Software is the first thing that comes to mind when you hear that a person, a company or a device was hacked. This is understandable since software is the “brain” or consciousness of modern devices. Controlling the software therefore gives an attacker the ability to lock a user out, steal data or wreak havoc. Getting to software is also easier, since an attacker does not need to be close to their target. But software updates can thwart a hacker, and companies have gotten good at preventing attacks and closing vulnerabilities. It is also cheaper to secure software.
However, hardware security is another story. This is where hardware hacking comes in…
What exactly is hardware hacking?
Hardware hacking involves exploiting a flaw in the security of the physical components of a device. Unlike software hacking, attackers need to be on-site and need physical – and reasonably uninterrupted – access to the target device to perform hardware hacking. The tools needed to jailbreak a device can be hardware, software, or a combination of both, depending on the goal.
But why would hackers target hardware? The primary reason is that hardware offers comparatively less resistance, and a device model will not change over the years: for example, there are no hardware upgrades to Xbox consoles after release. So an attacker who succeeds in hacking the Xbox 360 hardware may have quite a long run before Microsoft releases a next-generation console with better security. Besides gaming consoles, this also applies to any device you can think of: laptops, phones, security cameras, smart TVs, routers and IoT devices.
But, of course, the relative immutability of post-production hardware doesn’t mean it is vulnerable out of the box. Device manufacturers use components – especially security chipsets – that ensure their devices remain resistant to most attacks for a long time. Hardware also has firmware (basically software made specifically for hardware) that gets regular updates to ensure your device is compatible with the latest software even if the components are old. Firmware updates also make the hardware resistant to common methods of hardware hacking.
To put firmware updates into perspective, imagine having to buy a new game console every time a new type of game comes out. It would not only be very frustrating, but also expensive. In the end, you will consider it a wiser financial decision to get a console that is compatible with older and newer games or only requires a small fix to be universally compatible. On the manufacturer’s side, that means they have to anticipate what later generations of games will look like and make consoles that run them just fine. Or at the very least, the components must be compatible with future game releases long enough to make buying the console a wise investment.
6 common methods attackers use to hack hardware
Hardware hacking is very hands-on: hackers must own, handle or be within physical range of the device they want to hack. The most common methods hackers use involve opening the device, connecting an external tool to a port, exposing the device to extreme conditions, or using special software. That said, here are the common ways attackers hack hardware.
1. Fault injection
Fault injection is the act of inducing stress in hardware to expose a vulnerability or produce a bug that can be exploited. This can be achieved in many ways, including CPU overclocking, DRAM hammering, undervolting the GPU, or short-circuiting. The goal is to stress the device hard enough to trigger protective mechanisms that will not function as designed. The attacker can then exploit the system reset, bypass a protocol and steal sensitive data.
2. Side channel attack
A side channel attack is essentially exploiting a device’s modus operandi. Unlike fault injection attacks, the attacker does not need to induce stress. They just need to observe what makes the system tick, how it does it, and what happens when it does or doesn’t tick. You can think of this type of attack as looking for a friend’s tell in a game; Insider reported how tennis legend Andre Agassi learned to beat Boris Becker by looking at Becker’s tongue to guess the direction of his serve.
Side-channel attacks can take the form of timing a program execution, measuring acoustic feedback from failed executions, or measuring how much power a device uses when performing a specific operation. Attackers can then use these signatures to guess the value or type of data being processed.
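The timing case described above, as an added example that is not part of the original article: a comparison that stops at the first mismatching byte does work proportional to how many leading bytes are correct, while a constant-time comparison does the same work for every input. The function names and the 8-byte secret are constructed for illustration, and a step counter stands in for measured execution time so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed secret, for illustration only. */
static const uint8_t SECRET[8] = {'4','7','1','9','0','2','6','5'};

/* Leaky: returns at the first mismatch. *steps counts loop iterations,
   a deterministic stand-in for the execution time an observer measures. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Hardened: always touches all n bytes and accumulates the differences,
   so the amount of work does not depend on where the inputs differ. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Steps taken to compare an 8-character guess against SECRET. */
size_t steps_for(const char *guess, int hardened) {
    size_t steps;
    if (hardened) ct_equal((const uint8_t *)guess, SECRET, 8, &steps);
    else          leaky_equal((const uint8_t *)guess, SECRET, 8, &steps);
    return steps;
}

int main(void) {
    const char *guesses[] = {"00000000", "40000000", "47100000", "47190265"};
    for (int i = 0; i < 4; i++)
        printf("%s leaky=%zu constant=%zu\n", guesses[i],
               steps_for(guesses[i], 0), steps_for(guesses[i], 1));
    return 0;
}
```

The leaky column grows with the number of correct leading characters; the constant column stays at 8, which is why secret comparisons in firmware should use the second form.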
3. Patching into the circuit board or JTAG port
Unlike the aforementioned methods of hardware hacking, patching the circuit board requires the hacker to open the device. Then they have to study the circuits to find where to connect external modules (like a Raspberry Pi) to control or communicate with the target device. A less invasive method is to connect to a microcontroller to trigger control mechanisms wirelessly. This particular method works for hacking simple IoT devices like coffee makers and pet feeders.
Meanwhile, patching into the JTAG port takes things up a notch. JTAG, named after its developer, the Joint Test Action Group, is a hardware interface on printed circuit boards. The interface is primarily used for low-level programming, debugging, or testing embedded CPUs. By opening the JTAG debug port, a hacker can dump (i.e. extract and analyze images of) the firmware to find vulnerabilities.
4. Using a Logic Analyzer
A logic analyzer is software or hardware for recording and decoding digital signals. Although it is mostly used for debugging, hackers can use logic analyzers to perform logic attacks, much as they can with JTAG ports. They do this by connecting the analyzer to a debug interface on the target device and reading the data sent over the circuit. Often this will open a debug console, bootloader or kernel logs. With this access, the attacker looks for firmware bugs they can exploit to gain backdoor access to the device.
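What "recording and decoding digital signals" means in practice, as an added example that is not part of the original article: the decoder below turns raw high/low samples back into the bytes a debug console printed. It assumes the debug interface is a UART using 8N1 framing captured at 4 samples per bit; the trace is constructed by the encoder in the same block, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define SPB 4  /* samples per bit (assumed: capture rate / baud rate) */

/* Build a constructed capture: idle-high line, then each byte framed as
   start bit (0), 8 data bits LSB first, stop bit (1). Returns sample count. */
size_t uart_encode(const char *msg, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (int i = 0; i < 2 * SPB && n < cap; i++) out[n++] = 1;
    for (; *msg; msg++) {
        unsigned frame = ((unsigned)(uint8_t)*msg << 1) | (1u << 9);
        for (int bit = 0; bit < 10; bit++)
            for (int s = 0; s < SPB && n < cap; s++)
                out[n++] = (frame >> bit) & 1u;
    }
    return n;
}

/* Decode 8N1 frames: find a falling edge, sample each bit at its centre,
   and drop frames whose stop bit is not high (framing error). */
size_t uart_decode(const uint8_t *smp, size_t n, char *out, size_t cap) {
    size_t got = 0, i = 1;
    if (cap == 0) return 0;
    while (i < n && got + 1 < cap) {
        if (!(smp[i - 1] == 1 && smp[i] == 0)) { i++; continue; }
        size_t mid = i + SPB / 2;            /* centre of the start bit */
        if (mid + 9 * SPB >= n) break;       /* capture ends mid-frame */
        uint8_t byte = 0;
        for (int bit = 0; bit < 8; bit++)
            byte |= (uint8_t)(smp[mid + (size_t)(bit + 1) * SPB] << bit);
        if (smp[mid + 9 * SPB] == 1) out[got++] = (char)byte;
        i = mid + 9 * SPB;                   /* resume inside the stop bit */
    }
    out[got] = '\0';
    return got;
}

/* Encode msg, discard `drop` trailing samples, decode what is left. */
const char *capture_and_decode(const char *msg, size_t drop) {
    static uint8_t trace[1024];
    static char text[32];
    size_t n = uart_encode(msg, trace, sizeof trace);
    uart_decode(trace, n > drop ? n - drop : 0, text, sizeof text);
    return text;
}

int main(void) { puts(capture_and_decode("boot> ", 0)); return 0; }
```

Because anything a device prints on such a line can be recovered this way, manufacturers typically disable or authenticate debug consoles on production units.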
5. Replace components
Most devices are programmed to work specifically with proprietary firmware, physical components, and software. But sometimes they work just as well with cloned or generic components. This is a vulnerability that hackers often exploit. Usually this involves replacing the firmware or a physical component – as in Nintendo Switch modding.
Of course, device manufacturers hate this and install tamper-proof measures that cause hardware hacking attempts to brick the device. Apple is particularly notorious for throwing tantrums when regular customers open or tamper with their hardware, even if it’s to repair a broken device. You can brick your Apple device if you replace a component with a non-MFi (Made for iPhone, iPad and iPod) part. However, tamper-proof measures will not stop a creative hacker from finding a bug and modifying the device.
6. Memory dumps
Memory dumps are files that contain data or logs of the errors that occur when a program or device stops working. Windows computers create dump files when the operating system crashes. Developers can then use these files to investigate the causes of the crash.
But you don’t have to be a developer working for big tech to understand or analyze dumps. There are open source tools that anyone can use to extract and read dump files. For a user with some technical knowledge, the data from dump files is enough to find the problem and work out a solution. But for a hacker, dump files are treasure troves that can help them discover vulnerabilities. Hackers often use this method in LSASS dumping or Windows credential theft.
Should you be worried about hardware hacking?
Not really, especially if you are a regular user of a device. Hardware hacking for malicious purposes involves a high risk for the attacker. Besides leaving a trail that can result in criminal or civil liability, it is also expensive: the tools are not cheap, the procedures are delicate and they take time. So, unless the reward is high, an attacker will not target a random person’s hardware.
Hardware manufacturers, on the other hand, have to worry about the possibility of such hacks revealing trade secrets, infringing intellectual property or exposing customers’ data. They must prevent hacks, push regular firmware updates, use resilient components and put in place tamper-proof measures.