The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks
- Length: 512 pages
- Edition: 1
- Language: English
- Publisher: No Starch Press
- Publication Date: 2021-12-14
- ISBN-10: 1593278748
- ISBN-13: 9781593278748
- Sales Rank: #83442 (See Top 100 Books)
The Hardware Hacking Handbook takes you deep inside embedded devices to show how different kinds of attacks work, then guides you through each hack on real hardware.
Embedded devices are chip-size microcomputers small enough to be included in the structure of the object they control, and they’re everywhere—in phones, cars, credit cards, laptops, medical equipment, even critical infrastructure. This means understanding their security is critical. The Hardware Hacking Handbook takes you deep inside different types of embedded systems, revealing the designs, components, security limits, and reverse-engineering challenges you need to know for executing effective hardware attacks.
Written with wit and infused with hands-on lab experiments, this handbook puts you in the role of an attacker interested in breaking security to do good. Starting with a crash course on the architecture of embedded devices, threat modeling, and attack trees, you’ll go on to explore hardware interfaces, ports and communication protocols, electrical signaling, tips for analyzing firmware images, and more. Along the way, you’ll use a home testing lab to perform fault-injection, side-channel (SCA), and simple and differential power analysis (SPA/DPA) attacks on a variety of real devices, such as a crypto wallet. The authors also share insights into real-life attacks on embedded systems, including Sony’s PlayStation 3, the Xbox 360, and Philips Hue lights, and provide an appendix of the equipment needed for your hardware hacking lab – like a multimeter and an oscilloscope – with options for every type of budget.
You’ll learn:
- How to model security threats, using attacker profiles, assets, objectives, and countermeasures
- Electrical basics that will help you understand communication interfaces, signaling, and measurement
- How to identify injection points for executing clock, voltage, electromagnetic, laser, and body-biasing fault attacks, as well as practical injection tips
- How to use timing and power analysis attacks to extract passwords and cryptographic keys
- Techniques for leveling up both simple and differential power analysis, from practical measurement tips to filtering, processing, and visualization
Whether you’re an industry engineer tasked with understanding these attacks, a student starting out in the field, or an electronics hobbyist curious about replicating existing work, The Hardware Hacking Handbook is an indispensable resource – one you’ll always want to have onhand.
Title Page Copyright Dedication About the Authors Foreword Acknowledgments Introduction What Embedded Devices Look Like Ways of Hacking Embedded Devices What Does Hardware Attack Mean? Who Should Read This Book? About This Book Chapter 1: Dental Hygiene: Introduction to Embedded Security Hardware Components Software Components Initial Boot Code Bootloader Trusted Execution Environment OS and Trusted Applications Firmware Images Main Operating System Kernel and Applications Hardware Threat Modeling What Is Security? The Attack Tree Profiling the Attackers Types of Attacks Software Attacks on Hardware PCB-Level Attacks Logical Attacks Noninvasive Attacks Chip-Invasive Attacks Assets and Security Objectives Confidentiality and Integrity of Binary Code Confidentiality and Integrity of Keys Remote Boot Attestation Confidentiality and Integrity of Personally Identifiable Information Sensor Data Integrity and Confidentiality Content Confidentiality Protection Safety and Resilience Countermeasures Protect Detect Respond An Attack Tree Example Identification vs. Exploitation Scalability Analyzing the Attack Tree Scoring Hardware Attack Paths Disclosing Security Issues Summary Chapter 2: Reaching Out, Touching Me, Touching You: Hardware Peripheral