1
00:00:01,540 --> 00:00:03,100
Hi there, welcome back.

2
00:00:03,400 --> 00:00:10,720
In this lesson, I will talk about hardware exploitation of IoT devices, in particular exploitation

3
00:00:10,720 --> 00:00:12,670
of UART interfaces.

4
00:00:13,830 --> 00:00:21,660
But let's start by listing what the consequences of hardware exploitation can be. Exploitation of the

5
00:00:21,660 --> 00:00:30,780
hardware of an unsecured IoT device can allow you to: obtain access as root/admin on the IoT device,

6
00:00:31,290 --> 00:00:34,380
dump the firmware from the IoT device, make live

7
00:00:36,480 --> 00:00:47,040
debug execution to verify the possibility to bypass security protection, and do a firmware modification

8
00:00:47,040 --> 00:00:49,230
and rewrite on the device.

9
00:00:51,990 --> 00:00:57,010
First of all, let's see an introduction to UART communication.

10
00:00:57,960 --> 00:01:05,790
UART stands for Universal Asynchronous Receiver Transmitter and is a hardware component for

11
00:01:05,790 --> 00:01:08,930
asynchronous serial communication. The UART

12
00:01:08,940 --> 00:01:15,840
interface of a device requires the presence, in addition to the ground connection and the power supply,

13
00:01:16,380 --> 00:01:19,610
of two cables for bidirectional communication.

14
00:01:19,980 --> 00:01:27,290
That is, a transmission cable (TX) and a reception cable (RX), as shown in the picture.

15
00:01:28,240 --> 00:01:38,940
UART ports could be hardware or software emulated on GPIOs (general-purpose input/outputs) that are present

16
00:01:38,940 --> 00:01:41,400
on many microcontrollers.

17
00:01:45,470 --> 00:01:55,240
In UART communication, data is transmitted as frames. Transmitter and receiver do not share a common

18
00:01:55,260 --> 00:02:04,240
clock, so they should transmit at the same speed, or baud rate, that is, symbols per second.

19
00:02:05,160 --> 00:02:14,130
Common UART baud rates are listed on the slide, from four thousand eight hundred to one

20
00:02:14,130 --> 00:02:16,830
hundred fifteen thousand two hundred.

21
00:02:19,360 --> 00:02:28,480
Now, let's see how the UART data transmission frame format is structured. The UART frame or packet

22
00:02:28,480 --> 00:02:41,170
format consists of: a start bit, then data bits that could be seven data bits plus one parity bit or

23
00:02:41,290 --> 00:02:51,970
eight data bits without a parity bit, with the least significant bit transmitted first.

24
00:02:52,790 --> 00:03:00,250
Then we have a parity bit, which is optional, and at the end a stop bit.

25
00:03:03,290 --> 00:03:12,410
To be able to correctly identify the structure of the UART data transmission frame of a specific physical

26
00:03:12,410 --> 00:03:17,220
device, it is useful to use logic analyzers.

27
00:03:18,140 --> 00:03:20,420
There are several on the market.

28
00:03:20,580 --> 00:03:27,320
The figure shows an example of analysis of a signal made with the Saleae logic analyzer.

29
00:03:28,070 --> 00:03:34,700
The waveform of the UART signal relating to a transmitted data sequence is clearly visible.

30
00:03:39,090 --> 00:03:48,450
Now, let's talk about the steps to follow to test the robustness in terms of security of a UART interface

31
00:03:48,450 --> 00:03:52,630
present on a printed circuit board of an IoT device.

32
00:03:53,340 --> 00:03:57,870
The first step to follow is to identify the UART pinouts,

33
00:03:59,400 --> 00:04:11,730
that is, TX, RX, ground, and Vcc (generally three point three volts or five volts) of the IoT device.

34
00:04:12,510 --> 00:04:19,740
The identification of the pinouts can be done with a multimeter or with the use of tools such

35
00:04:19,740 --> 00:04:21,630
as JTAGulator,

36
00:04:22,690 --> 00:04:25,570
of which a photo is shown in the slide.

37
00:04:27,370 --> 00:04:35,770
The photo in this slide shows the identification of the four UART interface pinouts on a printed

38
00:04:35,770 --> 00:04:38,950
circuit board of a TP-Link router.

39
00:04:41,340 --> 00:04:42,750
The second step

40
00:04:43,730 --> 00:04:53,090
in UART exploitation is to connect the UART pinouts of the IoT device to the PC used for the

41
00:04:53,090 --> 00:05:03,860
analysis via a USB-TTL (that is, transistor-transistor logic) converter interface, for example, using

42
00:05:03,860 --> 00:05:12,560
hardware tools such as Shikra, Attify Badge, Bus Pirate, Adafruit, etc. The figure shows

43
00:05:12,560 --> 00:05:16,790
an image of the Bus Pirate converter interface.

44
00:05:19,710 --> 00:05:26,280
And here is a schematic connection of an IoT device with UART interface connected to an analysis

45
00:05:26,300 --> 00:05:30,480
PC through an Attify Badge interface.

46
00:05:33,020 --> 00:05:39,470
The next step before establishing data communication between the PC and the UART interface of the

47
00:05:39,470 --> 00:05:46,480
IoT device is to identify the correct baud rate to set for data transmission.

48
00:05:47,180 --> 00:05:56,360
To do this, it is possible to proceed either by using ad hoc software scripts such as the Python

49
00:05:56,360 --> 00:06:05,060
baudrate.py script, which can be downloaded from a GitHub project, or by using a diagnostic made

50
00:06:05,060 --> 00:06:09,230
using hardware tools such as the JTAGulator tool.

51
00:06:11,830 --> 00:06:19,450
Then you can proceed to establish a connection between the PC and the IoT device through the chosen

52
00:06:19,780 --> 00:06:28,600
connection interface, launching appropriate connection programs from the PC such as the Linux minicom

53
00:06:28,600 --> 00:06:32,980
or screen commands, as shown in the slide.

54
00:06:35,740 --> 00:06:42,400
Once the connection with minicom or screen has been established, if the UART communication of the IoT

55
00:06:42,400 --> 00:06:45,680
device is not protected with authentication,

56
00:06:46,120 --> 00:06:53,690
it is possible to gain access to the device's operating system through an authenticated root

57
00:06:53,710 --> 00:06:54,190
shell.

58
00:06:55,960 --> 00:07:04,810
These are the basics of finding and communicating with an embedded device via UART, and it's only

59
00:07:04,810 --> 00:07:06,340
the tip of the iceberg.

60
00:07:06,640 --> 00:07:12,550
There are many more things that can be done once you get a connection via UART to a device, such

61
00:07:12,550 --> 00:07:21,160
as interrupting the boot process to access the bootloader, making use of the boot logs to identify how to

62
00:07:21,160 --> 00:07:29,200
trigger scripts to run custom code, and changing settings to give more access permissions.

63
00:07:30,010 --> 00:07:36,790
But luckily, most modern embedded devices aren't as simple as the examples shown here.

64
00:07:37,150 --> 00:07:46,960
Many have protections in place to disable the UART console or have the debug pads removed from the PCB.

65
00:07:49,070 --> 00:07:51,620
OK, this lesson ends here.

66
00:07:52,730 --> 00:07:55,340
Thank you for your kind attention, bye.