SlideShare a Scribd company logo

CheapSCAte: Attacking IoT with less than $60

Riscure
Riscure

A presentation by Riscure's Rafael Boix Carpi on the topic of hardware attacks and why some of them are not high-end or improbable anymore.

Technology
1 of 48
Download to read offline
SESSION ID: #RSAC Rafael Boix Carpi CHEAPSCATE: ATTACKING IOT WITH LESS THAN $60 MBS-W02 Principal Trainer & Security Specialist Riscure
#RSAC A BRIEF STORY ABOUT A HARDWARE CTF AND IOT
# R S A C 2017: 8.4 BILLION “THINGS” CONNECTED TO INTERNET A brief story about a hardware CTF
# R S A C A brief story about a hardware CTF The typical IoT device is quite cheap but does a lot of stuff Heart of the device: general purpose microcontroller (MCU) TON of features for extremely low $$$ WiFi / Bluetooth / memory / USB / … Lots of interfaces & sensors Devkit packed with peripherals typically < 20$
# R S A C A brief story about a hardware CTF GENERAL PURPOSE MCUs ARE NOT SECURE AGAINST SCA AND FI ATTACKS
# R S A C
# R S A C A brief story about a hardware CTF GENERAL PURPOSE MCUs ARE NOT SECURE AGAINST SCA AND FI ATTACKS
# R S A C 8 A brief history
# R S A C A brief story about a hardware CTF Lots of people solved the software challenges But very few attempted the SCA and FI challenges  Typical reasons given: “The SCA equipment is very expensive” “SCA and FI are too difficult” “These attacks are only for evaluation labs” “I’m allergic to mathematics” “I will destroy my device”
# R S A C A brief story about a hardware CTF My goals today You will learn that SCA is affordable for everyone You will learn that FI is affordable for everyone If you are an IoT developer, and: you handle sensitive info you believe these attacks don’t apply to you you don’t try these attacks you don’t learn how to defend THEN you WILL get hacked: please do something!!
# R S A C Rules of the game In order to prove the point, I will use the following rules: Cheapest tooling I could find Generic for (almost any) target Using Open Source Software only Result reproducible by a script-kiddie profile
#RSAC SIDE-CHANNEL ANALYSIS: THEORY AND APPLICATION Let’s break an AES implementation!
# R S A C SCA: theory and application Challenge: Piece of SCAke (available on riscure.com/Github) Goal Get the AES key from the device Info The device performs AES encryption of a message Then replies the encrypted message Plain text Encrypted
# R S A C SCA: theory and application The attack works with any crypto implementation You just need to have the device at reach
# R S A C SCA in a nutshell 1 – Talk or listen to a device doing crypto (e.g. AES) 2 – Measure power consumption of device doing crypto 3 – SCA program computes math with collected data 4 – You get the crypto key
# R S A C SCA steps in practice(attacker) Trace acquisition Signal processing Leakage detection (optional) Attack key
# R S A C SCA steps in practice(attacker) Trace acquisition Signal processing Leakage detection (optional) Attack key: CPA How do I get traces?
# R S A C Measuring power from an embedded device Computer Resistor or Current Probe Power measurement Power trace: - Measured power - I/O data
# R S A C Measuring power in an embedded device This approach has some issues There are other “more efficient” ways to measure power (current probe, EM, …) but we will not see them today… Ri  Embedded chip Because a resistor is CHEAP!! (<$0.01) gnd line
# R S A C Cost of the SCA setup Resistor US$ 0.01 Scavenged USB cable Free USB soldering iron US$ 4.64, free shipping! Comes with tin! It actually works! AMAZING! Hantek 6022BE “oscilloscope” US$ 53.32, free shipping! Comes with probes and cables! USB to serial cable US$ 1.10, free shipping! Total new hardware cost: US$ 59.07
# R S A C DEMO TIME Demo time
# R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key Improve signal?
# R S A C Signal processing: alignment In order to do math, we need to compare “apples to apples” IoT things typically have LEDs that blink when busy The RHMe board has a blinky LED that is ON when busy Let’s align measurements with the LED activity align
# R S A C DEMO TIME Demo time
# R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key: CPA Does it leak?
# R S A C Does it leak? You can use any tool (e.g R, SciPy, Octave, …) to compute statistics Useful statistic to find info leakage: Welch T-test This test shows if I can tell apart random messages from a fixed one
# R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key Profit?
