WANT SWEET DEALS? JOIN OUR MAILING LIST

No Starch Press's blog

Break It Till You Make It: Q&A with Hardware Hackers Colin O'Flynn and Jasper van Woudenberg


To kick off the Cybersecurity Awareness Month edition of our ongoing Author Spotlight series, we're joined by Colin O’Flynn and Jasper van Woudenberg, co-authors of The Hardware Hacking Handbook (available November, 2021). In the following Q&A, we talk with Colin (@colinoflynn) and Jasper (@jzvw) about the perils of proprietary protocols being replaced with network devices, the problem of having too many interesting targets to test your tools on, the beauty of AI-designed attack systems, the indisputable power of “hammock hacking,” and why nobody cares about fault injection until they get hacked with fault injection.

Hardware Hacking Handbook Cover Colin Oflynn Jasper VanWoudenberg

Colin runs NewAE Technology, Inc., a startup based on his ChipWhisperer project that designs tools to make hardware attacks more accessible, and teaches engineers about embedded security – a topic he frequently speaks about at conferences and on tech podcasts.

Jasper is CTO of Riscure North America, where he leads the company’s pentesting teams, and has a special interest in integrating AI with security. His research has been published in various academic journals, and he’s a regular speaker at educational and hacking conferences.

No Starch Press: I’ll start by saying that your book is timely! Hardware hacking, once a niche field of the exploit world, has become far more relevant amidst the proliferation of embedded devices all around us. What do you think accounts for this, and why are side-channel attacks in particular becoming increasingly common (and difficult to prevent)?

Colin O'Flynn: Hardware hacking has been a niche field, but one with an extensive and long history. Most of the powerful attacks we’re discussing today have been demonstrated for 20 years, so I’d say they should be “well-known.” But the truth seems to be that, until recently, advanced hardware attacks weren’t needed for most IoT devices. Default passwords and unlocked debug interfaces were the norm, so most hardware hackers never needed to dig deeper. Many people I’ve talked to at events have told me they were interested in side-channel and similar advanced attacks but never had time to actually learn them, as they were always able to break devices with easier and faster attacks!

The good news is that device manufacturers seem to be taking security more seriously these days, which means side-channel attacks have become a real threat. So I guess we’re seeing the industry fast-forwarding that 20-year lag of security research to catch up.

Jasper van Woudenberg: Hacking always moves with interesting targets. Once pinball machines started requiring money to play, people “hacked” them by just tilting the whole machine. Nowadays physical pinball machines have a tilt sensor – if you tilt the machine in order to affect the ball, it ceases operation. Of course, we’re talking about digital hardware in our book, but bypassing security systems is as old as security systems. So, the abundance of digital devices naturally increases the amount of hacking going on. Side-channel attacks are fascinating if you’re into the intersection between electronics, signal processing and cryptography. Beyond being fascinating though, they only become relevant when more straightforward attacks are mitigated.

NSP: Fault injection (FI) attacks – which inject a glitch into a target device that alters its behavior so you can bypass security mechanisms – used to be too “high end” for most hackers to bother with, often requiring expensive tools and intimate technical knowledge of the specific system under attack. But those days are over. Not only are low-cost FI toolkits readily available, the explosion of IoT has led to the rise of new defensive features, like Secure Boot, that can be easily subverted by a well-timed FI attack. What are the potential risks to a larger IoT network once a device is compromised this way?

CO: In the past we’ve seen end devices used as a pivot point into a more sensitive network. When it comes to commercial devices, we’re seeing many proprietary protocols replaced with network devices. For example, recent access-control readers are now simply PoE devices that talk back to a central server. With many of these devices, the original designers haven’t considered what happens if an end node becomes compromised. While the network may be correctly secured, you still see sensitive credentials stored in end devices become accessible to an attacker. And if an attacker is able to access these credentials, it means they may be able to pivot off the external network and into more sensitive internal networks.

JVW: I think the cost of the tools is a common misunderstanding – they can be really inexpensive. In our lab, we’ve done attacks literally by soldering a single wire to a bus, connecting it to a button, and when we pressed the button at the right time, the system boots our own code. The cost usually comes from the many days and weeks spent trying to figure out how to carry out the attack. And yes, some attacks do require high-end equipment, or at least equipment that can bring down the time used to figure out the attack.

