
Making the most of your Hard(ware) work

BSides Canberra · 2018 · 47:39 · 68 views · Published 2018-06
Speakers: Joe FitzPatrick
Style: Keynote
About this talk
BSides Canberra 2018
Transcript [en]

We really are very privileged to have our next speaker with us, our technical keynote, Joe FitzPatrick, who's come all the way from the US to give this presentation. Joe FitzPatrick is an instructor and researcher at SecuringHardware.com and really is one of the best hardware people in the world today. He's spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. So let's welcome Joe to the stage.

Thank you very much. Thank you very much for having me, and thank you for coming right after lunch. I find right after lunch to be one of the most interesting times to present: all I have to do is make sure

everybody stays awake, and I have succeeded. I know this because I am a chronic faller-asleep when sitting down; I think it's because I'm always under-slept, but so it goes. So today we're going to talk to you about making the most of your hardware work, making the most of your hard work when it comes to hardware. A little bit about me: I'm Joe FitzPatrick, you can find me on Twitter as @securelyfitz. I've spent 15 years doing lots of fun things with hardware, and I would say working on hardware for 15 years, but I can't really claim all of it has been actual work. I did silicon debug on desktop and server CPUs,

followed by some pen testing of desktop and server CPUs, which led me into training. I was training people who do hardware validation, to make sure your chips function properly, to help them find security vulnerabilities in silicon. So these are the people who maybe would have found the cool stuff like these side-channel architectural bugs we've been finding lately, but perhaps they missed them. For the last five years I've been doing SecuringHardware.com. I do physical attacks training: basically, let's get physical access, let's take apart some hardware, and let's learn what we can do. But I also have been doing a couple of events called Hardware Security Training along with other people who do hardware security training, aptly titled.

Hard what? So a lot of people will dismiss hardware. Hardware attacks are too difficult: there's a lot of work, you have to get wires, you have to solder, you have to have physical access to things. There's also "physical access is too high a barrier for attackers". In order to attack with hardware you actually have to have some hardware knowledge, you have to actually add physical hardware, you have to have physical access to a system. There are all these factors that make it such that hardware is a little bit harder than software, so maybe it is named appropriately. One that I hear a lot is that only nation states and their victims need to worry about malicious

hardware. OK, so for a long time people said, oh, this evil maid attack, these implants, all this stuff that you talk about, this is all fantasy. And then about eight years ago, six years ago now, there was this leaked ANT catalog from the NSA of all these cool toys that the intelligence community had to go and exploit systems, little pieces of hardware, and this actually showed that there are people doing this kind of work. There are actual, real hardware implants that are malicious. And what's interesting to me is the fact that what was $50,000 in 2008 was reproducible for $100 in 2014, and you can buy it on Amazon for $10 in 2018. If

you'd like to, I don't have a picture up in the slides; come find me the rest of the day today or tomorrow and ask to see the USB cable I have. So let's go with a little story. Anybody familiar with Jemima Puddle-Duck? This is a Beatrix Potter story. Jemima Puddle-Duck is a goose; I've got a duck, should I not? Right, a duck. And all her eggs get taken away from her because, you know, that's what geese are for, alright, sorry, ducks are for: you harvest their eggs. So she decides to leave the farm and go looking around, so she's kind of like a software person looking for a hardware platform

to work with. So she doesn't really know what she's looking for. She goes down the street, she finds, freaking fox's name, she finds a fox. The fox is, oh, you need a place to lay your eggs? I have the perfect spot for you, come down to my shack, I'll give you a nice warm bed, you can lay your eggs there, I'll even help you keep them warm. And this is the unknowing software person going into the world of hardware and having someone say, oh yeah, we have secure boot, yeah, we have hardware crypto. So she sits on her eggs, and they're getting close to being hatched,

and the fox is, oh, you know, next time you're in to the farm, would you just grab an onion and some celery? And she's like, OK. So she goes into the farm, she's talking to the dog, and says, hey, I'm staying with the fox, he's great, he gave me a place to keep my eggs, but I just need to get him an onion and celery, I'm not sure what for. The dog kind of has a clue that she's being played, so the dog calls his puppies and they follow her back, and when the fox tries to trap the goose, the duck, sorry, in the barn, the

dogs come and save her. OK, the point being, you have yet another hardware security vendor showing up to save the day. The thing is, when the dog shows up with the puppies, the puppies go and eat all the eggs. So this is supposed to be a kids' story; I'm not sure what kids were like a hundred years ago, but I think it's pretty interesting. So let's take this into consideration. All this stuff about hardware being difficult is true. It's harder than software. It has a lot longer development cycles: with software, you make a change in the code, you compile, you're done. When it comes to hardware, when we're

