Security BSides Las Vegas 2024

How We Accidentally Became Hardware Hackers
2024-08-06 , Florentine F

Follow us through our “buddy-film-esque” journey through life as servers, electrical engineers, embedded firmware developers, and finally hardware hackers. We have vast experience developing hardware and firmware that, for lack of a better term, was trash. Unbeknownst to us, though, each time we developed something that was insecure or simply didn’t work, we learned a valuable lesson that would eventually come in handy in the world of cybersecurity. We will demonstrate some of the tough lessons we learned on the way to this point, ranging from laughable mistakes in hardware to endless dependency hell and even embarrassing security decisions. We hope this talk is fun and informative, but ultimately we want to encourage the next generation of electrical engineers, hobbyists, hackers, and enthusiasts to venture into the world of hardware hacking and not be overwhelmed by the subject matter: we are a clear example that, with enough trial and error, two goofballs can find their way into hardware hacking.


DETAILED OUTLINE:
I. Our Story
a. Who we are now
b. Our history
i. EE students
ii. Servers at the same restaurant
iii. Embedded software developers
iv. Pentesters / cybersecurity consultants
II. Lesson 1: Oh S*** Solder Tips
a. Crappy PCB design examples and the hot fixes we had to make
i. Random boards we designed at our previous employer
b. Buying the wrong parts
i. Open sprinkler
c. Being too cheap to pay for component pick and place
III. Lesson 2: Complex Tools for Simple Stupid Problems
a. Logic analyzer to debug JTAG not working when the connector was upside down
b. OScope to debug circuitry that wasn't plugged in at all
IV. Lesson 3: Dependency Hell
a. Never-ending dependencies to better understand compilers and dev environments
b. Knowing what the heck is going into the code.
V. Lesson 4: Technically Not Trespassing?
a. We can neither confirm nor deny we have frequently had to take steps to bypass physical security measures to gain access to our desks :)
i. Tailgating
ii. Air cans
iii. Lock picking
iv. Gate jumping
v. Statute of limitations has indeed expired
VI. What We Learned
a. Lesson 1
i. Advanced soldering that is necessary when attaching to complex boards / components
a. Deadbugging
b. QFN parts
c. Depopping components
b. Lesson 2
i. Tools that can be used for evil
a. Logic analyzer
b. Universal debugger
ii. Highlight the need to understand advanced tooling to accomplish side-channel analysis exploits
c. Lesson 3
i. An understanding of the sub-components that make up an overall solution
ii. An understanding of how important and potentially vulnerable the software supply chain could be
d. Lesson 4
i. Good ol' physical security fun (when legal)
VII. Final Lessons / Call to Action
a. Hardware hacking is not as scary as it seems
b. Don't be afraid of failure
c. Learn from your mistakes

Kyle Shockley is one of the founding members of SolaSec. He received a B.S. in Finance and International Business, as well as an M.S. in Information Systems from Indiana University. Kyle has delivered high-value information technology solutions for over 12 years to clients in multiple industries. With experience in a variety of projects, Kyle has developed vulnerability management programs, executed advanced adversarial attack simulations, and built IT strategic roadmaps for clients around the world.

Caleb Davis is a founding member of the cybersecurity organization SolaSec. Caleb operates out of the Dallas/Fort Worth area and has a degree in Electrical Engineering from the University of Texas at Tyler. He is an inventor/patent holder and has a background in embedded hardware/software development. He leads a team of experts that regularly performs penetration testing across a wide variety of products, including medical devices, ATMs, chemical control systems, security solutions, and other commercial products. Additionally, Caleb has a passion for integrating security into the product development life cycle and has helped several organizations in their approach to shifting left.