Embedded Device Security

Table of Contents


General


Attacking Routers(Firmware)


Cable Modem Hacking


Credit Cards


esp8266 H/W related


Flash Memory


Firmware(Non-Specific)


Internet of Things IoT

  • 101
  • Articles, Blogposts & Writeups
  • Talks & Presentations
    • When IoT Research Matters - Mark Loveless - Derbycon2017
      • Most IoT research involves low hanging fruit and kitchen appliances. But what happens when the tech you are researching is changing a niche industry, or creating one? This involves a little deeper dive. This talk illustrates some basic concepts and includes some tips on how to make that dive slightly deeper, with examples of hacking tool usage, going above and beyond with a vendor during disclosure, and creating realistic attack scenarios without coming across as mere stunt hacking.
    • IoT Security: Executing an Effective Security Testing Process - Deral Heiland - Derbycon2017
      • With IoT expected to top 20 billion connected devices by the end of the decade. A focused effort is critical if we plan to be successfully securing our new IoT driven world. One of the primary necessities to meet this goal is to develop sound methods for identification, and mitigation of security vulnerabilities within IoT products. As an IoT security researcher and consultant, I regularly conduct IoT security testing. Within my testing methodologies I leverage a holistic approach that focuses on the entire ecosystem of an IoT solution, including: hardware, mobile, and cloud environments allowing for a more through evaluation of a solutions security issues. During this presentation attendees will learn about the ecosystem structure of IoT and security implication of the interconnected components as I guide the audience through several research projects focused on security testing of an IoT technology. Using live demonstration I will show real-world security vulnerability examples identified within each segment of an IoT ecosystem
    • Backdooring the Frontdoor - Jmaxxz - DEF CON 24
      • As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.
  • Educational/Informative
  • Tools
  • Papers

JTAG


Medical Devices


Miscellaneous Devices

  • dustcloud
    • Xiaomi Vacuum Robot Reverse Engineering and Hacking
  • Xiaomi Dafang hacks
    • This repository is a collection of information & software for the Xiaomi Dafang Camera
  • xiaomi-sensors-hacks
    • collection of xiaomi/aqara sensors hacks/modifications

Lightning/Thunderbolt

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • ThunderGate
      • ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
  • Miscellaneous

PCI

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • Inception
      • Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
    • PCILeech
      • The PCILeech use the USB3380 chip in order to read from and write to the memory of a target system. This is achieved by using DMA over PCI Express. No drivers are needed on the target system. The USB3380 is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. Reading 8GB of memory from the target system take around one (1) minute. The PCILeech hardware is connected with USB3 to a controlling computer running the PCILeech program. PCILeech is also capable of inserting a wide range of kernel modules into the targeted kernels - allowing for pulling and pushing files, remove the logon password requirement, loading unsigned drivers, executing code and spawn system shells. The software is written in visual studio and runs on Windows 7/Windows 10. Supported target systems are currently the x64 versions of: Linux, FreeBSD, macOS and Windows.
  • Miscellaneous

Printers

See 'Printers' Section in Network Attacks & Scanning


Smart TVs/Monitors

  • 101
  • Articles/Papers/Talks/Writeups
    • Smart TV Security - #1984 in 21 st century
      • This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
    • MonitorDarkly
      • This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
  • General
  • Tools
  • Miscellaneous

SPI(Serial Peripheral Interface Bus)


SD Cards


PCB Related


Point-of-Sale


Secure Tokens


USB


SIM Cards


Smartcards


Voting Machines


Specific Attacks

  • Introduction to Trusted Execution Environments - Steven J. Murdoch
  • Fault Attacks
    • The Sorcerer’s Apprentice Guide to Fault Attacks
      • The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
  • Glitch Attacks
    • Introduction to Glitch Attacks
      • This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
    • Glitching for n00bs - A journey to coax out chips' inner seccrets
      • Despite claims of its obsolescence, electrical glitching can be a viable attack vector against some ICs. This presentation chronicles a quest to learn what types of electrical transients can be introduced into an integrated circuit to cause a variety of circuit faults advantageous to an reverser. Several hardware platforms were constructed during the quest to aid in research, including old-skool & solderless breadboards, photo-etched & professional PCBs, FPGAs, and cheap & dirty homemade logic analyzers. The strengths and weaknesses of the various approaches will be discussed.
  • Traffic Injection
    • Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems
      • Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and effcient injection of traffc into the buses is real and easily a ordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.