The Hardware Hacking Handbook takes you deep inside embedded devices to show how different kinds of attacks work, then guides you through each hack on real hardware. Embedded devices are chip-size microcomputers small enough to be included in the structure of the object they control, and they’re everywhere—in phones, cars, credit cards, laptops, medical equipment, even critical infrastructure. This means understanding their security is critical. The Hardware Hacking Handbook takes you deep inside different types of embedded systems, revealing the designs, components, security limits, and reverse-engineering challenges you need to know for executing effective hardware attacks. Written with wit and infused with hands-on lab experiments, this handbook puts you in the role of an attacker interested in breaking security to do good. Starting with a crash course on the architecture of embedded devices, threat modeling, and attack trees, you’ll go on to explore hardware interfaces, ports and communication protocols, electrical signaling, tips for analyzing firmware images, and more. Along the way, you’ll use a home testing lab to perform fault-injection, side-channel (SCA), and simple and differential power analysis (SPA/DPA) attacks on a variety of real devices, such as a crypto wallet. The authors also share insights into real-life attacks on embedded systems, including Sony’s PlayStation 3, the Xbox 360, and Philips Hue lights, and provide an appendix of the equipment needed for your hardware hacking lab – like a multimeter and an oscilloscope – with options for every type of budget. You’ll learn: • How to model security threats, using attacker profiles, assets, objectives, and countermeasures • Electrical basics that will help you understand communication interfaces, signaling, and measurement • How to identify injection points for executing clock, voltage, electromagnetic, laser, and body-biasing fault attacks, as well as practical injection tips • How to use timing and power analysis attacks to extract passwords and cryptographic keys • Techniques for leveling up both simple and differential power analysis, from practical measurement tips to filtering, processing, and visualization Whether you’re an industry engineer tasked with understanding these attacks, a student starting out in the field, or an electronics hobbyist curious about replicating existing work, The Hardware Hacking Handbook is an indispensable resource – one you’ll always want to have onhand. Contents 4 1: Dental Hygiene: Introduction to Embedded Security 5 Hardware Components 6 Software Components 8 Initial Boot Code 9 Bootloader 9 Trusted Execution Environment OS and Trusted Applications 10 Firmware Images 11 Main Operating System Kernel and Applications 11 Hardware Threat Modeling 11 What Is Security? 11 The Attack Tree 14 Profiling the Attackers 14 Types of Attacks 16 Software Attacks on Hardware 16 PCB-Level Attacks 19 Logical Attacks 20 Noninvasive Attacks 22 Chip-Invasive Attacks 22 Assets and Security Objectives 26 Confidentiality and Integrity of Binary Code 27 Confidentiality and Integrity of Keys 27 Remote Boot Attestation 28 Confidentiality and Integrity of Personally Identifiable Information 28 Sensor Data Integrity and Confidentiality 29 Content Confidentiality Protection 29 Safety and Resilience 29 Countermeasures 30 Protect 30 Detect 30 Respond 31 An Attack Tree Example 31 Identification vs. Exploitation 34 Scalability 34 Analyzing the Attack Tree 34 Scoring Hardware Attack Paths 35 Disclosing Security Issues 37 Summary 38 2: Reaching Out, Touching Me, Touching You: Hardware Peripheral Interfaces 39 Electricity Basics 40 Voltage 40 Current 40 Resistance 41 Ohm’s Law 41 AC/DC 41 Picking Apart Resistance 41 Power 42 Interface with Electricity 43 Logic Levels 43 High Impedance, Pullups, and Pulldowns 45 Push-Pull vs. Tristate vs. Open Collector or Open Drain 46 Asynchronous vs. Synchronous vs. Embedded Clock 47 Differential Signaling 48 Low-Speed Serial Interfaces 50 Universal Asynchronous Receiver/Transmitter Serial 50 Serial Peripheral Interface (SPI) 52 Inter-IC Interface (I2C) 54 Secure Digital Input/Output and Embedded Multimedia Cards 57 CAN Bus 59 JTAG and Other Debugging Interfaces 60 Parallel Interfaces 63 Memory Interfaces 64 High-Speed Serial Interfaces 65 Universal Serial Bus 66 PCI Express 67 Ethernet 67 Measurement 68 Multimeter: Volt 68 Multimeter: Continuity 69 Digital Oscilloscope 69 Logic Analyzer 73 Summary 74 4: Bull in a PORCELAIN Shop: Introducing Fault Injection 75 Faulting Security Mechanisms 76 Circumventing Firmware Signature Verification 77 Gaining Access to Locked Functionality 77 Recovering Cryptographic Keys 77 An Exercise in OpenSSH Fault Injection 78 Injecting Faults into C Code 78 Injecting Faults into Machine Code 79 Fault Injection Bull 81 Target Device and Fault Goal 82 Fault Injector Tools 82 Target Preparation and Control 83 Fault Searching Methods 87 Discovering Fault Primitives 88 Searching for Effective Faults 91 Search Strategies 98 Analyzing Results 100 Summary 102 6: Bench Time: Fault Injection Lab 103 Act 1: A Simple Loop 104 A BBQ Lighter of Pain 105 Act 2: Inserting Useful Glitches 108 Crowbar Glitching to Fault a Configuration Word 109 Mux Fault Injection 124 Act 3: Differential Fault Analysis 129 A Bit of RSA Math 130 Getting a Correct Signature from the Target 133 Summary 136 7: X Marks the Spot: Trezor One Wallet Memory Dump 137 Attack Introduction 138 Trezor One Wallet Internals 138 USB Read Request Faulting 140 Disassembling Code 142 Building Firmware and Validating the Glitch 143 USB Triggering and Timing 147 Glitching Through the Case 150 Summary 157 8: I’ve Got the Power: Introduction to Power Analysis 159 Timing Attacks 160 Hard Drive Timing Attack 163 Power Measurements for Timing Attacks 166 Simple Power Analysis 167 Applying SPA to RSA 168 Applying SPA to RSA, Redux 170 SPA on ECDSA 172 Summary 178 The Hardware Hacking Handbook is a deep dive into embedded security, perfect for readers interested in designing, analysing, and attacking devices. You'll start with a crash course in embedded security and hardware interfaces and learn how to set up a test lab. Real-world examples and hands-on labs throughout allow you to explore hardware interfaces and practice various attacks. "A deep dive into hardware attacks on embedded systems explained by experts in the field through real-life examples and hands-on labs. Topics include the embedded system threat model, hardware interfaces, various side-channel and fault injection attacks, and voltage and clock glitching"-- Provided by publisher "A deep dive into hardware attacks on embedded systems explained by experts in the field through real-life examples and hands-on labs. Topics include the embedded system threat model, hardware interfaces, various side-channel and fault injection attacks, and voltage and clock glitching"-- Résumé de l'éditeur