CG - How We Accidentally Became Hardware Hackers

all right how are youall doing today awesome well I'm just going to run you through uh hopefully a light-hearted overview of how I stumbled my way through engineering into Hardware hacking and maybe learn a thing or two on the way mostly what not to do um so yeah we'll just we'll dive right into it and I got some time for questions at the end so you'll notice the uh the tents here uh you know things changed just a little bit instead of uh how we that should actually have a strike through but um it's how I became a hard hacker I think it's uh important for me to note that you know the guy that's in the the

other part of the heart in this photo is uh crucial to this story he and I were both uh electrial engineering students worked at a restaurant together um worked at multiple different jobs and now you know we're back together again so um this is actually a funny picture when we were double e and we took a staged photo um if you can tell he's soldering with an oscilloscope and uh we're not psychology students or faculty so that's a fun little kickart into our careers so like I said I'm just going to run through who I am and then talk about it just a few examples of you know times that I have learned a lesson by mostly

screwing up and uh what that taught me about Hardware hacking and how I think it applies um towards the end of this I'll talk about why everybody should be doing Hardware hacking and you know the this the point of this talk is not to go too far into the Weeds on Hardware hacking find me any other time and I'm happy to to nerd out about whatever you want want to all right so a little bit about me um my name is Caleb Davis I'm co-founder of solos SEC cyber security Consulting um I was an electrial engineer um I guess I still kind of am um at the University of Texas at Tyler um did a ton of embedded development

before that a lot of arm core microcontrollers free R toss uh for for HVAC so heating ventilation air conditioning we we always used to say we would close our eyes and pretend it was lasers cuz it was not that exciting um but we did learn a lot along the way as you'll see all right so some one of the first things that I wanted to to talk about um hopefully you can see here you know this is probably the biggest nudge into Hardware hacking for me was really just being a terrible electrical engineer and you know bad at circuit design and and all of you know all of the things encompassing with that I think I've gotten a little bit better

hopefully but um you know one of the things that we often see when we're putting a a board together is that we'll have to to you know modify that board or do some sort of rework right so you know i' I've got a few examples up above that I'll talk about but you know the things that we see commonly are the wrong uh component Footprints right if you lay out a part or if you have to design your own part um could be a huge problem if you get the dimensions off by you know even the slightest millimeter you could be talking about a short in a system um incorrect schematic wiring I mean if

you're if you're having to Route multiple schematics and you are reading tons of data sheets right it could be very easy to cross those wires and you know when you cross wires on a schematic it's not a big deal when you turn it on you see that factory installed smoke that I'm sure you know multiple people in here are familiar with um wrong component orientation this is another big one that we've seen where you know Screw Up try to send the board or the component to the back side of the board instead the front side get all confuse and then now we've got to you know literally flip transistors over and then solder them upside down so we have

actually done that recent too recently I would say um and then the last thing accidental shorts um you know I've done this recently as well just throwing a via down on top of traces when you shouldn't and and what that means to uh your life and how sad it's going to be to fix that problem um so some of the learning opportunities I kind of alluded to it already but you know when you have when you have these uh issues that come across you can't I mean you can run a new board and you know wait that process and it could be weeks depending on you know your lead time for boards but something that I think is kind of

inherent to what we do as as engineers and tinkerers is that we try to fix it we try to root cause it and then that will inform our next design um my argument here is that you know a lot of those tools that we just did and took for granted kind of propelled me into Hardware hacking because I think that you know the first thing you do when you start looking at uh Hardware board you need something I do actually I believe you uh made a outrageous speaker request when you signed up for this talk good Lord uh and uh I believe that you asked for the same Rider that Nicki Minaj has I did yes okay so I have uh your 24 pack

of Dan the other half is on Ice in an unspecified location great thank you uh but there's there's the on IED part I've got your uh your dried CRA uh cranberries I've got your uh your almonds here and uh I'm going to go out and get your throat drops and your Fried Chicken thank you I think she said she has no bo too delivered so just let me know where to pick that up okay right that's awesome man thank the last person who had noou uh ended up uh not being able to speak in this track because she got food poisoning so that all right thanks for anyway that that's awesome thank you all right I'll fill in the

