Wednesday, 30 September 2020

Hardwear.IO 2020 Wall Challenges

The Hardwear.IO conference is online on the 1st and 2nd of October 2020, and they used me for some of the pre-publicity! As usual, I've submitted some Wall Challenges for people to try and solve, and here's a visual clue that may or may not help...

My Wall Challenges are a way to get you to look at the world differently. Hardware is an interesting mix of the old, the new, the obscure and the arcane, and often requires you to think in two or more directions at once. 

Here's an example of multi-directional thinking: 

You have hired a pen-tester company to check your latest piece of hardware. The tester starts their analysis by trying to brute-force the hidden RS232 terminal via the pins that you tried to obfuscate by spreading them across the board, not silk-screening them, and making them look like ATE test-points and unpopulated thru-holes. Of course, the tester finds them disarmingly quickly. The User ID is totally obvious, and the password is just 8 numbers, so you are expecting that to be cracked pretty quickly as well. But after a day or so, the tester is not looking happy, and has not gleefully told you the UID and password. What might be happening?

1. One of the developers lied to you and deliberately set a very long password.
2. There's a bug in the terminal login code and it won't actually accept any password!
3. The tester thinks the obvious User ID must be a honey trap, and is trying other routes into your micro-controller.
4. The tester's USB-to-Serial adapter is broken.
5. The tester hacked your hardware in a few minutes, has all of your micro-controller code, and has IDA'd it so he knows just about everything about how it works - but is worrying that it was too easy and doesn't dare tell you!

Actually, the tester's brute force programme was broken and wasn't brute forcing at all... 

Post-conference Wall Challenge Extras: 

https://securitytiruces.blogspot.com/2020/10/hardweario-wall-challenges-q-and-extras.html

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following links for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


Synthesizerwriter's Store (New 'Modular thinking' designs now available!)
