The Hardware Hacking Handbook

The Hardware Hacking Handbook

by Colin O'Flynn
Released December 2021
Publisher(s): No Starch Press
ISBN: 9781593278748

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Embedded devices are chip-size microcomputers small enough to be included in the structure of the object they control, and they’re everywhere—in phones, cars, credit cards, laptops, medical equipment, even critical infrastructure. This means understanding their security is critical. The Hardware Hacking Handbook takes you deep inside different types of embedded systems, revealing the designs, components, security limits, and reverse-engineering challenges you need to know for executing effective hardware attacks.

Written with wit and infused with hands-on lab experiments, this handbook puts you in the role of an attacker interested in breaking security to do good. Starting with a crash course on the architecture of embedded devices, threat modeling, and attack trees, you’ll go on to explore hardware interfaces, ports and communication protocols, electrical signaling, tips for analyzing firmware images, and more. Along the way, you’ll use a home testing lab to perform fault-injection, side-channel (SCA), and simple and differential power analysis (SPA/DPA) attacks on a variety of real devices, such as a crypto wallet. The authors also share insights into real-life attacks on embedded systems, including Sony’s PlayStation 3, the Xbox 360, and Philips Hue lights, and provide an appendix of the equipment needed for your hardware hacking lab – like a multimeter and an oscilloscope – with options for every type of budget.

You’ll learn:

•How to model security threats, using attacker profiles, assets, objectives, and countermeasures
•Electrical basics that will help you understand communication interfaces, signaling, and measurement
•How to identify injection points for executing clock, voltage, electromagnetic, laser, and body-biasing fault attacks, as well as practical injection tips
•How to use timing and power analysis attacks to extract passwords and cryptographic keys
•Techniques for leveling up both simple and differential power analysis, from practical measurement tips to filtering, processing, and visualization

Whether you’re an industry engineer tasked with understanding these attacks, a student starting out in the field, or an electronics hobbyist curious about replicating existing work, The Hardware Hacking Handbook is an indispensable resource – one you’ll always want to have onhand.