gaps here because I know y'all are probably trying to figure out what's going on um in the the cfp there was a spot for like special requests for the speakers and I I'm pretty easygo I don't have any special requests so I asked for Nicki Minaj's ridiculous set of uh Green Room requests and uh what's going on for for some reason excuse me yeah I I am really sorry but uh I we rece just received a season assist letter from uh Nicki Minaj's oh yeah it it turns out someone was put out it was Nicki Minaj I I didn't realize she could patent such a thing uh yeah I'm our chief legal officer we have

one um but yeah it's come to my attention that you you've made unauthorized use of my client's copyrighted work entitled performance and security contract addendum for Anika Tanya Mirage AK Nikki Minaj in preparation of an outrageous speaker request for your 2024 conference y we reserved All rights in performance and security contract uh addendum fan blah blah blah blah blah it's too much uh first published to the world in February 4th 2012 so give me a second to keep reading this uh demand that you immediately cease and assist the operation and delivery of the outrageous speaker request but all right okay well wait a second wait a second so I think her speaker her riter says among the

other things you are bringing the fried chicken right oh all right cool but it's at 24 and we've got half on ice and half here all right cool uh we don't have 24 anymore so all right okay we've desisted enjoy we desisted we have desisted great a great talk thank you so much y'all awesome that's so funny all right well another example of you know sometimes decisions that you make can have real impacts on on how things work out um but yeah that that's hilarious I can't I can't believe that they actually obliged and I'm really looking forward to the fried chicken that they say is there and I very much doubt it is all right uh so getting

getting back the overall learning opportunities um like I said you you know when we when we drop down the wrong part when we drop down wrong orientation Etc um we've had to depopulate too many parts to count and a lot of times you know that that's going to come in handy and I'll talk some more about the specific use cases where it does um but you know the ability to do some of that fine you know micr soldering like I I talk about later um is crucial right when you're talking about attacking a microcontroller that's got you know I think everyone's talked about you know depping capacitors or something like that for power analysis if not I'll talk

about it here um but that's a that's a huge part of it in addition to you know dead bugging Parts Etc um the other thing that we've done a a tremendous amount of times um that I I think does come in handy is just cutting traces so you know if anyone's not familiar you know when you lay out a circuit board you'll have you know various layers and those layers will contain copper traces from one to another it's effectively just like wiring on a breadboard um you know a lot of times when you do run into those issues with like schematic wiring um we will have to get under a microscope cut a trace and we'll have to

sometimes even solder from that Trace which is which you can see in that picture on the left solder from one Trace to another um this is crucial and you you'll see in a second why um having the flexibility to do something like that on a board that may not give you the ability to to connect so um just quickly talking through some of the things that we have done um you know I'll just go through the uh the the bullets here and I'll talk about some of these pictures but you know sometimes signals are inaccessible right a big part of Hardware hacking is you know leveraging signals uh an analyzing it decoding it um even you know

manipulating it so you know when when those signals are not accessible via some sort of header that you can connect to or some other means a lot of times you have you'll have to hack your way into that signal right whether that's scraping a trace and soldering onto it um depopulating a component or you know any any of those things are kind of in play for you know hacking those those PCB inner uh bus communication type signals um PCB man INE middle it's the exact same thing to man- in the- Middle on a PCB you have to uh go through tremendous lengths a lot of the time um deadbugging if anyone's not familiar it's when you're taking a part or taking

a part off of a board and then soldering directly to that part um so a lot of times you'll have like a like this at Mega part will have like a ball grid array under the bottom and it's very fine uh in between and then it takes a ton of very meticulous and prec precise soldering to actually attach to those signals and then exfiltrate the data from the board modify it redeploy it you know the world is your oyster from there um another thing that I I would love to talk about and uh you know one of the things I can nerd out for for a while on is side Channel analysis I kind of

alluded to it um you know one of the biggest things for like power analysis for example uh voltage rails if if you're familiar we'll often have a ton of capacitors capacitors store electricity right so to effectively measure things like power or inject a fault um you'll often have to modify the board first before doing those types of attacks um and it just makes it you know a little more responsive to what you're doing um so depopulating components is crucial if you're even going to start doing side Channel analysis and oh just talking about the pictures so the top left is just an example of a BG a component you can see kind of the traces moving out to those