# R S A C Warning: math ahead! I will explain the attack a bit in depth If you don’t get it now, don’t worry: • SCA programs have everything implemented • run the scripts and check results • check later the presentation until it becomes clear
# R S A C S-box S-box S-box Input 128bit AES key S-box S-box S-box 128 bits 128 bits 8 bits8 bits8 bits8 bits8 bits8 bits Next operations… ………………. (16 boxes) + CPA attack: divide and conquer! Sub-keys in AES • are used independently • can be attacked separately Bruteforce key: 2128 tries Divide and conquer 16*28 = 212 = 4096 tries We reduce from 2128 to 4096!!!
# R S A C CPA attack: divide and conquer! Modern ciphers are fully public If we guess part of the key, we can rebuild part of the internals Can we check if the values we rebuild match device behavior?
# R S A C The CPA attack
# R S A C Demo time
# R S A C Side-Channel Analysis takeaways SCA Takeaway 1: homebrew SCA is dirt-cheap and allows scalable attacks Total cost for presented setup: <US$60 Q: What about time? 2 full days for first attack * 1.8 days fighting the “scope” & drivers & OSS 0.1 days to build the physical setup (removing caps) 0.1 days to build an OSS SCA setup & measure *Note: if you spend US$150 in a decent scope, time is ~2 hours. With professional tools: <2 minutes Q: What about repeating the attack with same setup? 2 minutes!! Result: full key retrieval & scalable attack SCA Takeaway 2: Open-Source Software SCA setup complexity for IoT-like devices is minimal
#RSAC FAULT INJECTION: THEORY AND APPLICATION Let’s break a security check implementation!
# R S A C Challenge: FIesta Goal Unlock the device Info The device boots And then keeps saying “Lock” forever Lock Lock Lock Lock …
# R S A C Hypothesis Guess is that the code in the board is similar to this: boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
# R S A C Hypothesis What would you glitch here? boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
# R S A C Attack plan What did I glitch: boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
# R S A C How to generate a glitch 101 Simplest FI attack I can think of: VCC glitching Clock of the MCU in the RHMe2 board is 16MHz 1clk = 62.5ns Hopefully timing won’t be an issue Brainstorm for FI setup MCU, a transistor and two PSUs MCU with DAC attached a buffer MCU with multiplexer chip and a buffer ….
# R S A C CheapoGlitcher Free development board I got with ARM MCU@ 180MHz If you want to buy a similar board, it is ~US$ 15 GPIO pins can be driven @ 90MHz max 11ns glitch  fast enough GPIO supplies enough current to power up the IoT board I’m just going to toggle the GPIO at different instants Will it even work?
# R S A C CheapoGlitcher: will it work? 5 hours of high-caffeine drinks in the SHA2017 Amsterdam conference: 100% success rate
# R S A C CheapoGlitcher unexpected result
# R S A C Fault Injection (FI) takeaways FI Takeaway 1:you can glitch general purpose MCUs with almost anything RHMe2: 100% reproducibility, uber-cheap stuff and 5 hours of effort FI Takeaway 2: countermeasures for FI is a must Attack was possible due to the infinite loop: free unlimited retries Think about your implementation: do you have such a structure?
#RSAC CONCLUSION & TAKEAWAYS
# R S A C Conclusion My goals today SCA is affordable for everyone  FI is affordable for everyone 
# R S A C Conclusion My goals today Developer: should you do something? Do you know the answer for these questions? Is my security going to be somehow bypassed with FI? Are any of my secrets going to leak with SCA?
# R S A C Apply: what you should do after this talk 1. Understand threat Learn how SCA/FI attacks work (read papers or take a training) Try the attacks yourself! 2. Develop a solution Remember: current attacks can be way more advanced than what was presented here Effective countermeasures include multiple levels — Software — Hardware — Protocols Try design patterns as described in documents here: https://www.riscure.com/gocheap/ 3. Verify Design != Implementation  vulnerabilities are more persistent than you think Independent testing avoids blind spots  security evaluation labs can help
# R S A C Questions? Rafael Boix Carpi Principal Trainer & Security Specialist boixcarpi@riscure.com http://www.riscure.com

