A Measured Response to a Grain of Rice

Presented at Black Hat Europe 2018, Dec. 5, 2018, 3:15 p.m. (50 minutes).

Over time, our hardware has become smaller, faster, cheaper - and also incredibly more complicated. Just like with software, this complexity brings with it both increased attack surfaces and a more difficult detection problem.

Unfortunately, right now, when it comes to hardware attacks, the discourse is focused on sensationalism. We've got reports of devices few people have heard of, doing things few people realize are possible, perhaps happening on a scale fewer people understand. When it comes to hardware details, they're incomprehensible to laypeople, as well as to most software security experts.

I'll start with a background on real examples of what we'd call 'hardware implants' to set the context and understand the scenarios where hardware implants make sense. We'll examine a few recent cases of claimed hardware implants to understand how we can classify them in terms of complexity and risk. With that information, we can then make rational decisions on where these and other hardware threats fit in your threat model.

With these examples in hand, you will better understand when it makes sense to respond to hardware threats, as well as how to prioritize your response to best reduce your overall risk.


Presenters:

  • Joe FitzPatrick / @securelyfitz - Trainer and Researcher, SecuringHardware.com
    Joe (@securelyfitz) is a Trainer and Researcher at https://SecuringHardware.com (@securinghw). Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
