On This Page

Applied Hardware Attacks: Hardware Pentesting

Joe FitzPatrick, SecuringHardware.com | August 6-7



You've learned about JTAG, UART, and SPI in your introductory IOT hacking class, but how does this apply to real world devices you encounter on actual engagements?

This course will put what you've already learned into context. We'll analyze how and why hardware hacks belong in scope of certain pen tests, and what that means to threat modeling and deliverables. We'll build upon your basic skills and see how more advance hardware and firmware analysis tells us more about the software vulnerabilities in a system. We'll prototype some hardware exploits into compelling demos or helpful red-team tools.

This course focuses on approaching hardware as part of a pentest or red team engagement, implementing advanced hardware hacks, and managing the hardware 'problem'. This two-day course builds directly upon the skills covered in Applied Hardware Attacks: Embedded Systems - consider taking the two together for a complete 4 days. If you've already taken another class that covers the basics of embedded/IOT/hardware hacking, including UART, JTAG, and SPI, you should have sufficient background.

This course is over 70% lab oriented, with both hands-on hardware and practical problem solving components. Lectures support the background you need to complete the labs, which is where the real learning takes place.

Based on time and depth of student interest, we may not complete every topic in class:

Part 1: Recon and Passive Analysis
Lecture: Recognizing and communicating hardware impact
Practical: Analyze, rate, and rank a list of real-world hardware vulnerabilities
Lecture: Sourcing documentation and tools
Lab: Identify a new system and configure a toolchain for it
Lecture: Reading datasheets and inferring system functionality
Lab: Derive a block diagram of a board and validate assumptions

Part 2: Threat Modeling and System Analysis
Lecture: Threat modeling when hardware is in scope
Practical: Building example threat models
Lecture: Identifying chips by packages, pin configurations, and dynamic analysis
Lab: Identify an unknown chip on an embedded system
Lecture: Tools for analyzing interconnects
Lab: Locate, capture and analyze an unknown protocol

Part 3: Hardware Vulnerability Analysis and Exploitation
Lecture: Equipping a hardware hacking lab
Practical: Estimating time, effort, and expense of hardware attacks
Lecture: Custom hardware & software for custom interfaces
Lab: Script a device to bit-bang a unique protocol
Lecture: Prototyping hardware exploit tools, demos, and deliverables
Lab: Implement a standalone hardware exploit device

Part 4: Firmware Vulnerability Analysis and Exploitation
Lecture: Embedded static vs dynamic analysis and tools
Lab: Static analysis of firmware to map functionality to firmware
Lecture: Dynamic analysis in-circuit vs emulator, tooling for dynamic analysis
Lab: Taking embedded firmware to an emulator

Who Should Take this Course

This course is well suited to pen testers, red teamers, exploit developers, and product developers looking to more smoothly incorporate hardware elements into their daily operations. In addition, security researchers and enthusiasts unwilling to 'just trust the hardware' will gain deeper insight into how hardware works and can be undermined.

Student Requirements

This two-day course builds directly upon the skills covered in Applied Hardware Attacks: Embedded Systems. Taking them together should work well.

If you've previously taken that or another class that covers the basics of embedded/IOT/hardware hacking, including UART, JTAG, and SPI, you should be prepared for this class.

If, in a class or in other experience, you have manipulated an embedded system over a console, tampered with a live system over JTAG, and dumped a devices firmware at least once, you are also prepared for this class.

What Students Should Bring

Your own favored writing instrument, keyboard, and mouse if you have strong preferences (otherwise provided)
USB drive to take home copies of course files
Your own laptop if you prefer to use it for note taking and internet access

What Students Will Be Provided With

To avoid the thrash of compatibility, software installation, virtual machines, and bootable images, attendees will be provided with all equipment for use during the class, including laptops preconfigured with all necessary software.


Joe (@securelyfitz) is a Trainer and Researcher at https://SecuringHardware.com (@securinghw). Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training, instructing hundreds of security researchers, pen testers, hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Thorsten Haas is a Security Consultant who focuses on application security assessments, applied physical attacks on embedded systems, reverse engineering, and training with a focus on hardware hacking. He reverse engineered NVMe hard drives, BMCs, and embedded Internet-connected devices, and analyzed enterprise server hardware for malicious hardware and firmware implants. Previously, he specialized in industrial control systems and functional safety on bullet train OE and power substations in Europe and Asia, developed board support packages and bootloaders for embedded Linux. In his spare time, he's a rookie sailor, open water diver, gardener, and bona fide grease monkey.

Josh Datko is the owner of Cryptotronix, an embedded security consultancy. As a submarine officer, he was sent to Afghanistan to ensure that the Taliban did not develop a submarine force--mission accomplished! He wrote a book on BeagleBones and crypto hardware which not many people have read and presented a better way to make a hardware implant at DEFCON which hopefully helped the NSA improve their spying.