Talk Title:

Hands-on IoT firmware extraction and forensics of eMMC flash

Abstract:

For a complete analysis of an IoT device, it is required to look at the firmware itself. In most cases this means that the firmware, data or encryption keys need to be extracted from the device memory. Many researchers are hesitant to do that as there is a high risk of destroying the device or leaving it in an inoperable state. In this workshop we will look at different flash memory types (EEPROM, SPI flash, NAND flash, eMMC flash) and how to extract the information from them.

After the intro, we will focus on the chip-off method of eMMC/eMCP ICs. In the workshop you have the opportunity to replicate the findings of the paper "Amazon echo dot or the reverberating secrets of IoT devices" [1].

Participants will have the opportunity to work in groups and being provided an Amazon Echo Dot Gen2 or a similar device. After a tear-down, participants can use different methods (e.g. Hot air, IR soldering) to remove the flash chip and read it out. Optionally, the tools re-ball and re-solder the IC will be available. In the end, each team should have the data and a functional device again.

It is strongly recommended, that participants read the paper [1] before joining the workshop. Tools will be provided. Due to the limited amount of IoT devices, space is limited.

[1] Dennis Giese and Guevara Noubir. 2021. Amazon echo dot or the reverberating secrets of IoT devices. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '21). Association for Computing Machinery, New York, NY, USA, 13–24. https://dl.acm.org/doi/10.1145/3448300.3467820

Speaker Bio:

Dennis Giese is a researcher with focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices.

His most known projects are the documentation and hacking of various vacuum robots. He calls himself a "robot collector" and his current vacuum robot army consists of over 60 different models from various vendors.

He talked about his research at the Chaos Communication Congress, REcon BRX, NULLCON and DEFCON.

Braelynn is a security consultant at Leviathan Security Group where she conducts pentests of products for startups, Fortune 500 companies, and everything in between. She enjoys partaking in CTFs and researching the security anything that piques her curiosity. She has previously presented her research at conferences such as Chaos Communication Congress.