One common stepping-stone attack we see is the firmware dump. Typically, embedded-device firmware does not receive a lot of scrutiny, and may have lingering vulnerabilities that can be exploited. This usually means gaining control over a single device, but there have been wormable firmware issues in the past.

NSP: What measures can be taken to harden embedded systems against FI attacks, and do you see this happening throughout the industry (why or why not)?

JVW: We always advise our customers to threat model and see if it makes sense to consider FI in scope. Usually that’s the case for embedded systems that are out in the field and have some sensitive assets to protect. Next is the question of whether faults can be mitigated in hardware and/or software. Both is ideal, but that’s not always feasible. Our book contains a chapter on countermeasures that also has a lab, so people can try out some ideas for FI countermeasures. Finally, verification of countermeasures early and often is critical. It’s virtually impossible, as a human, to predict all the ways a system can fault. Pre-silicon fault simulation and post-silicon fault injection, without exception, turn up surprises. Iteration and adaptation are key.

And then the million-dollar question: why is the hardening not happening throughout the industry? It’s a combination of cost and human nature. There is a real engineering cost to these countermeasures, so typically we only see customers that have had their devices compromised requiring FI resistance. If a compromise hasn’t happened, it’s very easy to write the attacks off as unrealistic or irrelevant. Nobody cares about fault injection until they get hacked with fault injection.

CO: Fault injection can be tricky to prevent, as we see countermeasures applied that aren’t effective. For instance, Jasper and I demonstrate a few examples in the book where compilers might remove the effect of your clever countermeasures. There seems to be a lot more interest in this now – for many companies, they just need some “end customer” to ask about it. I talked to silicon vendors a few years ago who were tracking countermeasure ideas, but basically none of their customers (people who actually build products) cared about FI attacks. So that meant they weren’t going to pay for engineering efforts to add those countermeasures. We seem to be seeing a very fast shift in the last couple of years though, so people who were tracking this early-on are in a good position to quickly offer solutions.

NSP: Speaking of low-cost fault-injection toolkits, Colin, you developed one of the most popular models out there, the ChipWhisperer, and built a company around it (NewAE Technology). Given that just about everything we use in our homes and offices has embedded computing systems and could be vulnerable to attack, how do you pick which devices to test your boards and analysis algorithms on? An example from your book would be smart toothbrushes – are you ever doing something like brushing your teeth when it suddenly occurs to you, “Wow, I could totally hack this thing”?

CO: This is actually a big problem! Unfortunately I tend to buy a lot of devices (microcontrollers, IoT products, industrial control systems, etc.) because I think they will be interesting to poke at! As a result, I’ve got a storage cabinet full of various devices along these lines… I’m slowly working through some of them, and when we get some time at the company, we’ll pick away at one or two of those devices as well.

But as more devices include embedded security, there are more “interesting" targets than there is hope of having time to deal with them. Part of why we design many different target-board devices (our “UFO targets” for ChipWhisperer) is actually to help out other researchers by giving them an easier platform to work with.

NSP: Once you successfully exploit a commonly used product, do you let the manufacturer know or is that generally considered an exercise in futility?

CO: If I plan on talking about the issue publicly I’ll reach out, even if I don’t think it’s a serious issue. Sometimes it takes a bit of time to reach the correct person (or team), but so far they have all generally spun it into positive experiences all around.

With one ongoing disclosure, for example, the engineering team had internally flagged that there could be some issues related to a relatively unsecure microcontroller that they were using in a product, and my report had validated their internal concerns. In this case they were already working on a new design, but I’m sure my report was a nice bonus for the people involved, as they can point to that as proof that the issue would be found eventually “in the wild.” In the meantime it gave them the opportunity to provide an interim fix via a firmware update for existing customers.

NSP: Jasper, one of your specialized areas of interest is combining AI with security research. Would you explain what this entails? And looking into the future, how could AI applications be leveraged to improve hardware and embedded security at the design level?

