Dennis Giese at Hardwear USA 2025

Dennis Giese
Hands-on IoT firmware extraction and flash forensics

Abstract:

Did you ever want to hack an IoT device but did not know where to start? Having UART access is nice, but in many cases it does not help.

For a complete analysis of an IoT device, you need to look at the firmware itself. In most cases this means that the firmware, data or encryption keys need to be extracted from the device's memory. Many researchers are hesitant to do that because there is a high risk of destroying the device or leaving it in an inoperable state. In this workshop we will look at different flash memory types (EEPROM, SPI flash, NAND flash, eMMC flash) and how to extract the information from them.

We will show that you do not need very expensive hardware to achieve your goal and that it is not as complicated as everyone believes. See which tools might be useful for your own lab!

Participants will have the opportunity to work in groups and will be provided with different kinds of IoT devices (smart locks, smart speakers, IP cameras). After a tear-down, you can use different chip-off methods (e.g. hot air, IR soldering) to remove the flash chip and read it out. You can also try simple ways like probing, which do not require soldering. Optionally, the tools to re-ball and re-solder the IC will be available after the workshop. In the end, each team should have the data and a functional device again.

Bonus: If you brick the device, you can keep the parts as a souvenir or can wear them as badges.
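As an added example (not workshop material or the speaker's code), here is the first pass a practitioner typically runs over a raw dump once the chip has been read out: it locates well-known image and filesystem headers and flags high-entropy blocks that are probably compressed or encrypted, so you know where firmware, data and key material sit before going deeper. The signature table, block layout and the sample dump are constructed for this example and stand in for a real SPI-flash read.

```python
import math
import random

# Magic values that commonly mark image/filesystem boundaries in IoT flash
# dumps. The table is assembled for this example; extend it for your lab.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage kernel header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI erase-block header",
    b"\x1f\x8b\x08": "gzip stream",
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: ~8.0 means compressed or encrypted, low means code/config."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_dump(dump: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Return (signature hits as (offset, name), high-entropy blocks as (offset, bits))."""
    hits = []
    for magic, name in SIGNATURES.items():
        off = dump.find(magic)
        while off != -1:
            hits.append((off, name))
            off = dump.find(magic, off + 1)
    high = []
    for off in range(0, len(dump), block_size):
        e = shannon_entropy(dump[off:off + block_size])
        if e >= threshold:
            high.append((off, round(e, 2)))
    return sorted(hits), high

def build_sample_dump() -> bytes:
    """Constructed stand-in for a 16 KiB SPI-flash read (not a vendor image)."""
    rng = random.Random(2025)  # fixed seed so the result is reproducible
    def noise(n): return bytes(rng.getrandbits(8) for _ in range(n))
    boot = b"U-Boot 2020.10 (example build)\x00".ljust(4096, b"\xff")  # erased flash reads 0xff
    kernel = b"\x27\x05\x19\x56" + b"\x00" * 4092  # uImage header, low-entropy body
    rootfs = b"hsqs" + noise(4092)                 # SquashFS content is compressed
    keys = noise(4096)                             # looks like an encrypted key blob
    return boot + kernel + rootfs + keys
```

Calling `scan_dump(build_sample_dump())` reports the uImage header at 0x1000 and the SquashFS header at 0x2000, and flags the blocks at 0x2000 and 0x3000 as high entropy; on a real dump, swap in the bytes read from the chip.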

Speaker Bio:

Dennis Giese is a researcher with a focus on the security and privacy of IoT devices. While also interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His best-known projects are the documentation and hacking of various vacuum robots. He calls himself a "robot collector", and his current vacuum robot army consists of over 60 different models from various vendors. He has talked about his research at the Chaos Communication Congress, REcon, HITCON, NULLCON, and DEFCON.