Finding the Needle in the Hardware Haystack - Identifying and Exploiting Vulnerabilities
via YouTube
Overview
Syllabus
Intro
What is the focus of today's talk? Today we are talking about why reverse engineering of embedded hardware systems is an important part of a security program. We discuss the current state of hardware and embedded RE security testing, and why your organization should invest time and resources into performing this work.
Is embedded device security a new problem? No, but the risk is now increasing with the staggering number of new embedded devices being deployed in organizations.
Problem - No Standards for Embedded RE Testing. Hardware reverse engineering has become a new service offering for many security consulting companies that also perform penetration testing services, but the work performed currently does not follow a defined standard for hardware reverse engineering.
Network Penetration Tests vs Hardware Security Testing
What is the risk to your organization? When we look at the hardware security problem we tend to associate several risks to an organization if these systems are compromised. They include:
Defining the Testing Process. We feel that the community needs to define a standard on how to properly RE hardware and embedded devices.
Pre-Engagement Interactions. First ensure that your legal department has reviewed your testing plan and given approval for testing of the devices. Establish Rules of Engagement and scope.
Intelligence Gathering. During this phase we gather data regarding our device, the chips, and any firmware on the device. We also need to document how the device looks prior to disassembly: spec sheet research and schematic download; photograph the device prior to and during disassembly.
Phase 3: Threat Modeling Process. This phase helps you narrow your testing focus by identifying potential targets. It should include business process reviews, threat intel analysis, and threat capability analysis: which components pose the greatest risk of being compromised?
Vulnerability Assessment. During this phase we test both the hardware and the software for potential vulnerabilities. This can include: solder jumpers on the board (as needed); extract data from flash chips (SPI, EEPROM, etc.).
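As an added example, not part of the talk, here is a small Python triage script for a raw dump pulled off a flash chip in this phase. It maps erased, plain/structured and high-entropy (likely encrypted or compressed) regions by per-block Shannon entropy, and pulls out printable strings whose names suggest stored credentials, which is what an assessor reviews first when deciding whether the device stores secrets in the clear. The sample image, block size and entropy threshold are constructed assumptions for illustration.

```python
"""Triage of a raw flash dump: entropy map plus credential-looking strings.

Added example (not from the talk). The sample image is constructed inline so
the script runs offline; BLOCK_SIZE and HIGH_ENTROPY are assumed values.
"""
import math
import random
import re

BLOCK_SIZE = 1024      # assumed triage granularity (1 KiB blocks)
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or compressed data sits near 8.0, text well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(block: bytes) -> str:
    """Label a block as erased flash, high-entropy, or plain/structured data."""
    if block.count(0xFF) == len(block) or block.count(0x00) == len(block):
        return "erased/padding"
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"
    return "plain/structured"


def triage(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Walk the image block by block and return merged regions as (start, end, label)."""
    regions = []
    for off in range(0, len(image), block_size):
        label = classify_block(image[off:off + block_size])
        end = min(off + block_size, len(image))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)   # extend the current region
        else:
            regions.append((off, end, label))
    return regions


def find_strings(image: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


# Names that commonly label a stored secret; assumed heuristic, tune per engagement.
SECRET_HINT = re.compile(r"(pass|pwd|key|secret|token)", re.IGNORECASE)


def credential_candidates(image: bytes) -> list:
    """Strings whose name suggests a secret stored in the clear; review these first."""
    return [s for s in find_strings(image) if SECRET_HINT.search(s)]


def _build_sample_image() -> bytes:
    """Constructed sample dump: an erased sector, a plaintext config page, then an opaque blob."""
    erased = b"\xff" * (2 * BLOCK_SIZE)
    config = b"hostname=plc-01\nadmin_user=admin\nadmin_pass=changeme\nfw_version=1.2.3\n"
    config = config.ljust(BLOCK_SIZE, b"\x00")
    rng = random.Random(1234)   # deterministic stand-in for an encrypted/compressed blob
    blob = bytes(rng.getrandbits(8) for _ in range(2 * BLOCK_SIZE))
    return erased + config + blob


SAMPLE_IMAGE = _build_sample_image()

if __name__ == "__main__":
    for start, end, label in triage(SAMPLE_IMAGE):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
    print("credential candidates:", credential_candidates(SAMPLE_IMAGE))
```

On a real dump the regions flagged plain/structured are the ones to read through for configuration, keys and credentials, while high-entropy regions are either encrypted (a finding in itself if the key is also on the chip) or compressed filesystems to unpack separately.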
Exploitation. Physical exploitation, memory exploitation, wireless exploitation, management system exploitation, and destructive exploitation will all be avenues of attack. Develop proof-of-concept exploits against discovered vulnerabilities to demonstrate code execution and process redirection. Bypass restrictions (firewall [data diodes] or IDS, access permissions, etc.) to show that network controls can be bypassed. If push comes to shove, assess creative exploit methods (social engineering) to demonstrate the insider threat.
Post-Exploitation. During this phase we show how exploiting the device could lead to further system compromise. Other areas of interest include data exfiltration, network pivoting, destruction of the device, and DoS. Some things to think about for this phase of testing: code developed should enable persistent access to the device; code developed should enable privilege escalation on the device.
Testing Report. "Responsible Disclosure" should be performed for any 0-day discovered in a vendor's device.
HRES - A Repeatable, Measurable Process. Based on what we have outlined and tested, we feel this process is repeatable and measurable.