Hardware Hacking the Internet of Things (IoT)

so uh thanks for having me back again so today we're going to be looking at Hardware hacking if I look a little awkward I'm used to wearing a lapel mic so I'm not good with a microphone so if I start drifting away from it let me know so we can stay on top of it so a little bit about myself uh I work at rapid 7 uh in the previous talk they're like how long have you been in security cyber security I didn't raise my hand I've been in cyber security for over 22 years I've been in it for I say 25 plus but that's like 30 plus years that I've been doing that so I had my hands in a

lot of research and that's what I do at rapid 7 I do research focus on iot technology and today I wanted to do something a little different I didn't want to do the typical you know iot let's hack something so we're going to go through a lot of different hacks and we're going to focus on a number of key areas so we're going to look at examining hardware and the fact that how do we map out circuits on Hardware what are some of the methods or methodologies that I use some how are some of the ones that I've like come up with or thought about often often what we end up doing is we're working on iot and we hit a

snag somewhere I'm like what do I do how do I deal with this since I helped rapid 7 kind of spin up its iot testing program one of the things I do in my research is always try to think ahead what is the new stuff that we're engaging what are the problems are we going to encounter how can we streamline those problems so the pin tester isn't wasting his time trying to figure out new methods or ways to get into things or how to figure things out and then we're also going to talk about problematic flash memory that's kind of like hey I got a memory chip I need to read the firmware off this I don't have

a chip reader that knows this I don't have a socket to drop the chip into how do I deal with this and how do I deal with this I'm dealing with a complex BGA chip how do we tap into it how do we work with that in the last we're going to talk about intership Communications this is an area that I've focused a lot of my research on in the last several years and it's the concept of when we're working with hardware and we're dealing with a device that has let's say good security it's an embedded device but we know it communicates out either cellular or Wi-Fi or Bluetooth on both ends and it's actually done secure

it's done properly how do I know what the End to End security looks like and the deal there is let's kind of focus on what's going on in the circuit board let's look at the communication between microprocessors how do we tap into that and how do we inject data into that if we need to to carry out various attacks so let's go ahead and get started so interaction with Hardware so the first one and I I I learned this trick uh from a friend in in France uh Damian um he did this back in like 2018 in a conference I was at and I thought hey that is cool I like that method let's start using this and let's start sharing

this with other people and this whole idea of overlay so it's the concept of taking images of both sides of the board and kind of overlaying them with each other so if we transpose these at like 50% and we reverse the images and overlay them this gives us the ability to see all the components on the circuit board at one time so then we can start thinking well how's the communication moving on this board what is the best way to tap into that how do I find the runs the vas of the stuff that I want to actually tap into and then on top of that like this we have a teite cellular module so we can actually overlay the

cellular module land grid array on this and the ultimate goal is is like I know this chip we have the data sheetss on this chip and we want to see what connections are one of the things we notice here is the connections are always toward the outer edge of most cellular modules this is probably the same for like satellite modules and also almost all communication ships typically you run into the leads being on the Outer Edge there which is kind of important and you'll see that further in a moment but this gives us the ability to look at this and go okay now I can see both sides of the the boards I can see all

the connection points from that ship where they're at in proximity to the overall circuit board and it makes more sense if I want to start looking for where that communication is on the circuit board I'm not wasting my time hunting and pecking across that board to try to find out what's important I can focus on the side of that board where that data is at so now we know both all the communication lines the UR the USB that we may want to tap into or on that far side of the board now we can actually start looking at close connections on that side of the board to trace out where those are and this can

often save you a bunch of time there's a number of different tools for doing this this particular one I usually just throw the images into PowerPoint which has his ability and I just overlay them transpose them that way and then I quickly can do this in 10 or 15 minutes and you don't even have to have them perfectly lined up the whole idea is just figure out where things are most probably or most likely to be on that board for actually tapping into those so the next problem this was a while back when I was doing research in cellular module we noticed on that other cellular module the key points were around the outer edge what happens if none of those

