
Embedded devices are chip-size microcomputers small enough to be included in the structure of the object they control, and they’re everywhere—in phones, cars, credit cards, laptops, medical equipment, even critical infrastructure. This means understanding their security is critical. The Hardware Hacking Handbook takes you deep inside different types of embedded systems, revealing the designs, components, security limits, and reverse-engineering challenges you need to know for executing effective hardware attacks.

Written with wit and infused with hands-on lab experiments, this handbook puts you in the role of an attacker interested in breaking security to do good. Starting with a crash course on the architecture of embedded devices, threat modeling, and attack trees, you’ll go on to explore hardware interfaces, ports and communication protocols, electrical signaling, tips for analyzing firmware images, and more. Along the way, you’ll use a home testing lab to perform fault-injection, side-channel (SCA), and simple and differential power analysis (SPA/DPA) attacks on a variety of real devices, such as a crypto wallet. The authors also share insights into real-life attacks on embedded systems, including Sony’s PlayStation 3, the Xbox 360, and Philips Hue lights, and provide an appendix of the equipment needed for your hardware hacking lab – like a multimeter and an oscilloscope – with options for every type of budget.

You’ll learn:

• How to model security threats, using attacker profiles, assets, objectives, and countermeasures
• Electrical basics that will help you understand communication interfaces, signaling, and measurement
• How to identify injection points for executing clock, voltage, electromagnetic, laser, and body-biasing fault attacks, as well as practical injection tips
• How to use timing and power analysis attacks to extract passwords and cryptographic keys
• Techniques for leveling up both simple and differential power analysis, from practical measurement tips to filtering, processing, and visualization

Whether you’re an industry engineer tasked with understanding these attacks, a student starting out in the field, or an electronics hobbyist curious about replicating existing work, The Hardware Hacking Handbook is an indispensable resource – one you’ll always want to have on hand.

