Clone of . For those who would prefer to not be tracked by MS.
  1. # Embedded Device Security
  2. -----------------------------------
  3. ## Table of Contents
  4. - [General](#general)
  5. - [Attacking Routers and their Firmware](#routers)
  6. - [Cable Modem Hacking](#modem)
  7. - [Credit Cards](#cc)
  8. - [esp8266 Related](#esp2866)
  9. - [Flash Memory](#flash)
  10. - [Firmware(nonspecific)](#firmware)
  11. - [IoT/IoS](#iot)
  12. - [JTAG](#jtag)
  13. - [Medical Devices](#medical)
  14. - [Miscellaneous Devices](#misc-devices)
  15. - [Lightning/Thunderbolt](#lightning)
  16. - [PCI](#pci)
  17. - [Printers](#printers)
  18. - [Smart TVs](#smart)
  19. - [Serial Peripheral Interface(SPI)](#spi)
  20. - [SD Cards](#sdcard)
  21. - [PCB Related](#pcb)
  22. - [Point-of-Sale](#pos)
  23. - [Secure Tokens](#tokens)
  24. - [USB](#usb)
  25. - [SIM Cards](#sim)
  26. - [SmartCards](#smartcard)
  27. - [Voting Machines](#voting)
  28. - [Specific Attacks](#specific)
  29. -----------------------------
  30. * **To-Do**
  31. * Fingerprint readers
  32. * [Breaking apple touchID cheaply](
  33. * SIMs
  34. * USB
  35. * Lightning
  36. * Voting machines
  37. * Tokens
  38. * SD Cards
  39. * TPM
  40. * [Attackin the TPM part 2](
  41. --------
  42. ### General
  43. * [ArduPilot](
  44. * [Knocking my neighbors kids cruddy drone offline - DefCon 23 Robinson and Mitchell](
  45. * [Game of Drones - Brown,Latimer - Defcon25](
  46. * We’ve taken a MythBusters-style approach to testing the effectiveness of a variety of drone defense solutions, pitting them against our DangerDrone. Videos demonstrating the results should be almost as fun for you to watch as they were for us to produce. Expect to witness epic aerial battles against an assortment of drone defense types
  47. * [DUMLRacer](
  48. * Root Exploit for DJI Drones and Controllers (up to and including v01.04.0100)
  49. ---------------------
  50. ### <a name="general"></a>General
  51. * **101**
  52. * [Embedded System - Wikipedia](
  53. * [Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](
  54. * [Hardware Hacking for Software People](
  55. * [I2C - Inter-Integrated Circuit](
  56. * [Display Data Channel](
  57. * [UART - Universal asynchronous receiver/transmitter](
  58. * **Articles/Papers/Talks/Writeups**
  59. * [Infecting the Embedded Supply Chain - somersetrecon](
  60. * [Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals](
  61. * [Using the Shikra to Attack Embedded Systems: Getting Started - xipiter](
  62. * **Circuit Boards**
  63. * [Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](
  64. * **Educational/Informative**
  65. * [OWASP Embedded Application Security](
  66. * [Live Copy](
  67. * [Hardware Hacking - Nicolas Collins](
  68. * [Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](
  69. * [Common methods of H/W hacking](
  70. * [Hardware Hacking Videos](
  71. * [Hardware Hacking the Easyware Way](
  72. * Interested in hardware hacking but not quite sure where to start? Does the thought of soldering thrill you (or scare you)? Come check out this talk to see just how easy it is to jump into this exciting field of research! Many people and companies use similar models of hardware. Unlike software, these devices rarely receive security updates. Sometimes, used devices are sold without clearing the configurations and important data is left behind. After this talk, you will know how to find hidden interfaces on these devices, start searching for vulnerabilities and sensitive information, and have irresistible urges to go home and tear apart all your old networking equipment. Did we demo?