talking about simply an embedded device, we can make a change to code, we have to compile it, but then we have to get that code onto the piece of hardware. We've got some nice microcontrollers that make it a lot easier now; we can do it wirelessly, we can do it over the air. But even when you get down to the lower levels, when you have to rebuild hardware, actually respin boards, instead of taking moments to rebuild or make a change, you're talking about weeks or months. Because of this, you get fewer development iterations. The moral of the story is, when we have hardware that is developed like

this, hardware gets pushed out a lot quicker and a lot less refined than the software we expect you to use on top of it. And lastly, it has real, tangible costs. It's pretty easy to install a development environment on the laptop that you already have and start coding away; when you want to actually dive into the hardware, you have to go to a conference and get a cool badge that comes with a microcontroller to get you started. So when it comes to attacking with this hardware, hardware attacks are riskier to deploy: you actually have to physically be somewhere, you might actually get caught. When you do it over the internet, you could be

that 400-pound hacker in your basement, or a troll farm in Russia, or anywhere else in the world, who knows. There's a nonzero risk of you bricking the equipment you're dealing with: if you have a hardware attack that involves opening up someone else's computer and soldering to it, you'd better be very confident in your soldering skills. And lastly, they just don't scale. Because of this, because you need this physical access, because you have to have devices that cost money, you can't scale this like you could a software attack. It's easy to go and fire off a Mirai-type attack on a bunch of IoT devices, because you can just do it with a loop. We

don't have the ability to do "for i = 0 to 1 million" with hardware. Because of this, though, hardware goes a long way. There are a lot of people who are ignorant of hardware vulnerabilities. We heard earlier today about the whole Spectre/Meltdown realm of issues, and what's interesting to me is it's been over a decade that we've known that there are timing side channels in CPUs, but it was only in the past few months that people started realizing we can actually exploit these, and it's only in the past couple of months that we've actually seen a response where we actually fix some of these things. There's also a general laziness, aka

efficiency: when a hardware attack is not realistic, why would you bother putting all your effort into protecting against it? And again, there's this perceived barrier to entry: you can't get into hardware without some hardware to get started, whether that means you have to go to a conference and get your badge, or you have to go and order parts, whether those parts cost $5 or $50 or $50,000. That's something that just doesn't exist without a hardware situation. So, another story. We've got the ugly duckling; I think you've all heard of this one. The ugly duckling is one that is born into a family of ducks and just doesn't fit in. No matter

where the ducks go, the ducks in this are like, yeah, you don't belong here, you're not welcome. I didn't go so far as, well, it depends on the version of the story, depending on how kid-friendly or how PC the version of the story is. This ugly duckling is outcast, and I kind of see hardware as the ugly duckling for a long time. But now that we start to see a lot of these issues, the ugly duckling is kind of growing its feathers and showing up to be quite a potent actor, and a beautiful swan, perhaps. So what can we do with physical access? Let's go through a couple of scenarios of how we

might attack with hardware. If we decide that we're doing a pen test or red team engagement against someone, something, an office that has a certain model of router, how can we get our hands on the same model of equipment that they have? eBay, or just actual retail channels. And then, can we learn anything just by looking at it? When I get a piece of hardware, the first thing I do is open it up and see what I can find, and usually the most valuable thing to grab off of this hardware is the firmware. So we've

got here a picture of an SPI flash chip. This little chip costs maybe a dollar. This is the chip that holds your BIOS when you boot your PC; this is the first code that's run. This is the chip that holds the firmware for your Wi-Fi router; when it powers on, it loads an entire Linux kernel right off of that. So this tiny little chip is quite potent in what it can do and how it can give you control. Also, to take a step back, it runs very standard protocols. When we're building hardware, hardware is kind of the bottom of the barrel now; everyone wants to make it as cheap as possible. So this chip

is made by Winbond, I can tell that because of the label on it, but there are 15 other manufacturers that'll make an identical chip that fits in the same spot. In order for this to work, and to make hardware reliable and affordable, we need to have standard protocols. So it's totally trivial for me to hook up a logic analyzer and listen to this protocol, and know it's going to be the exact same protocol that I see on any other SPI flash chip. But here's the thing: do we even need to go to that level of detail? Do we need to go and put the effort into hooking up wires to the system, or can we get the

firmware another way? What happens if we just go to Netgear's website? "Welcome to the Netgear download center. To find documentation, firmware, software, or other files, enter a model number." So you type in the model number of the device someone else has, and there you go, you've got your firmware image. You don't always get a full firmware image, so that can be a dilemma; you might actually want to go and get an actual system to dump it. You may not get all the revisions of the firmware, so you may actually have to find a piece of hardware to dump it, to get the exact same revision of the firmware on

