HackInTheBox 2016-V2-OPALE SECURITY

HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a software pentester

Transcript of HackInTheBox 2016-V2-OPALE SECURITY


Who are we?

• Julien MOINARD
  - Electronic engineer @ Opale Security (French company)
  - Security consultant, hardware & software pentester
  - Team project leader of Hardsploit
  - DIY enthusiast

• Yann ALLAIN
  - CEO
  - Black Hat, HackInTheBox, HIP speaker & trainer
  - Cybersecurity veteran (20+ years) / (old) electronic engineer
  - Former CSO of ACCOR (software domain)


Opale Security in 1 slide


Internet of Things & privacy concern?

• Any IoT object could reveal information about individuals
• Wearable technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded, and so on
• Quantified self: pedometers, sleep monitors, and so on
• Home automation: connected households using smart fridges, smart lighting and smart security systems, and so on
• …


Internet of Things & privacy concern?

• Latest news (you can update this slide every week):

Firmware can be read without any problem (SPI memory).

VTech was hacked in November, exposing millions of accounts.

In response, the firm took some essential services offline, meaning products could not be registered on Christmas Day.


IoT eco-system (20,000-foot view)

• Privacy risk level: where?
  - HF communication (ISM band) + WiFi + 3G-5G, Bluetooth, Sigfox, LoRa, etc.
  - Classical wired connections
  - Central servers, user interface, API, back office, etc.
  - IoT devices


Security speaking, is hardware the new software?

SOFTWARE
To secure it:
• Security products (firewall, antivirus, IDS, …)
• Security services (pentest, audit, …)
• Tools (uncountable number of them)

HARDWARE
To secure it:
• Few or unimplemented solutions (encryption with key in a secure area, anti-replay mechanisms, readout protection, …)


Hardsploit & hardware hacking basic procedure

• 1/ Open it
• 2/ Fingerprint all the components if you can, else automatic bruteforcing
• 3/ Use those that may contain data (online/offline analysis?)
• 4/ Perform read | write operations on them
• 5/ Reverse engineering: find vulnerabilities and exploit them


Global purpose


Why?

• Because chips contain interesting / private data
  - Passwords
  - File systems
  - Firmware
  - …


How?

• A hardware pentester needs to know electronic buses and needs to be able to interact with them:
  - 1-Wire
  - JTAG/SWD
  - UART
  - PARALLEL
  - Custom

Hardsploit framework

Same hardware, but a software update is needed to add new protocols.

• Hardsploit
  - Input/Output
  - Database
  - Module (SWD, SMBus, I2C, SPI, etc.)
• IoT target


Hardsploit bus identification & scanner (in progress, not published yet)

• Hardsploit
  - Input/Output
  - Database of patterns
  - Database of components
  - Module (I2C, SPI, etc.)
  - IO hardware mixer
  - Scanner
• IoT target


Tool of trade

Buses compared: UART (bus identification), SPI, PARALLEL, I2C, JTAG/SWD (bus identification).

FUNCTIONALITY   BUS PIRATE               JTAGULATOR                       GOODFET           HARDSPLOIT
MODULARITY      Microcontroller          Microcontroller                  Microcontroller   uC / FPGA
EASE OF USE     Cmd line + datasheet     Command line                     Command line      Official GUI / API / DB
I/O NUMBER      < 10                     24                               < 14              64 (plus power)
WIRING          TEXT (but MOSI=SDA :))   TEXT / AUTOMATIC identification  TEXT              LED / TEXT / AUTOMATIC identification


Hardsploit: Communication


Prototype making

• Applying soldering paste (low-budget style)


Prototype making

• Manual reflow oven (DIY style)


Prototype making (with a budget)

• The rebirth

16/03/2016

The board – Final version

• 64 I/O channels
• ESD protection
• Target voltage: 3.3 & 5 V
• Uses a Cyclone II FPGA
• USB 2.0
• 20 cm x 9 cm


Hardsploit organization


Chip management

• Search
• Create
• Modify
• Interact


Wiring helper

• Datasheet representation
• Hardsploit wiring module representation
• GUI <-> board interaction


Settings


Command editor


What is available on GitHub (open)?

• Microcontroller (C)
• API (Ruby)
• GUI (Ruby)
• Create your own Hardsploit module: VHDL & API (Ruby)


Already available (GitHub)

Parallel non-multiplexed memory dump
• 32 bits for address
• 8/16 bits for data

Wiring help

I2C at 100 kHz, 400 kHz and 1 MHz
• Address scan
• Read, write, automatic full and partial dump

SPI modes 0, 1, 2, 3 up to 25 MHz
• Read, write, automatic full and partial dump

SWD interface (like JTAG, but for ARM cores)
• Dump and write firmware of most ARM CPUs

GPIO interact / bitbanging (API only for the moment)
• Low speed (< 500 Hz) read & write operations on 64 bits


More to come (see online roadmap)…

• Automatic bus identification & scanner (@30%)
• Component & commands sharing platform (@90%)
• TTL UART module with automatic speed detection (@80%)
• Parallel communication with multiplexed memory
• I2C sniffing (shot of 4000 bytes up to 1 MHz)
• SPI sniffing (shot of 8000/4000 bytes half/full, up to 25 MHz)
• RF wireless transmission training platform (Nordic nRF24, 433 MHz, 868 MHz transceivers)
• Metasploit integration (module)??
• JTAG
• 1-Wire
• CAN bus (with hardware-level adapter)
• …


Concrete case

• An electronic lock system
• 4-character PIN code A – B – C – D
• Good combination – door opens, green LED turns on
• Wrong combination – door closes, red LED turns on


Concrete case: Open it


Concrete case: Fingerprint

• I2C memory: 24LC64
• STM32F103RBT6
• SPI memory: 25LC08


Concrete case: Online/offline analysis?


Concrete case: Hardsploit scenario

1. Open Hardsploit to create the component (if it does not exist)
2. Connect the component to Hardsploit (wiring help)
3. Enter and save the component settings (if they do not exist)
4. Dump the content of the memories (1 click)
5. Change the door password by using commands (a few clicks)
6. Try the new password on the lock system (enjoy)
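An added example (not from the slides and not Hardsploit's own code) of what steps 4 and 5 mean at the bus level for the 24LC64 I2C memory fingerprinted earlier: the control byte and address framing of a sequential read used for the dump, and writes split at the 32-byte page boundary, which a 24LC64 otherwise wraps inside the page. The A2..A0 strapping, addresses and sample data are assumptions.

```python
# Added example (not code from the slides or the Hardsploit project):
# I2C framing for the 24LC64 EEPROM fingerprinted above. 24LC64 facts
# used: 8 KB array, control byte 1010 A2 A1 A0 R/W, 16-bit word address,
# 32-byte write pages whose address counter wraps inside the page.
PAGE_SIZE = 32
MEM_SIZE = 8192

def control_byte(a2a1a0, read):
    """Control byte for the strapped A2..A0 pins; the LSB is the R/W bit."""
    if not 0 <= a2a1a0 <= 7:
        raise ValueError("A2..A0 is a 3-bit value")
    return ((0x50 | a2a1a0) << 1) | (1 if read else 0)

def random_read(a2a1a0, addr, length):
    """Sequential read used for a dump: dummy write of the word address,
    repeated START, then `length` reads (the master NACKs the last byte)."""
    if not 0 <= addr < MEM_SIZE or addr + length > MEM_SIZE:
        raise ValueError("read outside the 8 KB array")
    return [("START",), ("WRITE", control_byte(a2a1a0, False)),
            ("WRITE", addr >> 8), ("WRITE", addr & 0xFF), ("RESTART",),
            ("WRITE", control_byte(a2a1a0, True)), ("READ", length), ("STOP",)]

def page_writes(a2a1a0, addr, data):
    """Split `data` into write transactions that never cross a 32-byte
    page boundary, so a full or partial restore lands where intended."""
    if not 0 <= addr < MEM_SIZE or addr + len(data) > MEM_SIZE:
        raise ValueError("write outside the 8 KB array")
    txs, off = [], 0
    while off < len(data):
        cur = addr + off
        chunk = data[off:off + PAGE_SIZE - cur % PAGE_SIZE]
        txs.append([("START",), ("WRITE", control_byte(a2a1a0, False)),
                    ("WRITE", cur >> 8), ("WRITE", cur & 0xFF)]
                   + [("WRITE", b) for b in chunk] + [("STOP",)])
        off += len(chunk)
    return txs

def simulate_write(mem, addr, data):
    """Model of the 24LC64 page buffer: the low address bits increment
    inside the page only, so an oversized write wraps and overwrites the
    beginning of the same page instead of reaching the next one."""
    page = addr - addr % PAGE_SIZE
    for i, b in enumerate(data):
        mem[page + (addr - page + i) % PAGE_SIZE] = b
    return mem
```

Feeding a 40-byte write at 0x0FF0 through simulate_write in one transaction shows the wrap corrupting 0x0FE0..0x0FF7, while the page_writes split lands it at 0x0FF0..0x1017.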


Concrete case: Read | write operation, I2C, SPI, SWD…

• Time for a live demo?


Parallel bus memory


Concrete case: Fingerprint


Concrete case: Offline analysis


Concrete case: Ready to dump the content


Conclusion

• IoT devices are (also) prone to vulnerabilities, and Hardsploit helps you to find them
• Security policy needs to be adapted: nowadays it is not so difficult to extract data from IoT devices
• Designers need to design with security in mind
• Skills related to pentesting a hardware device are mandatory for security experts (but training exists)
• Industry needs to take care of device security


Thank you!

Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT)

To learn more about Hardsploit and follow the development: Hardsploit.io & Opale-Security.com

Hardware & software, pentest, audit, training

• Yann ALLAIN (CEO)
  - [email protected]
  - +33645453381

• Julien MOINARD (Project leader of Hardsploit)
  - [email protected]
  - +33972438707
