How long can we continue to rely on critical electronic devices without being able to properly assess their security? They control our daily lives and modern society cannot operate without them, yet, ironically, their security remains underestimated. As they grow in number, it is legitimate to wonder whether the IT security community and industry are prepared to secure or audit this type of equipment. These devices are at the heart of what is today called the “Internet of Things”. We know that the technical knowledge needed to assess the security level of electronic equipment is generally not held by stakeholders (industry, software or IT security consultants, software pentesters, etc.).
This type of audit requires a wide range of electronics skills, such as analog signal processing, FPGAs, or the use of specific measurement tools (oscilloscope, logic analyzer, etc.). These skills are not among those generally taught to people who choose to specialize in computer security. Malicious actors are aware of this weakness. As a result, they shift their attention to other, less secure intrusion vectors such as hardware, embedded systems and/or the microchip itself. Why? Because these are the basis of almost any equipment and the attack surface is larger. In addition, there are few or no basic security functions built into these hardware devices. Malicious actors face fewer barriers that can stop them.
The most surprising (disturbing?) fact is that our industrial security experts have not mastered secure design techniques or the audit/pentest methodology related to hardware systems. There is a gap between the threat and the operational response capacity of the actors in this field. The risk of attacks on the data processed in the Internet of Things world (personal data, sensitive device supervision, industrial processes, healthcare products, etc.) therefore increases.
It is clear that something is needed to help security researchers evaluate, audit and/or control the security of embedded systems. This is what motivated us to create Hardsploit – a complete toolbox (Hardware + Software) plus a Framework which aims to: