Riscure offers a four-day hands-on course covering the most relevant attacks on embedded systems. This is a foundation course recommended for anyone interested in security from a system-level perspective. The main focus of the course is hardware attacks, and it provides a solid primer for both of our course series: software security (Reverse Engineering, Vulnerability Identification and Software Exploitation) and hardware security (Fault Injection and Side Channel Analysis).
The concepts taught in this course are applicable to a wide range of COTS (Commercial Off The Shelf) products such as gaming consoles, IP cameras, routers and diverse IoT devices, but also to automotive ECUs (Electronic Control Units).
Through a series of practical exercises you learn how to identify relevant assets and how to discover the most likely attack paths. Your primary target is a WiFi router. You refine your attack path by discovering the tooling available to an attacker and how these tools can be used to compromise assets on your primary target. You put your new knowledge and skills to use when we discuss available defense mechanisms such as secure boot, encryption and special hardware, and their cost. Finally, you put your new knowledge and skills to the test: you attack a different target - an IP camera - and afterwards discuss defense strategies.
During the training course, by means of hands-on exercises, you will:
- Learn to identify relevant assets on your embedded systems (define assets and attack paths for different attacker profiles)
- Build best practices for securing embedded systems (how to defend them)
- Have the ability to prioritize your defence according to risk, time, cost, surface, etc. in a way that goes beyond checklists
- Perform a guided attack on the first embedded system target and practise your new knowledge and skills on a second, different embedded system. After the training you can take home this second
Day 1. Let’s get started
Typically everyone has their own answer to the question "what is an embedded system?", so we first level the field before diving into the details. Next, we introduce the concept of assets by example (e.g. keys, memory content and firmware), present a methodology for discovering attack paths and learn about attacker profiles.
During the second half of the day, we discuss the typical components present on an embedded system and in particular on your practice target (the WiFi router) and gather information to prepare for the attack phase.
Day 2. Interfaces and tooling
We go through the tooling available to an attacker and use these tools to identify the basic components present on your first target. To consolidate this knowledge you practice using the tools on your target board; you are tasked with using them initially for simple tasks such as identifying signals (e.g. VCC and GND).
In the second half of the day you learn about the interfaces available to an adversary (UART, I2C, SPI and JTAG). Sometimes these interfaces can be tricky to identify, as you will experience during a practical exercise on your target board.
Day 3. More tooling and defense mechanisms
We continue exploring interfaces such as 1-Wire and CAN bus, and briefly discuss typical network and logical interfaces (USB and Ethernet/WiFi). During the practical assignments you use the oscilloscope and learn how to extract information from signals. Finally, we dump the firmware and use software tools (such as vbindiff and binwalk) to extract interesting information from it.
During the second half of the day we put on the developer hat and discuss the options available for defense at three different system levels: hardware (e.g. glues, seals and locks), architecture/design (e.g. OTP memory) and software (e.g. encryption and obfuscation).
Day 4. Putting it all together
During the last day you apply all the knowledge and skills learned in the previous three days to a different embedded system target. This exercise consolidates your knowledge and also exposes you to a new environment. The exercise has two parts: after learning as much as possible about your new target, you first plan an attack strategy, and second, you put the developer hat back on and discuss appropriate defense mechanisms. You can take the target home and continue learning.
Which tools will we be using?
Hardware tools (a selection)
- Oscilloscope and multimeter
Software tools (a selection)
- JTAG tools (e.g. OpenOCD + GDB)
- Binary exploration tools (e.g. vbindiff, binwalk, …)
- Linux command line tools (xxd, strings, …)