This past month or so I’ve delved into hacking hardware (not building, but taking apart). I’m leading the efforts at Owl, the company I work with, to expand their device inspection and analysis service to medical devices. As part of this work, I have been learning quite a bit about how hardware can be inspected and hacked.
Grand ideas
I had no intention to go deep into hardware snooping, but, while reading up on DEFCON #badgelife, I stumbled upon Joe Grand, also known as Kingpin of the notorious L0pht Heavy Industries of the 90s. I had heard of L0pht back in the day, so it was quite interesting to catch up with what Joe and his cohorts have been up to since.
While Joe is one of the fathers of #badgelife, I started reading up on his hardware hacking. Quite fascinating topic.
Crossing streams
Then, while doing apparently unrelated research on optoisolators and hacking data diodes for a demo I am building, I stumbled upon a video showing how to create an out of band connection over a data diode via RF.
You now how this goes. Digging deeper into the guy mentioned in the video, Monta Elkins, I found his SANS instructor’s page and a presentation his did on jumping air gaps.* More searching and I came upon this incredibly interesting and fun presentation of hacking 20 things in 45 minutes (getting root access to a bunch of consumer electronics). Then I watched Monta’s DEFCON presentation where he uses an electric drill as a proxy for hacking an industrial logic control.
Drilling into the subject
The video did a great job reinforcing all the things I had been learning from our own hardware guys, reading about Joe Grand and others, and other research into hardware inspection and circumvention (always about circumvention – we are in the cyber security space, after all).
Two things I want to point out from what Monta said in the electric drill presentation.
First, he was examining the firmware and showed how knowing the hash of the code of the firmware, one could check for a compromise. So, Monta asks, should manufacturers publicly publish hashes of their firmware so we could verify the software is good?
Secondly, with all this hacking, he pointed out that things would have been easier if the programming pins were on the outside. So, he ask, should manufacturers make their programming pins accessible from outside their device to make it easy to check firmware, make mods, and the like?
Both are interesting questions.
Not just academic
OK, so I mentioned at the top I had not intended to get deep into hardware hacking. But it fit well the path I’ve been taking. At first, I wanted to turn to our own device inspection experts to help me get the word out on Owl’s device inspection services. But after talking to our experts, reading and researching the topic, and validating my thoughts with our experts again (I don’t want to say something impossible), I did a hardware inspection of my own.
I had purchased a patient monitor for our experts to examine, but the shutdown (and their schedules) got in the way. So I did it myself. And did a webinar on it. The webinar is a great summary of all that I learned on this hardware hacking journey (and you get to peek inside a patient monitor).
Fascinating. And looking forward to doing more.
*In case you’re interested, here are two more examples of jumping air gaps, via RF and via power supply vibration.