The Hardware Hacking Handbook
Breaking Embedded Security with Hardware Attacks
by Jasper van Woudenberg and Colin OFlynn
THE HARDWARE HACKING HANDBOOK. Copyright 2022 by Jasper van Woudenberg and Colin OFlynn.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
First printing
25 24 23 22 21 1 2 3 4 5 6 7 8 9
ISBN-13: 978-1-59327-874-8 (print)
ISBN-13: 978-1-59327-875-5 (ebook)
Publisher: William Pollock
Production Manager and Editor: Rachel Monaghan
Developmental Editors: William Pollock, Neville Young, and Jill Franklin
Cover Illustrator: Garry Booth
Cover and Interior Design: Octopod Studios
Technical Reviewer: Patrick Schaumont
Copyeditor: Barton Reed
Compositor: Jeff Wilson, Happenstance Type-O-Rama
Proofreader: Rebecca Rider
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; info@nostarch.com
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: Woudenberg, Jasper van, author. | O'Flynn, Colin, author.
Title: The hardware hacking handbook : breaking embedded security with
hardware attacks / by Jasper van Woudenberg and Colin O'Flynn.
Description: San Francisco, CA : No Starch Press, 2022. | Includes
bibliographical references and index. | Summary: "A deep dive into
hardware attacks on embedded systems explained by experts in the field
through real-life examples and hands-on labs. Topics include the
embedded system threat model, hardware interfaces, various side-channel
and fault injection attacks, and voltage and clock glitching"--Provided
by publisher.
Identifiers: LCCN 2021027424 (print) | LCCN 2021027425 (ebook) | ISBN
9781593278748 (print) | ISBN 9781593278755 (ebook)
Subjects: LCSH: Embedded computer systems--Security measures. | Electronic
apparatus and appliances--Security measures. | Penetration testing
(Computer security)
Classification: LCC TK7895.E42 W68 2022 (print) | LCC TK7895.E42 (ebook)
| DDC 006.2/2--dc23
LC record available at https://lccn.loc.gov/2021027424
LC ebook record available at https://lccn.loc.gov/2021027425
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
Dedicated to all the kids who took apart their parents devicesand dealt with the consequences.
Dedicated to Hilary and Kristy, who had never-ending patience to support us throughout the years of writing. And to Jules and Thijs, who (sometimes) patiently waited.
Dedicated to our parents, John, Eleanor, Pieter, and Margriet, who put up with us taking apart expensive devicesand dealt with the cost of having to replace it.
About the Authors
Colin OFlynn runs NewAE Technology, Inc., a startup that designs tools and equipment to teach engineers about embedded security. He started the open source ChipWhisperer project as part of his PhD research and was previously an assistant professor with Dalhousie University, where he taught embedded systems and security. He lives in Halifax, Canada, and you can find his dogs featured in many of the products developed with NewAE.
Jasper van Woudenberg has been involved in embedded device security on a broad range of topics: finding and helping fix bugs in code that runs on hundreds of millions of devices, using symbolic execution to extract keys from faulted cryptosystems, and using speech recognition algorithms for side-channel trace processing. Jasper is a father of two, husband of one, and CTO of Riscure North America. He lives in California, where he likes to bike mountains and board snow. The family cat tolerates him but is too cool for Twitter.
About the Technical Reviewer
Patrick Schaumont is a professor of computer engineering at Worcester Polytechnic Institute. He was previously a staff researcher with IMEC, Belgium, and a faculty member with Virginia Tech. His research interests are in design and design methods of secure, efficient, and real-time embedded computing systems.
Foreword
There was a time in the not-so-distant past when hardware was relegated to the fringes of hacking. Many considered it too difficult to get involved with. Hardware is hard, theyd say. Of course, this is true of anything before you become familiar with it.
When I was a juvenile delinquent with a passion for hardware hacking, access to knowledge and technology was often out of reach. Id jump into dumpsters to find discarded equipment, steal materials out of company vehicles, and build tools described in text files with schematics fashioned from ASCII art. Id sneak into university libraries to find data books, beg for free samples at engineering trade shows, and lower my voice to sound distinguished when trying to get information from vendors over the telephone. If you were interested in breaking systems instead of designing them, there was rarely a place for you. Hacking was a long way from turning into a respectable career.
Over the years, attention to what hardware hackers could accomplish shifted from the underground to the mainstream. Resources and equipment became more available and cost affordable. Hacker groups and conferences provided a way for us to meet, learn, and join forces. Even academia and the corporate world realized our value. Weve entered a new era, where hardware is finally recognized as an important part of the security landscape.
Within The Hardware Hacking Handbook, Jasper and Colin combine their experiences of breaking real-world products to elegantly convey the hardware hacking process of our time. They provide details of actual attacks, allowing you to follow along, learn the necessary techniques, and experience the feeling of magic that comes with a successful hack. It doesnt matter if youre new to the field, if youre arriving from somewhere else in the hacker community, or if youre looking to level up your current embedded security skill settheres something here for everyone.
As hardware hackers, we aim to take advantage of constraints placed on the engineers and the devices theyre implementing. Engineers are focused on getting the product to work while remaining on schedule and within budget. They follow defined specifications and must conform to engineering standards. They need to make sure the product is manufacturable and that access is available to program, test, debug, repair, or maintain the system. They place trust in the vendors of the chips and subsystems they are incorporating and expect those to function as advertised. Even when they