your actual target. But it's a great place to start. So we've got this firmware image; what do we do with it? Well, slice and dice it. There's a tool called binwalk. It's pretty straightforward: you run binwalk and the filename, and it goes through and looks for all the files, all the filesystems, everything in this piece of hardware. And so here we see we have a Linux kernel, we have some compressed data, and we have a filesystem. OK, that's all pretty cool. When we extract that filesystem, we have a whole bunch of files, and we just look for the right file. So there we go, we've got our shadow file, we've got a bunch of

hashes. And if you're a bottom-of-the-barrel cheap hardware manufacturer, you're not going to put a lot of effort into having good root passwords, I bet. So after a few minutes of cracking those hashes, you'll find that one of them is "a" and the other one is "admin", or something silly like that. The point being, we're done with the hardware at this point. Instead of spending all our time taking hardware apart, disassembling hardware, desoldering anything, we've taken what we know about hardware, we've extracted the firmware, we've turned it into a software problem, and we've got credentials. So making the most of hardware is making the most of all the information you have

to at least turn around, spin it, and turn it into a software approach, and we win. If you want to learn more about this whole process of reading firmware, there was a recent presentation that I thought was really great by Cybergibbons; you can go check it out. He gave different ways of bypassing code read protection. It's not always as easy as having a standard chip that has a known way of dumping stuff out. It could be that the microcontroller has a fuse blown, a manufacturing bit set, that says, no, you're not allowed to read the firmware, so you have to use some more advanced hardware techniques.

But we won't worry about those now. So we've got another little Aesop's fable, the duck and the golden eggs. A farmer had a duck, and every day the duck would go and lay a golden egg, and the farmer's pretty happy about this, because golden eggs are made of gold and gold's valuable. So he got a golden egg every day, and after the next couple of days he's like, oh wow, I want all the golden eggs now. I want all the firmware, I want all the secrets this hardware can give me. So let me go get that duck and slice it open and find all the eggs. Of course, he

slices the duck open and only finds one egg. I guess the moral of the story, and how it applies to hardware, is: get what you need off of a system. Dump the firmware you want, get as far as you need to without destroying your hardware, because once you've destroyed your hardware, it's a lot more difficult to repair it and get it back. That might be a stretch, but again, if you're hooking up to hardware and you're reading stuff off of there, loose clips can fry chips. So be careful when you hook your wires on there; you might destroy things, and it really stinks when you only have one piece of hardware and you're trying

to get firmware off of it and you fry it, and you then realize immediately exactly what you did, and then you go and buy another piece of hardware for another three hundred dollars, and then you hook it all up and do the exact same thing again. And I wish I had only done that once, as in the whole scene of frying two pieces in a row. It happens. So what else can we do with physical access? Let's say we can't get firmware for some reason; we have a chip that has readout protection or something enabled. Well, let's look at other things that we can observe. What can we observe? Does the system have flashy lights?

Flashy lights are kind of great, because everybody loves flashy lights. So if we look at those lights: you might have hardware at home that has flashing lights, and all you know is it flashes. That's not true; it doesn't just flash, it flashes for a reason. Whether it's telling you CPU usage, whether it's telling you disk access, network activity, those lights are actually useful information, and if you can observe your system long enough to understand what it's doing, you can literally characterize a system just by watching flashing lights. These are actually special flashing lights: you'll notice I have clips attached to them. On this actual system, the flashy lights also serve as JTAG pins, so I have

a debugger hooked up to those flashy lights. Well, that's another story. What about power consumption? Every single system that you have consumes power. Now, you can do this at a coarse level: you can look at the power at an AC wall jack and see how many watts of power the system is consuming, and it'll give you the coarse information: am I doing a lot of computation, am I processing video or crypto stuff, or am I sitting there idle? Just that much information is useful. Or you could get a lot more fine, too, and use an oscilloscope and look at the voltage over a small resistor in the system, and you can see very carefully

what we're looking at. In this image, on the left side, we have a blue line, which is a normal operation mode, and then this chip goes to sleep for 15 microseconds, and then it wakes up and it spikes. Well, the reason this chip goes to sleep for 15 microseconds is because they don't want you to know how long it took to match your password. So what happens is we start, we compare passwords; let me give this stuff back so I can explain. This is a PIN-matching system: you type in a four-digit PIN, it checks your PIN, and it unlocks the safe when it matches.

