Embedded Device Security

Table of Contents

To Sort

  • http://www.sp3ctr3.me/hardware-security-resources/
  • http://greatscottgadgets.com/infiltrate2013/

  • Pwn2Win 2017 - Shift Register
  • Reverse Engineering Intel's Management Engine
    • Present on every Intel chip from Core 2 Duo onward
  • Adapting Software Fault Isolation to Contemporary CPU Architectures
    • Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for workloads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.
  • nexmon
    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
  • dfu-programmer
    • dfu-programmer is an implementation of the Device Firmware Upgrade class USB driver that enables firmware upgrades for various USB enabled (with the correct bootloader) Atmel chips. This program was created because the Atmel "FLIP" program for flashing devices does not support flashing via USB on Linux, and because standard DFU loaders do not work for Atmel's chips.
  • Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
  • CPU security bugs caused by speculative execution
    • This repo is an attempt to collect information on the class of information disclosure vulnerabilities caused by CPU speculative execution that were disclosed on January 3rd, 2018.

end sort


General


Attacking Router('s Firmware)


Cable Modem Hacking


Credit Cards


esp8266 H/W related


Flash Memory


Firmware (Non-Specific)


Internet of Things IoT

JTAG

  • JTAGulator
    • JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.

Medical Devices

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
  • Miscellaneous

Miscellaneous Devices

  • dustcloud
    • Xiaomi Vacuum Robot Reverse Engineering and Hacking
  • Xiaomi Dafang hacks
    • This repository is a collection of information & software for the Xiaomi Dafang Camera
  • xiaomi-sensors-hacks
    • collection of xiaomi/aqara sensors hacks/modifications

Lightning/Thunderbolt

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • ThunderGate
      • ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
  • Miscellaneous

PCI

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • Inception
      • Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
    • PCILeech
      • PCILeech uses the USB3380 chip in order to read from and write to the memory of a target system. This is achieved by using DMA over PCI Express. No drivers are needed on the target system. The USB3380 is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. Reading 8GB of memory from the target system takes around one (1) minute. The PCILeech hardware is connected with USB3 to a controlling computer running the PCILeech program. PCILeech is also capable of inserting a wide range of kernel modules into the targeted kernels, allowing for pulling and pushing files, removing the logon password requirement, loading unsigned drivers, executing code and spawning system shells. The software is written in Visual Studio and runs on Windows 7/Windows 10. Supported target systems are currently the x64 versions of: Linux, FreeBSD, macOS and Windows.
  • Miscellaneous

Printers

See 'Printers' Section in Network Attacks & Scanning


Smart TVs/Monitors

  • 101
  • Articles/Papers/Talks/Writeups
    • Smart TV Security - #1984 in 21st century
      • This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
    • MonitorDarkly
      • This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
  • General
  • Tools
  • Miscellaneous

SPI (Serial Peripheral Interface Bus)


SD Cards


PCB Related


Point-of-Sale


Secure Tokens


USB


SIM Cards


Smartcards

Voting Machines


Specific Attacks

  • Introduction to Trusted Execution Environments - Steven J. Murdoch
  • Fault Attacks
    • The Sorcerer’s Apprentice Guide to Fault Attacks
      • The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
  • Glitch Attacks
    • Introduction to Glitch Attacks
      • This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
    • Glitching for n00bs - A journey to coax out chips' inner secrets
      • Despite claims of its obsolescence, electrical glitching can be a viable attack vector against some ICs. This presentation chronicles a quest to learn what types of electrical transients can be introduced into an integrated circuit to cause a variety of circuit faults advantageous to a reverser. Several hardware platforms were constructed during the quest to aid in research, including old-skool & solderless breadboards, photo-etched & professional PCBs, FPGAs, and cheap & dirty homemade logic analyzers. The strengths and weaknesses of the various approaches will be discussed.
  • Traffic Injection
    • Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems
      • Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and efficient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.