
Explore embedded systems pentesting by applying the most common attack techniques and patterns

Key Features

  • Learn various pentesting tools and techniques to attack and secure your hardware infrastructure
  • Find the glitches in your hardware that can be a possible entry point for attacks
  • Discover best practices for securely designing products

Book Description

Hardware pentesting involves leveraging hardware interfaces and communication channels to find vulnerabilities in a device. Practical Hardware Pentesting will help you to plan attacks, hack your embedded devices, and secure the hardware infrastructure.

Throughout the book, you will see how a specific device works, explore its functional and security aspects, and learn how a system senses and communicates with the outside world. You will start by setting up your lab from scratch and then gradually work with an advanced hardware lab. The book will help you get to grips with the global architecture of an embedded system and sniff on-board traffic. You will also learn how to identify and formalize threats to the embedded system and understand its relationship with its ecosystem. Later, you will discover how to analyze your hardware and locate its possible system vulnerabilities before going on to explore firmware dumping, analysis, and exploitation. Finally, focusing on the reverse engineering process from an attacker's point of view will allow you to understand how devices are attacked, how they are compromised, and how you can harden a device against the most common hardware attack vectors.

By the end of this book, you will be well-versed with security best practices and understand how they can be implemented to secure your hardware.

What you will learn

  • Perform an embedded system test and identify security critical functionalities
  • Locate critical security components and buses and learn how to attack them
  • Discover how to dump and modify stored information
  • Understand and exploit the relationship between the firmware and hardware
  • Identify and attack the security functions supported by the functional blocks of the device
  • Develop an attack lab to support advanced device analysis and attacks

Who this book is for

This book is for security professionals and researchers who want to get started with hardware security assessment but don't know where to start. Electrical engineers who want to understand how their devices can be attacked and how to protect against these attacks will also find this book useful.