So what it's doing is it's going to go and calculate those four digits and say, OK, your four digits match, or your digits don't match, but I don't want you to know that I figured that out yet; let me wait a few more seconds and time it. But by looking at the power consumption we can see, oh, it actually took, let's say, three microseconds to calculate, and then it spent the rest of the time idle. We can tell what the system is doing by looking at fine-tuned power consumption. I even tried at one point in time to reverse engineer a cookie recipe by looking at the power consumption of a stand mixer, and while I

was able to identify whether I was adding eggs or flour or butter, I never actually got the quantities exact. So I did a lot of testing, and lots of things were really good, but not many of them looked like cookies. A system is going to access data, whether that data is stored on flash or firmware or it's stored over a network interface. It doesn't matter; every time data is accessed, something's happening to the system. So if we take the time to observe, whether it's flashing lights, whether it's power consumption, whether it's data, and we can get a steady-state image of what the system is when it's doing nothing, then we start poking it, then we start making

it do things, and we can actually learn more about what it's doing. One of the greatest things we can get off the system is debug output. It'd be really cool if we could just hook up a wire and log in and get a root shell, but it doesn't always work that way. Sometimes we'll look at a board and we'll find just a serial port. This PCB is the same as the PCB that's inside a monitor that I used to have, and it's not a smart TV, it's nothing fancy, it's literally just a monitor, but it is running Linux on a MIPS CPU, and it does have debug ports, and it does have firmware, all to run the on-screen

display. So we go and we look, we find the serial port, circled in red at the bottom, and we hook some wires up to that, and we can decipher it with a logic analyzer. A logic analyzer is a tool that 10 years ago, maybe 15 years ago, cost $10,000, but now you can have one; I have one somewhere. Like $10 for a cheap knockoff logic analyzer, $50 to $100 for a decent, low-spec, simple logic analyzer. And we can sit there, we can observe these signals, and know exactly what the system is saying. Once we have characterized exactly what we're looking for, we can use a purpose-built tool, a

serial cable. I carry half a dozen of these with me at any point in time, because once you figure out how to hook them up, you just want to leave them hooked up; they're so cheap. You hook it up and you get a serial console. You may not get an interactive console; you might just get debug output. And what's that useful for? Let's say you have an IoT device, and you're a software person, a web app person. You go and you hook it up to the network and you start doing your web-appy stuff and using those software tools that web app people use. I don't know much about it; I

think that's obvious from the way I'm talking about it. But you get to a login screen, like, oh, I want to log into the system, so I want to log in as user "AAAA", and you hit enter, and then the system doesn't respond for like two minutes. What's it doing? It's rebooting. That doesn't really help you; you know it reboots when you hit "AAAA". But if you have the debug output, and you get the crash dump every time it crashes, what do you get? You get registers, so you get the instruction pointer, you get code, you get stuff out of memory. So you get all the information that you need to go and turn

what is a physical access attack, I'm sorry, use the physical access you have to enable your software attack, and you win. So maybe you're a little bit paranoid. Who here has soldered before? Who here has burnt themselves soldering before? Who here has destroyed hardware soldering before? Keep doing it; you'll eventually stop doing it. You'll still do it, just less often. So if you're really paranoid about soldering and wires and stuff, there's USB. USB is great, because it's like hardware attacks with safety gloves on. There was a report done by a group in Israel where they said there are 29 flavors of USB attacks, and they grouped them into four different categories, and I think that

there were a couple of redundancies in there, but it was a really nice index. So we have a malicious hardware device: this is a piece of hardware that's designed specifically to be a bad USB device. It's a development board or a chip or a circuit board designed to be malicious. Then we have malicious firmware on an existing device, and I like this better, because as much as I am a hardware person, hardware is a lot of work. Why would I build a hardware device when I can just take someone else's existing hardware device and reprogram it? It's a whole lot easier. Or you even have a normal device that behaves properly, and you put a

malicious payload onto that device. So you might take a USB drive and put some bad files on it; you might take a network adapter and modify how it routes things. And lastly, there are malicious electrical attacks, the USB Killer scenario, where you have a device that you plug in and it electrocutes your computer with lots of volts and makes smoke come out. A less elegant attack, but depending on the scenario, it might be really effective. Make backups. What's cool to me is there are commercial tools to do most of these, so if you want to dabble with hardware attacks, even if you have no hardware skills and you don't even want to look at a circuit board, you can go to Hak5

and you can buy the Bash Bunny or the USB Rubber Ducky and implement a lot of these different categories of attacks. At the same time, you can homebrew almost all of them and not need to solder. This is a Teensy microcontroller. I really like these because they have a really robust USB stack, and they also are Arduino-compatible. Who really loves Arduino? Who really hates Arduino? The reason why I like Arduino is because it's a single-click installer, and if there's something I dislike more than software, it's toolchains. So I like Arduino because you can just get a toolchain, you just single-click install the stuff, and you have everything you need to program and write code for a device.