Recommended

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware WalletsRiscure
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 

Recommended

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware WalletsRiscure
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesRiscure
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionRiscure
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureAdaCore
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesIan Kluft
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Ollie Whitehouse
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
L27
L27L27
L27NathannyabvureMapisa
 
Gone in a flash pdf
Gone in a flash pdfGone in a flash pdf
Gone in a flash pdfAndrewRJamieson
 
Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration EnergySec
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation Cysinfo Cyber Security Community
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecuritySynopsys Software Integrity Group
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 

More Related Content

What's hot

BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionRiscure
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureAdaCore
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesIan Kluft
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in PerlIan Kluft
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Ollie Whitehouse
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Sherif Koussa
 
Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration EnergySec
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CanSecWest
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 

What's hot (20)

BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
 
Securing a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devicesSecuring a Raspberry Pi and other DIY IoT devices
Securing a Raspberry Pi and other DIY IoT devices
 
Secure Coding in Perl
Secure Coding in PerlSecure Coding in Perl
Secure Coding in Perl
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
Security Code Review: Magic or Art?
Security Code Review: Magic or Art?Security Code Review: Magic or Art?
Security Code Review: Magic or Art?
 
L27
L27L27
L27
 
Gone in a flash pdf
Gone in a flash pdfGone in a flash pdf
Gone in a flash pdf
 
Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration Understanding Hacker Tools and Techniques: A live Demonstration
Understanding Hacker Tools and Techniques: A live Demonstration
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 

Similar to CheapSCAte: Attacking IoT with less than $60

Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbSeunghun han
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllersardiri
 
NSTA 2013 Denver - ArduBlock and Arduino
NSTA 2013 Denver - ArduBlock and ArduinoNSTA 2013 Denver - ArduBlock and Arduino
NSTA 2013 Denver - ArduBlock and ArduinoBrian Huang
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matterDESMOND YUEN
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityChris Sistrunk
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Bitcoin hardware wallets security
Bitcoin hardware wallets securityBitcoin hardware wallets security
Bitcoin hardware wallets securityEric Larcheveque
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Seungjoo Kim
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 

Similar to CheapSCAte: Attacking IoT with less than $60 (20)

Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
HITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad UsbHITBSecConf 2016-Create Your Own Bad Usb
HITBSecConf 2016-Create Your Own Bad Usb
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a Hacker
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 
NSTA 2013 Denver - ArduBlock and Arduino
NSTA 2013 Denver - ArduBlock and ArduinoNSTA 2013 Denver - ArduBlock and Arduino
NSTA 2013 Denver - ArduBlock and Arduino
 
Wi fi-security-the-details-matter
Wi fi-security-the-details-matterWi fi-security-the-details-matter
Wi fi-security-the-details-matter
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Bitcoin hardware wallets security
Bitcoin hardware wallets securityBitcoin hardware wallets security
Bitcoin hardware wallets security
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 

More from Riscure

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyRiscure
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisRiscure
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsRiscure
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure IntroductionRiscure
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AESRiscure
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passportsRiscure
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsRiscure
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCERiscure
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresRiscure
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Riscure
 

More from Riscure (12)

PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cards
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCE
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding Countermeasures
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