Vias those holes are called Vias um that's a perfect example of if there's a signal that's coming from there that I care about it may not be exposed on the board if it's not like a a qfp which is a specific type of package um so I might have to actually you know scrape that Trace down and solder to that trace or drop a probe or solder 30 gauge wire or something like that directly to that Trace so you know the all those steps that we learned for fixing the things can also be applied to this is is the point and then in the middle it might be hard to see especially for those in the

back um we've had to do this several times where you know you think that you cut the right trace and then you realize you did not cut the right trace and everything ceases to work um and then you have to literally repair a trace so you you know you cut up some 30 gauge wire you drop it back down and you solder it back together that's crucial too in Hardware hacking right you hack the wrong thing and you you know Hardware denial of service is not really super exciting um so you have to you fix it a lot of the time and then the the picture on the right I actually did this at one point this was for a uh uh clock

glitching I believe or fault injection of some kind um but that's actually a surface mount resistor that someone had the this this was not my picture someone had the ability to pull that up and then place it on one side and then that opens up the ability to connect to both sides of that resistor which is really you know it's it's more difficult than it might seem all right so some other examples that we learned I mentioned that me and the buddy that I referenced um started in college which is where we made a lot of these mistakes early on um really a lot of that stemmed from no money no Mo Problems um you know we were broke

college kids and we were trying to be electrical engineers which turns out is fairly expensive um so a lot of what we had to do there was you know try to be resourceful so some of these boards like the board on the left um we thought we were really smart and sourced a ton of components um from Mouser and then you know we were like you know the these capacitors are orders of magnet to cheaper than these I'm going to use these and then realized that they were 04 02s and we couldn't pay for picking place and we had to solder them all by hand so that's just to give you an example 0402 is the part in the middle

and that's a match stick so you know we had to go and solder all of those by hand whereas we could use something like you know the 0805 or even bigger um and do that exact same thing we were dumb and young and thought we were just saving a couple cents um and it turned out to cost a ton of time but once again the spirit of the talk is that you know that that gave us the ability to learn and you know we've soldered as low as o1s with the naked eye and I think my partners actually soldered the 015 under a microscope before so you know I'll get back to you know what what

the point of this whole talk is but you know this example of just being you know constrained with money and trying to figure things out I mean I think that's that's part of the spirit as well of a hardware hacker because that's often your goal as well um all right so another thing that we learned is you know we we often had hostile conditions that that we started working in um just quickly talking about these pictures um we like I said we worked at residential HVAC we did it was called system extreme environmental testing um so this was a chamber where we put all the the outdoor units um it would run and Cake it with snow feet of snow and

it would be freezing temperatures and for some reason we would go and have to debug something that would break in there and we would literally have to debug in these conditions a lot of the time um and this is where you know we'll talk about learning um you know we we got the opportunity to learn with some complex tools that I'll talk about in a second but these were the the Hostile conditions uh I I mention here that you know when you're when you're freezing and your hands are shivering and you are are having to do all of these things intricate at an intricate level uh with Hardware um it really uh lends itself to

expedient root cause analysis um because you want to get out of there as quickly as possible um so just to give you that that's me and SE that's one of my business partners up on like a big lift it also does the opposite where it was like 120 Dees I think when he was doing this picture and then the this thing is called seat this chamber um so someone thought it would be funny to put a seat in seat um so someone took someone's office chair and threw it in the the snow room all right so let's talk about complex tools so the tools that we were using in those conditions um you know it

gave us the opportunity to go and debug um with these complex things right so like a logic analyzer as you see on the left um really used for decoding signals I think it's probably the most important tool to a hardware hacker um you know the you've got a big range you can buy cheaper logic analyzers and get by the the big thing is when you want to get into you know higher sample rate that you'll need or if you want multiple channels or if you want the ability to do analog signals relatively well um you can get up into the, range with like the Sala logic 16 another thing that we used consistently was a portable oscilloscope

so that's actually the third picture um this is just you know looking at all kinds of signals and waveforms uh throughout you know we not only were we working on programmatic uh boards and looking at things like I squared C and spy and uart things along those lines we were also looking at you know how discrete circuitry operated so you know we were doing electrical engineering things um up on a a forklift in the snow um with the the portable oscilloscopes and the last thing Universal programmers that's that that Seager jlink there um this is crucial this crucial for reading uh firmware from a Target or writing firmware you can attach you can debug on