JVW: What I love about AI is also what I love about hacking: making a computer device do more than the original designer put in. With AI, this is tying a couple of artificial neurons together and getting a cat-and-dog image detector. With hacking, this is sending some weird input into a program and all of a sudden it executes arbitrary code.

The combination, I find fascinating. For instance, we’ve used neural networks to do side-channel analysis and outperform human-designed algorithms. We created an algorithm with colleagues that automatically optimizes fault injection parameters. I’ll work very hard to create some automation so I can be – paradoxically – lazy afterwards.

I firmly believe that most if not all cognitive activities, such as designing or attacking systems, will be better performed using AI rather than brains – the big question is when. I prefer to be on the side of making systems more secure through AI, so my research is going towards automating both the detection and mitigation of vulnerabilities, at scale. For instance, a big push we have currently is in pre-silicon security – detecting side-channel and fault issues before they make it into products. I wouldn’t say we’ve arrived at using AI yet, but the first steps are being made.

NSP: Both of you have advanced degrees, which makes sense given all of the academic knowledge involved with embedded security. Yet, The Hardware Hacking Handbook makes very little assumption about a reader’s background. What was your approach to making this challenging field accessible to novices and newcomers, and why was it important enough that you wrote an entire book on this premise?

CO: My career path on paper seems relatively full of academic love – I was an assistant professor for several years in the Electrical & Computer Engineering department at Dalhousie University. But back at the start, when I was considering applying to start my undergraduate degree in electrical engineering, I came relatively close to not attending university at all. I had self-taught myself a fair amount about electronics in high school, and managed to get a summer job that was effectively an electrical engineering internship, and was considering just continuing to grow with the “on the job” experience instead. In the end I fell onto the academic path, but I’ve always believed that it is not the only path, and part of this shapes my desire to make this as accessible as possible.

While many readers may be undergraduate or grad students, it’s clear that a classic academic textbook would cut out readers coming from other backgrounds (including everyone from high school students to professionals interested in looking at other careers). Practically, what we write down isn’t the only consideration – one of the great things about working with No Starch Press is that the pricing of the books makes them more accessible as well. From academic publishers, this book would have been $150+. And there would never be Humble Bumble sales that make it completely accessible on the level that NSP does!

JVW: I’ve taught courses on side-channel and fault injection for years, and it has taught me that the group of people that has to defend against these attacks is not necessarily interested in all the theory and all the research in this field. They want to focus on their goals of creating a system.

Then there’s the group of people like teenage me. I started hacking software before I had an internet connection, so I know the struggle of having to figure out everything by yourself. Looking around at the amazing blogs, videos, tutorials, etc. that exist for the software space currently, it really made me realize what a gap there is in the hardware space.

So, for both these groups, it’s really about breaking things down into practical tips and tricks, and then some of the unavoidable theoretical background. I really would like to show people that this space isn’t daunting, and that even someone like me – who came off a software background – can learn and enjoy it.

NSP: I’ll end with an easy one (I think) – what is your favorite hacking tool, and has that changed since you first got interested in hardware hacking when you were young?

CO: I should probably say my favourite tool is one of my own more-advanced products. But really, a good DMM is the most important tool! And in that regard, it hasn’t changed much over the years – one of my first “dream gifts” (back when Santa would be responsible for it) was a Fluke 12 multimeter, long before I knew about hardware hacking. I’ve since upgraded to a nicer meter (Fluke 179/EDA2 kit), but as we talk about in the book, there is so much you can do with this tool! Finding where pins go, checking the state of logic levels and voltages – it’s still my most used tool when I’m looking at a new device.

JVW: I started being “creative with technology” in the mid-’90s. What has changed is the amount of information available, and the fact that security is now an actual career – I still don’t always believe people are willing to pay me to do this. What hasn’t changed is my curiosity, and the rush that comes with solving a complex problem.

Favorite hacking tool? Hah. Although I use devices for a significant portion of the day, they are also a source of frustration. So, those are out. I’m going to say: my hammock. When I get stuck on a problem and I sense no more new ideas are being produced, or I get frustrated, I drop the problem for a few hours or days. Then I hop in my hammock for what I call “hammock hacking.” This is where I hang back and relax. I’ll almost always have a new view on the problem, or another way of connecting some dots that I hadn’t considered before. Or I fall asleep. But it’s a win in either case.

