[HackerNotes Ep. 153]: Hacking the Robots of the Future: Hardware, AI, and Bug Bounties with Matt Brown

Hacker TL;DR

• Incremental Session Tokens:" Industrial control systems using predictable, incrementing session IDs across the entire fleet allow attackers to enumerate and hijack remote sessions - even when tokens are "obfuscated" with a date offset.

• Hardware Bug Bounties: Hardware programs often pay 3x web bounties, but require significant upfront investment. Amazon's program stands out for well-defined severity guidelines.

• Hardware Hacking Philosophy: Most hardware vulnerabilities are actually software flaws in hardware devices. Hardware hacking is a means to turn blackbox assessments into graybox by extracting firmware and accessing debug interfaces.

• IoT Hackbot: Using Claude Code with custom skills, Matt built IoTHackBot, a IoT security testing toolkit.

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

Bring a Bug: An IDOR in Industry

Matt shares a vulnerability he discovered in a device that allowed him to remotely view the controls of an industrial control system.

By monitoring traffic with Wireshark, he noticed cleartext session data over UDP. Next, he used Frida to bypass cert pinning in the device's corresponding mobile app. Once he was able to view the web traffic, he discovered session tokens were incremental. With this information, he initiated a session and then walked backwards or forwards from his own ID to assume other sessions.

The Hardware Bug Bounty Scene

• Due to the significant time investment required for hardware hacking, program selection is crucial and overall there are less public programs when compared to web hacking.

• However, if you submit a valid finding and start collecting private invites, you'll be sent products not available to the general public to test and invites to live events quicker than you would with web testing.

• Matt recommends Amazon's hardware program due to their clear threat model.

Pro Tip: Write that you are open to hardware hacking in your platform bio to advertise for invites.

AI on Hardware

Initially, data processing was handled on the backend for devices that incorporated machine learning (such as facial recognition in security cameras). But Matt believes that this will be handled locally at some point in the near future, meaning vulnerabilities such as prompt injection may be within the devices themselves.

Attack vector ideation that seems like its from a sci-fi novel:

• Recording prompt injection attacks outside of the audible range to humans and playing them to a listening device.

• Transmitting audio data via lasers. (Shoutout to @samykamkar!)

  Methodology: The First 8 Hours

  Recon: Identify and Collect Known Info

  • Matt utilizes Grok in the recon phase: "Look into all of the subcomponents and give me any known CVEs and previous blog posts/research."

  • This is the point when disassembly starts, to discover all the unknown components, and add them to another prompt.

  Pro Tip: If it transmits wirelessly in the US, by law specifications must be provided and can be found on fccid.io.

  Debug Interfaces: Your Entry Point

  • In devices with multiple PCBs, Matt uses a logic analyzer (Saleae/$20 knockoffs) to read the digital signals (Wireshark at a physical level).

  • In any hardware assessment Matt looks for debug interfaces that provide developers with access to logs/a shell/upload and download functionality:

    • UART: Serial communication, often provides shell access or boot logs.

    • JTAG: For microcontrollers, allows code upload/download.

    • USB: Common on Android-based devices, can provide shell access if ADB is enabled.

  Pro Tip: Sometimes USB headers aren't soldered - you can cut a USB cable and solder the four wires (power, ground, D+, D-) directly to the board.

  • For more complex robotic systems, it is common to see the Nvidia Jetson platform running Linux (which comes with some security out-of-the-box, but things can be misconfigured). Look for UART. Microcontrollers handling physical movement will typically use JTAG or SWD (ARM's version of JTAG).

  • I²C and SPI protocols can also be used.

  Device Safety: Don't Break the $50,000 Robot

  • Ideally, having 2-3 devices eliminates the stress of testing.

  • Designate one as "destructive testing" - don't care if it bricks.

  • Keep one "clean" for safe operations only.

  Pro Tip: Practice on $20 routers from Goodwill before touching expensive targets to get a sense of which operations are risky and which aren't (UART is relatively safe but removing chips for firmware extraction can be fragile).

  Hardware Hacking Philosophy: Blackbox to Graybox

  Key Takeaway: Most hardware vulnerabilities are actually software flaws in hardware devices. Hardware hacking is a means to an end of hacking on software.

  The Two Main Operations

  1. Debug Interfaces

  • Get shell access to view running processes.

  • Use netstat to see which binaries open which ports.

  • Connect the dots: "Port 80 is opened by process 'web' - now I know where to look in the firmware".

  2. Firmware Extraction

  When debug interfaces aren't available or are disabled:

  Identifying Flash Chips

  Common Types:

  • eMMC: Larger square/rectangular chips (153 solder balls standard).

  • SPI Flash: Smaller 8-pin chips common on budget devices.

  • TSOP 48: 48-pin chips (24 pins per side).

  For Beginners: Read the model number on the chip, Google it. You'll eventually learn to recognize chip shapes through pattern recognition.

  Extraction Tools

  Xeltek XGecu: The universal programmer Matt recommends.

  • Multiple socket adapters for different chip packages.

  • Official software runs on Windows (Chinese .exe - use a burner laptop).

  • Open-source alternative: MiniPro (works sometimes - use a burner laptop).

  The Process:

  1. Remove chip with hot air gun.

  2. Place in appropriate socket adapter.

  3. Click button → get binary firmware file.

  Analyzing the Binary

  Binwalk: The go-to tool for firmware extraction.

  • Signature detection for filesystems (ext4, etc.).

  • Carves out partitions automatically.

  When Binwalk Fails:

  • Check UART boot logs for partition table and offsets.

  • Convert to dd commands to manually extract partitions.

  • Use standard filesystem tools to mount and explore.

  The Reality: Most IoT firmware is compiled C/C++ binaries. You'll need:

  • Ghidra (NSA open-sourced, free).

  • Binary Ninja (commercial, competitive pricing).

  • IDA Pro (expensive, industry standard).

  These decompilers can get you back to "more or less what the original C looked like" - turning blackbox into graybox.

  Exception: Bug bounty targets are often "overspeced" devices that can afford to run Python, making your life easier.

  Hardware Hacking Resources

  Matt provided several learning resources:

  • Hardware Hacking Tutorial by Make Me Hack: Intro playlist for hardware hacking beginners

  • Router Analysis Part 1: UART Discovery and SPI Flash Extraction by wrongbaud: Blog post on UART interaction and SPI firmware extraction.

  • Matt's Videos:

    • UART Interaction content: https://youtu.be/B0Wi2EP-BCY & https://youtu.be/pogUY9jH3sw

    • Matt’s Firmware Extraction content: https://youtu.be/Su4MTlgDfzI & https://youtu.be/IkXbuF7_VPk

  A Bot for Bots

  Matt built an IoT hackbot called... drumroll ... IoTHackBot.

  "IoTHackBot is a collection of specialized tools and Claude Code skills designed for security testing of IoT devices, IP cameras, and embedded systems. It provides both command-line tools and AI-assisted workflows for comprehensive IoT security assessments."

  Closing Thoughts

  Hardware hacking represents a unique intersection of physical and digital security:

  • Higher barriers to entry but higher rewards: Compared to web app bounties.

  • More resilient to AI automation: The need for physical access and specialized tools are obstacles.

  • Evolving attack surface: With AI integration bringing prompt injection to physical devices.

  • Philosophical shift: Hardware hacking is really software hacking with extra steps to get source code.

  And as always, keep hacking!