  73. * [Methodologies for Hacking Embedded Security Appliances](
  74. * [Hardware Backdooring is Practical -Jonathan Brossard](
  75. * [Infecting the Embedded Supply Chain - Somerset Recon](
  76. * **Resources/Reference**
  77. * [FCC ID Lookup](
  78. * Lookup devices according to FCC ID
  79. * **Tools**
  80. * [Logic Pirate](
  81. * The Logic Pirate is an inexpensive, yet capable open source logic analyzer. It is designed to support the SUMP logic analyzer protocol. Costs $30. Recommended to me by those who use it.
  82. * [Blog Post about it](
  83. * [Debug Probes - J-Link and J-Trace](
  84. * [Hardware reverse engineering tools (Olivier Thomas) - REcon 2013](
  85. * [Getting in with the Proxmark3 & ProxBrute](
  86. * [Metasploit Hardware Bridge](
  87. * [Hardware Bridge API](
  88. * [NSA Playset](
  89. * In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
  90. * [Anti-Evil Maid](
  91. * **Miscellaneous**
  92. * NFC - See wireless section
  93. * [Project bdp](
  94. * This is a project to modify the Sony Blu-ray BDP firmware. It started out with only the BDP-S390, but has branched out to include other players and a variety of goals, including removing Cinavia and obtaining Region-Free.
  95. * [Learn how to send an SMS text message in Python by pushing a button on your Arduino!](
  96. * [U-Boot -- the Universal Boot Loader](
  97. * An open source bootloader for Linux, very popular on embedded devices
  98. * [Manual/Documentation](
  99. * [Probe comparison -](
  100. ---------------------------
  101. ### <a name="routers">Attacking Routers(Firmware)</a>
  102. * **101**
  103. * [Unpacking Firmware images from cable modems](
  104. * **Articles/Papers/Talks/Writeups**
  105. * [Hacking the D-Link DIR-890L](
  106. * [Multiple Vulnerabilities in BHU WiFi “uRouter”](
  107. * [From Zero to ZeroDay Journey: Router Hacking (WRT54GL Linksys Case)](
  108. * [Rooting the MikroTik routers (SHA2017)](
  109. * In this talk I describe my journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no “ls”.
  110. * [From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](
  111. * [Firmware Exploitation with JEB: Part 1](
  112. * **Tools**
  113. * [Router Post-Exploitation Framework](
  114. * Abstracts and expedites the process of backdooring stock firmware images for consumer/SOHO routers.
  115. ---------------------------
  116. ### <a name="modem">Cable Modem Hacking</a>
  117. * **101**
  118. * [Cable Modem - Wikipedia](
  119. * [Data Over Cable Service Interface Specification (DOCSIS) - Wikipedia](
  120. * **Articles/Papers/Talks/Writeups**
  121. * [Docsis hacking](
  122. * [Video](
  123. * [Hacking Docsis for fun and profit](
  124. * [Video](
  125. * [Hacking DOCSIS: Or how to get free internet - Chaosmaster - Easterhegg 2017](
  126. * In German
  127. * [Modem Cloning for Fun (but NOT for profit!) - Yifan Lu](
  128. * [Hacking cable modems the later years - Bernardo Rodrigues - NullByte 2016](
  129. * [Beyond your cable modem: How not to do DOCSIS networks - Alexander Graf](
  130. * **Tools**
  131. * [Keykeriki v2.0](
  132. * Hardware to attack wireless keyboards and other such things
  133. * **Miscellaneous**
  134. -----------------------
  135. ### Credit Cards<a name="cc"></a>
  136. * **101**
  137. * **Articles/Papers/Talks/Writeups**
  138. * [Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless](
  139. * [How to Hack a Contactless Payment System](
  140. * **Tools**
  141. * [MagSpoof - credit card/magstripe spoofer](
  142. ---------------
  143. ### esp8266 H/W related
  144. * [esp8266 wiki](
  145. ---------------------------
  146. ### <a name="flash">Flash Memory</a>
  147. * **101**
  148. * [Flash Memory - Wikipedia](
  149. * **Articles/Papers/Talks/Writeups**
  150. * [Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](
  151. * [Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques](
  152. * [Reverse Engineering: Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](
  153. * **General**
  154. * **Tools**
  155. * **Miscellaneous**
  156. --------------------------
  157. ### <a name="firmware"></a> Firmware(Non-Specific)
  158. * **101**
  159. * Check the BIOS/UEFI page as well.
