case Study Chris Chapman , Principal Researcher,

Constructed, Augmented MaxDiff Method and Case Study Chris Chapman , Principal Researcher,

Constructed, Augmented MaxDiff Method and Case Study Chris Chapman , Principal Researcher, Chromebooks Eric Bahna , Product Manager, Android Auto August 19, 2019 International Choice Modeling Conference, Kobe Slides: https://bit.ly/2NfWPEA (2 N

958 views • 36 slides
Chapter 10.3 Counting walks in directed graphs Prof. Tesler Math 184A Winter 2017 Prof. Tesler

Chapter 10.3 Counting walks in directed graphs Prof. Tesler Math 184A Winter 2017 Prof. Tesler

Chapter 10.3 Counting walks in directed graphs Prof. Tesler Math 184A Winter 2017 Prof. Tesler Ch. 10.3: Counting walks Math 184A / Winter 2017 1 / 20 Review of dot product Take two vectors of the same length. Their dot product is defined

432 views • 20 slides
FOCUS ON SATISFYING CUSTOMER NEEDS PROFITABLY MARKETING MIX Marketing Mix is the set of

FOCUS ON SATISFYING CUSTOMER NEEDS PROFITABLY MARKETING MIX Marketing Mix is the set of

FOCUS ON SATISFYING CUSTOMER NEEDS PROFITABLY MARKETING MIX Marketing Mix is the set of controllable, tactical marketing tools that the firm blends to produce the response it wants in the target market. The marketing mix consists of

706 views • 55 slides
Building a digital business Kalman Tiboldi Founder &amp; CEO ( Former CBIO of TVH) TVH Group: 2

Building a digital business Kalman Tiboldi Founder &amp; CEO ( Former CBIO of TVH) TVH Group: 2

A TVH Parts company Building a digital business Kalman Tiboldi Founder &amp; CEO ( Former CBIO of TVH) TVH Group: 2 Business Units 6800 colleagues worldwide Digital innovation at the core of TVH In-house developed IT &amp; Business Close

639 views • 25 slides
Augmented Statistical Models: Exploiting Generative Models in Discriminative Classifiers Martin

Augmented Statistical Models: Exploiting Generative Models in Discriminative Classifiers Martin

Augmented Statistical Models: Exploiting Generative Models in Discriminative Classifiers Martin Layton &amp; Mark Gales 9 December 2005 Cambridge University Engineering Department NIPS 2005 Augmented Statistical Models: Exploiting Generative

726 views • 25 slides
Foundations of Property Introduction to the property industry Tanya Steinbeck, CEO, UDIA WA

Foundations of Property Introduction to the property industry Tanya Steinbeck, CEO, UDIA WA

Foundations of Property Introduction to the property industry Tanya Steinbeck, CEO, UDIA WA What is an asset class? A category of investments that exhibit similar characteristics in the marketplace. The investments within a single asset

435 views • 24 slides
Building Support for and Facilitating Change February 29, 2016 LS.1.6_Building

Building Support for and Facilitating Change February 29, 2016 LS.1.6_Building

Building Support for and Facilitating Change February 29, 2016 LS.1.6_Building Support.Facilitating Change.2.29.16 1 Organizational Change Lasting success lies in changing individuals first; then the organization follows. Black and

761 views • 40 slides
1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No

Politics and Information: Discussion Notes 1. Why transparency? Results 1 - 100 of about 2,430,000 for transparency democracy No democratic society worthy of the name can govern itself without transparency and information. Onthecommons.org

461 views • 5 slides
Managers and Leaders: Are They Different? by Abraham Zaleznik FROM THE JANUARY 2004 ISSUE The

Managers and Leaders: Are They Different? by Abraham Zaleznik FROM THE JANUARY 2004 ISSUE The

