Hardware Village

The Hardware Hacking Village at BSidesTLV brings together enthusiasts, engineers, and security researchers to explore the physical side of cybersecurity. It’s a hands-on environment where participants can learn about electronics, embedded systems, and hardware security through guided sessions and open exploration. A highlight of the village is the hardware Capture-the-Flag, centered around the event’s electronic badge, challenging attendees to uncover its secrets and push their technical skills further.

Itinerary

Each entry gives start and end time, duration, title and speaker, followed by the talk description.

9:45-10:15 (0:30) Introduction to Physical Access Attack Vectors
Speaker: Guy Rotenberg
Physical access attacks rely on the attacker having possession of the target device. This creates unique attack scenarios that are different from the more common remote attack surfaces. Physical access attacks are particularly important in the world of law enforcement, where they enable investigators to extract crucial evidence from digital devices. In this talk, we’ll examine how physical attackers map the attack surface of a device and explore what’s possible when you have the device in your hands. Then we’ll shift our attention to iPhones to see why these same attacks become significantly more challenging, examining some defense mechanisms Apple has implemented.

10:15-10:25 (0:10) Break

10:25-11:05 (0:40) Windows into the Past: Exploiting Legacy Crypto in Modern OS’s Kerberos Implementation
Speaker: Michal Shagam
The Kerberos protocol is used by millions of users and network administrators worldwide for secure authentication, key distribution, and access control management to enterprise networks and services. Since its initial public deployment in 1989, the protocol has undergone many revisions to incorporate new cryptographic primitives and improve security. For example, initially based solely on users' passwords and symmetric cryptographic primitives, current implementations also support smartcard-based authentication with asymmetric cryptographic primitives for improved security. However, this iterative revision process has resulted in implementations riddled with legacy crypto primitives and protocol designs. In this work, we show how we can exploit this legacy crypto to completely break the security of the enterprise network. Firstly, while arguably more secure, smartcard-based authentication uses RSA encryption with the notorious PKCS #1 v1.5 padding scheme. Although the RSA decryption is done securely inside the smartcard, non-constant-time unpadding code runs on the client’s CPU. This makes both Windows’s and several Linux distributions' implementations vulnerable to the Bleichenbacher attack that can recover cryptographic session tokens. Secondly, we show that the RSA smartcard-based authentication does not provide forward secrecy to the cryptographic tokens that the server provisions to the client. Thirdly, we propose and analyze different algorithmic approaches to minimize the overhead required to handle noisy oracles in the Bleichenbacher attack. This general Bleichenbacher attack analysis may be of independent interest. Finally, we demonstrate microarchitectural side channel-based end-to-end attacks on the Windows Kerberos implementation. We start by showing how to recover tokens used to encrypt session transferred remote files by Samba. We then show how to amplify the number of decryptions performed with a single user’s PIN code input, allowing us to accelerate our attack and recover users' (and admins') credentials before expiration. In addition, we describe a remote attack vector that allows us to perform the attack and generate queries.

11:05-11:15 (0:10) Break

11:15-11:55 (0:40) Stealing Cryptographic Keys with Weird Gates
Speaker: Eyal Ronen
Over the last two decades, researchers have repeatedly demonstrated that microarchitectural attacks, and in particular cache attacks, pose a significant risk to the security of cryptographic implementations. One of the main defenses against such attacks is to follow the constant-time programming paradigm, which ensures that the memory addresses a program accesses do not depend on secret data. While effective, constant-time programming can incur a significant performance penalty. Consequently, when constant-time programming is deemed to be too hard, developers may choose to use heuristic defenses that aim to limit the attacker’s ability to observe the memory access patterns of the victim. For example, web browsers reduced the resolution of the timers they provide, based on the observation that a high-resolution timer is required to distinguish cache hits from cache misses. Moreover, as cache attacks have a limited temporal resolution, implementations whose access patterns are indistinguishable except at a high sampling rate are considered more secure. In this talk we show that such restrictions are insufficient to protect against cache attacks. We start by representing the cache status of a memory address as a Boolean value. This allows us to express cache attacks as computing a logical function of the cache state. We then design “weird gates” that compute logical functions of cache state and store the result in the cache. We demonstrate that through composing these gates, we can perform arbitrary computations on cache state. Finally, we leverage our gates to perform two attacks against cryptographic implementations. Our first attack shows that an implementation of ElGamal remains vulnerable even when the clock resolution is reduced by six orders of magnitude. Our second attack shows that we can increase the frequency of cache probing to a level that allows key recovery from an S-box-based AES implementation. This talk is based on the USENIX Security'23 publication “The Gates of Time: Improving Cache Attacks with Transient Execution” and the CCS'24 distinguished paper “Spec-o-Scope: Cache Probing at Cache Speed”.

11:55-12:05 (0:10) Break

12:05-12:55 (0:50) Making Chips
Speaker: Uri Shaked
You’ve mastered assembly languages, dissected binaries, and navigated processor architectures—but have you ever wondered what’s below even the lowest level you’ve worked with? I’ve spent the past three years diving deep into what makes chips tick, and now I’d like to share this journey with you. We’ll see how open source silicon is enabling people like you and me to get into the world of chip design using modern tools and without spending a fortune, and see an inspiring collection of real-world silicon designs from makers like us. Ready to get started with your own open source silicon journey?

12:55-14:00 (1:05) Lunch

14:00-14:30 (0:30) The Badge Talk
Speaker: Gili Yankovitch
Designing PCBs is usually simple and fun… until a factory forgets to mill the exposed copper layer on an entire batch! This year’s badge was a different kind of challenge since it’s based on an earlier design, so the problems showed up in completely new places. In this talk, I’ll walk you through how the badge came to life and how you can manufacture real PCBs straight from your couch. We’ll crack open the design process, look at mistakes that turned into lessons, and explore practical techniques for hardware reverse engineering and hardware exploitation. Whether you’re into PCB design, hacking electronics, or just curious how these badges are actually built, you’ll leave with a much better idea of how to create and break hardware in the wild.

14:30-14:55 (0:25) Your Device Has a Pulse, And the Web Can Feel It
Speaker: Tomer Laor
Think incognito mode protects your privacy? Think again. Every device has a unique rhythm - subtle behaviors in how it handles threads, timing, and computation. And modern websites can sense it. In this talk, we’ll dive into the emerging world of microarchitectural device fingerprinting via the web, where JavaScript and WebGPU are enough to reveal who you are. Even identical machines can be told apart using machine learning applied to these invisible fingerprints. We’ll explore how these techniques work, why they’re a game-changer for tracking, and what it means for the future of online privacy. No permissions. No user interaction. Just the web watching you, more closely than ever. Bring curiosity. Leave with paranoia.

14:55-15:00 (0:05) Break

15:00-15:30 (0:30) PWN without OWN - ISC Edition
Speaker: Vera Mens
In the world of computers and phones (IT), devices are pretty standardized. But in the world of industrial control and specialized gadgets (OT), everything is unique - different operating systems, architectures, and peripherals. Every such “toy” is a whole new exciting world for a researcher. The problem? These unique “toys” are often expensive, hard to get due to custom regulations, or not for sale to the public. So, how do you hack something you can’t even buy? In this talk, we’ll dive into several of Team82’s real-world security research projects where we successfully found and exploited vulnerabilities without ever touching the actual device. We will see how we choose a new target to research, how to bring its main interfaces to life using simple tools like a Raspberry Pi or an emulator (QEMU), and how, combined with reverse engineering, we uncover the kind of flaws that lead to the ultimate hacker prize: Remote Code Execution.

15:30-17:30 (2:00) Badge Hacking