A Fundamental Guide to Hardware Hacking
Introduction: Hardware Hacking
In a gist, hardware hacking generally means the alteration of a piece of existing hardware to utilize it in a way that was not proposed. The aim is to extract information, hack network functions, take over control of the concerned hardware, or cause it to misbehave or malfunction.
With an increase in the number of IoT products, hardware hacking has become more prominent than ever. This paves the way for ethical hardware security assessments to come into the fray to increase data and network security.
In this blog, we will be going through a brief introduction of hardware hacking, its growing importance, the must-know terminologies, different tools, as well as attack surfaces. We will also show you what you’ll need to set up your own lab.
Importance of Hardware Hacking:
The applications and benefits of Hardware Hacking are numerous. However, its main application in ethical hacking is to uncover the loopholes in order to harden access points. A few important applications of hardware hacking are:
- Ability to perform digital forensics to recover partially lost data
- Test out system security
- Recuperation of private information that is lost data, particularly In certain circumstances where you lost your accreditations like username or secret phrase.
- Performing inclined testing to empower your network security or PC credential security.
- To ensure that on-board components like debug ports, inter-chip communication, and side-channel leakages by the SoCs do not give away any critical information.
- To make sure that certain standard practices, policies, and security frameworks are taken into consideration during the development of the product by the dev teams.
Common Methods of Hardware Hacking:
There are 3 basic methods(source) of attacking a hardware target. Depending upon the type of hardware, one can choose any approach. Each particular hack requires a distinct angle of attack.
Method 1: Part/Component replacement
This type of hacking is usually experimental. Results are achieved via trial and error, and it is often used in Circuit Bending.
Method 2: Analysing inter-component communication
One of the simplest methods of hardware hacking, you connect the logic analyzer to any test point on the circuit board. The logic analyzer will then proceed to record and translate any signals to be interpreted into something useful.
Method 3: Closed or unassessable debug ports
In this method, the hacker tries to physically access the debug ports which are supposed to be inaccessible or closed. These ports include JTAG, SWD, and UART and can be accessed through disassembly of the hardware enclosure. It would help the hacker gain access to the low-level heart of a board or chip, giving visibility to things that network access typically can’t provide. One can also get complete low-level control of the system. Oftentimes, the attackers replace the original firmware with a rogue version. This attack can’t be conducted remotely.
Our bandit, Asmita, has comprehensively covered Hardware Attack surfaces in our E-book, “Hands-on Internet of Things Hacking”.
Here is a gist of the same:
SPI- SPI is a synchronous serial communication interface. It was designed primarily to communicate (transfer data) between the components located on the same PCB (Printed Circuit Board).
I2C- I2C is a synchronous serial communication interface. It is primarily used for short-distance intra-board communication.
UART- UART interface is a hardware device (physical circuit in the controller or a standalone IC) used for asynchronous serial communication. It enables the translation of data between the serial and parallel interfaces using a shift register.
JTAG- JTAG boundary scan is a perfect solution to perform the testing and debugging of chips’ physical interconnection by limiting physical access to just a few signals. Today, JTAG is used for many other applications, including in-circuit debugging, giving access to directly communicate with the memory/registers within the chip without direct external access to the system address or the data bus, and for programming devices.
SWD- SWD (Serial Wire Debug) provides the debug port by reducing the pin count to just two, the bidirectional data signal (SWDIO), and a clock signal (SWCLK) sent by the host. It provides all the normal JTAG debug and test functionality (it does not provide the boundary scan feature as in JTAG).
SCA- Side-channel attacks (SCA) exploit the information leakages in the system. The leakages can be related to timing, power, electromagnetic signals, sound, light, etc. SCA is a non-invasive and passive attack, i.e., to perform this attack, we don’t need to remove the chips to get direct access to the device’s internal components or actively tamper any of its operations.
FI- Fault injection (FI) attack is a physical attack on the device to inject the fault in the system deliberately to change its intended behavior. It can bypass system security features, change system behavior to accomplish malicious intents, or extract the secret information, key, or even firmware by analyzing the erroneous outputs.