points of interest are on the top surface of the board how do we get access to them well since there's a close edge of the board if you turn the B on Edge and you magnify it like a 100 times we can actually see the land grid arays up underneath the edge of that board I'm like that's cool can we get access to them yeah we're going to do it with acupuncture needles so literally I buil a set of acupuncture needles we inject those up underneath the edge of the board and we're actually able to tap into the serial line connections in this particular case and this will work on a lot of the different boards the cellular

modules not all of them we ran into some where the actual connections were like two to three millimeters up underneath the edge of the board we noticed the board had a tendency when it was laid out to have slight cup to it making that area along the edge harder to get to that that's not always the case sometimes there's a big enough Gap and you can get different size acupuncture needles so if you go out and try to buy acupuncture needles they're considered medical devices you really can't just up and buy them at least you're not supposed to be able to but they sell these for people who actually do 3D printing clean out the

nozzles and you can get them in different sizes 1 millim this was like a 35 millim the point1 are really flexible sometimes if it's a tight fit it's hard to get it up underneath the edge since these were closer to the edge they were like2 or5 mm literally a half millimeter up underneath the edge of the board I just used something that was stronger and this happened to be 35 mimet acupuncture needles a little stiffer and they were able to insert those in there and then we were able to take glue I use a E6000 glue and hold everything in place while you can do the testing this worked to be very effective can save you a lot of

time because some of the all other Alternatives we're going to talk about which I started thinking about was well what if I can't do this and often we have to chip off so we can remove the actual chip so when we remove the chip I started thinking well how can I redo this can we redesign the circuit board to give us access so I decided how hard would this be this is in my lab because obviously you know as we're building methods and methodologies we want to figure out well how difficult would it be can it be pulled off here we actually have a solder mask which is UV set solder mask and the other sheet over

there are these really small microscopic circuit board repair kit for repairing circuit boards so I thought hey we take the chip off and we reroute the circuits on the board so we lay down solder mask on the actual board we can lay down these runs this took me several tries because you can see that's magnified up pretty big so those runs are really microscopic doing it all under a microscope but if you take your time couple failed attempts and you're able to get them laid out and then the second image over on the right hand side we laid UV set solder mask to hold them in place place and then we reball the board uh the cellular module we put it back on

and then the far right one we can see it magnified up where the actual runs are now outside the UND side of that board now we can actually tap into it so it's not unreasonable to actually R design a circuit board I've done this a number of times I've had uh I've done testing where I was like Hey I'm going to do interchip communication analysis and I need to cut the runs and reroute traffic off the board but there's components in the way there's resistors in the way they're being problematic and I've actually removed resistors that were used for uh connecting to microprocessors together and moved them to the other side of the board because

all the runs were routed over that side so I moved the resistors over there giv the ability to tap into the actual board so that works pretty good so the challenge the challenge is as we start thinking through this is we're going to encounter weird things we're going to encounter problems when doing Hardware hacking do we stop do we give up or do we think of new ways new methods and that's what I'm always looking for so if anyone here does Hardware hacking and they've done something cool grab me afterward share it with me I love that stuff because I want thinking outside the box because it's really easy when we start looking at circuit boards people go hey I'm

trying to do this and it doesn't work so I gave up don't give up think up a new way of doing it have a new challenge try something different I don't care if you destroy the board oh my gosh I've lost count of the number of thousands of dollars of circuit boards I've destroyed actually trying to figure out how to do things one of the things we were doing here a few years back was the intership communication on cellular modules which we're going to talk about here uh toward the end of this presentation we started off with GPS trackers GPS trackers are inexpensive I can pick one up for 50 bucks I can enable it for 20 bucks a month and I can