  160. * Check out the RE page too.
  161. * [Reverse Engineering Firmware Primer - SecurityWeekly](
  162. * **Articles/Papers/Talks/Writeups**
  163. * [Lost your "secure" HDD PIN? We can help!](
  164. * [Analyzing and Running binaries from Firmware Images - Part 1](
  165. * **General**
  166. * [Damn Vulnerable Router Firmware (DVRF) v0.5](
  167. * The goal of this project is to simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space. This project is also for those who are curious about embedded research, but don't want to invest a lot of money.
  168. * **Tools**
  169. * [Firmware Analysis Toolkit](
  170. * FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.
  171. * [dfu-programmer](
  172. * dfu-programmer is an implementation of the Device Firmware Upgrade class USB driver that enables firmware upgrades for various USB enabled (with the correct bootloader) Atmel chips. This program was created because the Atmel "FLIP" program for flashing devices does not support flashing via USB on Linux, and because standard DFU loaders do not work for Atmel's chips.
  173. * **Miscellaneous**
  174. * [Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](
  175. * [Firmwalker](
  176. * A simple bash script for searching the extracted or mounted firmware file system. It will search through the extracted or mounted firmware file system for things of interest
  177. * [Disk Genie - SpritesMods](
  178. ---------------------------
  179. ### <a name="iot">Internet of Things</a> IoT
  180. * **101**
  181. * [A Primer on IoT Security Research](
  182. * **Articles, Blogposts & Writeups**
  183. * [Smart Parking Meters](
  184. * Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackbox secure memory card.
  185. * [Smart Nest Thermostat A Smart Spy in Your Home](
  186. * [A Survey of Various Methods for Analyzing the Amazon Echo](
  187. * Hacking the Dropcam series
  188. * [Part 1 - Dropcam Comms](
  189. * [Part 2 - Rooting the Dropcam](
  190. * [Part 3 - Dropcam Lua Bytecode](
  191. * [When IoT Attacks: Hacking A Linux-Powered Rifle ](
  192. * **Talks & Presentations**
  193. * [When IoT Research Matters - Mark Loveless - Derbycon2017](
  194. * Most IoT research involves low hanging fruit and kitchen appliances. But what happens when the tech you are researching is changing a niche industry, or creating one? This involves a little deeper dive. This talk illustrates some basic concepts and includes some tips on how to make that dive slightly deeper, with examples of hacking tool usage, going above and beyond with a vendor during disclosure, and creating realistic attack scenarios without coming across as mere stunt hacking.
  195. * [IoT Security: Executing an Effective Security Testing Process - Deral Heiland - Derbycon2017](
  196. * With IoT expected to top 20 billion connected devices by the end of the decade, a focused effort is critical if we plan to successfully secure our new IoT-driven world. One of the primary necessities to meet this goal is to develop sound methods for identification and mitigation of security vulnerabilities within IoT products. As an IoT security researcher and consultant, I regularly conduct IoT security testing. Within my testing methodologies I leverage a holistic approach that focuses on the entire ecosystem of an IoT solution, including hardware, mobile, and cloud environments, allowing for a more thorough evaluation of a solution's security issues. During this presentation attendees will learn about the ecosystem structure of IoT and the security implications of the interconnected components as I guide the audience through several research projects focused on security testing of an IoT technology. Using live demonstration I will show real-world security vulnerability examples identified within each segment of an IoT ecosystem.
  197. * [Backdooring the Frontdoor - Jmaxxz - DEF CON 24](
  198. * As our homes become smarter and more connected we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.
