Hardware hacking is one of those subjects in which a lot of hackers appear to have great interest, but most don’t act on that interest. There are a variety of reasons why this may be, such as a perceived steep learning curve, a financial barrier to entry, and a lack of applicability. I’m here to say that these reasons are silly. Hardware hacking can be cheap and easy! And, more importantly, adding hardware hacking to your repertoire of skills can be quite advantageous. Nothing has made this more clear to me than some of the comments I’ve received from other hackers. Here are a few gems:
- “How do you have root already? You haven’t even had the device for half an hour.”
- “It shouldn’t be able to broadcast that… Can you unlock mine, too?”
- “Why does your keyboard have a rave light?”
But, most alarmingly, a lot of the comments are along the lines of “I could never do that.” Yes you can! And, if you stick around a bit, I’ll prove it. Throughout this series, we’ll work our way from noob’s first LED swap all the way to dumping secrets from a destroyed IoT device. Any and all ages and experience levels are welcome.
The Beauty of Hardware Hacking
From my potentially ever-so-slightly biased perspective, hardware hacking has a few key features that make it rather special. Much like normal hacking, the possibilities are endless. We’re surrounded by hardware, hardware we can hack! …if we have permission, of course. Whether it be something as simple as changing an obnoxiously bright LED or something as complex as dumping, patching, and re-flashing firmware, there’s always an opportunity to hack something. One of the things that makes hardware hacking different from normal hacking is the hands-on nature of the work, and I’m not just talking about fingers on a keyboard. But in my humble opinion, that’s exactly what makes it beautiful!
A lot of the work done in tech-centric jobs is, in a way, imaginary. What I mean by this is the only thing telling us it’s real is symbols on a screen. There’s nothing tangible, nothing we can physically feel. Hardware hacking is much more tangible – you can physically feel it. Of course, this has its ups and downs. Dealing with a tangled mess of PHP5 may cause physical pain but dealing with a tangled mess of electronics could straight-up kill you. But, realistically, it isn’t hard to stay safe, and the ability to physically interact with your work can be quite refreshing.
Another neat thing about hardware hacking is how it helps build skills which are applicable to a wide range of professions. There’s the obvious electrical engineering side of things, but there’s so much more. Let’s take a look at a few examples:
- Programming. This is a very broad category, but that’s deliberate. Writing software for embedded devices can be quite different from what most programmers are used to. How do you attach a debugger to software running on bare metal? How do you check output when the output is a digital signal? Usually, you do a bit of hardware hacking. Furthermore, the software tends to be a lot more low-level. This can force you to dig past the layers of abstraction provided by most languages and software suites, resulting in an overall increased understanding of the system. This knowledge is also beneficial regardless of language or use case, as all software must eventually be executed on hardware in some way.
- Vulnerability assessments. Performing vulnerability assessments on embedded devices can be rather tricky at times, especially if it’s closed-source with no clear way of getting a shell. Hardware hacking can be extremely helpful in cases like this, as it can allow an analyst to bypass software limitations and interface with the hardware directly. From there, dumping firmware and breaking into the bootloader are usually all it takes to get a foothold in the system.
- Penetration testing. Bypassing software limitations can also be quite applicable to penetration testing. If an embedded device can be recovered, there’s a very good chance that hardware hacking skills can be used to dump secrets from the device.
- Digital forensics. Dumping secrets is also something that a forensics operation would have great interest in doing. Even if a device is bricked or partially destroyed, directly interfacing with certain components can facilitate recovery of evidence.
Having hardware hacking skills can open a lot of doors for your career. And, if that’s not what you’re looking for, it can be a very rewarding hobby at the very least. If you look at it as hunting down electrons, then it truly feels like you are hacking the very fabric of space and time. In short, hardware hacking is the shiznit!
Classical vs Security-Focused Hardware Hacking
Back in the day, “hacking” meant something a bit different from what most people understand it to mean today. It was more along the lines of finding creative solutions to technological problems. Nowadays, “hacking” leans more towards the side of exploiting systems – much to the dismay of many a hacker. Hardware hacking falls into a similar situation, but still leans more toward the broad original definition. For this reason, I’m going to split hardware hacking into two categories: classical and security-focused.
Classical hardware hacking is a quite broad subject, but it generally focuses on modifying a device to solve a problem with the device or its implementation. This can range from modifications as simple as changing the color of an LED all the way to as complex as developing drop-in replacements for factory boards.