do some testing with that I have I don't know how many hundreds of dollars of GPS corpses at home uh throwed in a box of devices I've destroyed trying to test things try new things try different ways of hacking on devices to be able to get access because if you want to hack the device getting access to communication reading that communication injecting into that communication pulling firmware or various things like that sometimes you have to kill things you have to break things so I challenge you if you're actually working on a project you want to hack some particular device buy two of them one of them try not to destroy it the other one just go at it take it

apart remove components off put components back on by all means learn how to solder and we're going to see we're going to see that in a minute soldering is not as difficult on circuit boards as you think sometimes it just takes patience and learning and there's tons of of uh YouTube videos out there how to do different things I published tons of work not just on YouTube but on rapid 7 site we'll have a whole list of some of my research and various things out there at the end here where that I anytime I go through and I try to figure something out I document it sometimes they even document the failures hey this is where I failed at this is how I

solved that problem so let's go ahead on the next [Music] one this one was we're going to dig a Little Deeper so this turned out to be a Sam module and I wish I'd use something that was more National to your location but this is a US penny that uh is a Sam module so it's about the size of half of Lincoln's face if you've ever seen a Lincoln penny this ISE extremely small this is like I think was 3x4 mm chip pretty small so what what I wanted to do here and again this was a total failure okay but none of the runs for this module this Sam module which is a security access module was actually on

the surface of the board everything was underneath so I removed the Chip And I started cutting down the layers of the board we did this under a microscope now you can't see uh how deep I've gone there since it's so small but we're down like three to four layers on that board the goal was how do I identify runs that I can't get to the surface of the board how do we break into this how do we get that access this was a kill unit this is one when I was done it was going in the trash I literally started delayering a board using dental picks layer after layer after layer and the goal was

eventually find all of the important circuit runs for this sand module security access module so I could tap into them again on this particular project I ran out of time I destroyed the board I didn't find what I was looking for but as you can see challenge you do it you take that next step you dig deeper I do this every once in a while it's not uncommon for me to encounter a board where what I need to tap into is not on the surface of the board and I want to go down through some of the various sublayers and I do this at least several times a year and I usually do it very effectively why

because I failed enough times I figured out the process the crazy thing is the last one I did it was a simple Bluetooth module where everything was routed somewhere else underneath the sublayer of the board so I started cutting down through the layers with through one layer two layers three layers four layer it was only six layer board I got down to the fifth layer well if IID flipped the board over I'd only had to go down one layer but it's kind of the nature of the game but I was actually able to get down far enough find the actual run and tap into it be able to get what I needed to get access to uh again it's all about

trying something different and that's kind of what I'm trying to express here in this talk do not give up do not stop when you encounter these hard spots try something different try something new this is all doable again having a microscope and you don't always have to have a super great microscope you can use one of the digital microscopes out there they're reasonably cheap to actually be able to do this but typically I think this is a 45 X so get anything it'll go up to 45x you can pretty much do anything you want at that point there so tear down for fun and knowledge so in this case we're looking at a quel EG 91 um cellular module

anytime I get a device with a cellular module we can pretty much assume that the cellular module is going to die in this process so we D take the shield off of it we see the components are packed in there pretty deep first thing I typically do is throw it into an oven first module I get or I'll go buy extras once I figure out what what I need I'll buy it for instead of buying the whole device I'll just buy the module throw it into an oven strip it bear everything off of it so why do I do that I want to look at the actual circuit board because these are like little daughter boards

that are attached to the device what can I get access on this board surface is what I'm usually looking for and I'm looking for like J tags Ser wi debug uh uh uarts USBS whatever connections may be accessible on the surface of the board CU I can pull the shield off and possibly tap in that way versus having to take the chip off and rerun circuits in this particular case most of everything coming out of these companies is well engineered from a circuit board standpoint it's very difficult to get access the data but what we do do is this has a flash memory chip on it and this one was actually pulled off a live device that had been set up

