Adam Laurie, Grzegorz Wypych

EMFI and Voltage Fault injection attacks with Raiden

Duration: 4 days (5hrs each day)

Date: 27th to 30th January 2021


TRAINER

Adam Laurie & Grzegorz Wypych


Overview

This 4-day training is focused on learning fault injection techniques using our own pulse generator, Raiden (open sourced during Black Hat Asia 2020). We built it, we know it inside out, and we can share this knowledge with students. During the training we want to teach you not only how to use Raiden but also how to apply that knowledge to real attack scenarios. We want to show you attack vectors such as voltage glitching and Electromagnetic Field Injection. You will learn how to build a test setup and trigger fault injection attacks on UART/USB packets. Labs will include real CVEs reported in 2020 by us.


Hardware Targets

NXP 11xx series, STM32CubeX microcontrollers


Target Audience

  • security researchers
  • embedded developers who want to understand how bootloader architecture issues could impact security
  • everyone who wants to learn how hackers may reverse engineer and exploit your product

Topics

  • Know your tools: Oscilloscope, Raiden, USB hardware triggering, Logic Analyzer, GDB
  • Bootloader reverse engineering for profit
  • Understanding use of Differential Power Analysis for more accurate timing
  • Understand where and how to apply voltage/EMFI glitching attacks
  • Understanding how to use manuals to find flaws and potential attack vectors
  • Understand how USB2 descriptors work
  • Building custom tools in Python to support device recon

Labs

  • Connecting tools and targets
  • Recompiling and upgrading libUSB library to support USB glitching attacks
  • Reverse engineer USB device library and find attack vectors
  • Programming microcontrollers for CRP and RDP protection using C and Python
  • Bypassing CRP3 protection on NXP microcontrollers
  • Firmware recovery on protected NXP microcontrollers
  • Attacking USB device library for memory leaks

Note: Labs will be available remotely via VPN access. Students will have the chance to work with advanced devices and configurations in order to solve the provided challenges and tasks. Labs will include real vulnerabilities with CVEs that the trainers found during their research work. This will give students the skills they need to start their own hardware research journey after the training, and the ability to reuse those skills afterwards.


Class requirements

  • Understanding of reverse-engineering hardware and software (basic knowledge)
  • Basic knowledge of IoT and/or embedded systems security
  • Understanding of the C language and Python scripting skills
  • Laptop with network access

ABOUT THE TRAINER

Grzegorz Wypych is a 37-year-old security researcher, tool inventor, and speaker at hardwear.io and SecurityPWNing (Poland). He specializes in reverse engineering binaries and fault injection attacks. He is the author of blog posts on securityintelligence.com reporting 0-day vulnerabilities in IoT devices. Before joining X-Force Red, he worked as a Software Developer and Network Engineer/Architect.

Adam Laurie is an old school hacker and DEF CON Quartermaster who specializes in embedded systems and OTA protocols. He also runs the hardware live hacking contest called Hardpwn at hardwear.io.