While classical hardware hacking is focused on solving problems related to the device itself, security-focused hardware hacking is more of a means to an end. We’re hacking the hardware to achieve some other goal, such as recovering secrets, implanting backdoors, assessing a device, etc. As such, security-focused hardware hacking tends to be more high-level. We’re usually not worried about the fine details of a circuit. Instead, we just want to interface with it enough to do our dirty deeds.
Given the two tightly connected but distinct types of hardware hacking, I’m going to focus on one or the other in subsequent articles. Classical will come first, to lay a foundation, and then security-focused will build upon that foundation.
Building a Hardware Hacking Home Lab
Alright, enough backstory. It’s time to get started! Before we can do any hardware hacking, we’ll need to get some tools. As such, it’s time to start building a home lab. Given the vast array of specialized needs and expensive tools, this is usually a pretty organic process. I highly recommend starting with a small set of core tools and slowly adding more as needed. At a bare minimum, you will want the following:
- A multimeter. I recommend the Uni-T UT139C (~40 USD, eBay). This will be one of your most used tools, and it needs to be something you can trust – potentially with your life. You can use a super cheap $5 meter. I certainly did and sometimes still do, but having a half-decent meter makes an incredible difference. However, if you’re going to be working on anything connected to mains power, please do not use a $5 meter. The fact of the matter is that electricity does not give a damn about your partner and children; it will kill you without hesitation. This is not the time to be cheap. Trusting a $5 meter to warn and protect you from such a danger may not be a wise choice.
- A soldering iron. I recommend the 898D+ (~40 USD, eBay). Make sure you get an iron with temperature regulation and replaceable tips. If you’re going to get into hardware hacking, it’s probably not worth buying a cheap unregulated soldering iron.
- A spool of solder. You’re generally going to want something under 0.5mm in diameter. I prefer lead solder, since it has a lower melting point and is much less brittle compared to other alternatives. Don’t start freaking out about lead. If one takes some simple precautions, it’s absolutely safe.
- Basic hand tools. A few screwdrivers, a pair of pliers, and a pair of flush-cut snips.
- An Arduino starter kit. These are a great resource for miscellaneous parts to get you started. Look for a kit with the following: An Arduino UNO equivalent, a breadboard, some jumpers, an assortment of resistors, an assortment of capacitors, and an assortment of LEDs. A good kit should be around 15-20 USD online.
These few tools can get you surprisingly far and can be used to learn the core electronics skills needed for hardware hacking. However, once you have the core tools in your lab, there are a few more that I highly recommend picking up:
- A manual desoldering pump. This tool is essentially a spring-loaded plunger with a nozzle on the end. It can be used to suck solder off of a pad, allowing for much easier replacement of components – especially DIP packages.
- A flux pen. These things are life changing. I received very little formal training and was never taught the wonders of flux pens. Instead, I relied on the small amount of flux in the solder. Don’t be like me – invest $6 and get a no-clean flux pen. It will make certain soldering jobs orders of magnitude easier.
- Ideally, get a set of a few different shapes.
- A set of pry tools. These are often called “spudgers.” These tools will make it a lot easier to open modern consumer-grade devices that are held together with an exorbitant amount of molded clips.
- A pair of “helping hands.” The ones below are a little elaborate, but could be a fun side project with a 3D printer.
Finally, once you start working with surface-mount components and delving into security-focused hardware hacking, you may want to purchase some of the following tools:
- A hot-air rework station. This tool is more-or-less required for desoldering surface-mount ICs. The 898D+ soldering station that I recommended earlier comes with a hot-air gun and will work fairly well.
- A roll of Kapton tape. This high-temperature tape can be used to shield sensitive components when doing hot-air rework.
- A spool of mod wire, aka “wire-wrapping wire.” This very thin solid core wire is great for soldering directly to surface-mount parts and modifying PCBs, hence the name mod
- A handful of USB TTL adapters. These adapters may as well be magical keys to root shells on a lot of IoT devices, but we’ll get to that in a later article. Modern Linux distros will support just about anything, but Windows and Mac users should probably stick to FT232RL-based models.
- An ST-Link v2 clone. This $3 tool can interact with tons of ARM MCUs via SWD. We’ll cover SWD in a later article, but, for now, know that it can be used for manipulating firmware and in-circuit debugging.
- A logic analyzer. This tool will allow you to monitor and decode a wide variety of digital signals. I recommend starting off with a cheap generic 24MHz USB logic analyzer. These low-end analyzers are not great, but they’ll get the job done. Once you outgrow the 24MHz unit, you’ll probably want to make the jump to the $400 entry-level Saleae Logic 8.
- An oscilloscope. A multimeter can show a measurement at one point in time, while an oscilloscope can show at least one measurement over a span of time – like a photo versus a video. Finding a used digital scope with 2+ channels and 50+MHz of bandwidth would be best. Expect to pay between 100 and 400 USD.