configured the whole nine yards because we wanted to actually get a live configured memory chip off a cellular device and where it was configured this is one of the things we often run into this is 162 ball BGA chip but in this particular case uh if you look at this pin out this is a common at least pin Arrangement as you look at it for an embedded multi-chip package embedded multi-chip packages normally have embedded controllers on them and you can drop them into a reader and instantly mount it up as an SD card that's not the case here this is does not have the embedded controller on it it does have RAM and it does have flash

on it but then how do I deal with this so the way we deal with this is in this particular chip here there's no data sheets available on it couldn't find any data sheets but since all the manufacturers of almost every cell module use these type of chips in most of their cellular modules I did find a pin out showing this no data sheet but a pin out and we can see upper top of that we see those kind of a bluish green or turquoise looking those are actually the pinouts for the flash so we know what that is what do we do next well what we do next is we ball the those connections out so

why do we do this so the the ultimate goal is we're going to solder wires every one of these how do I make this more simpler it's about process well I found out to actually do this process and make it extremely simple is you reball it and you can use solder mask or you can use uh you know balls like this you can put them on there or you can use solder paste you can use screen you can do anything you want just get the balls on there first cuz once the balls are on there first you can take 40 gauge wire press it up against the Ball tap it with a solder iron and actually rewire

it so we're going to rewire this up but then we have a problem one we don't have a chip reader that can actually read this but the cool thing about memory chips flash memory chips especially multi- chip packages manufacturers do not recreate silicon different for every device they make so more than likely what what's in this chip package is probably in the same company's other chip package structures so what you do is you get a sales slick sales Slick's going to tell you the type of flash it is how big it is it's bit levels all the key things you want to know and then you just go back to the manufacturer start looking at all of its other chips and

find one that meets those same stats and then what you do I built these zip sockets so I can hand wire all of those connections into reader like this right here and then we lie to the chip reader instead of saying hey it's this type of Chip and this particular case I just told it it was from the same manufacturer but it was actually a 48 pin ship that matched all those same stats now eight out of 10 times the chip reader going you're right and every chip has an ID and it's going to say it matches the ID for that because the silicon's the same this particular case it did not so all I did was say well

just ignore that because we know the design of the chip the chip settings chip structure are pretty much the same as this other one so just lie to it and say just ignore the identifier for that chip and read the data anyways and that's what it did and it actually dumped all of the flash memory off of it without a problem trying to get uh other team members to do this it kind of freaks them out to be honest with you it's like oh my gosh Daryl when I hold that chip in my hand I can't even see the balls well put it under a microscope give it a try so the typical way it takes place is

when one of our team members encounter something like this we don't have a chip reader it's a BGA we don't have a socket for it they usually drop it in an envelope and mail it to me and I usually do this and it takes me about an hour to set one of these things up and actually get the flash memory off of it most of the time it it's it's pretty simple once you have a process in place place and I wrote a Blog on this entire process so if you go to Rapid 7 site look for my blogs you're going to find detailed stepbystep approach on how this whole thing is done and how the process was

streamlined uh putting the balls on there I actually lay those by hand um it's it's everyone goes it it's not that hard trust me I'm like 62 years old and I usually drink too much coffee in the morning and if I can pull it off most of you should be able to pull it off too if you're Hardware hacking you just got to challenge yourself and kind of go to that next step so circuit board intership Communications so oh gosh yeah we have this was a project I was working on so we were wanting to look at cellular Tech and uh this board this right here actually has is a field camera so this is a trail camera it's cellular

based and um I was using this to Hackle on it because I was looking for a cellular module that was used in USB for communication between the main microprocessor so it turns out when you look at cellular modules there's two ways for the main CPU to communicate to cell your module it's either USB or uart so it's USB what's known as Manu art it'll use one of those but it won't use both of them if it happens to be a device that is uh just send in Telemetry data which is low bandwidth type data it'll often do it all over uart it'll also take commands to the cellular module via that same uart this I

