Hardwear.io 2018

Visiting the hardwear.io 2018 conference in Den Haag

A training session on Hardwear.io [0].

For the second year SCHUTZWERK was a sponsor of the hardwear.io conference in Den Haag. This year, we attended the conference with 3 employees focused on hardware and embedded security.

The Training Session

One of our hardware specialists, Heiko Ehret, learned how to reverse engineer a microchip in the training "IC reverse engineering 101" from Tuesday to Wednesday. The training presented the principles of gaining access to the die of a chip. In the practical part, participants analyzed, for example, photos taken with a scanning electron microscope (SEM) to extract the computational structure and to read out the contents of the memories. These methods make it possible to analyze the chip for possible vulnerabilities. With this knowledge, intrusive attacks like microprobing, ion-beam or laser fault injection were planned against the target to gain control of the IC and extract information.

Training Session IC reverse engineering 101 [1].

The Conference

On the following days, two students joined him in visiting the conference. At registration, each attendee was given a “badge” and a “tag”. The badge is a small device capable of reading a tag through NFC and showing some information on its display. The tag is a wristband with an NFC business card containing the name and email address of the person. The first tag assigned to the badge will “adopt” it, and the name of the person is then visible on a small screen on the badge. After that, the owner can collect further business cards simply by placing a tag on the reader of the badge. After the conference, the contact information can be retrieved from the badge with a USB cable and a PC.

Badge with Tag [2].

The keynote was held by Kate Temkin, who explained her exploit for the Nintendo Switch and promoted the message that the boundary between securing hardware and securing software is becoming more and more fluid, and that the developers of each camp need to work more closely together to develop secure devices. (Link to Talk and Video)

The next speaker, José Lopes Esteves, employed by the French intelligence service, talked about the threats posed by unmanned aerial vehicles (UAVs) and how to stop them. He then presented a framework to analyze the communication to and from the drone and how to break it to gain control over the UAV. (Link to Talk and Video)

After a short coffee break, Brandon Wilson held an inspiring presentation about the history of hacking Texas Instruments (TI) graphing calculators. At the beginning it was easy for hardware enthusiasts to execute arbitrary code on the devices due to some hardware vulnerabilities. Later TI worked together with the modders and provided an API for reprogramming their calculators. However, for legal reasons and at the wishes of certain customers (mainly schools), they needed to prevent that, tried to implement protection mechanisms and weren’t even afraid of threatening lawsuits. This did not stop the community from continuing its efforts. Brandon invited others to join them, because there are plenty of reasons you can trust a simple calculator under your control more than a highly complex computer. (Link to Talk and Video)

After the lunch break, David Berend presented his study on exploiting smartphone sensor data to extract the PIN entered by the user. Access to the sensor data is not protected, and every application (even JavaScript code in the browser) can read it. Therefore every application on Android mobile phones is able to track the user's input. Fortunately he also gave advice on how to protect oneself, but the best solution would be for Android itself to limit access to the valuable sensor data. (Link to Talk and Video)

A highlight of the second day's talks was, in my opinion, the presentation by Andrew Tierney, also known as “Ask Cybergibbons!” on Twitter, presenting the timeline of the “Unhackable” bitcoin hardware wallet sold by Bitfi and how the correspondence with the vendor escalated. This finally led to a broken device and also to Bitfi winning the “Pwnie Award for the Lamest Vendor Response”. (Link to Talk and Video)

The CTF

The quality of the presentations was good, but another offering at the conference sparked our interest: the Hardware CTF by Quarkslab. There were 21 hardware hacking challenges of different levels of difficulty waiting to be solved. For example, a smart lock with NFC needed to be opened. Another challenge was to reverse engineer the code of microchips to find an exploit and capture the FLAGs. Yet another was sniffing the communication between a Mifare card and a reader, which had to be cracked afterwards. But there were also non-coding challenges, like microsoldering a tiny chip to another circuit, or 3D modeling a key, printing it in plastic and then opening the lock of a box to gain the FLAG.

Our team “Void” managed to take 2nd place in what was, in the end, a nerve-racking race for points. All in all the CTF was great fun and also involved acquiring some new skills and training old ones.

Opening a smart lock in 2 seconds [3].

We are looking forward to visiting the hardwear.io conference again next year.

References

[0] Picture with permission by hardwear.io https://hardwear.io/ (https://hardwear.io/images/hardwear-home-bg.jpg)
[1] Picture with permission by hardwear.io @hardwear_io (https://twitter.com/hardwear_io/status/1039426618182303744)
[2] Picture with permission by Michael Wolf
[3] Video with permission by Slawomir Jasek (smartlockpicking.com) @slawekja (https://twitter.com/slawekja/status/1040177919153397760)

Michael Wolf