Hardware Hacking for Software People

Posted on August 25, 2011 by

7


IMG_5842

For most of my career as a software developer/security researcher I’ve romanticized ‘hardware hacking’. In my late teens and early twenties as I was learning about software development and software security I would occasionally buy Nuts and Volts from Microcenter and read Karl Lunt‘s Amateur Robotics column. Having devoured William Gibson‘s oeuvre in my late teens, I fantasized about cutting my teeth on PIC Assembly and amateur robotics until I eventually ascended to a mage-like proficiency: effortlessly whipping up software AND hardware exploits for any technology that dared stand in my way…like a real-life Shadowrun Decker

Then I grew up.

None of that ever happened …the closest I’ve come to any of this fantasy is attending/speaking at  “hacker” conferences, finding a bunch of bugs, and writing mostly lame software and exploits. I did all of that amidst the hyper-focused software quality assurance that ostentatiously calls itself “computer security research”.

But still, the dream lingered like a dusty raisin swept underneath the refrigerator in some derelict apartment. I would occasionally read about stuff like elaborate custom atm skimmer hardware, Nintendo DSi hacking, iPhonehardware jailbreaks, automobile computer hacks, smart-meter fiascos or see presentations by Barnaby Jack or Travis Goodspeed and my chin would quiver with envy as I fought back tears of regret…”Man, I’d always wanted to do *that* kind of stuff…”…ok not really.

Over the years as I focused on software security professionally, I flirted with “hardware stuff” by periodically buying PICs, solderless breadboards, jumpers, and BASIC Stamp development kits. All of this stuff ultimately sat unused on my desks and bookshelves…

That is until the last few years…

On a pentest project a few years ago, I was tasked with attacking a network infrastructure that supported a series of wireless sensors. The project was overwhelming because I’d never done any professional “results-oriented” hardware reversing or penetration testing. However, in a few short weeks, armed with Python (pyserial), a dilettante’s google-knowledge of serial taps, two days of soldering parts from Fry’s, and some basic protocol reversing/replication we had some great findings with code injection through a blackbox telemetry sensor into to the infrastructure’s backend…..All from a serial cable.

This success taught me a lot: mostly that a little bit of knowledge of hardware can go a long way for a software reverse engineer and vulnerability researcher especially now that many of the most interesting targets are implemented on embedded systems.

Over the last few years I’d collected a number of Arduino development boards from SparkFun. These (like so much other crap I’ve accumulated over the years) were destined to become re-gifted stocking stuffers…that is until I started reading one day about the simple serial protocol common in embedded controllers and integrated circuits. Most of these protocols were so simple that they only required two wires (some only requiring one!).

Enter i2c/SPI/2-Wire:

I was surprised to discover not only that there were simple serial data protocols down in those little ICs on circuit boards, but also that they were so ubiquitous. As I began reading more about them, I began finding out that ICs using SPI and i2C were virtually everywhere like:

Of all the above, the ones that piqued my interest most were how EEPROM, HDMI/VGA, and Microcontrollers used this serial protocol. To start, very first thing I wanted to learn was how to tap these busses to begin observing them in “the wild”. I needed to perfect my methods for blindly approaching a piece of hardware. I needed to know how to go from knowing nothing about a hardware target to determining of any tappable busses were exposed. The resulting techniques and notes (along with hardware used) turned into a presentation given at SummerCon (in New York) in the summer of 2011 and ReCon Reverse Engineering Conference 2011 (in Montreal, Canada).

During this talk I walk you from knowing nothing about exposed pins to investigating them, tapping them and injecting data onto them.  The presentation concludes with a demonstration of how these techniques were applied to finding and later exploiting a bug in a popular cable modem. Along the way I discuss the types of hardware (Beagle i2c, BusPirate, Arduinos, cheap oscilloscopes, etc) used (to do all the above) and I demonstrate how to use them (with diagrams/photos and video demontrations). There are also some extras thrown in like:

  • building passive ethernet taps from Home Depot parts,
  • assembling/soldering hardware 9/25 pin serial taps with Radio Shack parts
  • building VGA “taps”

Additionally, while developing and practicing these techniques I briefly assisted Charlie Miller on a project he was privately researching that resulted in his talk at BlackHat 2011 on reverse engineering MacBook batteries. My assistance with his project is noted in his talk and whitepaper.

If you want a more detailed walkthrough please check out the video of the recon talk available here and embedded below. Slides are also available here.