purchased because I know it's moving audio video um images High images so I knew it was going to need more bandwidth and it uses USB typically one of two of those will be used the other ones often completely disconnected in that case you use acupuncture needles up underneath the board to gain access or it's in circuit but just not being used turns out this was actually still connected in circuit not being used so we had the USB uh this is a beagle 480 I purchased this device for the main purpose of actually tapping into inter chip coms with USB it's 480 MHz for high-speed interchip and there's no logic analyzers that any of us in this room can afford that can

run at those speeds uh and OC Scopes are even more expensive to run at that speeds there so in this case here uh there's manufacturers that create USB sniffers most USB sniffers are designed to do in line that means you plug the device in it runs through the device here I was looking for a device that would allow us to do interner chip connectivity sniffy turns out the total phase said hey our device can do that so I bought it gave it a try and it works amazingly well so to be able to make it work you have to add some new circuits so you have to put in 20 to 40 ohm resistors and connect them goes to the uh D+ D

minus on the device before you connect your device up that's for impedance matching purposes manufacturer points that out and that's almost the case with anything dealing with USB because it's very easy to load down a USB bus so you tap those in you hook the wires up to your USB reader like we have here uh the uh the red and the black that's ground and 5 volts because uh the power isn't available for the USB because it's in circuit and it was running somewhere on the board I want to find it so I just hooked up an external uh power supply to it to trick the Beagle but there's also some software changes you can make into

the Beagle that'll allow to just ignore those voltage requirements before it'll start listening so let's go ahead and look at this yeah I'm running out of time here but uh so the goal is I want to capture this device and remember for interchip comms we know everything going out on sell this thing is encrypted okay so we can't see it the thing we find out about interchip comms it's rarely if ever encrypted so let's go ahead and take a look at this so Power It Up we turn our device on it starts communicating a bunch of handshake data we're going to go ahead and we're going to select data we're going to filter out just a data go into

the cell module get rid of the USB handshake crap we don't want to actually look at that and we instantly see a lot of AT commands anyone remember I don't think anyone's old enough the old cable the old modems they had AT commands cellular devices or communication devices still use at commands Okay so whether it's cellular or satellite modules or even Wi-Fi modules a lot of them like Express FS will take USB or at commands so we can see the AT commands and we kind of drill into this stuff and we can see all the configuration data being sent to the device we can see who it's connecting to out there uh for its cellular

service uh we can see a lot of configurations but the cool thing here is let's go ahead and sort through this thing take a quick look at actual data we're going to look for bucket cuz I know that's a key term that I'm looking for in there and uh we can actually see the actual Communications unencrypted going out to the cloud so here we can capture all the keys the passwords we got one of them will actually show the buckets we're connecting to they has three buckets so we can see everything is connecting out there all the authentication for all the transfer so now I can basically if this device or this service is online the S3

buckets typically would be we can just get rid of this device and then we can start testing directly into the cloud services and check the security related to that for a particular product so and that's the configuration of the device there so all the devices settings and configurations that are being going back and forth we can actually capture all that so this makes it really easy I don't have to worry about the encryption taking place on any end of this device I can go between microprocessors on the device between the microprocessor and the cellular device and actually capture all this cool data to do further testing and checking and Analysis from a security standpoint so at commands so we're not

going to go deep deep into AT commands but there's five types of AT commands we listed here we have test read write and execute these are used to configure their cellular devices all cellular devices out there publish their at command modules the interesting thing is the at command modules are not comp or manuals are not complete so just because it's not listing certain commands don't mean they're not valid so to test this we created a bunch of scripts where we put all like um the different manufacturers AT commands in and we can run the test mode and check to see if they're valid or not on a particular device we can also do a read and pull back all the

