Hands-on JTAG for fun and root shells
JTAG may be almost 30 years old and largely unchanged, but that doesn’t mean most people really understand what it does and how. This workshop will start with a brief introduction to what JTAG really is, then quickly dive into hands-on practice with finding, wiring, and finally exploiting a system via JTAG.
For this workshop, we’ll target a Raspberry Pi with an ARM microprocessor. In order to interact with the system, we’ll use a JTAG interface cable from FTDI. We won’t do any hardware modifications, but we will hook up wires in weird and wonderful ways to make the Raspberry Pi do things it otherwise shouldn’t.
Jtagsploitation: JTAG to Root, 5 Ways
JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always ‘game over’ but it’s not always clear how to turn that hardware access into privileged software access on the system.
This talk will enumerate a number of different ways to turn a ‘check’ for JTAG access into the ‘checkmate’ of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.
Scared Poopless – LTE and *your* laptop
With today’s advances in connectivity and internet access using 3G and LTE modems, it seems we can all have a device that’s always internet capable, including our laptops, tablets, 2-in-1s and ultrabooks. It becomes easier to be online without using your WiFi at all. In our talk we will demonstrate and discuss the exploitation of an internal LTE modem from Huawei which can be found in a number of devices, including laptops by HP.
NSA Playset: Bridging the Airgap without Radios
The NSA ANT catalog contains a number of hardware implants that enable communication, command and control, and data exfiltration over alternate channels that would not typically be monitored. The listed tools fall short when it comes to exfiltrating data from particularly secure, heavily monitored, or radio-hostile locations.
This talk introduces a new addition to the NSA Playset. BLINKERCOUGH is inspired by some of the capabilities described in the ANT catalog and expands upon the features of CHUCKWAGON in a number of ways. BLINKERCOUGH is implanted inside an unremarkable cable and communicates optically to jump air gaps, escape Faraday cages, and communicate out-of-band with zero radio footprint. This talk will outline the development of the hardware, present several use cases, and demonstrate its use to escape a Faraday cage.