Hardware devices are continually relied upon to maintain a bridge between physical and virtual security. From access cards to OTP tokens, hardware devices receive limited review by application security professionals. They are often considered vastly more complex and difficult to assess than common web- and network-based applications.
In this talk I will cover a lightweight methodology to use when approaching the assessment of USB-based hardware devices. This will include the identification of trust boundaries and threat modeling, use case analysis through protocol analysis, as well as crafting a hardware device to exploit identified vulnerabilities. Not only will this methodology be described, it will be detailed through the assessment and exploitation of a hardware-based proximity sensor. Hardware-based proximity sensors attempt to enforce desktop security and lock a user's desktop when the device has been removed from the vicinity of the computer. I will describe my experience and process for assessing a USB-based proximity sensor device and its eventual exploitation using components of the Arduino hardware architecture. I will describe the entire process not from the view of an electrical engineer, but from that of an application security professional with limited knowledge of current and voltage and a hobbyist's budget.
As a Security Engineer at CME Group, Greg specializes in application security assessment. He also performs research on topics including kernel-level exploitation, malware development and assessment, anti-forensics, USB device security, and web application vulnerabilities. Prior to joining CME Group, Greg was an Application Security Consultant at Neohapsis Inc., performing application security assessments and internal and external penetration testing. Greg has developed a lightweight security framework for mobile devices and implemented a secure boot and re-imaging infrastructure to enforce data integrity.