Episode 22 Blogcast: Chipping Away at Hardware Hacking

Let's take a quick dive into last week's episode and cover our recent insights on hardware hacking in the bug bounty field!

If you missed it, catch episode 22 here and follow along!

News Shout-outs!

SVG element vector going Extinct!

Gareth Heyes signaled the end of their favorite XSS vector on Twitter recently. If you haven’t already learned about Gareth’s overwhelming love of JavaScript, be sure to pick up a copy of JavaScript for Hackers. RIP SVGUseElement.href for data: URL, you will be missed.

Huntress MOVEit Critical Vuln

From PCAP to insights, it was inspiring to see John Hammond’s passion on display while working through the MOVEit Transfer exploit. Watching someone give live updates as an enthralled hacker piecing together an exploit is always inspiring to the channel. Digging through source code and navigating rabbit holes in the middle of the night is what it is all about!

Speaking of Rabbit Holes

What does Rhynorater do when they hit a rabbit hole?

At some point, I get to the stage where I loop over the same outcome multiple times and keep coming to the same conclusion. My threshold is 5-10 cycles of seeing the same information. When I get through these cycles and realize there's nothing at this code pathway, I move on.

The OSCP taught me to pay attention to my timeline. You've got 24 HRS, and you are forced to cut down time on rabbit holes. The ability to know when to stop is learned through personal experience. Knowing when to cut your losses is a skill too.

Are you the type of person who feels better pivoting when they hit a wall, or are you the type who is determined to break through? Both are valid, but they are up to you to decide.

I've been in both places and found it has yet to impact my bounties dramatically.

However, I am more fond of a competitive effort to continue trying.

How about Joel?

I am the type to keep testing, even if there is a little push-back. I want to clear the floor of what I'm doing before I move on; I want to be sure I haven't missed anything or made an error in my requests.

I don't have a specific number of attempts. Instead, I go based on the number of interesting things I have to look at. It will change how lenient I am to stick with something. If there's new information or artifacts that are pulling me in another direction, and I haven't found anything, then I'll allow myself to pivot to something new.

What/Why/How of Episode 22

We like to bring people into topics revolving around current information we are gaining ourselves. Hardware hacking is relatively untouched in programs, regardless of which platform you choose to hack on. The competition is a short list, and there are high bounties for those who dedicate time to building their skills.

Hardware hacking is relatively less crowded than web-based disciplines, primarily due to the specialized tools and foundational knowledge it necessitates. Consequently, the competitive landscape is less intense, and the demand for these skills frequently outpaces the supply of people in the field. Given the laws of supply and demand, this results in elevated opportunities and potential rewards within the hardware hacking domain.

As Joel stated, "There are not many people who know this kind of stuff. It's a very sparse knowledge space within hacking. So, if you can pop one of these devices, it usually pays a significant amount because most of these are owned by large conglomerates. They have a massive amount of money on the line; they have an entire user base with these devices in their hands."

Here's the trade-off: cost.

Hardware hacking requires equipment to ensure proper testing environments, confident readings, and lower failure rates. Additionally, there's a good chance you will be the one purchasing the device you're hacking. You must be comfortable voiding the warranty of whatever you buy and potentially bricking it. (It should be noted that there are times bug bounty companies will send out the hardware for you to test on, but it all depends on the program.)

Don't let that discourage you.

You want to build up your knowledge, so before you go out there voiding warranties, a fun way to get started with hardware hacking is with conference badges! If you don't already know, conference badges can be collected at security conventions. They are fun, interactive, and often complex electronic devices given to attendees as part of their conference swag.

High level eMMC Recon

eMMC stands for “embedded MultiMediaCard." This is the storage device in many IoT applications where the file system and source code are stored, so there’s no doubt about it being an attractive target to start with. The essential idea here is that we are locating the test pins necessary for dumping the information we need. Once you have the pins located, you use specialized equipment to read the contents and save them to a file you can work with.

Note: The pin layout for an eMMC can be looked up in the datasheet for the chip model printed on the board. Still, hardware is all about hands-on, so get in there!

Speaking of which, here are some high-level tips we walked through on the podcast.

  1. Locate the test pins on the eMMC chip: These pins can be used to read data from the chip without removing it from the board. However, be aware that reading data from an eMMC chip while it's in use can be problematic due to potential conflicts with other operations. You can always trace the pins out manually, but finding a datasheet is much easier if you can identify the chip model.

  2. Solder connectors onto the test pins: This allows the chip to communicate with a device capable of understanding the eMMC protocol, potentially enabling a file system read without damaging the device.

  3. Use a multimeter for continuity testing: This can help verify the pinout and check the test pads. Every chip will have a voltage and a ground pin, and you can test for continuity between these pins.

  4. Identify the main parts of the eMMC protocol: Communicating over eMMC requires three signals at minimum: the clock (CLK), the command line (CMD), and data zero (DAT0).

  5. Use a logic analyzer (Read the blips!): This tool captures the logic-level transitions on the clock, CMD, and data zero lines, helping you understand the eMMC protocol. Recommended logic analyzers include analyzers from Saleae and the Analog Discovery 2 by Digilent.
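To make steps 4 and 5 concrete, here is an added example (not code from the podcast or its hosts) showing what the "blips" on the CMD line actually encode. It assumes the standard eMMC/SD 48-bit command token: a start bit (0), a transmission bit (1 for host to card), a 6-bit command index, a 32-bit argument, a CRC7 over those first 40 bits with generator x^7 + x^3 + 1, and an end bit (1). The capture below is constructed, not a real logic-analyzer export; `decode_command` takes the CMD-line value sampled at each clock edge, finds the start bit, and checks the CRC so you can tell a clean capture from a mis-probed one.

```python
"""Decode eMMC/SD command tokens sampled from the CMD line at each CLK edge.

Added example for the eMMC recon steps above; assumes the JEDEC/SD 48-bit
command token format described in the lead-in. Names and the sample capture
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# A few standard eMMC command indices, for readable output.
EMMC_COMMANDS = {
    0: "GO_IDLE_STATE", 1: "SEND_OP_COND", 2: "ALL_SEND_CID",
    3: "SET_RELATIVE_ADDR", 7: "SELECT/DESELECT_CARD", 8: "SEND_EXT_CSD",
    9: "SEND_CSD", 13: "SEND_STATUS", 16: "SET_BLOCKLEN",
    17: "READ_SINGLE_BLOCK", 18: "READ_MULTIPLE_BLOCK",
}

CRC7_POLY = 0x09  # x^7 + x^3 + 1, as used on the CMD line


def crc7(bits: List[int]) -> int:
    """Bitwise CRC7 over a list of bits, most significant bit first."""
    crc = 0
    for bit in bits:
        msb = (crc >> 6) & 1
        crc = (crc << 1) & 0x7F
        if msb ^ bit:
            crc ^= CRC7_POLY
    return crc


def bits_to_int(bits: List[int]) -> int:
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def int_to_bits(value: int, width: int) -> List[int]:
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


@dataclass
class CommandToken:
    host_to_card: bool  # transmission bit: 1 = command, 0 = card response
    index: int
    argument: int
    crc: int
    crc_ok: bool
    end_bit: int

    @property
    def name(self) -> str:
        return EMMC_COMMANDS.get(self.index, f"CMD{self.index}")


def encode_command(index: int, argument: int) -> bytes:
    """Build the 48-bit token a host drives onto CMD for a given command."""
    body = [0, 1] + int_to_bits(index, 6) + int_to_bits(argument, 32)
    bits = body + int_to_bits(crc7(body), 7) + [1]
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, 48, 8))


def decode_command(samples: List[int]) -> Optional[CommandToken]:
    """Return the first 48-bit token found in CMD samples (one per CLK edge)."""
    for start in range(len(samples) - 47):
        if samples[start] != 0:  # CMD idles high; a 0 is a start bit
            continue
        frame = samples[start:start + 48]
        body = frame[:40]
        crc = bits_to_int(frame[40:47])
        return CommandToken(
            host_to_card=bool(frame[1]),
            index=bits_to_int(frame[2:8]),
            argument=bits_to_int(frame[8:40]),
            crc=crc,
            crc_ok=(crc == crc7(body)),
            end_bit=frame[47],
        )
    return None


# Constructed capture: a few idle-high clocks, then CMD17 (READ_SINGLE_BLOCK)
# for block address 0x400, then the line returning to idle.
CONSTRUCTED_CAPTURE = (
    [1] * 6
    + [b for byte in encode_command(17, 0x400) for b in int_to_bits(byte, 8)]
    + [1] * 4
)


if __name__ == "__main__":
    tok = decode_command(CONSTRUCTED_CAPTURE)
    print(tok.name, hex(tok.argument), "crc_ok" if tok.crc_ok else "CRC MISMATCH")
```

A CRC mismatch on every token is the usual sign that the probe is on the wrong pad, the clock edge is being sampled on the wrong side, or the analyzer's sample rate is too low for the bus clock; a token that decodes cleanly with a plausible index (CMD0, CMD1, CMD2, CMD3 during card initialization) is the confirmation that CLK and CMD are correctly identified before you go looking for DAT0.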

We're thrilled to have you along on this journey of discovery and learning. Tune in next week for another exciting episode of the Critical Thinking Bug Bounty Podcast, where we'll dive into more fascinating topics in the realm of cybersecurity. Until then, keep hacking, keep learning, and keep pushing the boundaries. Happy hacking, everyone!