  199. * **Educational/Informative**
  200. * [Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond - NCC Group](
  201. * [Ian Douglas - Creating an Internet of Private Things](
  202. * The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken into account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
  203. * **Tools**
  204. * **Papers**
  205. ---------------
  206. ### <a name="jtag"></a> JTAG
  207. * **101**
  208. * [JTAG - Wikipedia](
  209. * [What is JTAG and how can I make use of it? -](
  210. * [What is JTAG? -](
  211. * **Articles/Papers/Talks/Writeups**
  212. * **Tools**
  213. * [JTAGulator](
  214. * JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.
  215. * **Miscellaneous**
  216. -------------------
  217. ### <a name="medical"></a> Medical Devices
  218. * **101**
  219. * **Articles/Papers/Talks/Writeups**
  220. * [Insulin Pumps, Decapped chips and Software Defined Radios - Pete Schwamb](
  221. * **General**
  222. * [Medical Devices Page](
  223. * **Talks & Presentations**
  224. * [Anatomy of a Medical Device Hack- Doctors vs. Hackers in a Clinical Simulation Cage Match - Joshua Corman & Christian Dameff MD MS & Jeff Tully MD & Beau Woods(Derbycon2017)](
  225. * In the near future, a crisis unfolds at a hospital: patients on automated drug infusion machines overdose, hacked insulin pumps lead to car crashes, and internal defibrillators flatline weakened hearts. Clinical staff are unprepared and ill equipped to treat these complications, as they are all unaware of the true culprits behind the crisis. A state of emergency is declared, the public demands answers, and policymakers scramble to preserve national trust. This was the scenario that played out in first-of-their-kind clinical simulations carried out in June, and the results were scary yet unsurprising: health care cybersecurity is in critical condition. It’s been a long four years since the guiding ideals and message of The Cavalry was tempered from the forge that was the first Hacker Constitutional Congress (hosted in these very halls at DerbyCon 3). The battle continues to ensure that technologies capable of impacting public safety and human life remain worthy of our trust, and no battlefield looms larger than the healthcare space. Despite important steps toward change- from the Hippocratic Oath for Connected Medical Devices to the just-published Health Care Industry Cybersecurity Task Force Report- recent events remind us that the dual pillars of healthcare technology- patient facing medical devices and the infrastructure that supports clinical practice- remain as vulnerable and exposed as ever. Join Josh Corman and Beau Woods of I am The Cavalry as they team up with Christian Dameff, MD, and Jeff Tully, MD- two “white coat hackers” working to save patient lives at the bedside- to share lessons learned from the world’s first ever clinical simulations of patients threatened by hacked medical devices. 
By bringing the technical work done by security researchers you know and love to life and demonstrating the profound impact to patient physiology from compromised devices, these life-like simulations provide a powerful avenue to engage with stakeholder groups including clinicians and policymakers, and may represent the new standard for hackers looking to demonstrate the true impact and importance of their biomedical work.
  226. * **Tools**
  227. * **Miscellaneous**
  228. ------------------------
  229. ### <a name="misc-devices"></a> Miscellaneous Devices
  230. * [dustcloud](
  231. * Xiaomi Vacuum Robot Reverse Engineering and Hacking
  232. * [Xiaomi Dafang hacks](
  233. * This repository is a collection of information & software for the Xiaomi Dafang Camera
  234. * [xiaomi-sensors-hacks](
  235. * collection of xiaomi/aqara sensors hacks/modifications
  236. ---------------------------
  237. ### <a name="lightning"></a> Lightning/Thunderbolt
  238. * **101**
  239. * **Articles/Papers/Talks/Writeups**
  240. * [Apple Lightning Reverse Engineered](
  241. * **General**
  242. * **Tools**
  243. * [ThunderGate](
  244. * ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
  245. * **Miscellaneous**
  246. ---------------------------
  247. ### <a name="pci">PCI</a>
  248. * **101**
  249. * **Articles/Papers/Talks/Writeups**
  250. * [Stupid PCIe Tricks featuring NSA Playset: PCIe](
  251. * **General**
  252. * **Tools**
  253. * [Inception](
  254. * Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
  255. * [PCILeech](
  256. * PCILeech uses the USB3380 chip in order to read from and write to the memory of a target system. This is achieved by using DMA over PCI Express. No drivers are needed on the target system. The USB3380 is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. Reading 8GB of memory from the target system takes around one (1) minute. The PCILeech hardware is connected with USB3 to a controlling computer running the PCILeech program. PCILeech is also capable of inserting a wide range of kernel modules into the targeted kernels - allowing for pulling and pushing files, removing the logon password requirement, loading unsigned drivers, executing code and spawning system shells. The software is written in Visual Studio and runs on Windows 7/Windows 10. Supported target systems are currently the x64 versions of: Linux, FreeBSD, macOS and Windows.