So this is the Teensy. It does a lot of USB stuff. I've used them for scripting keyboard attacks; I've used them for more bespoke USB maliciousness. They're quite powerful, and they're like 10 US dollars. And here's a little bit about another factor in this: even though you can go and buy a USB Rubber Ducky, it makes sense to go and grab a microcontroller and program your own USB HID attack, your USB keyboard attack. Because if you're familiar with PoC||GTFO, the International Journal of Proof of Concept or Get The Eff Out, it's a periodically published "journal", in quotes, with lots of neat hacks and tricks and other things, and Travis

Goodspeed, in one of the very early issues of it, mentioned a parable about building your own bird feeder. And the moral of the story is basically, just because you can go and buy a bird feeder ready-made, or just because there's someone else who's a professional bird feeder assembler, doesn't mean that you should avoid the process of going through all those steps to build it. What's great about this is you learn more than you'll expect. You'll learn all about the process of building a bird feeder; you learn all about the process of finding wood and selecting wood and using the tools. So it's really an education to go through this process and do it yourself

instead of just going off the shelf and getting tools to do it for you, and then you win, because you've learned something. So this other story, the story of the Mallard and the Woodcock. The Mallard is giving the Woodcock a hard time, because the Woodcock is a very picky eater; it only eats very certain types of food. And the Woodcock is giving the Mallard a hard time, because the Mallard eats everything; anything that is floating around in the water, the Mallard will gobble up. And the way the fable goes is, the Mallard is fishing around, swimming around, and swallows a fishhook and chokes on it and dies, and the Woodcock

is looking for food, so it flies away to another pond and gets caught in a net and dies. And again, I'm not really sure about all these fables and what message we're trying to send kids, but the moral here is about criticizing others' faults. I've encountered people who are like, oh no, no, no, USB HID attacks, that doesn't count, that's old news. Well, why would you criticize an attack that works reliably so often? How many of you have plugged in a USB device that you didn't fully trust? How many of you know you're not supposed to do that? How many of you

did it anyway? Sometimes you've got to get work done. So you can't fault the user for plugging in a USB drive; you can't fault the user for opening someone else's. So don't fault anyone for their quirks or idiosyncrasies or their strange eating habits. That one's a little bit of a stretch. So let's talk a little bit deeper. What about fancy interfaces? We went from all the wires and looking at circuit boards and soldering things on, to USB, where we didn't have to go and do anything; we just have to plug in a little socket that has the pins already in the right spot for us. What

about fancy interfaces? PCI Express is hard. I've been playing with PCI Express for a long time. It's running at 2.5 to 8 gigahertz; that's slightly faster than a serial port running at 57 kilobits per second. It's locked up inside the PC; you're not supposed to touch it. You're supposed to turn off the computer, you're supposed to ground yourself, you're supposed to plug the card in the slot, screw it in, close the case, and say your prayers before you go and power the system on. If you want to go and tinker with it, you can't do like the olden days, where you just get a parallel port and you hook up

wires and you can send bytes and bits to it. It's not that easy. So here's just a photograph of a handful of the PCI Express hardware that I've tinkered with. We've got an FPGA board, we've got some cables and adapters to plug PCI Express into different form factors and cards that I can stick into it, we've got some tiny FPGA boards, as well as some ASICs that are programmable and let you do interesting stuff with PCI Express. So there's a lot to it. PCI Express is hard; it's also expensive, sort of. But here's the thing: if it were too hard, no one would use it. We have little microcontrollers that have PCI Express,

so you can go and buy embedded devices using PCI Express that cost anywhere from like $10 to $100. If PCI Express were truly hard, there'd be no way to develop, never mind test or sell, a product that used it. So it automatically connects and negotiates; cool, I don't have to worry about any of that stuff. It has lots of layers of error checking and correction built into it. Basically, PCI Express was designed so that if a really bad designer built a board, it might actually still work, and it wouldn't be, well, I mean, it would be the designer's fault that it was low quality, but there's a high

likelihood of success. FPGAs can do PCI Express out of the box. One of those devices I showed before, two of those devices, the large one in the upper left and a very tiny one in the upper right, are both FPGA-based boards, and you can see there's a huge scale difference, but both of them are able to do PCI Express out of the box. You do have to download like 20 gigabytes or so of vendor tools and install them, but the vendor supplies you with demos that let you do memory attacks, or sorry, memory tests; attacks, tests, whatever, same thing. Thunderbolt is great; Thunderbolt can do it too. So consider the security implications

here. Let's make a way of connecting everything inside of our PC: we want to connect our memory, we want to connect our graphics cards, we want to connect our network adapters, we want to connect our CPU, we're going to connect multiple CPUs even. Now we'll put it all on a single circuit board, we'll put it inside a box, we'll close up the box, and we'll say that's our security boundary. And we have this security boundary, and that's it, we're done, we're complete, this is great, awesome. Except for step 4. Any ideas what step 4 is? A decade later, make it externally accessible. So we build an interface, and even if we do think about

security, we think about it from the perspective of saying, oh, this is an interface, this is a valuable interface, but it's OK, because it's constrained, it has a barrier to access. And then you say, oh, let's make it into Thunderbolt. So this area has a great history of DMA attacks and other stuff, going back to some awesome FireWire attacks 10 to 15 years ago, a long time ago, and also some PCI Express attacks over Thunderbolt only like six years ago, or eight years ago. But what's really interesting to me, and what I like to point out, is the pattern and trend. Who here is familiar with 386 paged-mode memory accesses? This is the great new

thing: 32-bit memory, flat memory addressing, every process has its own memory space. This is great. Why? Because if we have a process that's doing bad things, or making mistakes, or has errors written in, it's not going to take down your whole operating system. 386 paged memory was intended as a reliability feature, to make your operating system more reliable. At the time, it was not intended as a security feature to protect your process from other processes; it's not designed from the beginning to be a protection against malicious processes. So, am I online? Am I getting text messages from someone? Let me get offline, sorry. So, back to the topic at hand.