Table of Contents

  1. Title Page
  2. Copyright
  3. Dedication
  4. About the Authors
  5. Foreword
  6. Acknowledgments
  7. Introduction
    1. What Embedded Devices Look Like
    2. Ways of Hacking Embedded Devices
    3. What Does Hardware Attack Mean?
    4. Who Should Read This Book?
    5. About This Book
  8. Chapter 1: Dental Hygiene: Introduction to Embedded Security
    1. Hardware Components
    2. Software Components
    3. Initial Boot Code
    4. Bootloader
    5. Trusted Execution Environment OS and Trusted Applications
    6. Firmware Images
    7. Main Operating System Kernel and Applications
    8. Hardware Threat Modeling
    9. What Is Security?
    10. The Attack Tree
    11. Profiling the Attackers
    12. Types of Attacks
    13. Software Attacks on Hardware
    14. PCB-Level Attacks
    15. Logical Attacks
    16. Noninvasive Attacks
    17. Chip-Invasive Attacks
    18. Assets and Security Objectives
    19. Confidentiality and Integrity of Binary Code
    20. Confidentiality and Integrity of Keys
    21. Remote Boot Attestation
    22. Confidentiality and Integrity of Personally Identifiable Information
    23. Sensor Data Integrity and Confidentiality
    24. Content Confidentiality Protection
    25. Safety and Resilience
    26. Countermeasures
    27. Protect
    28. Detect
    29. Respond
    30. An Attack Tree Example
    31. Identification vs. Exploitation
    32. Scalability
    33. Analyzing the Attack Tree
    34. Scoring Hardware Attack Paths
    35. Disclosing Security Issues
    36. Summary
  9. Chapter 2: Reaching Out, Touching Me, Touching You: Hardware Peripheral Interfaces
    1. Electricity Basics
    2. Voltage
    3. Current
    4. Resistance
    5. Ohm’s Law
    6. AC/DC
    7. Picking Apart Resistance
    8. Power
    9. Interface with Electricity
    10. Logic Levels
    11. High Impedance, Pullups, and Pulldowns
    12. Push-Pull vs. Tristate vs. Open Collector or Open Drain
    13. Asynchronous vs. Synchronous vs. Embedded Clock
    14. Differential Signaling
    15. Low-Speed Serial Interfaces
    16. Universal Asynchronous Receiver/Transmitter Serial
    17. Serial Peripheral Interface
    18. Inter-IC Interface
    19. Secure Digital Input/Output and Embedded Multimedia Cards
    20. CAN Bus
    21. JTAG and Other Debugging Interfaces
    22. Parallel Interfaces
    23. Memory Interfaces
    24. High-Speed Serial Interfaces
    25. Universal Serial Bus
    26. PCI Express
    27. Ethernet
    28. Measurement
    29. Multimeter: Volt
    30. Multimeter: Continuity
    31. Digital Oscilloscope
    32. Logic Analyzer
    33. Summary
  10. Chapter 3: Casing the Joint: Identifying Components and Gathering Information
    1. Information Gathering
    2. Federal Communications Commission Filings
    3. Patents
    4. Datasheets and Schematics
    5. Information Search Example: The USB Armory Device
    6. Opening the Case
    7. Identifying ICs on the Board
    8. Small Leaded Packages: SOIC, SOP, and QFP
    9. No-Lead Packages: SO and QFN
    10. Ball Grid Array
    11. Chip Scale Packaging
    12. DIP, Through-Hole, and Others
    13. Sample IC Packages on PCBs
    14. Identifying Other Components on the Board
    15. Mapping the PCB
    16. Using the JTAG Boundary Scan for Mapping
    17. Information Extraction from the Firmware
    18. Obtaining the Firmware Image
    19. Analyzing the Firmware Image
    20. Summary
  11. Chapter 4: Bull in a Porcelain Shop: Introducing Fault Injection
    1. Faulting Security Mechanisms
    2. Circumventing Firmware Signature Verification
    3. Gaining Access to Locked Functionality
    4. Recovering Cryptographic Keys
    5. An Exercise in OpenSSH Fault Injection
    6. Injecting Faults into C Code
    7. Injecting Faults into Machine Code
    8. Fault Injection Bull
    9. Target Device and Fault Goal
    10. Fault Injector Tools
    11. Target Preparation and Control
    12. Fault Searching Methods
    13. Discovering Fault Primitives
    14. Searching for Effective Faults
    15. Search Strategies
    16. Analyzing Results
    17. Summary
  12. Chapter 5: Don’t Lick the Probe: How to Inject Faults
    1. Clock Fault Injection
    2. Metastability
    3. Fault Sensitivity Analysis
    4. Limitations
    5. Required Hardware
    6. Clock Fault Injection Parameters
    7. Voltage Fault Injection
    8. Generating Voltage Glitches
    9. Building a Switching-Based Injector
    10. Crowbar Injected Faults
    11. Raspberry Pi Fault Attack with a Crowbar
    12. Voltage Fault Injection Search Parameters
    13. Electromagnetic Fault Injection
    14. Generating Electromagnetic Faults
    15. Architectures for Electromagnetic Fault Injection
    16. EMFI Pulse Shapes and Widths
    17. Search Parameters for Electromagnetic Fault Injection
    18. Optical Fault Injection
    19. Chip Preparation
    20. Front-Side and Back-Side Attacks
    21. Light Sources
    22. Optical Fault Injection Setup
    23. Optical Fault Injection Configurable Parameters
    24. Body Biasing Injection
    25. Parameters for Body Biasing Injection
    26. Triggering Hardware Faults
    27. Working with Unpredictable Target Timing
    28. Summary
  13. Chapter 6: Bench Time: Fault Injection Lab
    1. Act 1: A Simple Loop
    2. A BBQ Lighter of Pain
    3. Act 2: Inserting Useful Glitches
    4. Crowbar Glitching to Fault a Configuration Word
    5. Mux Fault Injection
    6. Act 3: Differential Fault Analysis
    7. A Bit of RSA Math
    8. Getting a Correct Signature from the Target
    9. Summary
  14. Chapter 7: X Marks the Spot: Trezor One Wallet Memory Dump
    1. Trezor One Wallet Internals
