
Cool, cool, okay. It is a quarter past two, so we're already running late, and I have about 110 slides to kick off, so buckle up, this will be fun. So before we start, some disclaimers: I will teach you some stuff and you need to be responsible with it, so whatever you do is your own responsibility, not mine. Please join the Slido: if you go to https://sli.do and use the hashtag NCL2020, you will get into a Q&A screen where I can directly react to your questions, and if I don't, just shout in the group if you are able to. Okay.

So one of my first questions is: the people that are watching, I like to interact with them. Do you already code? Are you a programmer, are you coding for fun or whatever? Either tell me or put it in the group.

Audience: I guess I'll go. I know how to code a little bit, nothing really advanced; I know a few languages, basic stuff.

Yeah, I think that is very important, to have a basis in coding. There are things like Codecademy where you can learn the basics, and if you already know how the different structures in a specific program work, you're able to translate that and query your way into a new language. So if you know one, you can easily switch to another; you have to dive into it, but I still do, I have to dive into it. I see "anonymous": some experience with Python and C. Yeah, I started off with assembly, but I think Python is a really cool way, really easy for people to learn, that allows you to interact with hardware as well, and C is perfect for optimized stuff. Another question is: do you break? So are you doing hacking, playing CTFs, working in infosec?

Audience: Yeah, I have some experience there. I'm learning, I'm starting to try to get experience, hopefully a job soon.

Okay, so how do you build up experience? Like watching videos, or doing CTFs?

Audience: I've been watching videos, I've been doing CTFs, and just asking my friends if I can run vulnerability assessments on their websites, stuff like this, and trying to turn it into, you know, a rationale for why what I'm doing is relevant.

Cool, yeah, that's very helpful: getting your network involved in helping you out, especially things where you can play with stuff and look at vulnerable machines. I myself, when I started, used Certified Secure, which is a CTF environment where you first learn things by doing trivia questions, and then you break into websites by using SQL exploits and other kinds of vulnerabilities, and then you switch from being the attacker to becoming the incident response guy by looking at pcap files to see what communication is over there, and then you switch over to hardening by creating more secure code. So you have the entire posture of infosec, and that's a free environment; I think their business model is selling videos to tell you more about that. So the next one is: do you tinker? Tinker as in, are you joining a makerspace or building stuff yourself, Arduino, Raspberry Pi, ESP32, whatever? So Daniel joined as well, hey Daniel.

Audience: Yeah, I've done a bit of stuff with Raspberry Pi, but nothing too in depth.

Now I think the Raspberry Pi is really a game changer, especially for schools that do not have a lot of budget, where they can simply have a small circuit board and just connect it to any random screen, have a micro USB adapter, a photo card, and they're home free. But you see that it's being used more and more, even in more advanced attacks, where red teams leave it behind as a device to get a posture into the network. So although it was initially meant to train children, it's being embraced by the entire community. This is one where you have to
just shout. I will show you a lot of devices with certain ports; like, this is an Apple Lightning cable. So I will show you ports, and if you just say whatever port it is, then I have an idea of the people that are joining the stream. So, first one.

Audience: Oh, USB.

That's a USB, correct. This one is harder; it's not related to computers. Yeah, it looks like audio, but it's basically a DMX connector, which is used for lighting, and also for light shows or for firework shows, so it allows you timing-based controls. This is a connector on the side and has four wires, a red, a black, a yellow and a white one, and it allows you to connect simple devices together; it's on the side of such devices, allowing you to add extra functionality, so unless you're familiar with it you probably won't know. No, it's not HDMI; HDMI is more for adding a screen to it. This is a Grove connector, so the Grove connector is for allowing sensors to be added to the device, or keyboards, or all other kinds of stuff. So this one, don't think of it too hard; it's something that I photographed on a laptop.

Audience: A power port.

That's the power port, yeah, it is. So this one is a bit harder, where you have the circuit board, and if you look at the bottom of the circuit board you might see a couple of pins. So this is something that you would know if you're really into hardware hacking and already have experience with this kind of stuff. Okay, this is the JTAG port, and the JTAG port is used for programming devices, so putting the software onto the hardware, so a television is able to switch channels or a washing machine is able to have certain programs on it. There's a small connector next to it which is also hard; don't feel bad about it, I will just show you. But sometimes people are shouting out all these names and then I know, oh, I already have very advanced hardware hackers in this stream, so I have to up my game a bit. So this is a UART port, and the UART port is a console port: whenever you start up a computer, usually a PC or a Linux machine, you will see all this text scrolling up, showing there's a hard disk inside this computer and there's an amount of memory; this kind of information is being shown on the smaller pins, the UART pins. So if you have a device and you are able to connect to one of these ports, you're able to interact with the device itself.

So this one will be a harder one as well. This is also a UART port, so it's also a console port, but sometimes vendors will disguise these ports as an audio port. So this is a 2.5 millimeter jack plug, the same one that you would use for your headphones, but it is actually not an audio plug: it conceals a console port where you are able to interact with the device. This one, and this is a device that I connect to my Xbox 360.

Audience: Is that a MIDI port?

Yeah, exactly, that's a MIDI port. So this is a keyboard that allows you to play piano in Guitar Hero, and you can also connect it to a computer. So this is a MIDI port; MIDI allows you to send music over a certain protocol, and people were able to play music over the internet although they were not physically together, using this MIDI protocol. So this one: these are hard disks, so this is the back of the hard disk, so there's usually a red cable connected to these.

Audience: Is it SATA?

Yeah, it is SATA. But next to the SATA connector (the small one is the data and the big one is the power), there are also four pins next to this specific hard disk. What are these pins? This is actually also UART, so although this device is meant to be used inside the computer to store information, there's also a connector to it through which you can interact with the device. This one, this is a LED panel, so these are NeoPixels, which are RGB LEDs, and it's a matrix of eight by eight, so 64 different RGB LEDs, and they can be addressed by the computer, and there's a ground, a VCC and one data wire. So my question is: do you know the name of the protocol of that specific connection? The name already reveals it a bit: the name of this protocol is actually One-Wire, so where you have MIDI, there's also one that just has one wire and it's called One-Wire. So this one, what is it used for? Is it a VGA? No; if you look at the VGA on a computer, that will actually have 15 pins, so three rows, and this one has just nine pins. So this is something that you would usually see on older computers, on desktop computers, on routers: this is an RS-232 port, which is a serial port. This one, and this one you will find in your car if you remove the ashtray, or it's maybe in your glove compartment, and this is a connector that allows you to interact with your car, and actually I got a book today on interacting with my car, so happy to read that one, absolutely. Any idea of the name of this connection? Okay, this is OBD2, and OBD2 is the connector where you can interact with the car, and the car is using CAN bus, and it is a protocol where whenever you turn on your windshield wipers it will say 24 24 24 24 24, and your windshield wipers are listening to all the data that's coming in, and if they see a 24 it will actually turn the windshield wiper. So people have been reverse engineering these, as vendors will probably not tell you what the specific codes are for. So there was a Kickstarter project where someone asked you to record all the data that was going over this bus while recording a video of what you were doing, like opening a door, pushing the brake, pushing the horn or whatever, to discover all the specific codes for the specific cars. This one, which is the bottom of a router, so this is a circuit board and you see some metal connections at the end and eight pins per connector. So what is the name of the connector, or what is it used for?
The name is RJ45, and it's used for Ethernet, so this is your long cable where you connect a device to the internet, for instance, or to your local network.

So, a little bit about myself. My name is Jilles Groenendijk and I work for Deloitte in the Netherlands, in the NIC, and I am a hardware hacker. So what I do is different things: I create gadgets for the red team, like keyloggers, devices for persistent access on the network, malicious devices that are used for red teaming. Red teaming is a certain action where you test if all your monitoring is working correctly: what you do is you monitor the security inside of your network, but you want to see if that actually works for you, so by doing so you actually need someone to hack you, but you don't want to be breached. So this is like a training thing, and the red and the blue teams are like in gaming: the red one is the attacking side and the blue one is the defending side. So that's one thing that I do. I do hardware hacking assignments, so what I do is I tear apart hardware: I open up devices, look at the insides, look at the chips to see if there are any vulnerabilities inside this hardware, and I suggest improvements for the device to help people secure their devices before they are going to market. I maintain a blue team platform; one of the previous speakers talked about SIEM solutions, that's stuff that we do as well. And I host security awareness, both digital and physical access controls, so it's like opening doors by cloning cards, using lock picking to open doors, that kind of stuff.

So I have some movies that really inspire me, like Q in James Bond is the thing that I do, creating the cool gadgets, although it's not as fancy as his. The one on the top right is Sneakers, which is about a red team assignment where people breach a bank, but they also do hardware hacking inside. Then there's WarGames on the left, where you have people monitoring everything; it's like the blue team. And Terminator 2, where John is breaching into a bank, I believe, using a PalmPilot. So most of the stuff that I do, I do because I have tinkered my entire life, so I took apart everything that I ever had in my hands, driving my parents really crazy. My grandfather used to have a box where I could take hardware out and take it apart, and at that time it was like a radio with the glass components inside, and I could break it and make something new out of it, and that is what actually helped me learn and enter this business. So what you see on this picture is one of the first things that I did: I built a LED board, the one with "change me, connect to the board", and I made this out of a train station sign, which I could buy very cheap for five euros, but the device I could not use myself. So a friend of mine taught me how to hack the hardware, and it was like six, seven years ago. So what he said is: do you have a chip-off machine? No, I do not have a chip-off machine. Do you cook? Yeah, I sometimes cook. Do you have a crème brûlée torch? I do have a crème brûlée torch. So he said, get me the crème brûlée torch. So what we did is we heated up the chip and we smacked the device on the board and the chip fell off, and we were able to bypass the entire security of the device, add a new microcontroller to it and make this board interactive and make it do whatever we wanted it to do. The one on the right, which is the board that is used in Stranger Things, the Netflix series, where Joyce is looking for her son and the only way to interact with him is using a Ouija board, using the lights that are in her house. And I was walking around at Comic-Con and I saw this lady carrying this cardboard thing with all the Christmas lights and all the letters on it, so I asked her, is it interactive? I'm sorry? I said, is it interactive, can I interact with it? I do not know what you mean. I said, thank you for the idea. So I ran out, I bought a small microcontroller for two euros, I bought a LED string for eight euros, and for 10 euros I was able to create a thing where you could just log in to the board using your mobile phone and make it say whatever you want. So if you would say hello, it could say hello, and of course it had the sentences from the series as well, as a default, like "run", "right here", "help me". The one in the middle at the bottom: as I'm also doing physical security, like opening doors using lockpick tools, using other special tools, I'm part of an organization called TOOOL, which is The Open Organisation Of Lockpickers. This is a little bit... so I'm not as "red" as I am, and during that conference I
tend to leech a lot, so just listening to the presentations of others and not contributing any of my knowledge. So what I thought was, I want to have a presentation at that conference, and I want to make it an epic one, Hollywood style: whenever you see someone breaking into a secure room, they come up with this device that will show numbers on the device that is breaking the lock and then opening the door. This is something that I wanted to build myself. So a colleague of mine was working on this Z-Wave lock, and when he was done with his assignment I tried to figure out how this was working, and by recording the signals that were going over the one wire in this particular lock and replaying these exact signals I was able to brute force this lock. So what I did is I drilled a hole in the front of the lock, on the outside of the house; I connected two little wires to the cable connecting the front panel to the back panel, and I was able to inject my codes into the communication between the locks, and every try took 0.9 seconds, so in presumably three or four hours you would be able to open the lock. So another thing is on the bottom left, which is a device that will deface Bluetooth glasses. So you sometimes see people wearing these Bluetooth glasses, "I'm the coolest", "I'm the best", and whatever, using Bluetooth, and I wanted to learn how Bluetooth worked. So with a couple of friends from all over the world, someone from Japan, someone from America, and we were from the Netherlands, we made a proof of concept where, if you were in the vicinity of such Bluetooth glasses, you were able to change the text to whatever you wanted, just because there was no security at all: you could just connect to the glasses and send your new image to the glasses.

I'm a father of two, twins; they're here in Minecraft style, so it's Yello and Yura, and they had a hard time at school. Yeah, it was hard to learn technical things, so they were quite early done with their lessons and just annoyed or bored at school. So I decided to help: I worked four days in telecom, in data centers, where I worked two days, on Monday and Tuesday; Wednesday was my day off, where I volunteered to work at school; and then Thursday and Friday I worked at the data center again. And during this time I tried to help children to get into science and technology by showing them stuff, like teaching them about privacy, teaching them about network stacks, actually sniffing the network of the school by tapping into it with Wireshark. But we also did some artistic stuff, so we created fonts for Nokia screens, we made software to solve puzzle games, and the one on the bottom right is a box. Since my grandfather made a box for me for Christmas, where there were bells and lights and batteries and switches, I wanted to make a box in his honor to inspire the children as well. So now that we have the Raspberry Pi, I use this as the core of this box, so the box was a Raspberry Pi button box. It has all kinds of features: switches, bells, whistles, screens, printers, coin collectors. So this box just had sensors, and the idea was to make people love to learn by creating their own software. So what you could do is, if you want to have a poem printed, you have to insert 1 pound 50 or 3.50 or 1 euro 60, so you had to train the coin collector to recognize the coin and create some mathematics about it to accept the different coins as values for your program. But instead of just learning a language to learn a language, it's always cooler and more inspiring to learn a language to have a specific goal, like I learned how to do Bluetooth by hacking Bluetooth glasses, or the children learned how to do binary and hexadecimal by creating their own fonts. So what I did for my kids, as my grandfather did for me, is create a scrap box, so there was a "computersloopkist" in Dutch, which is a computer demolition box. So whatever was in the box they could just take out, use hammers, use saws, use whatever tools they had to tear it apart, and when they became older they started soldering, and it made sure that they were not afraid of technology. So whenever you have scrap lying around, this is not scrap: your scrap is another person's treasure. So I had someone come over yesterday to bring me their old NAS and their old set-top boxes for me to tear apart and see how they work, so that really works. And usually when people did this workshop or the hardware hacking training, they tend to run to the thrift shop to buy anything with an electrical port and tear it apart to see how it works.

So one of my boys, Yura, has hacked his school, but not without consent: he hacked it with consent. As he was finished with his mathematics lessons early, he got permission to look at the school security setup. So he made some agreements up front, like: I will not tell this to anyone else before it is fixed, I will only inform my father to see what any of the solutions could be. And there's a video: if you go to YouTube and search for "Yura" and "hack", you will find a video where he hacked his school using a lunchbox for cloning the cards and all kinds of other stuff. So it's not about hacking the school, it's more about the consent, doing the responsible disclosure, bug bounty, that kind of stuff. So that was like four or five years ago and he's now 18; he just joined the university and he built his Python CPU, so he built a CPU in the language Python, something that mimics the functionality of a CPU, so you can write in your own assembler and the Python will interpret it and make that work. So I started streaming due to COVID, and this is one of the last streams that we did, where he shows what he did and how he did it and why he did it, so I will show the link to the stream later. So first, taking a sip of water.

The thing with hardware security: I don't know if you've seen Sean's kickoff this morning, he was talking about the
90s in software security; I tend to go as far as the 80s for hardware security. So for me, most of hardware security feels like I'm in the 80s of software security. A lot of the devices are seen as trusted because people won't open them, while people do open them now. In the past they used to open them to maybe add functionality or maybe upgrade it a little bit, but now people tend to hack them for their own commercial wins, so that they can create their own botnet, that they can make ransomware, that they can steal intellectual property, that kind of stuff. But we still see these devices popping up on the market, like the baby monitor that was as secure as a paper bag. Why is it that the devices that pop into the market are less secure? Well, there are some reasons. You need to be first in a market: IoT is booming, new devices pop up, and whenever you have the most people buying your product, you're market leader, and for the others, unless they have some real advantage in functionality, people are probably going to buy the device that is already well known in the market. Just like whenever you tried to sell the first fax back in the time and no one would buy it unless a lot of people had it, and people tend to buy the same fax machine. There's another thing: if you add security, you add costs. There are costs because people need to spend more time to look at security, the chips that you use might actually be more expensive because there's hardware crypto inside, there's all kinds of other stuff. So will you lose your customers because this device is cheaper than this device? You can buy this baby monitor for 300 pounds, but you can also buy it for 20 pounds, so which one will you buy? And you will see that security, although it is more pricey at the beginning, if you get breached nowadays with the GDPR regulations, yeah, you will have serious issues for your company. There's also the battery that is included: if you have devices, especially smaller devices, that include a battery, and you include hardware crypto or over-the-air updates or other mechanisms, that might affect battery life, so people tend to choose functionality over security. Another thing is crypto: are you really using cryptography in your products, or are you using obfuscation? This is an xkcd comic where they say "get random number": it is four, because it was chosen by fair dice roll. You will see that people are using XOR, which is a simple trick to rotate stuff, because people are not able to read it, but there are tricks to find it. So if you're using XOR and you have a specific key, and the data that you're trying to encrypt or obfuscate is zero, it will actually show the key itself. So it looks like a solution, but it is not. And these devices have chips, these chips have storage, and if you're not using encryption on the chips themselves, I can use a hot air gun, take the chip off and read its contents to see what is on the chip, and especially the hardware chips do not have the latest technologies, so it will probably either be plaintext data or MD5-type hashing, where you are able to find the password that is related to that user. And if that user is the same for all of the devices, which is the next one, then you basically have to hack them all: if you're going for the easy solution and just have one device and mirror it a couple of times, and someone gets one of these devices and tears it apart and finds the secrets, then you're able to replicate this over the internet. And yeah, some devices are out in the field and are staying there forever.
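The XOR point above, as an added example that is not code from the talk: it assumes a constructed product key, record layout and two device dumps, and goes one step further than the zero-byte case by showing that any known plaintext (here a fixed header) leaks the key just the same, and that a key shared across units then opens a second device's dump.

```python
"""Added example (not from the talk): repeating-key XOR is obfuscation, not
encryption.  The product key, the config record layout and the two "device"
dumps below are all constructed for illustration."""
import itertools

# Constructed: the one fixed key a hypothetical vendor burned into every unit.
PRODUCT_KEY = b"s3cr3t!!"
HEADER = b"CONFIGV1"      # constructed 8-byte record header, identical in every unit
RECORD_SIZE = 48          # constructed fixed record size; unused tail is zero-padded


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def make_record(password: bytes) -> bytes:
    """Constructed on-flash layout: header, then the Wi-Fi password, then zeros."""
    return (HEADER + password).ljust(RECORD_SIZE, b"\x00")


def recover_key(blob: bytes, known_plaintext: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    blob[offset:offset+key_len] is plaintext XOR key stream, so XORing it with the
    plaintext known to sit there yields the key stream at that position.  A run of
    zero bytes is the degenerate case from the talk: 0 XOR k == k, so the stored
    bytes *are* the key.  The slice starts at key position offset % key_len, so it
    is rotated back to position 0 before being returned.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least one full key period of known plaintext")
    stream = xor_bytes(blob[offset:offset + key_len], known_plaintext[:key_len])
    shift = offset % key_len
    return stream[-shift:] + stream[:-shift] if shift else stream


# Two constructed units of the same product, each storing a different password.
DEVICE_A = xor_bytes(make_record(b"admin-wifi-pw"), PRODUCT_KEY)
DEVICE_B = xor_bytes(make_record(b"other-site-pw"), PRODUCT_KEY)


def demonstrate_key_leak() -> dict:
    """Pull the key out of device A's dump three ways, then reuse it on device B."""
    key_len = len(PRODUCT_KEY)
    # 1. Aligned zero padding at the end of the record: the stored bytes are the key.
    key_tail = recover_key(DEVICE_A, b"\x00" * key_len, RECORD_SIZE - key_len, key_len)
    # 2. Zero padding starting right after the password (unaligned, needs the rotate).
    pad_start = len(HEADER) + len(b"admin-wifi-pw")
    key_pad = recover_key(DEVICE_A, b"\x00" * key_len, pad_start, key_len)
    # 3. No zeros needed at all: a predictable header is enough known plaintext.
    key_header = recover_key(DEVICE_A, HEADER, 0, key_len)
    # 4. One key per product line means one teardown unlocks every unit in the field.
    plain_b = xor_bytes(DEVICE_B, key_tail)
    return {
        "key_from_zero_tail": key_tail,
        "key_from_zero_pad": key_pad,
        "key_from_header": key_header,
        "device_b_password": plain_b[len(HEADER):].rstrip(b"\x00"),
    }


if __name__ == "__main__":
    for name, value in demonstrate_key_leak().items():
        print(f"{name}: {value!r}")
```

The mitigation is the one the talk asks for: a real cipher with per-device keys, so neither padding nor a predictable header gives anything away and one teardown does not scale.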
If you have an older phone, either an Android or an Apple phone, it will no longer be updated, so all the latest attacks will still be applicable for those devices; even though you want to update, you're not able to update unless you invest extra money in buying the latest device. And sometimes you see that vendors themselves say, well, I don't care, people bought my stuff, I won't support any updates anymore. So if you're not able to update it, even though this device at this moment in time is very secure, it might not be in a week or a year or 10 years if you're still using that. So if you have electronic locks on your door and these are in no way updated, and these locks are here to stay for 30 years on the door, and someone finds a vulnerability, yeah, that's really an issue if you break into my house. But what if I have a hotel where I'm using these locks for all of the doors, or if I have a hotel chain where I'm using these for all of the doors of all of the hotels? So whenever you're buying the stuff, you need to take that in mind as well; otherwise you have to replace all the locks if you're not able to update them, and people are getting stolen from because you are using vulnerable locks on your doors.

Well, you see a lot of measures by people to obfuscate security: what they do is they bring in special security screws, they have warranty void seals on the devices, you see that pins are being obfuscated, but companies like iFixit will sell you and will show you the videos on how to repair your iPhone, what devices to buy, what screwdrivers you need to open them, what tools you need. So just putting a sticker on the box will not make it secure; that will prevent you from swapping a device because someone opened it, so it might have some commercial value, but not in a security manner. And even then, if you Google how to circumvent these measures, using a hairdryer will allow you to remove the sticker and place it back on after you open the device. So what you see is that for a lot of these older devices or cheaper devices, it's probably: open the device, maybe you need a special screwdriver, connect three wires, press Ctrl-C and then you're root, you're in control of this machine, you're able to look at the data that is on the device, look at the source code. So whereas, if you do software testing, you start up a program on your network and run Nessus, for instance, or a vicari vm, to assess this specific computer and see if there are things that you can find, and maybe there's a /admin or a /wp-admin on this device and it will find it, now, instead of just poking it and seeing whether it reacts, you are on the other side of the device and you can actually just list all the files that are on the device and you can see what user it is running as. So if this is a high-privileged user such as root, this makes it vulnerable, and if it's running a simple scripting language to handle all the things inside the router, like ping $1, then you could actually inject security faults by just adding a semicolon and giving a command to it. So it needs to be better. So if you look at it, yeah, if you have it properly secured, then still there are ways to find ways in. So what you could do is tap into the communication between different chips: if you have a CPU or MCU chip, that's the processor that does all the logic, and there are some memory chips that are encrypted, and there's another device that has the encryption keys, you could actually solder wires to this device to eavesdrop on the signal, to
see what the CPU is asking from the TPM chip and how this is related to the data that is on the memory chip. Sometimes you see that there's data or information leaked through the release notes. So if someone tells you that this is the new version and we did bug fixes, that's good, but if they specify what the bug fixes are, it will make it very easy for the people that are reversing it or looking at the vulnerability, or even exploiting these vulnerabilities, to see what is going on. Like this one will add "encrypted" to it, so if you have the
previous one, it's unencrypted: if you download the previous version of this specific firmware, you're able to just unzip the file and see all the data inside it, while if you do that on this one you won't be able to. So maybe if you take the old firmware and take the code out, this is something that still applies to the newer version, which will give you a head start. So be careful with sharing whatever it is you do, or make sure that your customers are up to date before you reveal that information. And I like to listen to Darknet Diaries, the podcast, and that has some great stories about, yeah, where Microsoft coped with the issue: if we're going to release this patch, people are going to reverse engineer this patch to see what the flaw was in the version, making our product even more vulnerable, so people should either update immediately, or we should wait for a more strategic moment in time to release the patch. But it's hard to make proper decisions on these ones; that's not something that I want to do by myself, by the way. I tend to aim for the technology side, and there's other stuff as well.

So what you see here is that some devices are set up with default passwords, and part of the stuff that Yura found was that stuff that was installed, hardware, routers, switches, printers, laptops, was still having the initial passwords. So if you know the vendor, the product, the version number, you will be able to query these products, these hardware types, to see whatever it is that the initial password was, and you can just try this password. And that's the same with using your own password: if you're using passwords and you're using these passwords on more systems, people are able to just download these passwords in plaintext that have been compromised in the past, and people will try these passwords on systems that are not breached but might still have the same password. And it's the same with hardware. Another thing is that stuff is exposed now: there is a Google for hardware, and they call it the Google of the refrigerators, which is called Shodan, and Shodan allows you to query hardware that is online. So it spiders the entire internet and tries to find other ports than just the normal web ports, so other ports than 80 or 443 or 8080, but like: is port 21 on? And 21 is the FTP port, so you might find an open file server on that machine. Or is 3389 on, so you're able to do a remote desktop on that machine? And they go as far as already showing you a screenshot of what it would look like if you connect to that device. So you are breaking the law if you are trying to get in that way; for the Netherlands that will result in a jail sentence of four or five years or a fine of 20,000 euros for breaking into a system that is not yours. But these search engines are there, so saying, well, no one knows this system, that's not true: your system will be spidered, the entire internet will be
spotted so if you are not properly protecting yourself with firewall rules with proper passwords or not reusing any passwords that's so much better and others are uh other ways they will be weaponized using the network like we saw with the mirai network um i have some examples of some some other attacks so if you look at hardware hacking there's like you can connect using ports that are in the device either console ports or programming ports but all these components inside a box with a hardware pcb like sorry the green circuit board with all the components on it all these components are tested to work on the circum certain conditions so they will work on max zero volt to 5.3 volt
So what would happen if you make that 5.4 volt? What would happen if you make that a negative value? It's the same as in software: you have a website with a fancy name and it ends in `?id=2`. What would happen if you change id=2 to id=3, would you see someone else's invoice? What would happen with id=-1 or id=aaa? Those are the kinds of things you can do with hardware as well, they just work a little differently.

A device most of the time has a clock, a crystal, and this sends a pulse a number of times per second: 15 megahertz is 15 million pulses per second for this specific device. So what would happen if you go outside of that scope, so not 15 million but 10 million, or 1 million, or 3 million instead of 15, or 40 million? What happens to the device? Likewise, what would happen if you switch the power during the signals and turn a zero into a one by adding voltage to the data lines? Or certain devices work from minus 20 to plus 60 degrees: what would happen if you overheat or cool them? By playing with the boundaries of these devices you are able to inject faults.

There is something else you see on the screen here, and this is a side-channel attack; it's a TEMPEST attack as well, that is the name. Someone at DEF CON showed a setup where, using a television stick, you were able to see the images that were on another laptop. By multiplying the horizontal and the vertical resolution by the refresh rate you were able to tune in to that frequency and see the actual screen, using a TV stick that cost only 10 euros. Here you see that you could also
remove the residue from the chip, the epoxy coating that covers the silicon parts, to make connections to the chip. Someone in my hackerspace opened up an old chip, an old Pentium chip, to see how it works, and created his own microscope to get imagery of the device and see how the logic inside the chip works. You can even use laser beams on a chip to inject faults and swap a one into a zero, and thus bypass a login, for instance. One of the early Raspberry Pi 2s had a component inside, U16, which was a device used for the power, and if you took a photograph of this specific Raspberry Pi while it was running it would reboot, because there was no silicon housing on this chip and it was vulnerable to light attacks. So taking a flash photo of the Raspberry Pi would result in a reboot of the device.

Other things you could do is listen to the power consumption of devices. By listening to how the power is being used on the device, at a very accurate level, you could actually see what kind of encryption has been used, and if you are able to reproduce key actions you could even obtain the key information. So even though you have proper security hardware, using these advanced attacks you will be able to sniff in and obtain key information, if people are able to get their hands on your hardware. If it's on your premises, in your secure room, you're all safe, but if these are devices that are in everyone's house and people are tearing them apart, they are able to do these kinds of attacks.

I'm a big fan of LiveOverflow as well, and he is doing some epic videos on security, on buffer overflows, on fault injection, and he has been doing videos on breaking encryption: not only listening in to the signals like this, differential power analysis, but also breaking in by doing power glitching, so creating short circuits in time to turn a zero into a one or a one into a zero.

So if you are a hardware manufacturer and you're releasing your hardware, get it tested; there are a lot of companies that do that. Do not send your product out to the market having only done a QA test; also have your devices tested by people that have a security mindset and try to do stuff that you won't expect. You can have people test your software by entering dates, and someone will try a Dutch date, another one an American date,
but what if you just type all kinds of special characters to see what happens? That is looking at hardware testing with the security mindset. I think it's even cooler if you do it yourself, so learn how to test it. Even though it is not your role to do the security test, just attending this hardware hacking workshop or doing a real hardware hacking training will teach you about security, so you are able to create security reports as well. As Sean already told you earlier, there is also an OWASP on hardware security: things on how the device is locked, how the data is stored at rest and in transit, all these things. So follow the OWASP to look at or test the security.

And, same as with software, it is not something that you can add at the end. It's not like "I have a new product and I add this fancy lock in my URL and now it's HTTPS, so this entire product is secure." Are you collecting data that you're not supposed to? Because otherwise you're violating the GDPR, and that will have you end up with a major fine that may even make your company bankrupt. How are you storing the data at rest, how are you storing the data in transit, are you creating your own cryptography or are you using an XOR thing? All these things need to be part of your system life cycle: people need to build the code, the code needs to be reviewed, it needs to be tested, it needs to be patched, and then you go around again.

So if you look at the different steps in hardware hacking (I've been jumping up and down through the differences), these are the ones that are important. If you open up a device, the simplest one is just adding three wires: adding a UART device, which is basically a device that will allow your
Windows, Apple or Linux computer to communicate at the chip level. This will let you see the console information and interact with the computer. The other one is connecting to the JTAG port. The JTAG port is meant for provisioning the devices, for putting new software on the device but also for testing, but if the fuse bits of the device are not properly set, people will be able to extract the software from your hardware and create their own hardware using your software, so actually stealing your intellectual property, or extract your data and then debug the data or search for the crown jewels that are in there: private keys, passwords, IP addresses, other secrets.

You could read the communication between different components. There are different serial protocols with which a microcontroller or microprocessor communicates with a memory module or with an encryption module; these are usually two different protocols, either I²C (I2C) or SPI. You can just connect wires to the chip, solder wires to the chip, or clamp onto the chip or onto pins nearby, to eavesdrop on this data using a logic analyzer, or even an Arduino, to sniff what is going on in the communication between the different components. You could take off the chips and just read the content of the chips using EEPROM programmers or flash dump hardware. You could inject faults: this is a ChipWhisperer, one of the entry models, and this allows you to listen to the communication between the chips even at a voltage level, to see the voltage and the current, to read the data and the consumption of a specific device to reveal secrets like a private key or an encryption mechanism, or to inject faults by turning a one into a zero.

Are you still with me, or do you have questions in between? Okay. So what we're going to do now is deep dive into one of the protocols, and I think if you've seen one protocol you've seen them all, the same as if you've programmed one language you've seen them all: it's just a little different in another one. There are a lot of protocols. For wireless you have Wi-Fi, Zigbee, Z-Wave, LoRaWAN, GSM, Bluetooth, BLE, and for wired ones it's Modbus, RS-232, RS-422, RS-485. So there are all kinds of different protocols, and if you want to know more about those, there are descriptions that you can find from the different manufacturers or
organizations that let you see how they work for a specific version. But what I want you to learn is how this communication works. For me, communication is like this: I had sausages for lunch, so these are two cans with a wire in between, and this allows me to communicate from one side to the other. One side is talking while the other one is listening, and this is how it works with communication as well, especially serial communication, where one side is the TX, the transmit, the send, and the other one is the RX, the receive.

Data is sent using ones and zeros, logical levels: the power is on and the power is off. A one could mean five volts, but it could also be 3.3 volts or 1.8 volts, so there are different ways of telling what is a one and what is a zero, and that differs per protocol. Here you see the data being transmitted over the line: the data is first in a buffer and then this buffer is sent over the line, and because of that buffer the middle part is rotated. This was just a little animation to show you why the bits are in a different order.

As an example I want to show the communication between an old computer, a PDP-11, and a Windows computer. The PDP-11 is using absolute, which is something we had before ASCII, and it is communicating over a serial port. The serial port is the nine-pin port that was on the back of your computer, and it is identified as COM, communication, so it could be COM1, 2, 3 depending on how many of these ports you have in your computer. I'm using PuTTY as the software here, and the speed is in baud. There are only three wires: a ground wire, an RX and a TX, and the RX on one side should be connected to the TX on the other, and the TX on one side to the RX on the other, just like the tin cans. Because there is no clock you do not know when a zero starts and when it ends, so if we have no clock signal we have to make a clock ourselves. We can create a clock by using a protocol, a predetermined agreement, where you say: I will be sending the data at 1200 baud, 1200 bits per second, and that is about 120 characters that I will be sending each second. So the other
end should not be listening at 2400 baud but also at 1200 baud, otherwise you will be sending or receiving different information. These two ends need to line up. So I'm saying: we are sending 1200 bits per second, my data bits are 7 instead of the normal 8 that we use now, we're using two stop bits, we're using even parity, and we're using flow control, Request To Send / Clear To Send.

The first thing we see is that if we take a multimeter and measure the voltage on that line, between ground and the transmit line on the sending computer, we measure a voltage, let's say five volts. So it is set to a one at this moment: there is one, one, one, but it hasn't started yet. It needs a start bit first, and my start bit actually pulls the one that is being sent down to a zero, so my first zero is actually the start of the character that I'm sending over the line. Then it sends the bits for the capital letter S over the line, and at the end of it it sends a parity bit. We're not using these anymore, but a parity bit is a way to check the integrity of the data. Where we now use hashing (if you're downloading a large ISO file there is the SHA or MD5 hash to see if you downloaded your ISO file correctly and there were no hiccups in the line making the file unusable), this is the same thing, but not for an entire file, just for one character. That's the reason we're not using it anymore: we test it on a larger scale. But back in the day we were using this to make sure the data was coming in correctly. And there are different ways: it's not like MD5 or SHA, it's just counting the number of ones on the line.

We have set it to even, so on one side we create a parity bit with the setting even, and on the other end of the line we interpret it with the setting even. If the number of ones is even, the parity bit should be zero. There are one, two, three, four ones, so this should be a zero. If this had been a one, or if one of the other ones had been a zero, then this would not match up, resulting in an error at the other end of the line, so you know the data was corrupted. Now we use a CRC or a checksum of some kind instead.

Then there are the two stop bits, and these are basically like the spaces between words: they indicate "this character is done being transmitted, now we wait a little while, and now we send the next one." You can set these to one, one and a half or two. Why one and a half? Because it doesn't matter how long it is; it could be 1.1, because the next character, the next byte that you will be sending, starts with a zero. So it can be as long as you want, because the next one starts with a zero again, as you will see
here. So, important: do not talk at the same time with the two cans, do not listen at the same time with the two cans; you need to connect one end to RX and the other end to TX, and vice versa.

What's this thing with hardware handshaking? Back in the day when we had modems, you connected a modem to a telephone line and there was all this beeping going on, and your computer needed to know, for instance, if someone was ringing. Let me see if I can bring up a mouse. There was an RI, ring indicator, pin 9, which showed that someone was calling you. It was like a light flashing: someone is calling me, and it would show "ring ring ring" in the logging on my computer. Then I could say "answer the phone", so send the special command AT (that's the Hayes command set), ATA, answer the phone for me, and then it would try to negotiate whether both had the same baud rate: are you 1200? No. Are you 2400? No. Let's talk 300 on each channel? Yeah, that works, and now we have a connection. If they had a connection, called the carrier, then this pin 1 would show that there was a standing connection, that communication was possible between both ends. But because computers at that time were so slow, there was a "stop, you need to stop communicating so I can process all the data; you can continue", just like the flags on an airfield taxiing an airplane to the correct spot. These flags are two wires that are crossed, to tell the one side "you have to stop communicating" or "you can start", and the other one can do that too. You could do that using Request To Send and Clear To Send, but also Data Set Ready and Data Terminal Ready. Sometimes you only had the three wires and no more cables, and you still needed to halt the communication somehow, and for that situation they had software handshaking. If you look at PuTTY, minicom and serial, you see that except for None, RTS and DSR there is also XON/XOFF. XOFF is actually a character in the ASCII character set that you can send to stop the communication over serial: if you send Alt 19 as a command you actually pause the serial communication, and if you press Alt 17 it will continue. That's Ctrl-S and Ctrl-Q, or Alt 19 and Alt 17, or hex 13 and 11; there are different ways of explaining it, but XON/XOFF is a software handshake.

Right, so you see that if both ends do not have the same speed, they measure in a different way. Where the 115200 baud one has a different measuring point for each section, for testing whether a bit is high or low, one or zero, at half the speed it measures at double the size of the interval, so it will read something completely different. There is a CTF at the end of this presentation where you are able to experience whatever we learned here and do this on your own computer; you don't need any hardware, you can just use a browser to test the way this works.
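The frame that was just walked through (start bit, seven data bits for the capital S, even parity, two stop bits) and the mismatched-speed reading, as an added worked example in Python. This is not code from the talk or from the CTF; the captured waveform is constructed inline, and the LSB-first bit order, idle-high line and mid-bit sampling are conventions assumed by the example.

```python
"""Added example (not from the talk): bit-level framing of one asynchronous
serial character as 7E2 (7 data bits, even parity, 2 stop bits), plus a
constructed simulation of a receiver sampling that line at the wrong baud rate.
Conventions assumed here: the idle line is logic 1, the start bit is 0, data
bits go out least-significant bit first, and the receiver samples in the
middle of each bit period after it sees the falling edge of the start bit."""

DATA_BITS, STOP_BITS, EVEN = 7, 2, True
FRAME_LEN = 1 + DATA_BITS + 1 + STOP_BITS   # start + data + parity + stop bits


def parity_bit(data_bits, even=EVEN):
    """Parity bit that makes the total number of ones even (or odd)."""
    bit = sum(data_bits) % 2        # 1 when the data already has an odd count
    return bit if even else 1 - bit


def frame_char(ch):
    """Return the 11 wire-level bits for one character, in transmission order."""
    code = ord(ch)
    if code >= 1 << DATA_BITS:
        raise ValueError(f"{ch!r} does not fit in {DATA_BITS} data bits")
    data = [(code >> i) & 1 for i in range(DATA_BITS)]      # LSB first
    return [0] + data + [parity_bit(data)] + [1] * STOP_BITS


def unframe(bits):
    """Decode one frame. Returns (char, ok); ok is False on a parity error
    or a framing error (a stop bit that was read as 0)."""
    if bits[0] != 0:
        raise ValueError("no start bit at the beginning of the frame")
    data = bits[1:1 + DATA_BITS]
    received_parity = bits[1 + DATA_BITS]
    stops = bits[2 + DATA_BITS:FRAME_LEN]
    parity_ok = received_parity == parity_bit(data)
    framing_ok = all(s == 1 for s in stops)
    code = sum(b << i for i, b in enumerate(data))
    return chr(code), parity_ok and framing_ok


def transmit(text, baud, sample_rate):
    """Render the frames for `text` as a list of line samples (a constructed
    logic-analyzer capture) taken at `sample_rate` samples per second."""
    samples_per_bit = sample_rate // baud
    bits = [1, 1]                       # a little idle (high) line first
    for ch in text:
        bits += frame_char(ch)
    return [b for b in bits for _ in range(samples_per_bit)]


def receive_one(wave, baud, sample_rate):
    """Recover the first frame from `wave`, assuming it was sent at `baud`.
    Listening at the wrong rate samples the wrong places in the capture."""
    samples_per_bit = sample_rate // baud
    start = wave.index(0)               # falling edge: the start bit begins here
    centre = samples_per_bit // 2
    bits = [wave[start + i * samples_per_bit + centre] for i in range(FRAME_LEN)]
    return unframe(bits)


if __name__ == "__main__":
    print(frame_char("S"))                              # [0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1]
    wave = transmit("S", baud=1200, sample_rate=9600)   # constructed capture
    print(receive_one(wave, 1200, 9600))                # ('S', True)
    print(receive_one(wave, 2400, 9600))                # ('\x1e', False): wrong speed
```

With the right speed the receiver gets the S back and the even parity checks out (four ones, parity bit zero). Listening at 2400 baud reads every transmitted bit twice, so the data bits decode to a control character and one of the "stop bits" is sampled as a zero, which is the framing error a real UART would report.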
So, how does it work to hack a specific piece of hardware? Inside the computer is a clock, and the clock ticks a number of cycles per second. This clock is set for 1,843,200 ticks per second, and if you divide this by 2, 4, 8 and so on you come up with certain numbers that are magical. These magical numbers are used for configuring devices. What you see is that I'm using 115200, which is something you see a lot with newer devices, and with very new devices you will even see 230 or 921, but if you look at all the devices or switches that you need to configure you might run into 9600 or 19200, or if you have a fax it's 4800. These values are derived from this component that is in the computer, a crystal, and by dividing that into different parts you are able to come up with these values.
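The crystal arithmetic above as an added Python example, not from the talk. It assumes a 16550-style UART that samples each bit 16 times, so the 1,843,200 Hz crystal gives a base rate of 115200 and every standard rate is that base divided by an integer; rates like 230400 that need a divisor below one are not reachable from this crystal.

```python
"""Added example (not from the talk): why 115200, 57600, 38400, 19200, 9600,
4800, ... are the "magic" serial speeds. Assumption: an 8250/16550-style UART
that oversamples each bit 16 times, so baud = crystal / (16 * divisor) with an
integer divisor programmed into the chip."""

CRYSTAL_HZ = 1_843_200          # the 1.8432 MHz crystal mentioned in the talk
OVERSAMPLE = 16                 # assumed 16x oversampling (8250/16550 family)
BASE_BAUD = CRYSTAL_HZ // OVERSAMPLE   # 115200: divisor 1 gives the top speed


def divisor_for(baud):
    """Integer divisor that produces exactly `baud`, or None if no integer does."""
    if baud <= 0 or BASE_BAUD % baud:
        return None
    return BASE_BAUD // baud


def baud_error_percent(baud):
    """Timing error (in percent) if the nearest integer divisor is used for a
    rate that is not an exact division of the base rate. Asynchronous links
    tolerate only a small error before the sampling points drift off the bits."""
    d = max(1, round(BASE_BAUD / baud))
    actual = BASE_BAUD / d
    return abs(actual - baud) / baud * 100


def exact_bauds(minimum=300):
    """All rates >= `minimum` that this crystal can hit exactly, fastest first."""
    return [BASE_BAUD // d for d in range(1, BASE_BAUD // minimum + 1)
            if BASE_BAUD % d == 0 and BASE_BAUD // d >= minimum]


if __name__ == "__main__":
    for rate in (115200, 57600, 38400, 19200, 9600, 4800, 1200, 300):
        print(rate, "divisor", divisor_for(rate))
    for rate in (230400, 921600, 128000):
        print(rate, "not exact, error %.1f%%" % baud_error_percent(rate))
    print(exact_bauds())
```

The exact list is what a terminal program offers you when you are guessing the speed of an unknown UART header: if the console output is garbage at one of these, try the next one down the list rather than an arbitrary number.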
This was a little bit about the protocol. Now you've seen how these protocols work: it's just sending data from one end to another, where you have a certain agreement on how you send the data in bits, how a certain character is represented as a number of ones and zeros, and how to stall the data and continue the data. But that's only a part of hardware hacking. What I do when I start hardware hacking is reconnaissance, or analysis, first. I open up the box and I take pictures; I take pictures of the device when it's still closed, I even take pictures of the box itself, unopened. Then I look at the security screws, I look at the seals that are there: am I able to open the box without people knowing that I opened it, or do I need to drill my way into the device, and will people immediately see that I tampered with it? If you have a PIN terminal to make a payment in a shop and you see that there are holes drilled into the device, you will not trust it, while if it still has the seals on and it's still closed and looks okay, then you trust the device. So, is there any tamper measure applied to this device?

Whenever I do my hardware hacking assignments, time is my worst enemy: the number of hours that I get to test a certain device, hours or days, depending on the device I got. This I can bend a little bit to my advantage: if there is something that I am not able to do within scope and I really, really want to finish that thing that I found, I might stay a little longer at the office and dive into it and make it work. But sometimes they have a deadline where they turn off the production environment, so I'm no longer able to connect with the back end, or after this assignment the device will be released to the companies that will print the device, create the device or assemble the device. The time between the contract and the actual assignment can sometimes even be a month, and sometimes I open up the box and I see a certain device; like here, if you look at the pins, the ones on the left have a wider pitch than the ones on the right: the ones on the left are 2.54 millimeters while the ones on the right are 2.0 millimeters. If I do not have the pin headers for that one, it will be hard for me to make a connection to it, and I might need to order them from China, from America, from wherever, and that will cost me a lot of time.

So what I do is this: devices that are regulated by the FCC, that is devices for the American market that emit radio signals, need to be registered with the FCC. If you go to fcc.io and type in the FCC ID that is on the back of your device, or in your phone, on your computer, on your router, then you are able to read all the security reports of that specific device. That will include the setup where they tested the radio frequency radiation in a Faraday cage, but it will also include the manual of the
device and how it works, and also the circuit board. So if I am going to work on a specific device and I know this device has a radio component in it, I ask for the FCC ID so I can already do some reconnaissance based upon the circuit boards that I see, because I can now already see there are chips, larger chips, smaller chips, chips with eight pins, with 16 pins, and maybe I can even read the marking on the chip to find out what it does. By the way, this is a LEGO EV3 module that has been torn apart. So just by looking at an FCC ID you will be able to see how this device is tested and how it works, without having to open it.

Another thing: if it is a router, especially a consumer router, it is probably documented on OpenWrt. OpenWrt is an open source website for open source router firmware, and what you see there is tricks to make the hardware go into programming mode, so you can program that open source router firmware onto your closed source router. This will show you special tricks: it will show you where the JTAG is, where the UART is, how to force the device into programming mode. So that could be interesting as well.

Another thing is the datasheet. The datasheet is like a 600-page manual that will show you what the components of the chip are, how to program those, what the ranges of the chip are: what temperature is optimal for the chip and what will introduce faults when it's too high or too low. But also, if I look at a certain pin of a chip, I can find that this is the pin that will give me a console if they did not properly configure it, or will allow me JTAG if they did not set the security bits properly.

When I look at the chips inside a device I look at the form factor, and I try to make it as simple as possible. If you look at the device, let's go another way: these are bigger chips, these are smaller chips with eight pins, these are rectangular chips with pins on the long side or pins on the short side. Those are the chips that I'm interested in: basically all the black components with at least eight pins. I take a picture of all of these and find the datasheet that tells me whether they are storage, or memory, or some sort of computing
power. For the EPROMs, the one on the right is ancient; you will find these in traffic light installations or very old industrial machines. These chips need to be emptied using ultraviolet light, so you need to physically remove them, put them in a box with an ultraviolet lamp inside, and then you can reprogram them. Upgrading the software on these devices means sending an engineer to the installation, having them take out the old chip and put in the new chip, and then it's running on the new version of the software. There is a glass window on this chip, and this window allows you to erase it, but since normal daylight also contains ultraviolet light you need to place a sticker on top of it so it will not be accidentally erased. Usually that sticker contains a version number: this is version 1.0 or 1.2 of the specific software that we're using for that specific installation. But since upgrading software by sending a mechanical engineer around is very expensive, we decided to create newer chips, which are electrically erasable programmable read-only memory chips. This is basically a ROM chip, something that you cannot change easily but that can be upgraded through some upgrade process; it is not like RAM, where you constantly read and write data.

These chips usually have 24 or 25 in their model number. 24 means it's I²C, which is one protocol, and 25 means it's SPI, which is the other protocol. Why is this important, the 24 versus 25? First of all because it makes it easier to identify the chip that you want, since this will contain the firmware that you might want to extract, and the other reason is that the SPI chips are ones where you can just clamp on probes to read them without desoldering, while for the I²C chip you need to desolder the chip and put it into a special socket to read the data from it.

The chips at the top are the chips that contain logic of some kind: it could be a Wi-Fi chip, a Bluetooth chip, a microcontroller, a microprocessor, an FPGA, which is a programmable controller. If it's a microcontroller, an MCU, it probably contains an EEPROM inside as well, and maybe logic inside as well. These are the chips that you would attack using JTAG, extracting all the data, extracting all the intellectual property. The ones on the left, if they have pins on the long side, are not that interesting, because that's memory, and if you turn off the power the memory is gone, basically. And the ones with pins on the short side are the storage: these are the chips that you will find in an SD card, in a USB stick, in an SSD. Whenever you turn the device on, the one with the pins on the long side is empty, and the one with the pins on the short side is like your hard disk: this is where your data resides and what you can use again after rebooting. This is where your pictures are, where your data is. The EEPROMs also contain data, but those will have the settings, like will it boot from the hard drive or from the USB stick, and usually smaller kinds of information like a serial number or a license number, while the other one is a large chunk of data.

Looking at the device, I could also look at the circuit board. If you look at the PCB, all the dark green parts are non-conductive and all the light green parts are conductive, and the white is just ink, or paint, to explain it. What you see is that some of the pins are small and others are larger, and with the switches there are even pins that are connected to the entire surface. So by looking at the circuit board you
can already see: if it's connected to the entire surface, this is a ground pin, my negative pin for my computer. If it's a larger one, like the plus five volt here, this is a power pin, and you need both to power up the device. If it's a smaller pin it's probably data. So by looking at the size of the lanes on the circuit board you are already able to identify what they are used for.

You can do it by measuring as well. I created a special method for myself. What I do is: I turn off the power, I connect the multimeter to one of the shiny metal parts of the circuit board, and I probe each and every pin while the multimeter is on the continuity setting. I call this the Wi-Fi setting because it has these audio waves on it. This means that it beeps whenever there is continuity between one pin and another, so there is a connection: these are connected to these two lines. That's the first step: I first identify all the ground pins. Then I turn on the device while I probe a pin that's not ground, with my multimeter of course on the voltage setting, and that could result in a reading of zero volt, 3.3 volt, five volt, or it could be fluctuating. If it's fluctuating you will probably see data coming by, because it's high, low, high, low: those are the ones and the zeros dropping by.

Why do we need to measure against the ground pin? We need to measure against the ground pin because voltage is a potential difference. If you have a fan inside your computer, it's connected through two cables, and usually there is a small connector that allows you to connect it to one of the Molexes; the Molexes are used to connect a hard drive to your computer, for the older hard drives. The black pins are the ground pins, the red ones are 5 volt and the yellow ones are 12 volt. By connecting between a black one and a red one you have five volts, between a black one and a yellow one you have twelve volts, but you could also connect between the yellow and the red one, and that would give the difference of 12 volt and 5 volt, meaning 7 volts. So instead of having your fan run slow or fast you even have a medium setting this way. So if you're not measuring against the correct ground pin you will probably not measure the correct signal: if something is zero volt at the start and then shows 5 volt, and you're measuring against another 5 volt pin, the difference between those 5 volt pins is 0 volt, so your multimeter is showing 0 while you're measuring between two five-volt pins. By having the correct ground pin you will always measure the correct voltage, and reading the voltage is halfway to reading the data.

So this is the Wi-Fi setting; it has these audio signals. I call it the Wi-Fi setting; it has nothing to do with Wi-Fi, but you use this setting because it will beep whenever there is a connection between two pins, so you don't have to watch your multimeter, you can just watch your circuit board and listen to the beeps.

I was talking about five volt and 3.3 volt. This actually depends on the chips that you are using. It could be that, like in the first example, a zero is actually a signal from 0.5 to 1.5 volt and a one is a signal from 3.5 to 4.4 volt, but it could also be that you have a device that's five volt but also 3.3 volt tolerant, so it has a higher tolerance for the one: that's 2.0 to 4.4 volt, so this kind of chip works on both signals. What is important is that you're using the proper equipment for the proper router. On my YouTube channel I have
a video explaining how to actually connect those cables together, which will help you get through it step by step. So if you're seeing the fluctuating data, the variable data, you're actually Neo in the subway seeing the Matrix: you will see the code. You could also make that visible by connecting a logic analyzer to it and interpreting the ones and zeros to read it.

So, almost at the end; this is slide 103 of 107. It has been a fast walkthrough of hardware security. Since the start of COVID I have been shipping out "I void warranties for a living" stickers, so if you're into stickers and are not able to go to conferences, I will gladly send them to you, anywhere. If you are into hardware hacking and like gadgets, take a picture of this slide: it contains the yadox666 URL, and this is a 600-page PDF that has every gadget that you will ever need for doing hardware hacking, for doing pen testing, for doing wireless attacks; it's red teaming, blue teaming, it will discover people that are trying to hack your system. It's very cool; I think I have one third of this list, and I have a lot of stuff, but it's a very cool list. And these are the links to the YouTube channel. They're all the same, but I'm broadcasting Saturday 1900 BSD, and on that channel is how to do JTAG, how to do a UART connection to your router, even how to communicate over laser beams, creating your own telephone. So if you're into geeky stuff this is something that you might like to see.

To get you started you do not need a lot of stuff; like 15 euros is enough to get there. You need a multimeter that has the Wi-Fi setting. The one on the top right is the FTDI, and the FTDI is a device that allows communication between a computer and digital pins on a device; this one works for 5 volt and 3.3 volt, and I think 95% of the devices use these voltages. I included some DuPont cables; these are the 2.54 millimeter connections that you need to connect to a router or a set-top box or whatever. And on the bottom right is a banana connector to a crocodile clamp, and this allows you to put this into the multimeter and connect it to the DuPont cable to have a firm connection.

I have a workshop, but I also have a scavenger hunt; I got sucked into this scavenger hunt. For the scavenger hunt: if you send me a picture of a communication device that you created for yourself, on Twitter at healers.com, I will send the first 10 people that do that a circuit board that you can solder yourself, to any address of choice. So that's something simple, a gimmick. And the other one is this, and this is a CTF. If you go to this address, https://portal.hey, you need an invite: go to Start, and the invite code is 58558. That will allow you entrance to this CTF portal for this specific challenge, and this will take you from the part where you connected the wires and need to establish the baud rate. Take a picture or a snapshot of this slide, because this will be helpful: it includes the different baud rates that you can try, and it includes the passwords that you might need to enter somewhere. This device has a vulnerability: it uses default passwords, which you can search for, and there is real crypto in there, but people left a private key on the machine; you might need to Google that on your computer. So that should get you started. Enjoy! If you have questions you can ask those via Slack, via Slido, via Twitter, whatever you need, and if you have questions please ask them, feel free. All right, thank you for that, that was
really interesting, there's a lot of information. I've tried to follow along. You know, definitely a lot of information in two hours. Yeah. But very, very interesting, I learned a lot, and plenty of places to get started. Could you just repeat the thing you said about the Twitter, not the CTF but the... what was the other thing? This one, the scavenger hunt? Yeah, what did you want? So the idea is I have 10 circuit boards that need to be soldered, and if I click on this, this is how it is supposed to be, but this is very fast, and I will send those to people that will show me a picture on Twitter of this communication device. So if you have like two cans and a piece of wire in between and send me a picture of that, with a reference to B-Sides Newcastle, I will... and you are one of the ten, and I will ship it to any address of, yeah, obvious choice. Oh okay, cool, thank you. Yeah, this is like a gimmick. So I had a lot of fun getting all kinds of stuff out of my house for a scavenger hunt that we had here, so I wanted to include one in the hardware hacking training as well. So, cool. Yeah, if you want you can join this one. It is, yeah, you should be able to do it, and if you are stuck somewhere just reach out and I will help. So this should be fun. All right, great, thank you very much. You're welcome. Yeah, one more question: will you upload the slides onto anywhere? Did not talk about it, but could do. I need to talk with the organization to find a place to upload these. All right, thank you. Okay, anyone else? I saw an exclamation mark, connecting audio.

Do not hear anything yet, let me meanwhile look at my Slack.

Okay, in the Slack channel of workshop hardware hacking there's also the unroll where I show the contents of my hardware hacking books. So these are all the gadgets that I carry around, like a soldering iron and a multimeter, like a very tiny one. So this is a Twitter feed I posted a little while ago and someone today made an unroll thread for it, so you could even download it as PDF if you want. So I'm using Twitter a lot. Twitter for me is an environment where I'm able to learn from the experts, and they are really helpful. So if you get all the drama out of your bubble it can be a very, very cool place where you learn a lot and where people help you, where you can help people. And I'm on Twitter for, I think, 11 years and it brought me a lot. It brought me more than LinkedIn, by the way, even from a business perspective. It even got me my job, Twitter, five years ago. So I'm hanging around here, so if you have questions just feel free. I have to get going, but thank you again very much and I'll be in touch about the other stuff. Yeah, and thank you very much for your interaction, that's always cooler, to have people asking questions and having the interaction. Oh, I teach at university and if you give like a lecture, anything, and all the students are blank it's very awkward, so I figured I'd just show up as a human responding. Yeah, it's awkward. Thank you very much. All right, nice to meet you, thank you again, bye.
Bye.