Introduction
After describing the MITRE eCTF competition and our updated project, we’ll begin with the process of attacking the insecure example. Attacks always begin with an “information gathering” step, so in this article, we’ll discuss what information attackers look for and where they can often find it. By the end of this article, you’ll be able to produce a portfolio for an electronic device with information about how it works and where its potential vulnerabilities lie. Most importantly, you’ll begin to train yourself to spot those vulnerabilities in other designs and source code (especially yours!). Let’s get started!
Challenge question!
Why do you think attackers bother with reconnaissance at all? Why not just start trying random exploits?
What do you think changes when you have good information about your target? What’s an example of a “good” piece of information that you think an attacker would find highly valuable?
Answer these questions to yourself before you continue reading!
The importance of reconnaissance
As any skilled spy, thief, or all-around “bad guy” knows, the first step of any job is to “case the joint”; that is, to collect a lot of information about the people and places pertinent to the “job”.
"The humans bring the food through the front door weekly. If we target the source, we can--SQUIRREL!!!"
Successful heists begin by getting the answers to key questions, such as:
“What’s their normal daily routine?”,
“How do contractors access the building?”, and
“Where does the trash go when it’s picked up?”
Even if the answers aren’t particularly interesting (i.e., they don’t identify an easily exploitable vulnerability), every answer learned builds a person’s understanding of the “target”, increasing the chances that the answer to the next question will expose a vulnerability. Good reconnaissance enables an attacker to aim for specific vulnerabilities that can be exploited; without it, they’re merely guessing.
Reconnaissance objectives
In general, we’re looking for any information that can enable a successful attack, including the payoffs we hope to achieve after a successful attack. Put another way:
[Image: How Hardware Gets Hacked (Part 3): Adopting the Attacker Mindset]
Find possible payoffs
Before we can “case the joint,” we have to identify a “joint” to “case”! In other words, there must be something of value to be gained by attacking our target to justify an attack in the first place.
An attacker’s desired payoffs might include:
making the device run attacker-controlled firmware,
extracting protected user data, or
extracting secret keys.
These might be acquired for the purposes of:
unlocking pay-to-play features,
customizing device behavior,
selling secret or protected data to another interested party,
gaining access to a network or physical location (like a car!) that they would otherwise be denied, or
defaming the manufacturer.
Only some of these payoffs may be applicable for a given device and a given attacker. Pay attention to all possible payoffs during your initial reconnaissance, though. Later, you can prioritize just the ones that seem to have a higher value while being protected by more easily exploitable vulnerabilities.
In the case of the eCTF, the payoff we’re chasing is clear: read or extract flags from opposing teams’ designs.