2025-09-06 –, Workshops
What if you didn’t need to go straight to hardware attacks to break embedded devices' protections? In this workshop, we will explore techniques that allow you to pull data out of microcontrollers with a £5 setup using software-based attacks
One of the biggest challenges facing IoT/embedded devices is protecting the flash memory from physical attacks, e.g. reading secret data. Therefore, manufacturers put logical/hardware locks in these devices (typically called code read protection - CRP), which are used to prevent attackers from reading out/modifying the code inside a device, this code read protection mechanism is usually controlled via programming some bits in the device.
In many microcontrollers, the ROM contains the bootloader which is typically responsible for checking if the code read protection is enabled and then enforcing some restrictions depending on the value programmed. When it comes to attacking embedded bootloaders, the go-to attack is often based on hardware attacks, e.g. voltage glitching. Software-based/logical attacks (e.g. buffer overflows) receive less attention
This workshop will start with an introduction to embedded devices' security and then explore my previous research on exploiting embedded devices through logical attacks. Participants will also get hands-on experience by executing a few of these attacks in the labs
Qais is an Information Security Engineer/Researcher with an MSc from the University of Birmingham. He has worked on securing various mobile financial apps from low-level attacks while also monitoring them in the wild and conducting threat hunting. Additionally, his experience includes getting involved in embedded devices' low-level security research and previously published research in top journals and conferences. Qais has also worked on deploying SIEM solutions for financial institutions to meet their regulatory requirements