so that's 386 paged-mode memory. How about embedded graphics, right? Have graphics always been embedded? No. We used to always need to have a discrete graphics card, right? And then we started having embedded graphics, but these embedded graphics were actually just chips on the motherboard that were graphics cards, and then they were chips in the chipset, so we'd have a CPU and a northbridge with graphics inside of it. Now we're at the point where our CPUs have graphics embedded right inside the core and the interconnect between the various cores in the processor. So we take something that was outside of our security boundary and we move it inside our security boundary. This is

where things get sticky, because you're not going to build graphics from scratch when you move the location of it. How about IP blocks on an SoC? And it's funny, because this is the second time this week someone said "S-O-C" and not "sock", and it's funny because when people say "sock" I think SOC, and when I say SoC people think "sock". Not a systems operations center, but a system on chip. So when you build a system on chip these days, you don't build it all from scratch, you don't build it all yourself. You go and get third-party IP blocks that do the jobs you want them to do, and you glue them together, and you send this off

to a third-party manufacturer that ships you back a bunch of chips that may or may not work, right? Well, how do these things communicate with each other? There's an interconnect, right? This interconnect is designed for all your valuable I/O, but when you have a situation where your third-party audio driver, audio controller, is sitting on the same bus as your security engine, is sitting on the same bus as your hardware crypto accelerator, you might encounter some very interesting kinks in your hardware's, in your security model and your security boundary that you're dealing with. And of course people say, like, oh, this Thunderbolt stuff is fixed, right? And for the most part it... well, no, for

lots of parts it is, right? On certain models of Macs they've actually done a really good job of protecting against all of the great Thunderbolt attacks and PCI Express attacks and DMA attacks that people have thought of. But here's the cool thing: hot swap predates Thunderbolt. A cool thing, here's a sad thing, bad thing, whatever, it's all perspective, right? Hot swap predates Thunderbolt. You used to have hot swap on servers, where you could, like, push a button and turn a key, remove a card, put a new card in. It's made for servers, but even systems that don't support hot swap fundamentally support the protocol and state machine that enables hot swap. You're not going to go and make a separate

PCI Express controller for your hot-swap systems, you're going to cut and paste a PCI Express controller into all of your systems. So if your system doesn't support hot swap, what can we do? This is the M.2 A-keyed, or sorry, A+E-keyed Wi-Fi adapter in a slot inside of a Chromebook, right? And so this is a little card, it's essentially a PCI Express slot. But when I put the system to sleep, so does the network card go to sleep, right? And when that card goes to sleep it stops communicating to the host system, and when it's asleep I can pull that card out, I can put my malicious card back in, and turn the system back on,

and it retains this device, and as long as we don't have too much traffic going to that device, the operating system assumes that that's still the network card at the other end. Which is great if you want to do your own stuff and you want to start doing DMA attacks against the system. Oops. I was looking at another system where we were trying to get some memory acquisition going, and we pull out these big, you know, 4U servers, and they've got a whole bunch of processors and lots of memory and all this stuff, and they have a whole bunch of PCI Express slots, and we're trying to figure out which one to do, or whether we

can, whether we can actually reliably put the server to sleep and wake it up. Usually you can't. And we found, I was looking through and I saw this chip. This is a PLX Technologies PEX8624, and I'm actually familiar with this chip. This is a PCI Express switch, so if you have a system that only has one PCI Express port but you want to put five cards in it, you use a switch, and it's kind of like, it's like a USB hub. What's really cool about this switch, though, is this switch is configurable, right? It's got some firmware that it uses and it's got a debug header, and the debug header is

only three pins. What's also really cool is this chip is designed for people who are building devices, and so they have to give you the ability and the support to make your system work. So instead of opening up this server and trying to find a PCI Express slot to stick my card in and coax the system into believing it should be allowed to talk, all I have to do is hook up to the three-pin debug header and I can inject transparent packets into all the PCI Express buses on the system. So, you know, sometimes you need the hardware, sometimes you don't actually need the hardware. I mean, we've got a little story, it's the fable of the

