A $10 Hardware Hack Turns Up Zero Day Vulnerabilities in IoT Devices

Most consumer tech manufacturers figure that once a hacker can physically access a device, there’s not much left that can be done to defend it. But a group of researchers known as the Exploitee.rs say that giving up too soon leaves devices susceptible to hardware attacks that can lead to bigger problems. Hardware hack techniques, like a flash memory attack they developed, can facilitate the discovery of software bugs that not only expose the one hacked device, but every other unit of that model.

The group, which includes the hackers Zenofex, 0x00string, and maximus64_, presented their flash memory hack this week at the Black Hat security conference in Las Vegas. On Saturday, they built on it at DefCon by presenting 22 zero-day (previously undisclosed) exploits in a range of consumer products—mainly home automation and Internet of Things devices—a number of which they discovered using that hack.

“We [wanted] to get this technique into the hands of more people, because there are so many more devices out there that nobody’s looking at,” that have the susceptible type of flash memory, says CJ Heres, a hardware hacker in the Exploitee.rs group. “And manufacturers are still releasing things using this. It’s still a very prevalent flash type.”

Tinker, Hacker, Solder, Spy

On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.

Continue reading…