  257. * **Miscellaneous**
  258. ----------------------
  259. ### Printers<a name="printers"></a>
  260. See 'Printers' Section in Network Attacks & Scanning
  261. ------------------
  262. ### Smart TVs/Monitors <a name="smart"></a>
  263. * **101**
  264. * **Articles/Papers/Talks/Writeups**
  265. * [Smart TV Security - #1984 in 21 st century](
  266. * This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
  267. * [MonitorDarkly](
  268. * This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
  269. * **General**
  270. * **Tools**
  271. * **Miscellaneous**
  272. ---------------
  273. ### SPI(Serial Peripheral Interface Bus)<a name="spi"></a>
  274. * **101**
  275. * [Serial Peripheral Interface Bus - Wikipedia](
  276. * [SPI](
  277. * **Articles/Papers/Talks/Writeups**
  278. * **General**
  279. * **Tools**
  280. * **Miscellaneous**
  281. ---------------------------
  282. ### <a name="sdcard">SD Cards</a>
  283. * **101**
  284. * **Articles/Papers/Talks/Writeups**
  285. * [The Exploration and Exploitation of an SD Memory Card](
  286. * This talk demonstrates a method for reverse engineering and loading code into the microcontroller within a SD memory card.
  287. * **General**
  288. * **Tools**
  289. * **Miscellaneous**
  290. -------------
  291. ### PCB Related <a name="pcb"></a>
  292. * [PCB-RE: Tools & Techniques](
  293. ------------------------------
  294. ### Point-of-Sale <a name="pos"></a>
  295. * **101**
  296. * **Articles & Writeups**
  297. * **Talks & Presentations**
  298. * [Chip & PIN is Definitely Broken - Defcon 19](
  299. * [Jackson Thuraisamy & Jason Tran - Hacking POS PoS Systems](
  300. * [Pwning the POS! - Nick Douglas - Notacon11](
  301. * Everybody’s talking about the Target breach. However, there’s lots wrong with the retail space… and it’s been this way for quite some time! Focusing on Point of Sale (POS) systems this talk will show you how exploit-friendly the POS ecosystem really is, and how you can help fix things.
  302. * [Pandora's Cash Box - The Ghost under your POS - RECON2015](
  303. * [Retail Store/POS Penetration Testing - Daniel Brown - Derbycon2017](
  304. * Penetration Testing a retail/POS environment. The methods companies are using to try and protect them, methods of bypassing security implementations, and how they tie into a company's overall security.
  305. * **Papers**
  306. * **Tools**
  307. * **Miscellaneous**
  308. ------------------
  309. ### Secure Tokens<a name="tokens"></a>
  310. * **101**
  311. * **Articles/Papers/Talks/Writeups**
  312. * [Secure Tokin’ & Doobiekeys: How to roll your own counterfeit hardware security devices - @securelyfitz, @r00tkillah](
  313. * **General**
  314. * **Tools**
  315. * **Miscellaneous**
  316. ---------------------------
  317. ### <a name="usb">USB</a>
  318. * **101**
  319. * [USB in a Nutshell](
  320. * Great explanation of the USB standard in depth
  321. * **Articles/Papers/Talks/Writeups**
  322. * **Attacking**
  323. * [USB Attacks Need Physical Access Right? Not Any More… by Andy Davis](
  324. * This project's goal is to turn PS2303-based USB flash drive into a cheap USB 3.0 development platform (i.e. fast USB 3.0 to FPGA bridge).