8/6/2019 Managers and Leaders: Are They Different? MOTIVATING PEOPLE Managers and Leaders: Are They Different? by Abraham Zaleznik FROM THE JANUARY 2004 ISSUE The traditional view of management, back in 1977 when Abraham Zaleznik wrote this

526 views • 18 slides
Organisational change in the digitalization era how to bring the myth to life? Milja Nohynek

Organisational change in the digitalization era how to bring the myth to life? Milja Nohynek

Organisational change in the digitalization era how to bring the myth to life? Milja Nohynek Karoliina Kettukari 14.3.2019 Nice to see all of you here! Introductions Bold promise Promising yet boring content Awkward

745 views • 45 slides
The Inaugural Audit of the General Fund of the U.S. Government 2019 CIGIE/GAO Financial Statement

The Inaugural Audit of the General Fund of the U.S. Government 2019 CIGIE/GAO Financial Statement

The Inaugural Audit of the General Fund of the U.S. Government 2019 CIGIE/GAO Financial Statement Audit Conference May 7, 2019 What is the General Fund of the U.S. Government? The General Fund of the U.S. Government (General Fund) is the

125 views • 10 slides
Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters

Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters

U.S. Department of Housing and Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters Nikita N. Irons Regional Inspector General for Audit New Orleans, LA Tracey Carney Assistant Regional Inspector

509 views • 36 slides
33:010:458 33:010:458 Accounting Information Accounting Information Systems Systems Dr. Peter

33:010:458 33:010:458 Accounting Information Accounting Information Systems Systems Dr. Peter

33:010:458 33:010:458 Accounting Information Accounting Information Systems Systems Dr. Peter R. Gillett Associate Professor Department of Accounting, Business Ethics and Information Systems Rutgers Business SchoolNewark and New

846 views • 39 slides
Funding Authorities: DASNY and EFC 2 REDI Documentation REDI award letters were sent by the

Funding Authorities: DASNY and EFC 2 REDI Documentation REDI award letters were sent by the

1 Lake Ontario Resiliency and Economic Development Initiative (REDI) Funding Authorities: DASNY and EFC 2 REDI Documentation REDI award letters were sent by the REDI Commission on November 1, 2019 REDI Intake Form due to the REDI

477 views • 36 slides
Introduction to Federal Grants Federal Funding Conference February 2019 Uniform Grant Guidance

Introduction to Federal Grants Federal Funding Conference February 2019 Uniform Grant Guidance

Introduction to Federal Grants Federal Funding Conference February 2019 Uniform Grant Guidance Put into law on July 1, 2015, and applies to all federal grants. Focus shifted away from after -the- fact auditing and best practice

534 views • 32 slides
Preliminary Levy Certification 2020 Payable 2021 September 28, 2020 Willmar Public Schools

Preliminary Levy Certification 2020 Payable 2021 September 28, 2020 Willmar Public Schools

Willmar Public Schools Willmar Public Schools Preliminary Levy Certification 2020 Payable 2021 September 28, 2020 Willmar Public Schools Willmar Public Schools What is the levy? A levy is the amount of money a school district intends to

480 views • 17 slides
Construction and Use of Common Fiscal Policies Benjamin Hart Vice President, Assurance Services

Construction and Use of Common Fiscal Policies Benjamin Hart Vice President, Assurance Services

Construction and Use of Common Fiscal Policies Benjamin Hart Vice President, Assurance Services March 3, 2015 The webinar will begin at 10:00 a.m. CST Administration If you need CPE credit, please participate in all polls throughout the

599 views • 41 slides
A Green Bank for Economic Recovery Maine Green Bank Summit June 25, 2020 1 More than 10% of

A Green Bank for Economic Recovery Maine Green Bank Summit June 25, 2020 1 More than 10% of

A Green Bank for Economic Recovery Maine Green Bank Summit June 25, 2020 1 More than 10% of Maine workers out of work, Federal Government still focused on disaster relief From March-June 2020, 175k Maine residents have filed for

308 views • 17 slides

More recommend