target you can do a ton of things with that so those are some of the tools that we would use just to debug in in our uh conditions and you know a lot of times we would find ourselves um you know hooking up a Sala hooking up an oscope wondering you know what kind of ridiculous ambient conditions um are causing this problem and then you know I can't tell you how many times we realize that we plugged in the JTAG header upside down um so this is one of those examples where you know a stupid problem being you know you have something unplugged you've got something plugged in upside down you've got you know XYZ

something um but you you throw all these tools at it and you know really gave us the opportunity to learn how to run these tools especially in these hostile conditions all right next next lesson that we learned um oneway ticket to dependency hell I think everyone in this room has probably seen something like this at some point and hopefully it's not too triggering for anybody um but yeah the whether it's writing embedded uh C code or if it's writing you know some you know python requirements or whatever it is um will often run into dependency hell just as general software developers of some kind um so you know that that's the same for hardware for

firmware um you know what the the point here is that you know dealing with dependency hell and not shunning it away is actually something that's incredibly beneficial as well given that you know it teaches you more about your specific problem teaches you more about you know in in my case how the compilers actually work um the way that I'm you know linking libraries and you know understanding at a fundamental level how the the code I'm creating gets translated to you know machine code in my case um and that to me that's crucial to a hardware hacker as well because you're you're starting from that point you know if I go pull firmware off of a

Target you're starting from bik code right so the ability to get back to something reasonable um you know if if you have an understanding of the not just the dependencies but the intricacies of the the code that's being deployed um it's crucial in in moving forward there all right bonus slide uh I did look up the statute of limitations and they have expired in Texas where I'm from um so I can tell you that a lot of times we had the opportunity to learn all about physical pin testing um/ b& um mostly due to our general forgetfulness um if you can see that picture that's actually the picture of the uh the facility that we used to work at there's

a little cage on top that you might not be able to see that cage was added because of my my partner that I keep mentioning um we used to just forget and we would have to break into the building full disclosure um so we would have to uh jump over the fence we'd have to tailgate we'd have to you know we would clone each other's badges back before it was cool um and then other physical weaknesses like you know we never really picked a lock there we'd probably get in trouble for that um but you know the air can attack is what we use consistently you know massive air through the uh motion sensor break into the room which

is you know these are all the things that we did allegedly um and you know it's funny now looking at all those opportunities and we we had no idea and now you know if you look at the list of things we legally get paid to do now it's the exact same list so you know that that's another Spirit of you know the the point that I want to convey today is that you know all of these things that are exciting and fun and you know we thought we were just kind of taking for granted as part of our job well not I guess breaking the entering wasn't part of the job but the things we

were taking for granted could also be applied to you know a different career entirely all right so now I get to nerd out a little bit more um hopefully you know all the things that we talked about kind of come to a head when you go deep into the world of Hardware hacking and like I said the the point here is I'm not trying to go too deep in Hardware hacking I'm happy to do that with anybody at any point but you know you can see some of the same tools um just with these pictures that we're seeing here so I I'll briefly talk through some of these and and figure out you know uh

or just kind of allude to uh what they are how how we can use electro engineering to to get to this point so fault injection I guess show of hands is anyone familiar with like fault injection like voltage injection type stuff all right sweet well I'm definitely going to like go into a lot of detail then um so if you imagine like you know an embedded part is going to read memory at some point in time especially when it boots so you know a lot of these microcontrollers will have a voltage rail that voltage rail is powering the core right in order for it to read memory properly um it it has to have like a a good solid connection it's

got to be fully powered when you get it into a state where it's not operating entirely well like sort of kind of a brown out State um you can cause it to do faulty memory operations so something that happens consistently um and across the board is that if you can change that voltage to the core at a specific time um when you're targeting specific pieces of the of either the bootloader or the way that the firmware operates you can actually cause an invalid read and sometimes what happens especially with bootloaders like St micro if you're familiar with that um they will read that and then say okay well that's not the thing that I thought it was I'm

going to revert to this boot sequence right so just give you an example the the default is like level one right where it's kind of a little bit of permission um kind of not if someone enables level three you can do this type of attack and go back to level one and then you open up a ton of different things that you can do to that Target just by doing some basic electrical engineering where you're using a multiplexer to literally switch rails pretty quickly right so I think you know fault injection or or any side Channel analysis is the the perfect harmony of electrical engineering and hacking yep