  325. * [Multiplexed Wired Attack Surfaces - Michael Ossmann & Kos - Toorcon15](
  326. * Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
  328. * Reversing USB and writing USB Drivers for an RC car.
  329. * [Introduction to USB and Fuzzing - Matt DuHarte - Defcon23](
  330. * [Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation](
  331. * Abstract: Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework that improves significantly over existing methods in providing a cost-effective and flexible way to read and modify USB communication. Amongst other benefits, the framework enables man-in-the-middle fuzz testing between a host and peripheral. We achieve this by performing two-way emulation using inexpensive bespoke USB testing hardware, thereby delivering capabilities of a USB analyzer at a tenth of the cost. Mutational fuzzing is applied during live communication between a host and peripheral, yielding new security-relevant bugs. Lastly, we comment on the potential of the framework to improve current exploitation techniques on the USB channel.
  332. * [USB For All - Defcon 22 - Jesse Michael and Mickey Shkatov](
  333. * USB is used in almost every computing device produced in recent years. In addition to well-known usages like keyboard, mouse, and mass storage, a much wider range of capabilities exist such as Device Firmware Update, USB On-The-Go, debug over USB, and more. What actually happens on the wire? Is there interesting data we can observe or inject into these operations that we can take advantage of? In this talk, we will present an overview of USB and its corresponding attack surface. We will demonstrate different tools and methods that can be used to monitor and abuse USB for malicious purposes.
  334. * [Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](
  335. * [Attacking secure USB keys, behind the scene](
  336. * [Attacking encrypted USB keys the hard(ware) way - Jean-Michel Picod, Rémi Audebert, Elie Bursztein -BHUSA 17](
  337. * In this talk, we will present our methodology to assess "secure" USB devices both from the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case-studies. We will demonstrate some of the practical attacks we found during our audit so you will learn what type of vulnerability to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.
  338. * [Here's a List of 29 Different Types of USB Attacks - BleepingComputer](
  339. * [5 Things to Do Now: the USB/JTAG/IME Exploit -](
  340. * **Understanding**
  341. * [USB Device Drivers: A Stepping Stone into your Kernel](
  342. * [Slides](
  343. * **Educational/Informative**
  344. * [USBProxy](
  345. * A USB man in the middle device using USB On-The-Go, libUSB and gadgetFS
  346. * [Attacks via physical access to USB (DMA…?)](
  347. * [Can a connected USB device read all data from the USB bus?](
  348. * [Defending Against Malicious USB Firmware with GoodUSB - Dave Tian, Adam Bates, Kevin Butler](
  349. * [Defending Against Malicious USB Firmware with GoodUSB -](
  350. * **Tools**
  351. * [WHID Injector: an USB-Rubberducky/BadUSB on Steroids](
  352. * [umap](
  353. * The USB host security assessment tool
  354. * [NSA USB Playset - ShmooCon201](
  355. * [Phison PS2303 (PS2251-03) framework](
  356. * **Miscellaneous**
  357. * [Vendors, Disclosure, and a bit of WebUSB Madness - Markus Vervier](
  358. * **BadUSB**
  359. * [Slides](
  360. * [Video](
  361. * [Code - Psychson](
  362. * [Media Transfer Protocol and USB device Research](
  363. * **USB Device/Class Info**
  364. * [USB Device Class Specifications - Official Site](
  365. * These specifications recommend design targets for classes of devices. For HID related information, please go to the [HID web page.](
  366. * [Universal Serial Bus Device Class Specification for Device Firmware Upgrade Version 1.1 Aug 5, 2004](
  367. * [Identifiers for USB Devices -](
  368. ---------------------------
  369. ### SIM Cards <a name="sim"></a>
  370. * **101**
  371. * **Articles/Papers/Talks/Writeups**
  372. * [Rooting SIM cards](
  373. * [The Secret Life of SIM Cards - Karl Koscher/Eric Butler](
  374. * [Hacking a USB Modem & SIM](
  375. * **Tools**
  376. * **Miscellaneous**
  377. ---------------------------
  378. ### <a name="smartcard">Smartcards</a>
  379. * **101**
  380. * [ISO/IEC 7816](
  381. * [ISO/IEC 15693](
  382. * [ISO/IEC 14443](
  383. * [Introduction to Smart Card Security](
  384. * **Articles/Papers/Talks/Writeups**
  385. * [How can I do that? Intro to hardware hacking with an RFID badge reader - Kevin Bong](
  386. * [An analysis of the vulnerabilities introduced with Java Card 3 Connected Edition](
  387. * [Outsmarting smartcards](
  388. * [Deconstructing a secure processor - Christopher Tarnovsky](
  389. * From start to finish, we will walk through how a current generation smartcard was successfully compromised. The talk will discuss everything that was required in the order the events took place. We will cram several months into an hour! PS- The talk will be very technical mixed hardware and software (60% hardware, 40% software).