Table of contents

  1. Title Page
  2. Copyright
  3. Dedication
  4. About the Authors
  5. Foreword
  6. Acknowledgments
  7. Introduction
    1. What Embedded Devices Look Like
    2. Ways of Hacking Embedded Devices
    3. What Does Hardware Attack Mean?
    4. Who Should Read This Book?
    5. About This Book
  8. Chapter 1: Dental Hygiene: Introduction to Embedded Security
    1. Hardware Components
    2. Software Components
      1. Initial Boot Code
      2. Bootloader
      3. Trusted Execution Environment OS and Trusted Applications
      4. Firmware Images
      5. Main Operating System Kernel and Applications
    3. Hardware Threat Modeling
      1. What Is Security?
      2. The Attack Tree
    4. Profiling the Attackers
    5. Types of Attacks
      1. Software Attacks on Hardware
      2. PCB-Level Attacks
      3. Logical Attacks
      4. Noninvasive Attacks
      5. Chip-Invasive Attacks
    6. Assets and Security Objectives
      1. Confidentiality and Integrity of Binary Code
      2. Confidentiality and Integrity of Keys
      3. Remote Boot Attestation
      4. Confidentiality and Integrity of Personally Identifiable Information
      5. Sensor Data Integrity and Confidentiality
      6. Content Confidentiality Protection
      7. Safety and Resilience
    7. Countermeasures
      1. Protect
      2. Detect
      3. Respond
    8. An Attack Tree Example
      1. Identification vs. Exploitation
      2. Scalability
      3. Analyzing the Attack Tree
      4. Scoring Hardware Attack Paths
    9. Disclosing Security Issues
    10. Summary
  9. Chapter 2: Reaching Out, Touching Me, Touching You: Hardware Peripheral Interfaces
    1. Electricity Basics
      1. Voltage
      2. Current
      3. Resistance
      4. Ohm’s Law
      5. AC/DC
      6. Picking Apart Resistance
      7. Power
    2. Interface with Electricity
      1. Logic Levels
      2. High Impedance, Pullups, and Pulldowns
      3. Push-Pull vs. Tristate vs. Open Collector or Open Drain
      4. Asynchronous vs. Synchronous vs. Embedded Clock
      5. Differential Signaling
    3. Low-Speed Serial Interfaces
      1. Universal Asynchronous Receiver/Transmitter Serial
      2. Serial Peripheral Interface
      3. Inter-IC Interface
      4. Secure Digital Input/Output and Embedded Multimedia Cards
      5. CAN Bus
      6. JTAG and Other Debugging Interfaces
    4. Parallel Interfaces
      1. Memory Interfaces
    5. High-Speed Serial Interfaces
      1. Universal Serial Bus
      2. PCI Express
      3. Ethernet
    6. Measurement
      1. Multimeter: Volt
      2. Multimeter: Continuity
      3. Digital Oscilloscope
      4. Logic Analyzer
    7. Summary
  10. Chapter 3: Casing the Joint: Identifying Components and Gathering Information
    1. Information Gathering
      1. Federal Communications Commission Filings
      2. Patents
      3. Datasheets and Schematics
      4. Information Search Example: The USB Armory Device
    2. Opening the Case
      1. Identifying ICs on the Board
      2. Small Leaded Packages: SOIC, SOP, and QFP
      3. No-Lead Packages: SO and QFN
      4. Ball Grid Array
      5. Chip Scale Packaging
      6. DIP, Through-Hole, and Others
    3. Sample IC Packages on PCBs
      1. Identifying Other Components on the Board
    4. Mapping the PCB
      1. Using the JTAG Boundary Scan for Mapping
    5. Information Extraction from the Firmware
      1. Obtaining the Firmware Image
      2. Analyzing the Firmware Image
    6. Summary
  11. Chapter 4: Bull in a Porcelain Shop: Introducing Fault Injection
    1. Faulting Security Mechanisms
      1. Circumventing Firmware Signature Verification
      2. Gaining Access to Locked Functionality
      3. Recovering Cryptographic Keys
    2. An Exercise in OpenSSH Fault Injection
      1. Injecting Faults into C Code
      2. Injecting Faults into Machine Code
    3. Fault Injection Bull
      1. Target Device and Fault Goal
      2. Fault Injector Tools
      3. Target Preparation and Control
    4. Fault Searching Methods
      1. Discovering Fault Primitives
      2. Searching for Effective Faults
      3. Search Strategies
      4. Analyzing Results
    5. Summary
  12. Chapter 5: Don’t Lick the Probe: How to Inject Faults
    1. Clock Fault Injection
      1. Metastability
      2. Fault Sensitivity Analysis
      3. Limitations
      4. Required Hardware
      5. Clock Fault Injection Parameters
    2. Voltage Fault Injection
      1. Generating Voltage Glitches
      2. Building a Switching-Based Injector
      3. Crowbar Injected Faults
      4. Raspberry Pi Fault Attack with a Crowbar
      5. Voltage Fault Injection Search Parameters
    3. Electromagnetic Fault Injection
      1. Generating Electromagnetic Faults
      2. Architectures for Electromagnetic Fault Injection
      3. EMFI Pulse Shapes and Widths
      4. Search Parameters for Electromagnetic Fault Injection
    4. Optical Fault Injection
      1. Chip Preparation
      2. Front-Side and Back-Side Attacks
      3. Light Sources
      4. Optical Fault Injection Setup
      5. Optical Fault Injection Configurable Parameters
    5. Body Biasing Injection
      1. Parameters for Body Biasing Injection
    6. Triggering Hardware Faults
      1. Working with Unpredictable Target Timing
    7. Summary
  13. Chapter 6: Bench Time: Fault Injection Lab
    1. Act 1: A Simple Loop
      1. A BBQ Lighter of Pain
    2. Act 2: Inserting Useful Glitches
      1. Crowbar Glitching to Fault a Configuration Word
      2. Mux Fault Injection
    3. Act 3: Differential Fault Analysis
      1. A Bit of RSA Math
      2. Getting a Correct Signature from the Target
    4. Summary
  14. Chapter 7: X Marks the Spot: Trezor One Wallet Memory Dump
    1. Trezor One Wallet Internals
    2. USB Read Request Faulting
    3. Disassembling Code
