Holly Williams is the Technical Director of cybersecurity firm Secarma and an ex-military security specialist. As a professional ethical hacker and all-round cybersecurity expert, Holly has incredible knowledge of the security threat landscape and helps businesses to mitigate cyber-threats.
In this blog, Holly shares some of her in-depth knowledge and gives us an introduction to hardware hacking.
Why is effective hardware security so important? In what ways can your hardware be hacked? Let’s find out.
As an ethical hacker, when I’m testing a physical device the attack surface can be very large: network services, radio-frequency input and output, on-chip debugging, exposed serial ports, memory extraction and more.
In addition, once I’ve broken into one device, the vulnerabilities I’ve found (or the access keys I’ve extracted) may be usable against every other unit of the same model. And in the real world this is exactly why an actual cybercriminal would want to hack your hardware. Pulling apart each device to gain root access is not a viable plan; compromising one device and using what it reveals to compromise all the others is a lot better for the attacker.
But before I get too deep into the topic of hardware hacking let’s go back to the basics. Here’s a quick look at attack-surface terminology you need to know to really understand this topic.
Exposed network services on the device can be compromised. The flaw could be something as simple as outdated software, or as involved as a blind command injection (one where your injected command runs but its output is never shown to you, so you confirm it through side effects such as a delay or an outbound connection).
It’s also worth pointing out that hardware hacking can inform web app hacking. For example, if I wanted to exploit a command injection vulnerability in the administrative web interface of a device, having the source code of the application makes it much easier to find where user input reaches a shell. And certain hardware hacking techniques, such as the memory extraction described later in this post, can recover that source code.
Devices don’t only communicate over cables or common protocols like Wi-Fi – there are other ways! And each of them is another route for attackers to take advantage of poor security. In the context of hardware hacking you may come across BLE (Bluetooth Low Energy), ZigBee and FM RDS (Radio Data System, the data subcarrier carried on FM broadcasts).
Attacking RF communications can be done with an SDR (software-defined radio), a transceiver whose modulation and demodulation are done in software, so one device can speak many different protocols. You might also see the term USRP™ (Universal Software Radio Peripheral), which is Ettus Research’s line of SDRs. These transceivers aren’t necessarily as large as you might expect; pictured below is an Ettus B200mini USRP (70 MHz – 6 GHz), minus its antennas.
A USRP B200mini-i by Ettus Research.
Many devices have on-board, or ‘on-chip’, methods of testing them. If you’re a manufacturer, they enable you to test whether the product was made correctly or if you’ve made a batch of duds. Plus, if a customer returns some devices to you saying they’re broken, on-board methods allow you to test if and how they are broken.
However, although on-board or on-chip interfaces are useful to the manufacturer, they can make breaking into the device a lot easier for an attacker.
In this context we’re talking about things like JTAGing. JTAG (Joint Test Action Group) refers to a standard for verifying and testing devices. Usually when it’s used in the context of hardware hacking you’ll hear things like “JTAG port”, which can be a little misleading.
The JTAG standard (IEEE 1149.1) doesn’t define any kind of connector. It defines a serial test-access protocol for talking to chips over a handful of signals (TCK, TMS, TDI, TDO and optionally TRST), and chip vendors layer debugging features such as halting the CPU and reading memory on top of it. On a board it can often be found as a group of pins or test points set off to one side. Alternatively, it may only be reachable by clipping directly onto the pins of the microcontroller. Below is an example of a JTAG header, neatly exposed on a board as a set of pins.
An example device showing a neat collection of pins for JTAG in red, and also a neat collection of pins for UART in yellow.
Serial connections, or UART (Universal Asynchronous Receiver/Transmitter), are on-board connections which let you see what the device is up to and sometimes supply input to it. The term is generic for serial input/output, but in this context it usually means a console: a transmit pin, a receive pin and ground, over which the bootloader and operating system print text-based output.
You can often hook into the device with a USB-to-UART adapter (one that matches the board’s logic level, most commonly 3.3 V, since a 5 V adapter can damage the target) and use a terminal emulator such as PuTTY to interact with the running operating system or receive debugging output. You also need the right baud rate: if the output is garbage, try the common rates, with 115200 being the usual first guess.
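Working out the baud rate is usually the first obstacle at a UART, because the wrong rate turns the console into framing garbage. The following is an added example (not code from the original post or from Secarma) showing the heuristic most baud-detection tools use: read a burst of bytes at each common rate, keep the rate whose bytes look like text, then scan that text for prompts which show the port accepts input rather than just printing debug output. The three captures are constructed for the demo; `capture_at()` is an assumed pyserial wrapper for a real adapter and is not exercised here.

```python
"""Pick the right UART baud rate from captures and spot interactive prompts."""
import re

# Constructed captures: what a USB-to-UART adapter returns from the same TX pin
# at three candidate baud rates. Only the correct rate yields readable text;
# the others produce framing garbage (0x00, 0xFF and high-bit bytes).
CAPTURES = {
    9600: b"\xff\x00\xfe\x80\xc0\xe0\xf8\x00\xff\xfc\x00\x80\xc6\x00\xff\xf0",
    57600: b"\x9c\xe6\xf3\x00\x00\xf8\x7f\x1e\xc0\x00\x3c\xf0\x00\xff\x81\x00",
    115200: (b"U-Boot 2014.04 (Jan 01 2018 - 00:00:00)\r\n\r\n"
             b"DRAM:  64 MiB\r\nHit any key to stop autoboot:  3\r\n"),
}

COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}   # ASCII text plus tab/CR/LF

# Lines that mean the port accepts input, not just debug output.
PROMPTS = [
    (re.compile(rb"Hit any key to stop autoboot"), "U-Boot autoboot can be interrupted"),
    (re.compile(rb"^(\S*)\s*login:", re.M), "Linux login prompt"),
    (re.compile(rb"^(=>|#|\$)\s*$", re.M), "shell prompt"),
]


def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (0.0 for an empty read)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def pick_baud(captures, threshold=0.9):
    """Return the baud rate whose capture looks like text, or None if none does.

    None means wrong pins (e.g. you are on the target's RX), wrong logic level,
    or a non-text protocol; no amount of baud guessing fixes those.
    """
    best = max(captures, key=lambda baud: text_score(captures[baud]))
    return best if text_score(captures[best]) >= threshold else None


def find_prompts(data: bytes):
    """Describe every known prompt present in the captured console text."""
    return [desc for pat, desc in PROMPTS if pat.search(data)]


def capture_at(port: str, baud: int, nbytes: int = 256, seconds: float = 2.0) -> bytes:
    """Read from a real adapter with pyserial (assumed installed); not run in the demo."""
    import serial  # pyserial; port is e.g. "/dev/ttyUSB0" or "COM3"
    with serial.Serial(port, baud, timeout=seconds) as s:
        return s.read(nbytes)


if __name__ == "__main__":
    # On real hardware: CAPTURES = {b: capture_at("/dev/ttyUSB0", b) for b in COMMON_BAUDS}
    baud = pick_baud(CAPTURES)
    print("best guess:", baud)
    if baud:
        print(CAPTURES[baud].decode())
        for hint in find_prompts(CAPTURES[baud]):
            print("->", hint)
```

Capture a few hundred bytes at each rate while the board boots (power-cycle it between reads); boot output is long enough to score, whereas an idle console gives you nothing at any rate.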
Many devices have storage chips on-board (SPI NOR flash, NAND or eMMC) whose contents you may be able to extract. That doesn’t necessarily mean those contents will be readable: the firmware may be encrypted, so there may be additional work to do, such as extracting the encryption key from elsewhere on the device.
Sometimes, however, you can access the storage chip, interact with it to dump its contents (on many boards a SPI flash can be read in-circuit with a test clip and a programmer) and then look at the software the system runs. You might even be able to modify the image directly and write it back, allowing you to change access keys, expose services such as telnet/ssh, or disable firewalls such as iptables on embedded Linux systems.
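Before you can read or patch a dump you need to know what is in it and whether it is encrypted. Here is an added example (not the post’s or Secarma’s code) that performs the two first-pass checks a tester runs on a raw flash image: scan for the magic bytes of common formats, validating the uImage header CRC so a chance match is flagged, and measure Shannon entropy per block, so that a high-entropy region with no known header in front of it stands out as the “dumped but not readable” case from the paragraph above. The 512 KiB image is constructed in `build_sample_dump()` and stands in for a real dump; on a real one, read the file and pass its bytes to `find_signatures()` and `classify()`.

```python
"""Triage a raw flash dump: find known headers and map entropy per block."""
import hashlib
import math
import struct
import zlib
from collections import Counter

BLOCK = 0x8000  # entropy is measured per 32 KiB block

# Magic bytes that start headers common in embedded Linux flash. Short magics
# match by chance in random-looking data, which is why binwalk also validates
# header fields; uimage_header_ok() below does that for uImage.
SIGNATURES = [
    (b"\x27\x05\x19\x56", "uImage header"),
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"\x85\x19\x03\x20", "JFFS2 cleanmarker (little-endian)"),
    (b"\x1f\x8b\x08\x00", "gzip stream (FLG=0)"),
    (b"\x5d\x00\x00\x80\x00", "LZMA stream (8 MiB dictionary)"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def uimage_header_ok(image: bytes, off: int) -> bool:
    """ih_hcrc is CRC32 over the 64-byte header with the CRC field itself zeroed."""
    hdr = image[off:off + 64]
    if len(hdr) < 64:
        return False
    stored = struct.unpack(">I", hdr[4:8])[0]
    return zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == stored


def find_signatures(image: bytes):
    """Return (offset, description) for every signature match in the dump."""
    hits = []
    for magic, name in SIGNATURES:
        start = 0
        while (off := image.find(magic, start)) != -1:
            desc = name
            if name == "uImage header" and not uimage_header_ok(image, off):
                desc += " (bad CRC: probably a false positive)"
            hits.append((off, desc))
            start = off + 1
    return sorted(hits)


def classify(image: bytes, block: int = BLOCK):
    """Label each block. High entropy with no header ahead of it is the
    'encrypted, or a compression we have no signature for' case."""
    header_blocks = {off - off % block for off, _ in find_signatures(image)}
    labels, inside_known = [], False
    for off in range(0, len(image), block):
        h = shannon_entropy(image[off:off + block])
        if h < 0.5:
            label, inside_known = "padding / erased flash", False
        elif h < 7.0:
            label, inside_known = "low entropy: code, text or uncompressed data", False
        elif off in header_blocks:
            label, inside_known = "high entropy after a known header: compressed", True
        elif inside_known:
            label = "high entropy: continuation of the compressed region"
        else:
            label = "high entropy, no header: encrypted or unknown format"
        labels.append((off, round(h, 3), label))
    return labels


def _stream(label: bytes, n: int) -> bytes:
    """Deterministic random-looking bytes standing in for ciphertext or compressed data."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_dump() -> bytes:
    """Constructed 512 KiB dump (not a real device): uImage kernel, SquashFS rootfs
    padded with 0xFF, an unexplained high-entropy region, then erased space."""
    filler = b"Linux version 4.9 (builder@host) kernel text and data "   # low entropy
    body = (filler * (0x20000 // len(filler) + 1))[:0x20000 - 64]
    hdr = struct.pack(">7I4B32s", 0x27051956, 0, 0, len(body), 0x80000000, 0x80000000,
                      zlib.crc32(body), 5, 7, 2, 0, b"constructed-kernel")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]   # fill in ih_hcrc
    rootfs = (b"hsqs" + _stream(b"squashfs", 0x18000 - 4)).ljust(0x20000, b"\xff")
    mystery = _stream(b"encrypted-config", 0x20000)
    return hdr + body + rootfs + mystery + b"\xff" * 0x20000


if __name__ == "__main__":
    dump = build_sample_dump()   # on a real job: dump = open("flash.bin", "rb").read()
    for off, desc in find_signatures(dump):
        print(f"0x{off:06x}  {desc}")
    for off, h, label in classify(dump):
        print(f"0x{off:06x}  {h:5.2f}  {label}")
```

Compressed and encrypted data both score close to 8 bits per byte, so entropy alone cannot tell them apart; the header scan is what separates the two, and a region that is high-entropy with nothing recognisable in front of it is where the key-extraction work starts.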
Worried about your hardware security?
Our team of in-house experts are here to help you get your cybersecurity up to scratch. Call our security specialist now on 0800 093 3901 or explore our range of secure solutions.