  390. * **Tools**
  391. * **Miscellaneous**
  392. * **Chameleon Mini**
  393. * [Chameleon: A Versatile Emulator for Contactless Smartcards - Paper](
  394. * [Milking the Digital Cash Cow [29c3] Video Presentation](
  395. * [ChameleonMini Hardware](
  396. -----------------
  397. ### <a name="voting"></a> Voting Machines
  398. * [Hacking Voting Machines at DEF CON 25](
  399. * [dc25-votingvillage-report - notes from participants](
  400. * [dc25-votingvillage-report](
  401. * A report to synthesize findings from the Defcon 25 Voting Machine Hacking Village
  402. --------------------------------
  403. ### Specific Attacks
  404. * [Introduction to Trusted Execution Environments - Steven J. Murdoch](
  405. * **Fault Attacks**
  406. * [The Sorcerer’s Apprentice Guide to Fault Attacks](
  407. * The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
  408. * **Glitch Attacks**
  409. * [Introduction to Glitch Attacks](
  410. * This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
  411. * [Glitching for n00bs - A journey to coax out chips' inner secrets](
  412. * Despite claims of its obsolescence, electrical glitching can be a viable attack vector against some ICs. This presentation chronicles a quest to learn what types of electrical transients can be introduced into an integrated circuit to cause a variety of circuit faults advantageous to a reverser. Several hardware platforms were constructed during the quest to aid in research, including old-skool & solderless breadboards, photo-etched & professional PCBs, FPGAs, and cheap & dirty homemade logic analyzers. The strengths and weaknesses of the various approaches will be discussed.
  413. * **Traffic Injection**
  414. * [Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems](
  415. * Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and efficient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
  416. ---------------------------------
  417. #### Sort
  420. * [nRF24L01+ sniffer - part 1 - Yveaux](
  421. * [Code used in the Great Drone Duel of 2016](
  422. * At ToorCamp 2016, an unknown Chinese benefactor provided all participants with Cheerson CX-10A quadcopters. Coincidentally, Michael Ossmann and Dominic Spill gave a talk about hacking those very same quadcopters, and as part of their talk, they released a protocol specification which formalized the packet format used by the drones. Following the only logical path that made sense at the time, we challenged them to a duel at high noon. Using Python, nRF24LU1+ dongles (running Marc's nRF24LU1+ firmware), and an IntimidationAntenna(tm), we hacked together some code to either fly their drones far, far away, or bring them crashing to the ground. The code has been alpha tested against giant fishing nets with mixed results.
  423. * [How To Set Up A Drone Vulnerability Testing Lab - Sander Walters](
  424. * [JTAG Explained (finally!): Why "IoT", Software Security Engineers, and Manufacturers Should Care -]
  426. * [Hardware Stuff for Software People By Stephen Ridley(REcon2011)](
  427. * This talk will be an introduction to doing "hardware stuff" stuff, for people accustomed to plying their trade against software. I will discuss how to build tools (and use existing tools) to sniff/spy on a variety of hardware communications channels from UART Serial (the kind in your computer) to the very ubiquitous SPI/I2C serial busses used in virtually everything (from EEPROM in your portable DVD player to the HDMI/VGA cables between your computer and monitor). I will demonstrate how these simple hardware taps can be used to begin reverse engineering, spoofing, and fuzzing in places where (as a software person) you might not have previously felt comfortable. I will be bringing along a number of custom hardware and software tools (used specifically for these purposes) as well as a mock lab environment for demonstrations. Other than these practical skills, I am new to this "hardware stuff" so please don't expect an "embedded-JTag-SCADA-mobile" buzzword soliloquy. I'll just be sharing some stories and showing some neat hardware and software I've recently found useful.
