
Embedded Device Security

Table of Contents

Attacking Routers (Firmware)

Cable Modem Hacking

Credit Cards

Flash Memory


Internet of Things (IoT)

  • 101
  • Articles, Blogposts & Writeups
  • Talks & Presentations
    • When IoT Research Matters - Mark Loveless - Derbycon2017
      • Most IoT research involves low hanging fruit and kitchen appliances. But what happens when the tech you are researching is changing a niche industry, or creating one? This involves a little deeper dive. This talk illustrates some basic concepts and includes some tips on how to make that dive slightly deeper, with examples of hacking tool usage, going above and beyond with a vendor during disclosure, and creating realistic attack scenarios without coming across as mere stunt hacking.
    • IoT Security: Executing an Effective Security Testing Process - Deral Heiland - Derbycon2017
      • With IoT expected to top 20 billion connected devices by the end of the decade, a focused effort is critical if we plan to successfully secure our new IoT-driven world. One of the primary necessities to meet this goal is to develop sound methods for the identification and mitigation of security vulnerabilities within IoT products. As an IoT security researcher and consultant, I regularly conduct IoT security testing. Within my testing methodologies I leverage a holistic approach that focuses on the entire ecosystem of an IoT solution, including hardware, mobile, and cloud environments, allowing for a more thorough evaluation of a solution's security issues. During this presentation attendees will learn about the ecosystem structure of IoT and the security implications of the interconnected components as I guide the audience through several research projects focused on security testing of an IoT technology. Using live demonstrations I will show real-world security vulnerability examples identified within each segment of an IoT ecosystem.
    • Backdooring the Frontdoor - Jmaxxz - DEF CON 24
      • As our homes become smarter and more connected, we come up with new ways of reasoning about our privacy and security. Vendors promise security, but provide little technical information to back up their claims. Further complicating the matter, many of these devices are closed systems which can be difficult to assess. This talk will explore the validity of claims made by one smart lock manufacturer about the security of their product. The entire solution will be deconstructed and examined all the way from web services to the lock itself. By exploiting multiple vulnerabilities, Jmaxxz will demonstrate not only how to backdoor a front door, but also how to utilize these same techniques to protect your privacy.
  • Educational/Informative
  • Tools
  • Papers


Medical Devices

  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Talks & Presentations
    • Anatomy of a Medical Device Hack - Doctors vs. Hackers in a Clinical Simulation Cage Match - Joshua Corman, Christian Dameff MD MS, Jeff Tully MD & Beau Woods (Derbycon2017)
      • In the near future, a crisis unfolds at a hospital: patients on automated drug infusion machines overdose, hacked insulin pumps lead to car crashes, and internal defibrillators flatline weakened hearts. Clinical staff are unprepared and ill-equipped to treat these complications, as they are all unaware of the true culprits behind the crisis. A state of emergency is declared, the public demands answers, and policymakers scramble to preserve national trust. This was the scenario that played out in first-of-their-kind clinical simulations carried out in June, and the results were scary yet unsurprising: health care cybersecurity is in critical condition. It's been a long four years since the guiding ideals and message of The Cavalry were tempered from the forge that was the first Hacker Constitutional Congress (hosted in these very halls at DerbyCon 3). The battle continues to ensure that technologies capable of impacting public safety and human life remain worthy of our trust, and no battlefield looms larger than the healthcare space. Despite important steps toward change (from the Hippocratic Oath for Connected Medical Devices to the just-published Health Care Industry Cybersecurity Task Force Report), recent events remind us that the dual pillars of healthcare technology, patient-facing medical devices and the infrastructure that supports clinical practice, remain as vulnerable and exposed as ever. Join Josh Corman and Beau Woods of I Am The Cavalry as they team up with Christian Dameff, MD, and Jeff Tully, MD (two "white coat hackers" working to save patient lives at the bedside) to share lessons learned from the world's first ever clinical simulations of patients threatened by hacked medical devices. By bringing the technical work done by security researchers you know and love to life and demonstrating the profound impact to patient physiology from compromised devices, these life-like simulations provide a powerful avenue to engage with stakeholder groups including clinicians and policymakers, and may represent the new standard for hackers looking to demonstrate the true impact and importance of their biomedical work.
  • Tools
  • Miscellaneous

Miscellaneous Devices

  • dustcloud
    • Xiaomi Vacuum Robot Reverse Engineering and Hacking
  • Xiaomi Dafang hacks
    • This repository is a collection of information & software for the Xiaomi Dafang Camera
  • xiaomi-sensors-hacks
    • Collection of Xiaomi/Aqara sensor hacks/modifications


  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • ThunderGate
      • ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
  • Miscellaneous


  • 101
  • Articles/Papers/Talks/Writeups
  • General
  • Tools
    • Inception
      • Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
    • PCILeech
      • PCILeech uses the USB3380 chip in order to read from and write to the memory of a target system. This is achieved by using DMA over PCI Express. No drivers are needed on the target system. The USB3380 is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. Reading 8GB of memory from the target system takes around one (1) minute. The PCILeech hardware is connected with USB3 to a controlling computer running the PCILeech program. PCILeech is also capable of inserting a wide range of kernel modules into the targeted kernels, allowing for pulling and pushing files, removing the logon password requirement, loading unsigned drivers, executing code and spawning system shells. The software is written in Visual Studio and runs on Windows 7/Windows 10. Supported target systems are currently the x64 versions of: Linux, FreeBSD, macOS and Windows.
  • Miscellaneous


See 'Printers' Section in Network Attacks & Scanning

Smart TVs/Monitors

  • 101
  • Articles/Papers/Talks/Writeups
    • Smart TV Security - #1984 in 21st century
      • This talk is more about security bugs and rootkits than about firmware for TVs. It covers rootkits more than security bugs and their exploitation, as those are no different from traditional techniques. This talk is about general security issues of all Smart TV vendors.
    • MonitorDarkly
      • This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
  • General
  • Tools
  • Miscellaneous

SPI (Serial Peripheral Interface Bus)

SD Cards


Secure Tokens


SIM Cards


Voting Machines

Specific Attacks

  • Introduction to Trusted Execution Environments - Steven J. Murdoch
  • Fault Attacks
    • The Sorcerer’s Apprentice Guide to Fault Attacks
      • The effect of faults on electronic systems has been studied since the 1970s, when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry, which was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploitation of faults are explained. Finally, a series of countermeasures to thwart these attacks are described.
  • Glitch Attacks
    • Introduction to Glitch Attacks
      • This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
    • Glitching for n00bs - A journey to coax out chips' inner secrets
      • Despite claims of its obsolescence, electrical glitching can be a viable attack vector against some ICs. This presentation chronicles a quest to learn what types of electrical transients can be introduced into an integrated circuit to cause a variety of circuit faults advantageous to a reverser. Several hardware platforms were constructed during the quest to aid in research, including old-skool & solderless breadboards, photo-etched & professional PCBs, FPGAs, and cheap & dirty homemade logic analyzers. The strengths and weaknesses of the various approaches will be discussed.
  • Traffic Injection
    • Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems
      • Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and efficient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.


Drone hacking