ducks and the fox. So these ducks are going to the pond, they're going from home to the pond. I don't know why they don't just live next to the pond, but they go to the pond to go swimming around, and they see a fox. Like, a fox, let's just walk by it. And the next day they're about to go to the pond and one says, oh, remember the fox was there, you shouldn't go the same way. Oh my god, don't worry, you know. And they walk again, and sure enough the fox is still there, just watching them, and see, nothing happened. The following day, like, oh yeah, see, the fox was there, nothing happened, we'll just go the same way

again. Of course, that time the fox is sitting there waiting with a bag to capture them, and unlike other fables they didn't get captured and killed, they turned around and ran back home. So what's the moral of the story, right? If you encounter a path that isn't working for you, if you encounter some difficulties, right, if you have trouble dealing with the fact that you can't find the right slot to plug your card into, take a step back, look for an alternate route, right? There's almost always an alternate route that's going to take you to the same endpoint that you want. Especially if you're new to hardware, this is going to be really

difficult, because you're trying to reproduce one thing you know how to do, and you're not taking the time, you don't have the knowledge or background experience to see all the other opportunities that are there. So it's difficult, but it's something to always keep in mind, right? When an issue gets fixed, is it actually fixed, or is it just remediated, is it just patched over, or is just one way of accessing this issue or exploiting this issue fixed? If something, again, let me try it, appears too hard, try a different approach, right? Your time is valuable, and there's no sense spending all your time banging your head against the wall on the hard things when there's all the easy ways in

just around the corner. I'm really good at doing that, the hard... yeah, banging my head on the wall. So we've got four scenarios, different ways that we can go and tinker with hardware and maybe get some privilege, and let's think about the techniques that we used, right? Hardware is hard, so let's try and make it easier, right? So let's come up with a sequence. We use physical access to do a hardware attack. Okay, if we didn't need to do that, why would we even be talking about hardware? Step two, we use that hardware to escalate software privilege, right? Okay, now we're done, like, we use software privilege to do all the dirty work. The joke I say over and over again, and I

should probably stop saying, because it's a little used: I'm a hardware person, right? I deal with hardware problems. As soon as I make it a software problem, it's someone else's problem, right? And there's lots of people who are really good at software stuff, and I'm not, so that's the opportunity to give that work to someone else, to turn the hardware issue into a software issue. So don't assume it's too hard, right? Look for the shortcuts. Is there an existing tool that will let you do what you want to do? Right, you want to attack via USB, you don't have to build it from scratch. It's useful to, but you don't have to be the one to build it up from scratch. Use a

tool that already exists. Is there a dev board that I can work off? Right, even if there's not a tool that already exists, you don't have to go and spin a PCB and solder parts onto a board. There are a million and one development boards for every single chip under the sun that let you go and test all these features out, all this functionality out, without actually having to build any hardware yourself. Can observing the hardware tell me more about the software? Right, we talked about the flashing lights, we talked about network and data access, right? When you just sit there and look at a system, you learn so much about what it's doing, why it's doing it, and when it

doesn't, right? When you can characterize a system in steady state, you can go and start poking at it, punching it, turning switches on and off, shorting wires out, and you'll actually see what's different when you do those things. Physical access is great because we take a scenario that would be a black-box scenario and turn it into a white-box scenario, right? If you're contracted to do a pen test on an IoT device and they say, oh, we only want to do a software pen test, we only want to do a network pen test, we don't want to do hardware stuff, we're not worried about that. Well, do you really believe them when they say that? Because if you

take five minutes of physical access and you get root shells on it, you know a lot more about the system. You take five minutes of access and get passwords off of it, you know a lot more about it. If you can take five minutes of physical access and get binaries off that you can reverse engineer, you know a whole lot more about that, right? If they want a software attack, using the hardware might be the easiest way to get the information you need to deliver that software attack, and perhaps you can point out to them that, yes, we could do this the black-box approach, or we could do it in half the time, or a quarter of

the time, and, you know, just look at the system. So with all these things, it's really useful to get help. You've seen in the background lots of little videos of little soldering things going on. I'm okay at soldering, I can get the solder to stick and not look too disgusting, but there's a lot of times when I really just want to make sure something works reliably, and if I'm soldering more than two or three wires, like when I decide to hook up, you know, sixteen wires in parallel, I pretty frequently get someone else to do that soldering for me, because I know a lot of people who are excellent at soldering and reliable and know and have all the

tools, right? So is there someone who can help you with the hardware components that you're not familiar with? It's really useful. On the other hand, if your skill is software stuff, is there someone that you can help with software, right? I'm always coming up with these hardware things, and I get so far, then it comes to the software spot, and I usually just leave them. So if you've got the software skill, that's actually a really valuable skill set: someone who has the hardware skills but doesn't know where to go once they've got the firmware off, once they've got the passwords out. You don't really need to do it all. And there is another fable, I couldn't find an