  428. * [PentestHardware](
  429. * "Kinda useful notes collated together publicly"
  430. * [Embedded Devices Security and Firmware Reverse Engineering - Jonas Zaddach, Andrei Costin(BH13USA)](
  431. * This workshop aims at presenting a quick-start at how to inspect firmwares and a hands-on presentation with exercises on real firmwares from a security analysis standpoint.
  432. * [Hardware and Firmware Security Guidance](
  433. * This repository provides content for aiding DoD administrators in verifying systems have applied and enabled mitigations for hardware and firmware vulnerabilities such as side-channel and UEFI vulnerabilities. The repository is a companion to NSA Cybersecurity Advisories such as Vulnerabilities Affecting Modern Processors. This repository is updated as new information, research, strategies, and guidance are developed.
  434. * [Inception: System-wide Security Testing of Real-World Embedded Systems Software](
  436. * [ESP32/ESP8266 Wi-Fi Attacks](
  437. * [UBoot to Root - Deral Heiland(OISF19)](
  438. * [Are We Really Safe? - Bypassing Access Control Systems - Dennis Maldonado(Defcon23)](
  439. * The world relies on access control systems to ensure that secured areas are only accessible to authorized users. Usually, a keypad is the only thing stopping an unauthorized person from accessing the private space behind it. There are many types of access control systems from stand-alone keypads to telephony access control. In this talk, Dennis will be going over how and where access control systems are used. Dennis will walk through and demonstrate the tips and tricks used in bypassing common access control systems. This presentation will include attack methods of all nature including physical attacks, RFID, wireless, telephony, network, and more.
  440. * [Firmware analysis Basic Approach - Veerababu Penugonda](
  441. * [The Ninja Recon Technique for IoT Pentesting - attify](
  442. * [Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 1: Atmel Microcontrollers - Deral Heiland](
  443. * [Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 2: Nordic RF Microcontrollers - Deral Heiland](
  444. * [Extracting Firmware from Microcontrollers' Onboard Flash Memory, Part 3: Microchip PIC Microcontrollers - Deral Heiland](
  445. * [Building your own JTAG, ISP, & Chip Off Lab - Jack Farley](
  446. * [Reverse-engineering Broadcom wireless chipsets - Hugues Anguelkov](
  447. * [From 0 to Infinity - Guy](
  448. * **Drone hacking**
  449. * [DeviationTX with NRF24L01 module, the universal drone remote control - dronegarageblog.wordpress](
  450. * [How To Set Up A Drone Vulnerability Testing Lab - Sander Walters](
  451. * [How to hack IP camera in toy drone - u/pj530i](
  452. * [PHD VI: How They Stole Our Drone](
  453. * [Code used in the Great Drone Duel of 2016](
  454. * "At ToorCamp 2016, an unknown Chinese benefactor provided all participants with Cheerson CX-10A quadcopters. Coincidentally, Michael Ossmann and Dominic Spill gave a talk about hacking those very same quadcopters, and as part of their talk, they released a protocol specification which formalized the packet format used by the drones. Following the only logical path that made sense at the time, [we challenged them]( to a duel at high noon."
  455. * [nRF24L01+ sniffer - part 1 - Yveaux](
  456. * [GPS Spoofing Of UAV - YUAN Jian](
  460. * [Hardware Hacking for the Masses (and you!) - BusesCanFly(LevelUp 0x05)](
  461. * Custom summary: Intro(ish)-level talk for getting started/introduced to HardwareHacking. Good stuff.
  462. * [Slides](