Interfaces Electricity Basics Voltage Current Resistance Ohm’s Law AC/DC Picking Apart Resistance Power Interface with Electricity Logic Levels High Impedance, Pullups, and Pulldowns Push-Pull vs. Tristate vs. Open Collector or Open Drain Asynchronous vs. Synchronous vs. Embedded Clock Differential Signaling Low-Speed Serial Interfaces Universal Asynchronous Receiver/Transmitter Serial Serial Peripheral Interface Inter-IC Interface Secure Digital Input/Output and Embedded Multimedia Cards CAN Bus JTAG and Other Debugging Interfaces Parallel Interfaces Memory Interfaces High-Speed Serial Interfaces Universal Serial Bus PCI Express Ethernet Measurement Multimeter: Volt Multimeter: Continuity Digital Oscilloscope Logic Analyzer Summary Chapter 3: Casing the Joint: Identifying Components and Gathering Information Information Gathering Federal Communications Commission Filings Patents Datasheets and Schematics Information Search Example: The USB Armory Device Opening the Case Identifying ICs on the Board Small Leaded Packages: SOIC, SOP, and QFP No-Lead Packages: SO and QFN Ball Grid Array Chip Scale Packaging DIP, Through-Hole, and Others Sample IC Packages on PCBs Identifying Other Components on the Board Mapping the PCB Using the JTAG Boundary Scan for Mapping Information Extraction from the Firmware Obtaining the Firmware Image Analyzing the Firmware Image Summary Chapter 4: Bull in a Porcelain Shop: Introducing Fault Injection Faulting Security Mechanisms Circumventing Firmware Signature Verification Gaining Access to Locked Functionality Recovering Cryptographic Keys An Exercise in OpenSSH Fault Injection Injecting Faults into C Code Injecting Faults into Machine Code Fault Injection Bull Target Device and Fault Goal Fault Injector Tools Target Preparation and Control Fault Searching Methods Discovering Fault Primitives Searching for Effective Faults Search Strategies Analyzing Results Summary Chapter 5: Don’t Lick the Probe: How to Inject Faults Clock Fault Injection Metastability Fault Sensitivity Analysis Limitations Required Hardware Clock Fault Injection Parameters Voltage Fault Injection Generating Voltage Glitches Building a Switching-Based Injector Crowbar Injected Faults Raspberry Pi Fault Attack with a Crowbar Voltage Fault Injection Search Parameters Electromagnetic Fault Injection Generating Electromagnetic Faults Architectures for Electromagnetic Fault Injection EMFI Pulse Shapes and Widths Search Parameters for Electromagnetic Fault Injection Optical Fault Injection Chip Preparation Front-Side and Back-Side Attacks Light Sources Optical Fault Injection Setup Optical Fault Injection Configurable Parameters Body Biasing Injection Parameters for Body Biasing Injection Triggering Hardware Faults Working with Unpredictable Target Timing Summary Chapter 6: Bench Time: Fault Injection Lab Act 1: A Simple Loop A BBQ Lighter of Pain Act 2: Inserting Useful Glitches Crowbar Glitching to Fault a Configuration Word Mux Fault Injection Act 3: Differential Fault Analysis A Bit of RSA Math Getting a Correct Signature from the Target Summary Chapter 7: X Marks the Spot: Trezor One Wallet Memory Dump Trezor One Wallet Internals USB Read Request Faulting Disassembling Code Building Firmware and Validating the Glitch USB Triggering and Timing Glitching Through the Case Setting Up Reviewing the Code for Fault Injection Running the Code Confirming a Dump Fine-Tuning the EM Pulse Tuning Timing Based on USB Messages Summary Chapter 8: I’ve Got the Power: Introduction to Power Analysis Timing Attacks Hard Drive Timing Attack Power Measurements for Timing Attacks Simple Power Analysis Applying SPA to RSA Applying SPA to RSA, Redux SPA on ECDSA Summary Chapter 9: Bench Time: Simple Power Analysis The Home Lab Building a Basic Hardware Setup Buying a Setup Preparing the Target Code Building the Setup Pulling It Together: An SPA Attack Preparing the Target Preparing the Oscilloscope Analysis of the Signal Scripting the Communication and Analysis Scripting