InfoSec Warrior Vickie Li: From Hunting Bugs to Helping Developers

Vickie Li is the resident developer evangelist at the application security firm ShiftLeft, and a self-described “professional investigator of nerdy stuff.” Her new book, Bug Bounty Bootcamp, leverages her expertise in offensive web security as well as her background in vulnerability research to introduce beginners to all aspects of web hacking, showing readers how to find, exploit, and report bugs through “bounty” programs. In her free time, when she’s not podcasting, speaking at conferences, or dropping infosec and cybersecurity knowledge on YouTube, she’s writing articles and blog posts about nipping security problems in the bug.

Bug Bounty Bootcamp Cover Vickie Li

For the September edition of our ongoing Author Spotlight series, we talk with Vickie about her first bug bounty payout, how her success hacking apps made her a passionate advocate for secure development, and why she means it quite literally when she tells you that becoming a good web hacker is like learning to ride a unicycle.

No Starch Press: First of all, that’s a pretty impressive intro for someone in their mid-twenties! But let’s go back a few years. You graduated with a CS degree from Northwestern, then worked as a freelance web developer before getting into infosec, pentesting, and offensive-security content creation, which – correct me if I’m wrong – led to your current full-time gig as a developer evangelist. So where did your foray into bug hunting come into play, and how did you get started with bounty programs?

Vickie Li: I got interested in security through my university courses, and started bug bounties as a way to learn more about infosec. Hacking on bug bounty programs helped me learn a lot about web hacking and web application security in general. But sitting in front of my laptop all day, I started to lose motivation because I really wanted my work to connect me with other people, and doing bug bounties all alone was quite lonely. That’s why I started my technical blog, where I wrote about whatever I was learning at the moment. I really tried to make the blog posts easy to understand, because I hoped people who were studying the same thing would find it helpful.

My blog actually kickstarted my career in infosec. Because of it, I was able to get some freelance penetration testing and technical writing jobs, and eventually landed my current job at ShiftLeft. Knowing how to explain complex technical concepts also helped me with writing Bug Bounty Bootcamp and making it an approachable web-hacking book.

NSP: What was your first real catch, and what was it like earning your first paid bounty?

VL: I found my first paid bug – a CSRF – about a week into hunting for bugs. The bounty was just a hundred dollars, but it was amazing to be able to earn a bit of money as I learned about the field. The most memorable part about the experience was when [the company’s] security team triaged the bug I found, and fixed it on the website. It was very motivating to know that I can contribute to the security of a widely used site through my work!

NSP: Over the past year you’ve gone from working as a freelancer/bug hunter to a full-time gig as a “developer evangelist” – a job focused on bridging communications between external dev teams and your internal app-security colleagues. Can you elaborate on what exactly your day-to-day is like, and how it satisfies your infosec interests?

VL: My primary role at ShiftLeft involves making secure coding practices approachable for developers, and spreading the word about how static analysis can help in this process. Every day is different: I might be writing a blog post, preparing to speak at a conference, or helping my team understand the needs of developers during the security process. I really enjoy the work because it fits into my original motivation for getting into infosec: helping make the internet a safer place for everyone.

NSP: The name of your company refers to shifting security to the left – or, introducing security checks earlier in the development life cycle rather than at the end. You underscored this in a blog post, comparing app security to wearing a facemask during the pandemic (“Building a Security-First Culture”). At the same time, your book is about hunting for zero-day vulnerabilities and getting started in bounty programs. Do you ever worry that if you’re too good at your job there won’t be any more bugs to hunt?

VL: I am not worried about that. Shifting left and bug bounties are not an either-or situation. These practices work together to help organizations become more secure. Bug bounty hunters are creative and are constantly coming up with new ways to attack an application. Organizations can use bug bounty programs to tackle new and inventive attack vectors before malicious attackers discover them. But most bugs should still be discovered early in the development cycle, when they are the easiest to fix. Shifting left will help eliminate most security vulnerabilities in your applications, and bug bounties can help you catch the rest.

NSP: To take this question in the opposite direction, has your bug-hunting experience helped or informed your current work advocating for better security practices?