CheapSCAte: Attacking IoT with less than $60

  • 1. SESSION ID: #RSAC Rafael Boix Carpi CHEAPSCATE: ATTACKING IOT WITH LESS THAN $60 MBS-W02 Principal Trainer & Security Specialist Riscure
  • 2. #RSAC A BRIEF STORY ABOUT A HARDWARE CTF AND IOT
  • 3. # R S A C 2017: 8.4 BILLION “THINGS” CONNECTED TO INTERNET A brief story about a hardware CTF
  • 4. # R S A C A brief story about a hardware CTF The typical IoT device is quite cheap but does a lot of stuff Heart of the device: general purpose microcontroller (MCU) TON of features for extremely low $$$ WiFi / Bluetooth / memory / USB / … Lots of interfaces & sensors Devkit packed with peripherals typically < 20$
  • 5. # R S A C A brief story about a hardware CTF GENERAL PURPOSE MCUs ARE NOT SECURE AGAINST SCA AND FI ATTACKS
  • 6. # R S A C
  • 7. # R S A C A brief story about a hardware CTF GENERAL PURPOSE MCUs ARE NOT SECURE AGAINST SCA AND FI ATTACKS
  • 8. # R S A C 8 A brief history
  • 9. # R S A C A brief story about a hardware CTF Lots of people solved the software challenges But very few attempted the SCA and FI challenges  Typical reasons given: “The SCA equipment is very expensive” “SCA and FI are too difficult” “These attacks are only for evaluation labs” “I’m allergic to mathematics” “I will destroy my device”
  • 10. # R S A C A brief story about a hardware CTF My goals today You will learn that SCA is affordable for everyone You will learn that FI is affordable for everyone If you are an IoT developer, and: you handle sensitive info you believe these attacks don’t apply to you you don’t try these attacks you don’t learn how to defend THEN you WILL get hacked: please do something!!
  • 11. # R S A C Rules of the game In order to prove the point, I will use the following rules: Cheapest tooling I could find Generic for (almost any) target Using Open Source Software only Result reproducible by a script-kiddie profile
  • 12. #RSAC SIDE-CHANNEL ANALYSIS: THEORY AND APPLICATION Let’s break an AES implementation!
  • 13. # R S A C SCA: theory and application Challenge: Piece of SCAke (available on riscure.com/Github) Goal Get the AES key from the device Info The device performs AES encryption of a message Then replies the encrypted message Plain text Encrypted
  • 14. # R S A C SCA: theory and application The attack works with any crypto implementation You just need to have the device at reach
  • 15. # R S A C SCA in a nutshell 1 – Talk or listen to a device doing crypto (e.g. AES) 2 – Measure power consumption of device doing crypto 3 – SCA program computes math with collected data 4 – You get the crypto key
  • 16. # R S A C SCA steps in practice(attacker) Trace acquisition Signal processing Leakage detection (optional) Attack key
  • 17. # R S A C SCA steps in practice(attacker) Trace acquisition Signal processing Leakage detection (optional) Attack key: CPA How do I get traces?
  • 18. # R S A C Measuring power from an embedded device Computer Resistor or Current Probe Power measurement Power trace: - Measured power - I/O data
  • 19. # R S A C Measuring power in an embedded device This approach has some issues There are other “more efficient” ways to measure power (current probe, EM, …) but we will not see them today… Ri  Embedded chip Because a resistor is CHEAP!! (<$0.01) gnd line
  • 20. # R S A C Cost of the SCA setup Resistor US$ 0.01 Scavenged USB cable Free USB soldering iron US$ 4.64, free shipping! Comes with tin! It actually works! AMAZING! Hantek 6022BE “oscilloscope” US$ 53.32, free shipping! Comes with probes and cables! USB to serial cable US$ 1.10, free shipping! Total new hardware cost: US$ 59.07
  • 21. # R S A C DEMO TIME Demo time
  • 22. # R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key Improve signal?
  • 23. # R S A C Signal processing: alignment In order to do math, we need to compare “apples to apples” IoT things typically have LEDs that blink when busy The RHMe board has a blinky LED that is ON when busy Let’s align measurements with the LED activity align
  • 24. # R S A C DEMO TIME Demo time
  • 25. # R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key: CPA Does it leak?
  • 26. # R S A C Does it leak? You can use any tool (e.g R, SciPy, Octave, …) to compute statistics Useful statistic to find info leakage: Welch T-test This test shows if I can tell apart random messages from a fixed one
  • 27. # R S A C General steps for SCA Trace acquisition Signal processing Leakage detection (optional) Attack key Profit?