Table of Contents

  1. Practical Hardware Pentesting
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  6. Section 1: Getting to Know the Hardware
  7. Chapter 1: Setting Up Your Pentesting Lab and Ensuring Lab Safety
    1. Prerequisites – the basics you will need
    2. Languages
    3. Hardware-related skills
    4. System configuration
    5. Setting up a general lab
    6. Safety
    7. Approach to buying test equipment
    8. Home lab versus company lab
    9. Approaching instrument selection
    10. What to buy, what it does, and when to buy it
    11. Small tools and equipment
    12. Renting versus buying
    13. The component pantry
    14. The pantry itself
    15. The stock
    16. Sample labs
    17. Beginner
    18. Amateur
    19. Pro
    20. Summary
    21. Questions
  8. Chapter 2: Understanding Your Target
    1. The CPU block
    2. CPU roles
    3. Common embedded systems architectures
    4. The storage block
    5. RAM
    6. Program storage
    7. Storing data
    8. The power block
    9. The power block from a pentesting point of view
    10. The networking blocks
    11. Common networking protocols in embedded systems
    12. The sensor blocks
    13. Analog sensors
    14. Digital sensors
    15. The actuator blocks
    16. The interface blocks
    17. Summary
    18. Questions
    19. Further reading
  9. Chapter 3: Identifying the Components of Your Target
    1. Technical requirements
    2. Harvesting information – reading the manual
    3. Taking a system analysis approach
    4. For our Furby manual
    5. Harvesting information – researching on the internet
    6. For the Furby
    7. Starting the system diagram
    8. For our Furby
    9. Continuing system exploration – identifying and putting components in the diagram
    10. Opening the Furby
    11. Manipulating the system
    12. Dismantling the Furby
    13. Identifying chips
    14. Chips in the Furby
    15. Identifying unmarked/mysterious chips
    16. Furby – the mystery meat
    17. The borders of functional blocks
    18. Summary
    19. Questions
  10. Chapter 4: Approaching and Planning the Test
    1. The STRIDE methodology
    2. Finding the crown jewels in the assessed system
    3. Security properties – what do we expect?
    4. Communication
    5. Maintenance
    6. System integrity and self-testing
    7. Protection of secrets or security elements
    8. Reaching the crown jewels – how do we create impacts?
    9. STRIDE through the components to compromise properties
    10. For the example system – the Furby
    11. Planning the test
    12. Balancing your scenarios
    13. Summary
    14. Questions
    15. Further reading
  11. Section 2: Attacking the Hardware
  12. Chapter 5: Our Main Attack Platform
    1. Technical requirements
    2. Introduction to the bluepill board
    3. A board to do what?
    4. What is it?
    5. Why C and not Arduino?
    6. The documentation
    7. Memory-projected registers
    8. The toolchain
    9. The compilation process
    10. Driving the compilation
    11. Flashing the chip
    12. Putting it into practice for the bluepill
    13. Introduction to C
    14. Operators
    15. Types
    16. The dreaded pointer
    17. Preprocessor directives
    18. Functions
    19. Summary
    20. Questions
    21. Further reading
  13. Chapter 6: Sniffing and Attacking the Most Common Protocols
    1. Technical requirements
    2. Hardware
    3. Understanding I2C
    4. Mode of operation
    5. Sniffing I2C
    6. Injecting I2C
    7. I2C man in the middle
    8. Understanding SPI
    9. Mode of operation
    10. Sniffing SPI
    11. Injecting SPI
    12. SPI – man in the middle
    13. Understanding UART
    14. Mode of operation
    15. Sniffing UART
    16. Injecting UART
    17. UART – man in the middle
    18. Understanding D1W
    19. Mode of operation
    20. Sniffing D1W
    21. Injecting D1W
    22. D1W – man in the middle
    23. Summary
    24. Questions
  14. Chapter 7: Extracting and Manipulating Onboard Storage
    1. Technical requirements
    2. Finding the data
    3. EEPROMs
    4. EMMC and NAND/NOR Flash
    5. Hard drives, SSDs, and other storage mediums
    6. Extracting the data
    7. On-chip firmware
    8. Onboard storage – specific interfaces
    9. Onboard storage – common interfaces
    10. Understanding unknown storage structures
    11. Unknown storage formats
    12. Well-known storage formats
    13. Let's look for storage in our Furby
    14. Mounting filesystems
    15. Repacking
    16. Summary
    17. Questions
    18. Further reading
  15. Chapter 8: Attacking Wi-Fi, Bluetooth, and BLE
    1. Technical requirements
    2. Basics of networking
    3. Networking in embedded systems using Wi-Fi
    4. Selecting Wi-Fi hardware
    5. Creating our access point
    6. Creating the access point and the basic network services
    7. Networking in embedded systems using Bluetooth
    8. Bluetooth basics
    9. Discovering Bluetooth
    10. Native Linux Bluetooth tools – looking into the joystick crash
    11. Sniffing the BT activity on your host
    12. Sniffing raw BT
    13. BLE
    14. Summary
    15. Questions
  16. Chapter 9: Software-Defined Radio Attacks
    1. Technical requirements
    2. Introduction to arbitrary radio/SDR
    3. Understanding and selecting the hardware
    4. Looking into a radio device
    5. Receiving the signal – a look at antennas
    6. Looking into the radio spectrum
    7. Finding back the data
    8. Identifying modulations – a didactic example
    9. AM/ASK
    10. FM/FSK
    11. PM/PSK
    12. MSK
    13. Getting back to our signal
    14. Demodulating the signal
    15. Clock Recovery MM
    16. WPCR
    17. Sending it back
    18. Summary
    19. Questions
  17. Section 3: Attacking the Software
  18. Chapter 10: Accessing the Debug Interfaces
    1. Technical requirements
    2. Debugging/programming protocols – What are they and what are they used for?
    3. Legitimate usage
    4. Using JTAG to attack a system
    5. Finding the pins
    6. The PCB "plays nicely"
    7. A bit harder
    8. Very hard – JTAGulating
    9. Using OpenOCD
    10. Installing OpenOCD
    11. The adapter file
    12. The target file
    13. Practical case
    14. Summary
    15. Questions
  19. Chapter 11: Static Reverse Engineering and Analysis
    1. Technical requirements
    2. Executable formats
    3. Understanding operating system formats
    4. Dump formats and memory images
    5. Dump structure – the bluepill as an example
    6. Analyzing firmware – introduction to Ghidra
    7. Getting to know Ghidra with a very simple ARM Linux executable
    8. Going into second gear – Ghidra on raw binaries for the STM32
    9. First identification pass
    10. Reversing our target function
    11. Summary
    12. Questions
  20. Chapter 12: Dynamic Reverse Engineering
    1. Technical requirements
    2. What is dynamic reverse engineering and why do it?
    3. Leveraging OpenOCD and GDB
    4. GDB? But... I know nothing about it!
    5. Understanding ARM assembly – a primer
    6. General information and syntax
    7. Exploring the most useful ARM instructions
    8. Using dynamic reverse engineering – an example
    9. First Ghidra inspection
    10. Reversing the expected password
    11. Of course, I aced the test
    12. Summary
    13. Questions
  21. Chapter 13: Scoring and Reporting Your Vulnerabilities
    1. Scoring your vulnerabilities
    2. Being understandable to everyone
    3. Building your report template
    4. Usage of language in a report
    5. Report quality
    6. When engineers do not want to re-engineer
    7. Summary
    8. Questions
  22. Chapter 14: Wrapping It Up – Mitigations and Good Practices
    1. Industry good practices – what are they and where to find them
    2. OWASP IoT top 10
    3. The CIS benchmarks
    4. NIST hardware security guidelines
    5. Common problems and their mitigations
    6. Establishing a trust relationship between the backend and a device
    7. Storing secrets and confidential data
    8. Cryptographic applications in sensitive applications
    9. JTAG, bootloaders, and serial/UART interfaces
    10. What about now? Self-teaching and your first project
    11. Closing words
  23. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Leave a review - let other readers know what you think