the Attack ChipWhisperer-Nano Example Building and Loading Firmware A First Glance at the Communication Capturing a Trace From Trace to Attack Summary Chapter 10: Splitting the Difference: Differential Power Analysis Inside the Microcontroller Changing the Voltage on a Capacitor From Power to Data and Back Sexy XORy Example Differential Power Analysis Attack Predicting Power Consumption Using a Leakage Assumption A DPA Attack in Python Know Thy Enemy: An Advanced Encryption Standard Crash Course Attacking AES-128 Using DPA Correlation Power Analysis Attack Correlation Coefficient Attacking AES-128 Using CPA Communicating with a Target Device Oscilloscope Capture Speed Summary Chapter 11: Gettin’ Nerdy with It: Advanced Power Analysis The Main Obstacles More Powerful Attacks Measuring Success Success Rate–Based Metrics Entropy-Based Metrics Correlation Peak Progression Correlation Peak Height Measurements on Real Devices Device Operation The Measurement Probe Determining Sensitive Nets Automated Probe Scanning Oscilloscope Setup Trace Set Analysis and Processing Analysis Techniques Processing Techniques Deep Learning Using Convolutional Neural Networks Summary Chapter 12: Bench Time: Differential Power Analysis Bootloader Background Bootloader Communications Protocol Details of AES-256 CBC Attacking AES-256 Obtaining and Building the Bootloader Code Running the Target and Capturing Traces Calculating the CRC Communicating with the Bootloader Capturing Overview Traces Capturing Detailed Traces Analysis Round 14 Key Round 13 Key Recovering the IV What to Capture Getting the First Trace Getting the Rest of the Traces Analysis Attacking the Signature Attack Theory Power Traces Analysis All Four Bytes Peeping at the Bootloader Source Code Timing of Signature Check Summary Chapter 13: No Kiddin’: Real-Life Examples Fault Injection Attacks PlayStation 3 Hypervisor Xbox 360 Power Analysis Attacks Philips Hue Attack Summary Chapter 14: Think of the Children: Countermeasures, Certifications, and Goodbytes Countermeasures Implementing Countermeasures Verifying Countermeasures Industry Certifications Getting Better Summary Appendix A: Maxing Out Your Credit Card: Setting Up a Test Lab Checking Connectivity and Voltages: $50 to $500 Fine-Pitch Soldering: $50 to $1,500 Desoldering Through-Hole: $30 to $500 Soldering and Desoldering Surface Mount Devices: $100 to $500 Modifying PCBs: $5 to $700 Optical Microscopes: $200 to $2,000 Photographing Boards: $50 to $2,000 Powering Targets: $10 to $1,000 Viewing Analog Waveforms (Oscilloscopes): $300 to $25,000 Memory Depth Sample Rate Bandwidth Other Features Viewing Logic Waveforms: $300 to $8,000 Triggering on Serial Buses: $300 to $8,000 Decoding Serial Protocols: $50 to $8,000 CAN Bus Sniffing and Triggering: $50 to $5,000 Ethernet Sniffing: $50 Interacting Through JTAG: $20 to $10,000 General JTAG and Boundary Scan JTAG Debug PCIe Communication: $100 to $1,000 USB Sniffing: $100 to $6,000 USB Triggering: $250 to $6,000 USB Emulation: $100 SPI Flash Connections: $25 to $1,000 Power Analysis Measurements: $300 to $50,000 Triggering on Analog Waveforms: $3,800+ Measuring Magnetic Fields: $25 to $10,000 Clock Fault Injection: $100 to $30,000 Voltage Fault Injection: $25 to $30,000 Electromagnetic Fault Injection: $100 to $50,000 Optical Fault Injection: $1,000 to $250,000 Positioning Probes: $100 to $50,000 Target Devices: $10 to $10,000 Appendix B: All Your Base Are Belong to Us: Popular Pinouts SPI Flash Pinout 0.1-Inch Headers 20-Pin Arm JTAG 14-Pin PowerPC JTAG 0.05-Inch Headers Arm Cortex JTAG/SWD Ember Packet Trace Port Connector Index
Donate to keep this site alive
How to download source code?
1. Go to: https://nostarch.com/
2. Search the book title: The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks
, sometime you may not get the results, please search the main title
3. Click the book title in the search results
3. Download the Source Code.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.