The Tao of Hardware, the Te of Implants

Presented at Black Hat USA 2016, Aug. 4, 2016, 11 a.m. (50 minutes)

Embedded, IOT, and ICS devices tend to be things we can pick up, see, and touch. They're designed for nontechnical users who think of them as immutable hardware devices. Even software security experts, at some point, consider hardware attacks out of scope. Thankfully, even though a handful of hardware manufacturers are making some basic efforts to harden devices, there's still plenty of cheap and easy ways to subvert hardware. The leaked ANT catalog validated that these cheap hardware attacks are worthwhile. The projects of the NSA Playset have explored what's possible in terms of cheap and easy DIY hardware implants, so I've continued to apply those same techniques to more embedded devices and industrial control systems. I'll show off a handful of simple hardware implants that can 1) Blindly escalate privilege using JTAG 2) Patch kernels via direct memory access on an embedded device without JTAG 3) Enable wireless control of the inputs and outputs of an off-the-shelf PLC 4) Hot-plug a malicious expansion module onto another PLC without even taking the system offline and 5) Subvert a system via a malicious display adapter. Some of these are new applications of previously published implants - others are brand new. I'll conclude with some potential design decisions that could reduce vulnerability to implants, as well as ways of protecting existing hardware systems from tampering.

Presenters:

• Joe FitzPatrick / @securelyfitz - SecuringHardware.com   as Joe FitzPatrick
  Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spend the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks on x86 Systems, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Links:

• https://www.blackhat.com/us-16/briefings.html#the-tao-of-hardware-the-te-of-implants
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2016/The Tao of Hardware the Te of Implants.mp4
• https://www.youtube.com/watch?v=UpaX6_Z3joU
• https://www.blackhat.com/docs/us-16/materials/us-16-FitzPatrick-The-Tao-Of-Hardware-The-Te-Of-Implants.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-FitzPatrick-The-Tao-Of-Hardware-The-Te-Of-Implants-wp.pdf

Similar Presentations:

• DEF CON 23 (2015) / NSA Playset: JTAG Implants
• DEF CON 30 (2022) / Injectyll-HIDe: Pushing the Future of Hardware Implants to the Next Level Demo
• Black Hat Europe 2018 / A Measured Response to a Grain of Rice