
Pedro Ribeiro & Radek Domanski

Hunting Zero-Days in Embedded Devices: from electrical pins to root shells


Trainer: Pedro Ribeiro & Radek Domanski

Date: 6th - 8th June 2022

Time: 9:00am to 5:30pm PDT

Venue: Delta Hotels by Marriott

Training Level: Intermediate to Advanced


Note: Regarding COVID-19 safety, Hardwear.io will seek to ensure a safe event, as the health and safety of our exhibitors, delegates, speakers, and staff will always be our number one priority. Hardwear.io will follow all applicable health regulations required by the local (Santa Clara) and government (State of California) authorities.


Training Objectives:

Hunting Zero-Days in Embedded Devices is a unique, hands-on training course that teaches students how to find and exploit vulnerabilities in embedded devices such as routers, cameras, industrial devices, televisions, microcontrollers, etc.

As a student, you will be taught the essential tips and tricks on how to debug an embedded device and extract its firmware, and you will also be taught some exploitation techniques for ARM and MIPS. But the main aim of this course is to provide students with the knowledge needed to find a zero-day vulnerability in a device and exploit it.

The course will go in depth into several classes of vulnerabilities, with practical exercises on real and emulated devices of different CPU architectures. Each vulnerability class will be described, studied and then exploited in a variety of different ways.

Students will be given unique and publicly unknown tips from the trainers, who have a proven and public track record of finding and exploiting hundreds of zero-days in embedded devices and other commercial products, as well as winning several prizes in Pwn2Own competitions.

Have you ever wondered how real hackers are finding and exploiting vulnerabilities in embedded devices? Would you like to include those methodologies into your own product security testing? Are you an enthusiast that loves taking things apart, understanding and breaking them? Or are you a security specialist in another area that wants to dip your toes into embedded device hacking?

If you answered yes to any of the above, this is the right course for you.

There are many hardware hacking and exploit development courses on the market. But none of them provide a full top-down view of how to find, understand and exploit vulnerabilities in embedded devices.

This course aims to bridge the gap between hardware hacking and exploitation, giving students the necessary knowledge they need to become product security experts, embedded device reverse engineers and / or vulnerability researchers.


Detailed Description:

Day 1: Hardware Hacking and Firmware Extraction

On the first day of the course, students will be introduced to embedded devices, which are omnipresent these days, and how to open, access and understand the hardware that they run on. Students will have an opportunity to experiment with different techniques for hardware analysis, firmware extraction and control.

  • Course Introduction
  • Embedded Device Landscape
  • Intro to Hardware Hacking, Hardware / Software Tools and Storage Media
  • Identifying and making use of debug interfaces (UART, JTAG, etc)
  • Analysing Analog and Digital Signals
  • NOR Flash firmware extraction and handling
  • NAND firmware extraction
  • eMMC firmware extraction

Day 2: Firmware Analysis and Emulation; Intro to Vulnerabilities

The second day of the course focuses on understanding how embedded devices work with regards to their firmware. Common and advanced techniques for analysing firmware will be shown, as well as approaches to identifying suitable targets for exploitation. The day will finalise with an introduction to vulnerability discovery and exploitation, which is the main focus of the third day.

  • Introduction to MIPS
  • RTOS: Loading and Analysing
  • Embedded devices file systems and formats
  • Emulating and Debugging Firmware
  • Knowing Your Target (Reconnaissance)
  • Embedded Device Fuzzing
  • Vulnerabilities Part 1: Information Leaks and Logic Flow Bypasses

Day 3: Finding and Exploiting Vulnerabilities

On the third and final day, we go full on into how we discover vulnerabilities. We will explain a generic approach and techniques that can be applied to any target, while focusing our efforts on how to find and exploit the most common vulnerability classes on embedded devices that lead to remote code execution. The vulnerabilities will be demonstrated on actual physical devices, with emulation being used where acquiring the device is hard or impossible for all students.

  • Vulnerabilities Part 2: Buffer and Integer Over / Underflows
  • Vulnerabilities Part 3: Owning Parsers
  • Vulnerabilities Part 4: Command Injection
  • Vulnerabilities Part 5: Directory Traversal
  • Vulnerabilities Part 6: Insecure Configuration, Hardcoded Accounts and Backdoors
  • Final lab: Capture-The-Flag competition on MIPS and/or ARM devices (time permitting!)

What to Expect? | Key Learning Objectives:

  • Evaluate and understand IoT device security, both hardware and software
  • Learn "old-school" techniques to facilitate security research on IoT devices
  • Break into devices using hardware and software tricks learned from years of hacking experience
  • Find and exploit vulnerabilities in IoT devices!

Who Should Attend? | Target Audience:

  • Security Researchers and Engineers
  • Embedded Device Developers
  • Product Security Managers

What to Bring? | Software and Hardware Requirements:

  • Laptop with a minimum of 8GB of RAM, with KVM or VMware installed.

What to Bring? | Prerequisite Knowledge and Skills:

  • Linux command line
  • Python and / or Ruby scripting
  • Basic assembly (any architecture)
  • Basic reverse engineering skills will be very helpful

Resources Provided at the Training | Deliverables:

  • Lab manual
  • Access to cloud based exercises
  • A selection of devices and tools to facilitate hardware hacking

ABOUT THE TRAINERS

Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 10 years of commercial experience. Pedro has found and exploited hundreds of vulnerabilities in software and hardware products. He has over 150 CVE IDs attributed to his name (most of which relate to remote code execution vulnerabilities) and has authored over 60 Metasploit modules that have been released publicly.

Besides his vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide. More information about Pedro’s publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC

Radek Domanski started his professional career 12 years ago securing large networks and systems and afterwards transitioned into offensive security. He worked on high-profile projects within the largest Internet Service Provider in Europe and in the research center of one of the world's largest telecommunications equipment companies.

Radek has found a number of critical vulnerabilities in real products and systems that are used by millions of users worldwide. Throughout his years of working on offensive product security, Radek has developed a unique methodology and honed his vulnerability hunting skills.

At the moment Radek is focusing on hardware, automotive hacking, exploitation and reverse engineering of embedded systems.

Twitter: @RabbitPro