​Shravan Singh will present Attack Surface of IoT Hacking and Practical Overview

Title: Shravan Singh will present Attack Surface of IoT Hacking and Practical Overview
Presenter: Shravan Singh
Event: BreachForce CyberSecurity Cohort
Talk Date: 24th-November-2024

Key Takeaways: A walk through the intricacies of IoT security, highlighting common vulnerabilities and offering practical insights into safeguarding these devices.

BreachForce

November 24, 2024

Transcript

  1. Exploiting UART for Root Shell Access: A Practical Guide to Embedded Security Testing
     Shravan Singh, November 2024. BreachForce Community | Cyber Security Cohort
  2. Shravan Singh (BE – ACE, Malad; M.Tech – VJTI, Matunga)
     Currently Working
     - Senior Penetration Test Engineer – LTTS
     Past Experience
     - Security Engineer – Redfox Security
     - Postgraduate Researcher – COE CNDS, VJTI
     - Process Executive – Nvidia
     - R&D Engineer – Robokart
  3. Agenda
     - What is UART – Basics and importance in embedded security
     - Tools in Use – Hardware essentials for the session
     - Analyzing PCB – Chips, debugging ports, and vulnerabilities
     - Pinout Identification – Finding and mapping UART pins
     - Connection Setup – Linking UART to hardware tools
     - Root Shell Access – Gaining root access to the device
     - What’s Next – Start your lab, test smart devices, and explore findings like TP-Link and Philips
  4. What Is UART Exploitation?
     Universal Asynchronous Receiver-Transmitter (UART) enables serial communication by converting data between parallel and serial forms. It is used for debugging, device communication and accessing firmware in embedded systems. In hardware hacking, UART helps uncover device internals via exposed debug ports or test points.
  5. Target Device
     - Consumer-grade router demonstrating UART exploitation.
     - Testing applicable to healthcare devices (e.g., patient monitors).
     - Extendable to automotive systems (e.g., ECUs, infotainment units).
     - Relevant for smart home devices (e.g., locks, cameras).
  6. Tools in Use for the Session
  7. PCB Analysing
     - What do we notice on the front and back of this PCB?
     - Can we identify the key chipsets like memory or wireless modules?
     - Do you see any unlabeled pinouts that might hint at UART or JTAG?
     - What reversing clues can debugging ports or test points reveal?
  8. Identification of Pinout (GND)
     - Step 1 – Continuity Test
  9. Identification of Pinout (VCC)
     - Step 2 – Voltage Test
  10. Identification of Pinout (RX & TX)
     - Step 3 – Jtagulator Test
  11. Identification of Pinout (RX & TX)
     https://youtu.be/KgEZOePaWuk
  12. Identification of Pinout (RX & TX)
     - Step 3 – Jtagulator Test
  13. Identification of Pinout (RX & TX)
  14. What’s Next
     - Start exploring your nearby smart devices: routers, smart bulbs, security cameras, or smart plugs.
     - Many of these devices are easily available online for testing and learning.
     - Refer to detailed blogs and online resources to deepen your understanding of hardware hacking.
     - Use today’s insights to set up your own hardware testing lab and uncover vulnerabilities in everyday IoT devices.
  15. Latest Findings: Philips Lighting Devices Vulnerabilities
     - Philips Lighting IoT devices are reported to have a critical vulnerability that allows attackers to obtain sensitive information from the target. This highlights the importance of securing everyday smart devices against exploitation.
  16. IoT Devices: A New Security Challenge
     - CERT-In Alert: A newly discovered IoT vulnerability may allow unauthorized access, putting device security at risk. With IoT adoption skyrocketing, addressing such gaps is crucial.
  17. IoT Devices: Hall of Fame as Recognition
     - Philips Lighting: Hall of Fame
  18. IoT Devices: A Bounty for Recognition
  19. IoT Devices: A Bounty for Recognition
  20. Thank You for Your Attention
     Exploiting UART for Root Shell Access | A Practical Guide to Embedded Security Testing
     See You Next Time
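
Slide 4 describes UART as converting data between parallel and serial forms. The following is an added example, not taken from the deck: it shows that conversion for the common 8N1 frame format and why a receiver set to the wrong bit rate reads garbage or framing errors. The 8N1 format, the function names and the sample data are assumptions made for illustration.

```python
"""UART 8N1 framing: parallel bytes <-> serial line levels (added example)."""

IDLE = 1  # a UART line rests high between frames


def encode_8n1(data: bytes, samples_per_bit: int = 8) -> list[int]:
    """Serialize bytes into sampled line levels.

    Each frame is: start bit (0), 8 data bits LSB first, stop bit (1).
    """
    line = [IDLE] * samples_per_bit              # idle time before the first frame
    for byte in data:
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for bit in bits:
            line.extend([bit] * samples_per_bit)
    line.extend([IDLE] * samples_per_bit)        # idle time after the last frame
    return line


def decode_8n1(line: list[int], samples_per_bit: int = 8) -> tuple[bytes, int]:
    """Recover bytes from sampled levels; returns (data, framing_error_count)."""
    out, errors, i = bytearray(), 0, 0
    frame_len = 10 * samples_per_bit
    while i + frame_len <= len(line):
        if line[i] == IDLE:                      # still idle: keep looking for a start bit
            i += 1
            continue
        mid = i + samples_per_bit // 2           # sample every bit at its centre
        bits = [line[mid + n * samples_per_bit] for n in range(10)]
        if bits[0] != 0 or bits[9] != 1:         # bad start or stop bit: framing error
            errors += 1
            i += 1                               # resynchronise on the next sample
            continue
        out.append(sum(b << n for n, b in enumerate(bits[1:9])))
        i += frame_len
    return bytes(out), errors


if __name__ == "__main__":
    capture = encode_8n1(b"login: ")             # constructed sample, not a real capture
    print(decode_8n1(capture, 8))                # receiver at the matching bit rate
    print(decode_8n1(capture, 4))                # receiver running twice as fast
```

Because a mismatched rate still produces plausible-looking frames, the presence of readable text is the practical signal that the receiver settings match the line.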