sure yeah sure yeah so I mean the in general Hardware hacking like the know I think the point of Hardware hacking a lot of folks will say you know you have physical access who cares at this point and I think that's just it's such a misunderstanding of the capabilities of hardware and how you can secure Hardware so you know what what we're after to get you to your question is firmware we're after sensitive information we're after um you know intellectual property all those things that we can take that firmware and reverse engineer it and conduct a broader attack at you know the infrastructure that's supporting the hardware device or we can you know exploit that IP uh gray Market attacks

are a huge thing with Hardware um and even just you know manipulate something if it's you know a critical infrastructure component right you can manipulate it uh and cause it to to perform errand operations whether it's you know flashing a a device like a End of Line run test or you know some some sort of safety operation you can if you can compromise that you know it's a major problem right um so one other thing I'll talk about power analysis too because I think it's just it's awesome um so everyone's familiar with AES right AES encryption Okay cool so AES I think the for AES 128 if you try to brute force it takes like

a billion billion years or something like that I'm sure someone will correct me afterwards um with with correlated power analysis and certain conditions certain encryption modes you can get that to as low as 5 minutes right because what you can do is you can look at the the power analysis and you can look at the all the permutations of an AES key and there's a with with some boards there's a a property where you can correlate those two data sets and you can infer specifics about the the operation the cryptography of the the system just by the power analysis right so you know to to me as an electrical engineer reading power and you know

writing some code to process the data that's trivial right um and then if you couple that with the the cryptography piece of it you know we're talking about electrical engineers can can break into to things that they should not within with relative ease um and this is you know I I don't want to minimize like this these are microcontrollers that are everywhere STM microcontrollers INX P you know you name it they they're in everything and with the emergence of iot um you know it's going to be more and more of a problem and vendors are just now starting to fix it much less you know your your run-of-the-mill manufacturer that's trying to get to Market as quickly as

possible and be as cheap as possible so you know these attacks are not just in Academia these attacks I think are going to be more and more pertinent as as we progress um and as as these things become you know easier to use which I I could talk about more at a later time as as well all right so what now um this my my colleague made me put this quote in there if Hardware hacking is cool then consider me Miles Davis I stand by that I I I don't know who Miles Davis is but Hardware hacking is cool um all right so the the topics and you know takeaways that I want to give here um the growth

mindset and then celebrating small wins you know a lot of times we would go and we we'd have to break into our our employer use all their awesome gear and fix all the boards that we broke at school um we didn't that seemed daunting at the time seemed like we were screwing up it seemed like um you know we didn't know anything about electrical engineering but you know the the things that we were learning I can see now we completely invaluable um we learned the the resilience of you know having a broken board and fixing it we learned all of the specifics of how um how to do that and you know all all the skills

that we can now apply to our careers um and you know the I think key to that is is that growth mindset and making sure that you keep track of you know even when it's terrible and you feel like you're not learning anything you're banging your head against the wall it's it's always progress right so making sure that you know everyone uh as much as I can everyone has that same mindset moving forward that you know it's for a greater purpose at some point um the other thing is that you know I went I think 5 years as a double uh not realizing the world of embedded Hardware hacking and you know I tell people now that if anyone would have

told me what you could do as an electrical engineer in the world of cyber security and Hardware hacking I would have never done anything else uh and I really mean that I think the just the the side Channel stuff alone is is so awesome and fascinating and you know there's a lot of really smart people that know how to do it but it's a relatively untapped space I would say so you know taking it and making it more approachable to you know good people hopefully that are making the world more secure um I I I would say why why do anything else uh yeah yeah um and then the last thing I think this is clear don't be

afraid to fail right failures where we learn uh all of our mistakes I hopefully I was a little bit uh vulnerable with all the dumb mistakes that I've made over the past 10 years or so um and you know realize now what what that led to now you know I'm uh I get to Hardware hack all the time and uh you know without without all the failures without all the challenges that that I face in my career that wouldn't have been possible so that's that's the biggest takeaway there and I think that's it so any any questions from anybody all right

