- Practical Hardware Pentesting
- Contributors
- About the author
- About the reviewers
- Preface
- Section 1: Getting to Know the Hardware
- Chapter 1: Setting Up Your Pentesting Lab and Ensuring Lab Safety
- Prerequisites – the basics you will need
- Languages
- Hardware-related skills
- System configuration
- Setting up a general lab
- Safety
- Approach to buying test equipment
- Home lab versus company lab
- Approaching instrument selection
- What to buy, what it does, and when to buy it
- Small tools and equipment
- Renting versus buying
- The component pantry
- The pantry itself
- The stock
- Sample labs
- Beginner
- Amateur
- Pro
- Summary
- Questions
- Chapter 2: Understanding Your Target
- The CPU block
- CPU roles
- Common embedded systems architectures
- The storage block
- RAM
- Program storage
- Storing data
- The power block
- The power block from a pentesting point of view
- The networking blocks
- Common networking protocols in embedded systems
- The sensor blocks
- Analog sensors
- Digital sensors
- The actuator blocks
- The interface blocks
- Summary
- Questions
- Further reading
- Chapter 3: Identifying the Components of Your Target
- Technical requirements
- Harvesting information – reading the manual
- Taking a system analysis approach
- For our Furby manual
- Harvesting information — researching on the internet
- For the Furby
- Starting the system diagram
- For our Furby
- Continuing system exploration – identifying and putting components in the diagram
- Opening the Furby
- Manipulating the system
- Dismantling the Furby
- Identifying chips
- Chips in the Furby
- Identifying unmarked/mysterious chips
- Furby — the mystery meat
- The borders of functional blocks
- Summary
- Questions
- Chapter 4: Approaching and Planning the Test
- The STRIDE methodology
- Finding the crown jewels in the assessed system
- Security properties – what do we expect?
- Communication
- Maintenance
- System integrity and self-testing
- Protection of secrets or security elements
- Reaching the crown jewels – how do we create impacts?
- STRIDE through the components to compromise properties
- For the example system – the Furby
- Planning the test
- Balancing your scenarios
- Summary
- Questions
- Further reading
- Section 2: Attacking the Hardware
- Chapter 5: Our Main Attack Platform
- Technical requirements
- Introduction to the bluepill board
- A board to do what?
- What is it?
- Why C and not Arduino?
- The documentation
- Memory-projected registers
- The toolchain
- The compilation process
- Driving the compilation
- Flashing the chip
- Putting it into practice for the bluepill
- Introduction to C
- Operators
- Types
- The dreaded pointer
- Preprocessor directives
- Functions
- Summary
- Questions
- Further reading
- Chapter 6: Sniffing and Attacking the Most Common Protocols
- Technical requirements
- Hardware
- Understanding I2C
- Mode of operation
- Sniffing I2C
- Injecting I2C
- I2C man in the middle
- Understanding SPI
- Mode of operation
- Sniffing SPI
- Injecting SPI
- SPI – man in the middle
- Understanding UART
- Mode of operation
- Sniffing UART
- Injecting UART
- UART – man in the middle
- Understanding D1W
- Mode of operation
- Sniffing D1W
- Injecting D1W
- D1W – man in the middle
- Summary
- Questions
- Chapter 7: Extracting and Manipulating Onboard Storage
- Technical requirements
- Finding the data
- EEPROMs
- EMMC and NAND/NOR Flash
- Hard drives, SSDs, and other storage mediums
- Extracting the data
- On-chip firmware
- Onboard storage – specific interfaces
- Onboard storage – common interfaces
- Understanding unknown storage structures
- Unknown storage formats
- Well-known storage formats
- Let's look for storage in our Furby
- Mounting filesystems
- Repacking
- Summary
- Questions
- Further reading
- Chapter 8: Attacking Wi-Fi, Bluetooth, and BLE
- Technical requirements
- Basics of networking
- Networking in embedded systems using Wi-Fi
- Selecting Wi-Fi hardware
- Creating our access point
- Creating the access point and the basic network services
- Networking in embedded systems using Bluetooth
- Bluetooth basics
- Discovering Bluetooth
- Native Linux Bluetooth tools – looking into the joystick crash
- Sniffing the BT activity on your host
- Sniffing raw BT
- BLE
- Summary
- Questions
- Chapter 9: Software-Defined Radio Attacks
- Technical requirements
- Introduction to arbitrary radio/SDR
- Understanding and selecting the hardware
- Looking into a radio device
- Receiving the signal – a look at antennas
- Looking into the radio spectrum
- Finding back the data
- Identifying modulations – a didactic example
- AM/ASK
- FM/FSK
- PM/PSK
- MSK
- Getting back to our signal
- Demodulating the signal
- Clock Recovery MM
- WPCR
- Sending it back
- Summary
- Questions
- Section 3: Attacking the Software
- Chapter 10: Accessing the Debug Interfaces
- Technical requirements
- Debugging/programming protocols – What are they and what are they used for?
- Legitimate usage
- Using JTAG to attack a system
- Finding the pins
- The PCB "plays nicely"
- A bit harder
- Very hard – JTAGulating
- Using OpenOCD
- Installing OpenOCD
- The adapter file
- The target file
- Practical case
- Summary
- Questions
- Chapter 11: Static Reverse Engineering and Analysis
- Technical requirements
- Executable formats
- Understanding operating system formats
- Dump formats and memory images
- Dump structure – the bluepill as an example
- Analyzing firmware – introduction to Ghidra
- Getting to know Ghidra with a very simple ARM Linux executable
- Going into second gear – Ghidra on raw binaries for the STM32
- First identification pass
- Reversing our target function
- Summary
- Questions
- Chapter 12: Dynamic Reverse Engineering
- Technical requirements
- What is dynamic reverse engineering and why do it?
- Leveraging OpenOCD and GDB
- GDB? But... I know nothing about it!
- Understanding ARM assembly – a primer
- General information and syntax
- Exploring the most useful ARM instructions
- Using dynamic reverse engineering – an example
- First Ghidra inspection
- Reversing the expected password
- Of course, I aced the test
- Summary
- Questions
- Chapter 13: Scoring and Reporting Your Vulnerabilities
- Chapter 14: Wrapping It Up – Mitigations and Good Practices
- Industry good practices – what are they and where to find them
- OWASP IoT top 10
- The CIS benchmarks
- NIST hardware security guidelines
- Common problems and their mitigations
- Establishing a trust relationship between the backend and a device
- Storing secrets and confidential data
- Cryptographic applications in sensitive applications
- JTAG, bootloaders, and serial/UART interfaces
- What about now? Self-teaching and your first project
- Closing words
- Assessments
- Other Books You May Enjoy
Section 1: Getting to Know the Hardware
After reading this section, you will know how to set up an assessment lab, understand the global architecture of an embedded system, know how to identify the different components, and understand how they act together in order to make the system run. Once you are able to understand all aspects of how a system works, you will be able to follow a risk modeling methodology to plan your tests according to the threats against the target system.
This section comprises the following chapters:
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.