  • 28. # R S A C Warning: math ahead! I will explain the attack a bit in depth If you don’t get it now, don’t worry: • SCA programs have everything implemented • run the scripts and check results • check later the presentation until it becomes clear
  • 29. # R S A C S-box S-box S-box Input 128bit AES key S-box S-box S-box 128 bits 128 bits 8 bits8 bits8 bits8 bits8 bits8 bits Next operations… ………………. (16 boxes) + CPA attack: divide and conquer! Sub-keys in AES • are used independently • can be attacked separately Bruteforce key: 2128 tries Divide and conquer 16*28 = 212 = 4096 tries We reduce from 2128 to 4096!!!
  • 30. # R S A C CPA attack: divide and conquer! Modern ciphers are fully public If we guess part of the key, we can rebuild part of the internals Can we check if the values we rebuild match device behavior?
  • 31. # R S A C The CPA attack
  • 32. # R S A C Demo time
  • 33. # R S A C Side-Channel Analysis takeaways SCA Takeaway 1: homebrew SCA is dirt-cheap and allows scalable attacks Total cost for presented setup: <US$60 Q: What about time? 2 full days for first attack * 1.8 days fighting the “scope” & drivers & OSS 0.1 days to build the physical setup (removing caps) 0.1 days to build an OSS SCA setup & measure *Note: if you spend US$150 in a decent scope, time is ~2 hours. With professional tools: <2 minutes Q: What about repeating the attack with same setup? 2 minutes!! Result: full key retrieval & scalable attack SCA Takeaway 2: Open-Source Software SCA setup complexity for IoT-like devices is minimal
  • 34. #RSAC FAULT INJECTION: THEORY AND APPLICATION Let’s break a security check implementation!
  • 35. # R S A C Challenge: FIesta Goal Unlock the device Info The device boots And then keeps saying “Lock” forever Lock Lock Lock Lock …
  • 36. # R S A C Hypothesis Guess is that the code in the board is similar to this: boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
  • 37. # R S A C Hypothesis What would you glitch here? boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
  • 38. # R S A C Attack plan What did I glitch: boolean unlocked=false; boot_CPU_and_IO(); while(1){ unlocked=do_some_check(); if(unlocked){ print(secret); } else{ print(“Lock”); } }
  • 39. # R S A C How to generate a glitch 101 Simplest FI attack I can think of: VCC glitching Clock of the MCU in the RHMe2 board is 16MHz 1clk = 62.5ns Hopefully timing won’t be an issue Brainstorm for FI setup MCU, a transistor and two PSUs MCU with DAC attached a buffer MCU with multiplexer chip and a buffer ….
  • 40. # R S A C CheapoGlitcher Free development board I got with ARM MCU@ 180MHz If you want to buy a similar board, it is ~US$ 15 GPIO pins can be driven @ 90MHz max 11ns glitch  fast enough GPIO supplies enough current to power up the IoT board I’m just going to toggle the GPIO at different instants Will it even work?
  • 41. # R S A C CheapoGlitcher: will it work? 5 hours of high-caffeine drinks in the SHA2017 Amsterdam conference: 100% success rate
  • 42. # R S A C CheapoGlitcher unexpected result
  • 43. # R S A C Fault Injection (FI) takeaways FI Takeaway 1:you can glitch general purpose MCUs with almost anything RHMe2: 100% reproducibility, uber-cheap stuff and 5 hours of effort FI Takeaway 2: countermeasures for FI is a must Attack was possible due to the infinite loop: free unlimited retries Think about your implementation: do you have such a structure?
  • 45. # R S A C Conclusion My goals today SCA is affordable for everyone  FI is affordable for everyone 
  • 46. # R S A C Conclusion My goals today Developer: should you do something? Do you know the answer for these questions? Is my security going to be somehow bypassed with FI? Are any of my secrets going to leak with SCA?
  • 47. # R S A C Apply: what you should do after this talk 1. Understand threat Learn how SCA/FI attacks work (read papers or take a training) Try the attacks yourself! 2. Develop a solution Remember: current attacks can be way more advanced than what was presented here Effective countermeasures include multiple levels — Software — Hardware — Protocols Try design patterns as described in documents here: https://www.riscure.com/gocheap/ 3. Verify Design != Implementation  vulnerabilities are more persistent than you think Independent testing avoids blind spots  security evaluation labs can help
  • 48. # R S A C Questions? Rafael Boix Carpi Principal Trainer & Security Specialist boixcarpi@riscure.com http://www.riscure.com