VL: During my time as a bug bounty hunter, I helped lots of developer teams fix security issues in their applications. That’s when I noticed that many serious security vulnerabilities stem from small programming mistakes that could be easily discovered with static analysis. It’s easier to find and fix vulnerabilities early in the development process because you do not risk an attacker exploiting it in production.

This experience made me a really passionate advocate for secure development and security education. Offensive security practices like penetration testing or bug bounties are a great way to secure your applications, but they should only be used as a fail-safe to catch novel bug classes and vulnerabilities that slip past security protocols during the development cycle.

NSP: The AppSec space, and the cybersecurity industry as a whole, lives in a constant state of change, with new types of exploits emerging every day. How do you keep up with the ever-evolving landscape?

VL: I’m known to be quiet on social media, but I actually use Twitter a lot – mostly to get informed on the latest security news and understand the security challenges people are currently facing. In other words, I am the classic Twitter lurker. I also read a lot of infosec books, and follow a few well-written security blogs and YouTube channels.

NSP: Are there any online resources (besides your own) that you can recommend to aspiring web hackers, bug hunters, or security researchers?

VL: I am a big fan of reading security books to gain in-depth knowledge about a topic, and then reading blog posts for the latest infosec techniques – Orange Tsai’s blog is one of my favorites. He is a really creative hacker and has been a big inspiration for me ever since I started. Also, Web Security Academy by PortSwigger is a great starting point for web hackers who want to get some hands-on experience.

NSP: Okay, I’ve saved the most pressing question for last. You recently posted on Twitter that you were having a hard time selling your unicycle. This implies that 1) you own a unicycle, and 2) that you know how to ride a unicycle. Do tell.

VL: Happy to announce that I have sold my unicycle to a new loving owner! I learned to unicycle in college because I’ve always thought it’s cool to have an uncommon skill like unicycling. Unicycling is really hard to learn! It took me countless falls and months of practice to finally learn to ride it in a straight line.

But, this experience really boosted my confidence in learning. Like web hacking, learning to unicycle is hard but possible if you put your mind to it and persist. Now when I am trying to learn something difficult, I know I can ‘cause hey – I learned to unicycle! 10/10 would recommend unicycling as a sport. There are few things in this world cooler than a unicycling hacker.

Article-19 Activists Mallory Knodel and Ulrike Uhlig Reimagine the Internet

For Women’s History Month, No Starch Press is spotlighting the contributions and individual achievements that female authors have made in the world of tech and on our bookshelves.

Mallory Knodel How the Internet Really Works Ulrike Uhlig

This week, the focus is on two of the co-authors behind How the Internet Really Works (Dec. 2020), a collaborative work produced by Article 19 activists. Mallory Knodel is the CTO of the Center for Democracy & Technology, co-chair of the Human Rights and Protocol Considerations group of the Internet Research Task Force, an advisor to the Freedom Online Coalition, and former head of digital for ARTICLE 19, where she integrated a human rights-centred approach to communications and technology work for social justice movements. Ulrike Uhlig is a (comic) artist, graphic designer, front-end web developer, and Debian Developer. She works with non-profit organizations at the intersection of technology, arts and human rights.

No Starch Press: You both work in technology and human rights – and gender equality is one of the most fundamental guarantees of human rights. Given that ICT is an area where women commonly experience discrimination, exclusion and harrassment, what role does internet governance and/or protocol standards play in achieving a more equitable and inclusive global cyberspace?

Mallory Knodel: Gender discrimination is present in internet governance, too. That is to say that, while setting standards and building governance mechanisms presents the opportunity to provide guidance on best practice, efforts to address inequality are undervalued. Rather than getting trapped in the endless loop that starts and ends with the demographics of participant data, there are two things that should be ubiquitously understood by now: 1) inclusion is everyone’s responsibility, and 2) participation is, in some part, related to interest. I hope that my work on human rights and the public interest in standard bodies and internet governance is sufficiently interesting to attract experts who are also feminists, anti-racists, and social justice advocates.

NSP: Your work has brought attention to the theme of the “digital gender divide.” How does gender affect the way women access, use the web, and benefit from internet technology?