If you’re looking for a product that can help you learn embedded Security and covers the mentioned attack surfaces from a DIY perspective, check out our IoT Security Learning Kit. This kit includes everything that you need to learn UART, I2C, SPI, JTAG, ZigBee, BLE analysis. The Lab Manual, included in the Kit, provides guidance and step by step process of performing each lab.
Setting up your own hardware lab:
One needs the necessary tools to become a proficient hardware hacker. Hence, setting up your own lab is a crucial step towards achieving the same. We will go through everything you need to know and possess to become a skillful hardware hacker.
To perform efficient hardware hacking, you first must gain a comprehensive understanding of the target. The first step before you get to attacking the target hardware is hardware recon. Recon helps in the identification of critical access points, susceptible endpoints, and loopholes.
Our Bandit, Shakir, has provided great insight in our E-book, Hands-on IoT Hacking. Here is an excerpt from the e-book talking about the basic hardware tools required for initial hardware reconnaissance
We will need some key pieces of physical equipment to perform hardware reconnaissance.
A multimeter is a very important tool for circuit probing. It will help us to test all the components and to measure resistance, voltage, and current level, and electric continuity between two points.
- A soldering iron, Solder, Flux, Tweezer, Soldering wick, Cutter, Wire stripper:
These are soldering tools, useful to add and remove the components from the PCB.
- Screwdriver set:
Necessary for disassembling the device. Nowadays, device disassembly is quite a tough job sometimes, manufacturers use tamper protection to prevent people from gaining access to internal components of the device.
- Jumper wires:
Useful to connect two devices electrically.
- Desoldering Pump/Hot Air Rework:
The Desoldering pump requires removing SMD components without destroying the PCB at a suitable temperature.
- Magnifying Glass:
Useful to see the components clearly and helps in recognizing the components model, make, and part numbers. Usually, they are written in very small sizes that are difficult to read with the naked eye.
- Vise Stand:
Useful to hold PCB while soldering or desoldering components. or while inspecting PCB.
It is critical to know about the basics of electrical components. Here is a summary of the same
- Resistor: It adds resistance between two components. It is measured in ohms.
- Capacitor: It charges and discharges in specific intervals of time and is used to stabilize the power supply in Circuit. It is measured in farad.
- Inductors: They are used for filtering and smoothing high-frequency noise in the circuit using electromagnetic discharge. It is measured in Henry.
- IC: Integrated Circuits are electronic circuits formed on a small piece of semiconducting material(usually silicon), which performs the same function as a larger circuit made from discrete components.
- LED: Light Emitting Diode.
- EEPROM (Electrically Erasable Programmable Read-Only Memory): Embedded devices use these as a means of storage.
- Crystals: These oscillate at a given frequency, similar to a timer.
- Transformers: They are used to convert voltage levels. Mostly used for converting AC mains to DC supply with some extra circuitry.
- Diodes: Used to restrict current flow in one direction.
- Relay: It is a switch that controls (open and close) circuits electromechanically.
- Microcontroller/Microprocessor: It is a tiny little computer on a single metal-oxide-semiconductor (MOS) integrated circuit (IC) chip.
- SoC (System on Chip): They can be just a Processor or Processor + memory + peripherals.
- Transister: It is used to amplify and switch the signals and electrical power.
- Battery: It converts chemical energy into electrical energy.
- Motor: It converts electrical energy into mechanical energy.
- Switch: It interrupts the current.
- PCB: Printed circuit board (PCB) is a non-conductive material with conductive lines printed or etched.
This concludes the end of this blog. If you want further insight into Hardware Hacking, we would recommend checking out our newest product, the “Hands-on IoT Hacking E-book.” It compiles everything you need to know about hardware hacking in just over 20 chapters. (link)
If you want to get your hands on the necessary tools, check out the EXPLIoT Store, where you can find everything you need to take the first step towards becoming an expert at Hardware hacking.