    4. Building Firmware and Validating the Glitch
    5. USB Triggering and Timing
    6. Glitching Through the Case
      1. Setting Up
      2. Reviewing the Code for Fault Injection
      3. Running the Code
      4. Confirming a Dump
      5. Fine-Tuning the EM Pulse
      6. Tuning Timing Based on USB Messages
    7. Summary
  15. Chapter 8: I’ve Got the Power: Introduction to Power Analysis
    1. Timing Attacks
      1. Hard Drive Timing Attack
      2. Power Measurements for Timing Attacks
    2. Simple Power Analysis
      1. Applying SPA to RSA
      2. Applying SPA to RSA, Redux
      3. SPA on ECDSA
    3. Summary
  16. Chapter 9: Bench Time: Simple Power Analysis
    1. The Home Lab
      1. Building a Basic Hardware Setup
      2. Buying a Setup
      3. Preparing the Target Code
      4. Building the Setup
    2. Pulling It Together: An SPA Attack
      1. Preparing the Target
      2. Preparing the Oscilloscope
      3. Analysis of the Signal
      4. Scripting the Communication and Analysis
      5. Scripting the Attack
    3. ChipWhisperer-Nano Example
      1. Building and Loading Firmware
      2. A First Glance at the Communication
      3. Capturing a Trace
      4. From Trace to Attack
    4. Summary
  17. Chapter 10: Splitting the Difference: Differential Power Analysis
    1. Inside the Microcontroller
      1. Changing the Voltage on a Capacitor
      2. From Power to Data and Back
    2. Sexy XORy Example
    3. Differential Power Analysis Attack
      1. Predicting Power Consumption Using a Leakage Assumption
      2. A DPA Attack in Python
    4. Know Thy Enemy: An Advanced Encryption Standard Crash Course
      1. Attacking AES-128 Using DPA
    5. Correlation Power Analysis Attack
      1. Correlation Coefficient
      2. Attacking AES-128 Using CPA
      3. Communicating with a Target Device
      4. Oscilloscope Capture Speed
    6. Summary
  18. Chapter 11: Gettin’ Nerdy with It: Advanced Power Analysis
    1. The Main Obstacles
      1. More Powerful Attacks
    2. Measuring Success
      1. Success Rate–Based Metrics
      2. Entropy-Based Metrics
      3. Correlation Peak Progression
      4. Correlation Peak Height
    3. Measurements on Real Devices
      1. Device Operation
      2. The Measurement Probe
      3. Determining Sensitive Nets
      4. Automated Probe Scanning
      5. Oscilloscope Setup
    4. Trace Set Analysis and Processing
      1. Analysis Techniques
      2. Processing Techniques
      3. Deep Learning Using Convolutional Neural Networks
    5. Summary
  19. Chapter 12: Bench Time: Differential Power Analysis
    1. Bootloader Background
      1. Bootloader Communications Protocol
      2. Details of AES-256 CBC
      3. Attacking AES-256
    2. Obtaining and Building the Bootloader Code
    3. Running the Target and Capturing Traces
      1. Calculating the CRC
      2. Communicating with the Bootloader
      3. Capturing Overview Traces
      4. Capturing Detailed Traces
    4. Analysis
      1. Round 14 Key
      2. Round 13 Key
    5. Recovering the IV
      1. What to Capture
      2. Getting the First Trace
      3. Getting the Rest of the Traces
      4. Analysis
    6. Attacking the Signature
      1. Attack Theory
      2. Power Traces
      3. Analysis
      4. All Four Bytes
    7. Peeping at the Bootloader Source Code
      1. Timing of Signature Check
    8. Summary
  20. Chapter 13: No Kiddin’: Real-Life Examples
    1. Fault Injection Attacks
      1. PlayStation 3 Hypervisor
      2. Xbox 360
    2. Power Analysis Attacks
      1. Philips Hue Attack
    3. Summary
  21. Chapter 14: Think of the Children: Countermeasures, Certifications, and Goodbytes
    1. Countermeasures
      1. Implementing Countermeasures
      2. Verifying Countermeasures
    2. Industry Certifications
    3. Getting Better
    4. Summary
  22. Appendix A: Maxing Out Your Credit Card: Setting Up a Test Lab
    1. Checking Connectivity and Voltages: $50 to $500
    2. Fine-Pitch Soldering: $50 to $1,500
    3. Desoldering Through-Hole: $30 to $500
    4. Soldering and Desoldering Surface Mount Devices: $100 to $500
    5. Modifying PCBs: $5 to $700
    6. Optical Microscopes: $200 to $2,000
    7. Photographing Boards: $50 to $2,000
    8. Powering Targets: $10 to $1,000
    9. Viewing Analog Waveforms (Oscilloscopes): $300 to $25,000
      1. Memory Depth
      2. Sample Rate
      3. Bandwidth
      4. Other Features
    10. Viewing Logic Waveforms: $300 to $8,000
    11. Triggering on Serial Buses: $300 to $8,000
    12. Decoding Serial Protocols: $50 to $8,000
    13. CAN Bus Sniffing and Triggering: $50 to $5,000
    14. Ethernet Sniffing: $50
    15. Interacting Through JTAG: $20 to $10,000
      1. General JTAG and Boundary Scan
      2. JTAG Debug
    16. PCIe Communication: $100 to $1,000
    17. USB Sniffing: $100 to $6,000
    18. USB Triggering: $250 to $6,000
    19. USB Emulation: $100
    20. SPI Flash Connections: $25 to $1,000
    21. Power Analysis Measurements: $300 to $50,000
    22. Triggering on Analog Waveforms: $3,800+
    23. Measuring Magnetic Fields: $25 to $10,000
    24. Clock Fault Injection: $100 to $30,000
    25. Voltage Fault Injection: $25 to $30,000
    26. Electromagnetic Fault Injection: $100 to $50,000
    27. Optical Fault Injection: $1,000 to $250,000
    28. Positioning Probes: $100 to $50,000
    29. Target Devices: $10 to $10,000
  23. Appendix B: All Your Base Are Belong to Us: Popular Pinouts
    1. SPI Flash Pinout
    2. 0.1-Inch Headers
      1. 20-Pin Arm JTAG
      2. 14-Pin PowerPC JTAG
    3. 0.05-Inch Headers
      1. Arm Cortex JTAG/SWD
      2. Ember Packet Trace Port Connector
  24. Index

Product information

  • Title: The Hardware Hacking Handbook
  • Author(s): Colin O'Flynn
  • Release date: December 2021
  • Publisher(s): No Starch Press
  • ISBN: 9781593278748