in what uh circumstance you did the physical pen testing if you are into aring physical pin like breaking into a building yeah yeah I the the best example um we had a a building in Downtown LA and uh you know we we just had to go and we impersonated you wore wore the the nice three-piece suit and uh you know walked into the building and realized that they did have like security guards and got scared walked out came back around um and then we just literally tailgated and uh tailgated went up to the floor I was sitting next to the CFO um and just plugged into their Network and sat there for about 45 minutes until we got bored and then just

left I mean it was it's one of those things that especially me as a I don't know if youall know I'm from the south from Texas um just general talking to people is pretty easy um and people are too trusting I would say so I I had a pleasant conversation with a lady that uh almost gave me just the Wi-Fi password just by me asking so you know that's kind of what you're up against a lot of the time is that you know I I'd rather me do it than somebody else but you know if someone goes to that those means of you know just getting access to your network it's it's pretty easy a lot

of the time without all the crazy you know lockpicking air can type stuff any other questions y what do you think the risk is of people not understanding their Hardware I mean they've got great software they got great programs but they don't understand what's actually sitting on the border their backbone or switches routers and stuff for actual physical components yeah great question so I I don't think people understand the downstream impact of how the hardware can interact with the broader ecosystem so the best example that I have with that is not like you know networking gear it kind of makes sense you understand that it's kind of the backbone of of a uh an Enterprise but I had one where you know

something innocuous where it was a uh a water filtration system and that water filtration system had API keys that were stored on Target and I pulled it out of like non-volatile memory on target through a uard interface and then I took those keys and then I attacked the API and then I attacked the API API had indirect object referencing and then I went from a physical device that probably would get thrown away to i' take down your entire API for all of your customers right so understanding Downstream effects and you know how easy it is to actually reverse engineer something intelligible about a system I think is the biggest thing that people just miss because they they see it like

I said they see it as you know you have Hardware attack you could just pull the power plug denial of service game over that's not the case there's a lot more that that could be done what's the most question thing you oh gosh oh man question I mean we we've seen art like uart is universal asynchronous receiving and transmitting just like a a Serial interface but we've seen root on uart on Advanced devices that have no business exposing root level access to someone with just general physical access so that's probably the most egregious I mean we've seen everything from you know unsigned firmware that we could just you know I've been able to text the device

um and change the upgrade server with an SMS message and then host a malicious uh firmware file and bypass their signature verification um to you know overwrite that firmware on a embedded device and you know lock it out do some crazy stuff with the io you know agre there's a lot of egregious that that goes on out there so I wanted to actually kind of like reinforce the the the answer that you gave to this gentleman's question so I I too am an electronics engineer who somehow managed to get himself a role as an embedded penetration tester and yeah this is like this is they're paying me to hack what Yep this is so cool so

anyway yeah and a lot of threat matrices having physical access to something is usually considered like pretty low like if you you go ahead and calculate your risk scores they'll come out low but this is the caveat is just like you said it's like so what'll happen is is a real world real world attackers if they want to like attack your infrastructure whatever at scale what they're going to do is try to get a hold of one of your devices yep that's could be just buying it off eBay and they will attempt to reverse engineer it to find things like what he just talked about like hardcoded API keys in the firmware and clear so if

you didn't lock J tag then that becomes trivial to dump the firmware if you did lock J tag then you got to that's when you got to start jumping into things like fault injection and all that to get it out but once you do and you get it then it allow and you or you find that okay there's hardcoded credentials in there and they're the same for every device like they're not unique per device and then yeah pretty much like what I what he just described then it's like okay then things get really fun

yep yeah uh so for those of us who may have come in a little bit late would you mind sharing or going back to must have tools or capabilities for people trying to get in yeah sure so I think I I mentioned these because I think these are probably should be top of your list logic analyzer hands down is the best it gives you the ability to decode signals right whether that's inbus communication um or you know if it's something that's like an external signal sometimes that's helpful too if you don't you don't want to buy like a custom uh transceiver for everything like rs232 45 whatever um so a good logic analyzer I think is the best um