After going through this list and seeing all of the prices, you may be a bit disheartened by how expensive building a home lab can be. I certainly was at first. Remember what I said earlier: building a home lab is an organic process. Start small and add tools as you need them. It also helps to try out some equipment before you buy, whether borrowed from friends and family or at your local hacker space / maker space. As an added benefit, you’re sure to find kindred spirits with a wealth of knowledge they’re dying to share… and maybe even an old oscilloscope just collecting dust.
Getting up to Speed on Electronics
Now that we have established some foundational tools to outfit our labs, we need to establish some foundational knowledge. All of the hardware hacking that we’ll be doing will require basic electrical engineering (EE) skills. Although I’d like to provide a detailed introduction to EE, doing so would take quite some time, wouldn’t benefit a large percentage of readers, and would generally miss the point of this series. Instead, I’ve compiled a list of concepts and relevant learning resources. I’ll also recap some introductory material with each project in future publications, but I highly recommend building a basic understanding via these resources beforehand.
- Electronics basics such as Ohm’s law, AC vs DC, capacitance, diodes, transistors, breadboarding, etc. by Randy Sarafan.
- Using a multimeter. There are lots of links on this page to other basic tutorials.
- How to solder. This series by Dave Jones of EEVBlog also highlights a lot of the hardware that a basic lab should have.
- Try it out yourself. There are plenty of ways to dip your toe in the water as well as get one-on-one instruction (sometimes for free). We’ve mentioned hacker / maker spaces, but you may also want to look for conferences with dedicated “villages” such as DEF CON Hardware Hacking Village (DCHHV) and IoT Villages at RSA, DEF CON and DerbyCon.
There are countless resources to teach basic electronics, but these will give you a good running start. Feel free to explore as many of them as you can find (or afford). We will add more suggestions in the “Hardware Hacking” Group right here on EH-Net, and we encourage you to share your faves as well. But be sure not to become a victim of analysis paralysis. Although you will need some rudimentary knowledge of EE, a degree is not required for this series. Learning by doing is the mantra here!
The First Step is Always the Hardest
Hardware hacking certainly has a learning curve and a bit of a financial barrier to entry, but both of these sticking points can be mitigated by starting small and giving yourself time to grow. Once you make that initial jump and start building a repository of tools and skills, hardware hacking can be quite rewarding. Everyone from programmers, to penetration testers, to hobbyists can benefit from these new skills. And, now that you have some tools and learning resources, you’re all set to take that first step and start hacking some hardware.
CAUTION! Learning electronics and expanding into hardware hacking can be addictive! You may find yourself wanting to purchase every tool and every component. You’ll be searching through Craigslist, OfferUp, garage sales, pawn shops, Chinese wholesalers, your grandfather’s basement and even your neighbors’ garbage for devices to explore and spare parts for your lab. All things in moderation as they say. But if we spark a passion in you, then go for it. Far be it from us to judge. Just know that you’ve been warned!
Next time, we’ll get our hands dirty and put our new foundational knowledge and tools to good use. Over the course of the next several publications, we’ll go from basic classical hardware hacking and gradually work our way up to advanced security-focused hardware hacking. Along the way, we’ll build experience with the basic theories, learn that surface-mount isn’t as scary as it looks, and eventually shake some shells out of IoT devices. Until then, the world is your oyster! Crack it open, replace some LEDs, and make it spit rainbows.
Hardware Hacking Resources
In addition to some links from above, here are just a few more to keep your new obsession going until next month!
- Adafruit Learn
- Big Clive
- bunnie’s blog
- Charles Platt’s Electronics Pages
- DEF CON Hardware Hacking Village
- IoT Village
- ISE Blog
- Make: Magazine
- Randy Sarafan
- SparkFun Tutorials
Ian Sindermann is an Associate Security Analyst at Independent Security Evaluators (ISE), a firm of security specialists that provide a wide range of services including custom security assessments and software development. He is also a researcher for ISE’s newly formed research division, ISE Labs. ISE also runs IoT Village, which hosts talks by expert security researchers who dissect real-world exploits and hacking contests consisting of off-the-shelf IoT devices. Ian’s day-to-day duties include conducting rigorous security assessments on a wide variety of web applications, researching the security posture of various IoT devices, and sharing knowledge whenever possible. His background is somewhat varied, with a primarily self-taught education, prior experience as a wannabe Linux admin, and a childhood spent as a traveling performer. Interests include hardware hacking, legacy systems, mainframes, and whatever tech obscurities he can get his hands on.