settings and configurations that are actually on the cellular module and see what's going on there that gives us the ability to find other cool interesting things associated with it so now that we can go to inter chip and start looking at this data what about injecting data so in this particular case I said the USB and at were both hooked up but the USB was the only one used for commands in this particular case and transfering of actual data so we can tap into the uart we have to cut the lines because if the lines are connected in on uart you still can't inject data you can sniff it but you can't inject data because you're not ter you're not a

terminating point in the actual serial Communications but if you cut the run you can do that so we literally we hooked up the wires we cut the runs we route everything out to a board so we can hook up any kind of test equipment we want to hook up we use that for capturing analysis injecting so if we're going to work on cellular modules My My My ultimate goal is understand how do we take these devices and weaponize them how do we take a device and go hey I want to test the overall ecosystem but I'm only one part of the ecosystem and I may not even have access to the other part of the ecosystem that case it would

be like a private APN now this device here is using a public APN it's a specific iot but it's still public public APN it goes to the cloud services which we can get access to but we encounter a number of devices that's not the case only the device has access to this private connection if we have the device we have access to this private connection and the way we would do that is taking control of the cellular module in circuit to actually do things so we're going to do an example here now I've run this several times I'm never quite sure where the audience gets what I'm doing here this device is functioning normal it is acting like a

camera it is taking pictures that are synony to the internet but what we're going to do is we ran our test scripts against this and we found out that there was a bunch of commands that weren't documented for this particular module socket commands socket commands gives us the ability to set up TCP or UDP sockets outgoing from that device so the goal was let's go ahead and do it so in this case here we have a Serial console hooked up so that we can see the device come online because the module will still send a command back to the CPU the CPU is just ignoring it so we're going to run this and what we're going to do

is we are going to actually see this go into ready mode we're going to shut that down we're going to spin up a script we wrote using the socket commands and we're going to turn that Mo module into a port scanner so you see me powered up and you'll see a ready come up over here so we know the module's up and running got to make sure it's all configured connect it Power It

Up okay we're ready so we're going to shut that down we're going to set up our python SC script and the python script set up to go out and carry uh out these uh Qi open and Qi close here's a different command so that's closed that's open that one's closed and we're open and closing socket ports to devices on the internet uh to validate that Port 80 is open port 3389 is closed on this device so literally we turned the device into a port scanner so if we think about this and we are actually connected into to a private APN now we have the ability to scan their backend services that no one on the internet has access to we have the

ability to set up connections also a lot of these modules are capable of doing uh basically USB Ethernet so literally you could reprogram it turn it into a a basically ethernet router and gain access to the backend isolated services for further testing and potential attacks [Music] so I want to do this really quick so uh to point out something we also looked at a Smart Lock a number of years ago we did the same thing it was a ble Hub we connect out to it we cut the runs on this thing rerouted it out to a breakout board and we can capture various data in this particular case we can capture this control in this lock and we were able to

decode the communication structure it had a Mac encoding that was for the BL this Mac encoding turned out that we can actually feed various commands to the B and it would respond back with this Mac encoding to the point where we're able to map out the actual encoding mechanism and then we're able to send commands to the B and reprogram it even though it was designed to only connect to one lock we were able to reprogram it to connect to multiple locks and control multiple locks at the same time and that last unknown that happened to be a c the certificate the authentication code one lock we had this was actually fixed I think this is fixed it never changes so

if that's compromised and that's a derivative of what you enter in when you register the device if you crack that at that point you can weaponize any of these BL units to take over other locks and control them potentially so uh to expand on that we wrote a tool called a Caren proxy it's a proof of concept but it's actually a python tool that lets us actually proxy inner chip communication Sero interchip communication so we can capture data going in both directions we can see it going in both directions we can actually save it and then we can actually set it up to rewrite it and inject it back in automatically as a testing method for

doing that so running out of time here I I'll make sure we got time to transfer uh to the next speaker so that's my presentation here is um different blogs and papers I've different written on different things please check those out uh I'm always generating new research projects and Publishing every year and I think they're fun and interesting and hopefully you guys got something out of this he enjoyed it