Universal programmers is probably second on the list where you know you imagine the same same sort of deal with the ability to just be dynamic and you know deal with multiple targets a universal programmer inherently does that where you know thousands and thousands of uh microcontrollers like like this gentleman mentioned with JTAG if if that interface is enabled you know you can use JTAG you can wire up to it or you know a lot of folks FKS will just leave a handy dandy header for you connect to that dump the firmware and then you know you got a ton of stuff you can do from there uh last thing I'll say probably uh a universal well I say Universal

programmer that's more of a universal debugger but a universal programmer um to the extent that you can dump like external flash is another big thing where you know if you depop something off of a board you throw it down on something else you know a lot of times that's where you'll find like the API Keys hard-coded credentials all that kind of stuff and you know those Universal programmers are the same where you know different form factor you can uh exfiltrate information from you know memory or whatever it is so I'd say those those big three are probably the most I'll give you a bigger list if you want to stop by later hey for someone no sorry next go okay um for

someone wanting to dive deeper into this um what do you recommend for for example I I went to a coding boot camp there's a lot of like online resources for learning on your own how to code without going through an e program yeah what do you do on the hardware side of things like I wouldn't know what I'm looking at if I picked up a a logic analyzer or an oscilloscope today how would I learn that on my own yeah that's a great question because I I don't think I think it's inherently difficult to learn Hardware hacking because you know you it's very easy if you if you touch the wrong thing and you solder to the wrong

spot like that factory insult smoke is real I've seen it a lot of times right so um it is more difficult I think that we're seeing more and more uh you know challenges like hack the box or try hack me are trying to do some more Hardware based things and there are kits that you can buy online um I actually if you see me after this I I can point you to some stuff I actually made a uh an open source uh you know learning environment where you learn some of these things the the barrier to entry though is always the hardware right so getting your hands on something that's cheap enough to understand the the premise and then you

know you can work your way up you know nice tools whenever you you know you earn your earn your keep and you understand like what's going on um but I would say you know there are some great books out there no sarch press released um iot practical iot hacking I think and then the hardware hackers handbook those are two great books that i' I'd mention too yeah back hello um I believe you mentioned SMS earlier were you referring to a mobile device or just like an eded device with LTE or something yeah so a lot of these devices will be cellular for a number of reasons right um cellular is probably you know when something's not close to U an access

point or you know you don't have long-term connection cellular is often used in a variety of Industries so you know the the risk to Cellular is is crucial right and I think that there are a lot of issues with um you know it's less so on the the cellular piece there are there are things that you can look at I think they're a little more complicated and then sometimes when you're testing cellular um you can get into trouble and like have black vans roll up to your house if you broadcast the wrong signals and like interrupt uh emergency uh response so be careful doing that um but I think one of the biggest things with

SMS is just general you know improper parsing of of data and trusting data that you shouldn't and that's that's the issue that I ran into it's like I use SMS as a vehicle to bypass bad signature verification of firmware in addition to you know improper access control of you know elevated function like firmware updates so SMS is a vehicle you can attack that just like anything else but yeah it's it's super prevalent with Hardware

devices so this actually was a really good talk and presentation there's a um a field of systems engineering called anti-tamper yeah yeah and if anyone here hasn't heard of it I highly suggest you actually start researching it because there are jobs that not only that pay you to break into systems but pay you to develop counter measures to exactly what you're talking about here and a lot of that field of study came out of the fields of reliability so to answer your question sir for C's components like we're talking about here you can get all the specs and schematics online and that's the first place that our adversaries in certain countries go to First yeah that's a great point the

best way the reason why they are surpassing us is because we let it happen it's because everything is out there yep and that's how you all can obtain this stuff it's all out there it's all free you can get the spec sheets the data sheets you can pull it all and that's where you learn if you learn how it works and you can learn how to dismantle it excellent talk thank you yeah thanks yeah fcci .io if you're familiar like you know anything that has an FCC ID on it go look it up a lot of times you'll you'll be able to dump the entire schematic the the testing from FCC it's just it's a function of of

exactly what he said you know a lot of this is in the open domain some vendors are better than others but you know just go Google this stuff don't read like an a thousand page data sheet figure out how to read data sheets first um but yeah I I can agree more and then anti-tampering I know we're we're almost up on time um just to give you an example so I mentioned correlated power analysis is what I was talking about um some of these chips will do some crazy stuff like injecting random noise and current consumption which breaks that correlation so you know I I can't remember who asked but in in the spirit of where we're moving as an industry

we're seeing more and more of components like that that strengthen the hardware at a fundamental level that we need to see more and more the problem is you know it's bomb cost it's complexity it's Dev time you know that's why we're not seeing it as much as we should all right thank you I think your Fried Chicken getting cold thank you appreciate it [Applause]