accurate picture of, the duck and the serpent, right? And the story of the duck and the serpent is that the duck is bragging, he's saying, oh, I can swim, I can fly, I can waddle around on the ground, and the serpent just kind of slithers around and says, yeah, but can you swim as good as a fish? Can you soar like an eagle? Can you run like a cheetah? You know, the point of them, the moral of the story, is you can't do it all, don't try to do it all, but there is great benefit in having the precise skills, there is great benefit in having a little bit of the other skills, just to give you the

information you need to know about what's going on. So how can we apply this? Let's say we have a hardware product. You can harden your hardware, right? Whether you like it or not, the software you have runs on hardware. If you're an app developer, your software runs on hardware. If you're a web developer, your software runs on hardware. If you're anybody else, yeah, your software runs on hardware. Even if it runs on virtualization, the virtualization runs on hardware. If you've got a hardware product, how much would someone spend to attack it, right? If you're worried about someone spending, you know, ten thousand dollars on, you know, CPU time to crack some hashes, right, maybe you should be worried

about someone spending a hundred dollars on hardware to break your hardware. And then, if you are down to the level of dealing with some hardware: don't mark your test points, right? Disable your debug output. I'm going through these couple of things very quickly. And assume your firmware is dumped. All of these are about expectations, right? Don't expect that no one's going to poke at this stuff. Don't expect that it's too expensive for someone to put effort into poking at these things. Just assume that someone's going to look at these things. Also, a lot of people talk about, like, exotic hardware defenses, like we're going to make chips that have meshes on top that make it obvious if

someone tries to tamper with our chips. And that's really great, that sounds awesome, but when you get down to it, you'll have these chips in systems that have active mesh protection, active mesh basically being a layer of metal on top of a chip that lets the chip know when it's been tampered with and can kill stuff, wipe firmware, and stuff like that, and they'll go and they'll leave open debug headers, right? And they'll go and they'll have firmware unsecured on a flash chip that's easily accessible. So it's the moral of the story of the ducks and the tortoise, right? The tortoise does have shells, right? Shells are cool, we all like shells,

but the tortoise was kind of sad because he only gets to walk around very slowly on the ground. So he says to the ducks, hey, would you, like, take me up in the air one time? I think it'd be really cool. And so the ducks are like, yeah, sure, we could do that, like, we'll hold on to the stick, you just hold on in the middle with your mouth, and we'll fly up in the air, just don't say anything. So of course they start flapping their wings, they get up in the air, and the duck is there, sorry, the turtle, is very excited to see everything you can see, and a crow flies by and says, whoa,

you must be the greatest turtle in the world, you're up here flying. And of course the turtle is excited, so, of course I am, and of course he opens his mouth and he falls and the shell cracks and he dies. Lots of death in these stories. I really didn't recall this when I was a kid, but apparently it's stuck with me. The point is, like, you know, how am I relating this? Don't be too cocky about the things that you get done, right? Don't think, oh yeah, I just dumped that firmware, I'm awesome, I can do anything. You'll realize that when you get too bold you're going to start frying more hardware, when you get too bold you're going to start

breaking more stuff, you're going to start missing all the little things that you should be paying attention to. So that's sort of that one, I kind of missed it. So hardware isn't as hard as it seems, right? A little bit goes a long way, for now. That may change as time progresses. And keep your expectations realistic, right? Don't expect to open up hardware and have it all make sense the first time you look at a circuit board, right? Don't expect to grab firmware off of a device and have it work perfectly the first time, right? If you come in with these expectations, then, you know, you're really just setting yourself up for failure. Most importantly, get help and

share what you find, right? There are people with skills that you don't have, there are people without the skills that you have, so if you can put those connections together, you'll actually have a lot more luck making progress on hacking around with all sorts of different things, whether or not it's just hardware. So to close, I'm going to just revisit this: Jemima Puddle-Duck. There's actually another Beatrix Potter story that features the Puddle-Ducks, and it's the story of Tom Kitten, and Tom Kitten is kind of this Tom Sawyer-y character that goes off and has adventures, and at some point in time he, like, goes swimming and leaves all his clothes on the side of the shore, and,

like, comes home and has lost his clothes and gets in trouble. But the Puddle-Ducks come up and they see these clothes, and they try on these clothes, and they're like, oh, this is pretty cool, and they walk around in kitten's clothes for a little while. I don't know what kitten's clothes look like. But then in the end they just get tired, so they go back to swimming in the pool, and they lose the clothes, and they sink to the bottom, and Tom Kitten never gets his clothes back. The point is, I have a point for this one: try things out, right? Try on someone else's clothes, not literally, I mean, like, try the hardware role, try the

software role, try the web app stuff. Having an understanding of what's possible in all of the aspects of information security is really beneficial to actually understanding how you can use your expertise in the most possible, best possible way. And with that, that is how I think you can make the most of your hard work. [Applause]