    2. USB Read Request Faulting
    3. Disassembling Code
    4. Building Firmware and Validating the Glitch
    5. USB Triggering and Timing
    6. Glitching Through the Case
    7. Setting Up
    8. Reviewing the Code for Fault Injection
    9. Running the Code
    10. Confirming a Dump
    11. Fine-Tuning the EM Pulse
    12. Tuning Timing Based on USB Messages
    13. Summary
  15. Chapter 8: I’ve Got the Power: Introduction to Power Analysis
    1. Timing Attacks
    2. Hard Drive Timing Attack
    3. Power Measurements for Timing Attacks
    4. Simple Power Analysis
    5. Applying SPA to RSA
    6. Applying SPA to RSA, Redux
    7. SPA on ECDSA
    8. Summary
  16. Chapter 9: Bench Time: Simple Power Analysis
    1. The Home Lab
    2. Building a Basic Hardware Setup
    3. Buying a Setup
    4. Preparing the Target Code
    5. Building the Setup
    6. Pulling It Together: An SPA Attack
    7. Preparing the Target
    8. Preparing the Oscilloscope
    9. Analysis of the Signal
    10. Scripting the Communication and Analysis
    11. Scripting the Attack
    12. ChipWhisperer-Nano Example
    13. Building and Loading Firmware
    14. A First Glance at the Communication
    15. Capturing a Trace
    16. From Trace to Attack
    17. Summary
  17. Chapter 10: Splitting the Difference: Differential Power Analysis
    1. Inside the Microcontroller
    2. Changing the Voltage on a Capacitor
    3. From Power to Data and Back
    4. Sexy XORy Example
    5. Differential Power Analysis Attack
    6. Predicting Power Consumption Using a Leakage Assumption
    7. A DPA Attack in Python
    8. Know Thy Enemy: An Advanced Encryption Standard Crash Course
    9. Attacking AES-128 Using DPA
    10. Correlation Power Analysis Attack
    11. Correlation Coefficient
    12. Attacking AES-128 Using CPA
    13. Communicating with a Target Device
    14. Oscilloscope Capture Speed
    15. Summary
  18. Chapter 11: Gettin’ Nerdy with It: Advanced Power Analysis
    1. The Main Obstacles
    2. More Powerful Attacks
    3. Measuring Success
    4. Success Rate–Based Metrics
    5. Entropy-Based Metrics
    6. Correlation Peak Progression
    7. Correlation Peak Height
    8. Measurements on Real Devices
    9. Device Operation
    10. The Measurement Probe
    11. Determining Sensitive Nets
    12. Automated Probe Scanning
    13. Oscilloscope Setup
    14. Trace Set Analysis and Processing
    15. Analysis Techniques
    16. Processing Techniques
    17. Deep Learning Using Convolutional Neural Networks
    18. Summary
  19. Chapter 12: Bench Time: Differential Power Analysis
    1. Bootloader Background
    2. Bootloader Communications Protocol
    3. Details of AES-256 CBC
    4. Attacking AES-256
    5. Obtaining and Building the Bootloader Code
    6. Running the Target and Capturing Traces
    7. Calculating the CRC
    8. Communicating with the Bootloader
    9. Capturing Overview Traces
    10. Capturing Detailed Traces
    11. Analysis
    12. Round 14 Key
    13. Round 13 Key
    14. Recovering the IV
    15. What to Capture
    16. Getting the First Trace
    17. Getting the Rest of the Traces
    18. Analysis
    19. Attacking the Signature
    20. Attack Theory
    21. Power Traces
    22. Analysis
    23. All Four Bytes
    24. Peeping at the Bootloader Source Code
    25. Timing of Signature Check
    26. Summary
  20. Chapter 13: No Kiddin’: Real-Life Examples
    1. Fault Injection Attacks
    2. PlayStation 3 Hypervisor
    3. Xbox 360
    4. Power Analysis Attacks
    5. Philips Hue Attack
    6. Summary
  21. Chapter 14: Think of the Children: Countermeasures, Certifications, and Goodbytes
    1. Countermeasures
    2. Implementing Countermeasures
    3. Verifying Countermeasures
    4. Industry Certifications
    5. Getting Better
    6. Summary
  22. Appendix A: Maxing Out Your Credit Card: Setting Up a Test Lab
    1. Checking Connectivity and Voltages: $50 to $500
    2. Fine-Pitch Soldering: $50 to $1,500
    3. Desoldering Through-Hole: $30 to $500
    4. Soldering and Desoldering Surface Mount Devices: $100 to $500
    5. Modifying PCBs: $5 to $700
    6. Optical Microscopes: $200 to $2,000
    7. Photographing Boards: $50 to $2,000
    8. Powering Targets: $10 to $1,000
    9. Viewing Analog Waveforms (Oscilloscopes): $300 to $25,000
    10. Memory Depth
    11. Sample Rate
    12. Bandwidth
    13. Other Features
    14. Viewing Logic Waveforms: $300 to $8,000
    15. Triggering on Serial Buses: $300 to $8,000
    16. Decoding Serial Protocols: $50 to $8,000
    17. CAN Bus Sniffing and Triggering: $50 to $5,000
    18. Ethernet Sniffing: $50
    19. Interacting Through JTAG: $20 to $10,000
    20. General JTAG and Boundary Scan
    21. JTAG Debug
    22. PCIe Communication: $100 to $1,000
    23. USB Sniffing: $100 to $6,000
    24. USB Triggering: $250 to $6,000
    25. USB Emulation: $100
    26. SPI Flash Connections: $25 to $1,000
    27. Power Analysis Measurements: $300 to $50,000
    28. Triggering on Analog Waveforms: $3,800+
    29. Measuring Magnetic Fields: $25 to $10,000
    30. Clock Fault Injection: $100 to $30,000
    31. Voltage Fault Injection: $25 to $30,000
    32. Electromagnetic Fault Injection: $100 to $50,000
    33. Optical Fault Injection: $1,000 to $250,000
    34. Positioning Probes: $100 to $50,000
    35. Target Devices: $10 to $10,000
  23. Appendix B: All Your Base Are Belong to Us: Popular Pinouts
    1. SPI Flash Pinout
    2. 0.1-Inch Headers
    3. 20-Pin Arm JTAG
    4. 14-Pin PowerPC JTAG
    5. 0.05-Inch Headers
    6. Arm Cortex JTAG/SWD
    7. Ember Packet Trace Port Connector
  24. Index