MK: The digital gender divide is the result of compounded inequalities that all derive from access to the internet. There is inequality in access to literacy, devices, mobile data, in-home internet subscriptions, information that is censored, paywalled, filtered, and blocked. On the other hand networked mobile devices can exacerbate stalking, police surveillance, harassment, and economic harms such as theft and private data brokerage. At the same time, the offline world of bookstores, government services and public spaces, is disappearing. For initiatives like e-commerce and remote jobs aimed at women to work, ubiquitous, cheap and quality internet access is a fundamental requirement.

NSP: “Alice & Bob” – fictional characters used in discussions about cryptography to make complex concepts more understandable – have been a popular archetype in CS since the ‘70s. But in How the Internet Really Works, you made a conscious decision not to use the “couple” for explaining cryptographic protocols and systems; instead, Alice talks about these topics with a friendly dragon. What inspired you to do this, and what was your intent by recasting “Bob”?

MK: I credit Ulrike with the creative side to our book. She was able to bring to life the everyday objects, characters and mythologies from technology and retell them through her brilliant illustrations of reimagined and more contemporary archetypes.

Ulrike Uhlig: While making the book, we’d come across a very interesting and well-researched work by Quinn DuPont and Alana Cattapan: “Alice & Bob. A History of The World’s Most Famous Cryptographic Couple.” There we learned, for example, that Eve, the person who listens to, and eventually tampers with Alice and Bob’s conversations has sometimes been depicted as Bob’s rejected ex-wife, and that Alice and Bob are not only longer names for representing “A” and “B” (in cryptographic transmissions) but we understood there was also an assumption of their role, related to their gender. We found this to be a bit too heteronormative. We want all sorts of people to be able to identify with our characters, and to, sort of, pass the (non-existing but self-imposed) Bechdel test for books.

However, when writing the text for our book, we noticed that there seemed to be one advantage to using gendered characters – it makes it a little bit easier to explain complex systems, because we can use two different pronouns so readers can more easily follow who is doing what. At first, we had the idea of simply inversing the assumption that Bob is a man and Alice is a woman, and wanted to call those characters “Aob and Blice.” Later we had the idea that Alice could just be talking to her friends, Catnip and Dragon – like, that we accidentally got rid of her assigned role as Bob’s partner. Finally we realized that we didn’t need to use gendered pronouns to make the text easy to understand, we could simply repeat the characters’ names.

Actually, creating the characters of our book has been a challenge for similar reasons. While we knew from the start that we wanted the main character to be a cat by the name of Catnip – an acronym for Censorship, Access, Telecommunications, Networks, and Internet Protocols – we initially thought our secondary characters would be the commonly used ones for explaining cryptography. When we did the first sketches though, it became clear that it would be hard to be inclusive and diverse using “human” characters. So we turned to the imaginary animal world to represent Eve, Mallory, and Catnip’s friend, Dragon. There is now only one human character in How the Internet Really Works who has a name: Alice. With the image of Alice, I encoded a bit of ourselves – women in tech – into the book.

NSP: Women were key to the development of computing in its early history. But in the decades since, they’ve been increasingly marginalized throughout the industry. Are there any notable actions being undertaken right now to help solve the persistent problem of gender inequality in tech and governance?

UU: That’s a good question. I have the impression that ever since I started working in tech, this question has been turned into all possible directions, with a bit of change, but not significant enough change that I would call it progress. I personally think that we need to open up the gender inequality discussion and talk about diversity. To me, this means first of all to question ourselves: How do we encode inequality in our systems? How do we (often unconsciously) reproduce patterns of classism, sexism, ableism, racism, and oppression? How are privilege and social reproduction part of our spaces, organizations, perceptions? Those questions are collective ones, not questions that can be solved on an individual level.

We can ask ourselves similar questions about the technologies that we produce. Technologies, such as internet protocols, are inherently political, as they shape how we interact with each other. How do we encode bias and power into those technologies and how can we do it differently? I would even dare to ask: How can we bring empathy into the technologies that we create? To that end, the Human Rights Protocol Considerations Research Group at the IRTF, that Mallory is a chair of, aims at researching whether standards and protocols can enable, strengthen (or threaten) human rights, and therefore gender diversity.