Advanced Physical Attacks and Hardware Pentesting (2-Day)

08 November 2017 - 09 November 2017
Hosted by
Bently Reserve
301 Battery Street, San Francisco, CA, 94111
Joe Fitzpatrick

Event Overview

Course Description

You’ve learned about JTAG, UART, and SPI in your introductory IoT hacking class, but how does that apply to the real-world devices you encounter on actual engagements?

This course will put what you’ve already learned into context. We’ll analyze how and why hardware hacks belong in scope of certain pen tests, and what that means to threat modeling and deliverables. We’ll build upon your basic skills and see how more advanced hardware and firmware analysis tells us more about the software vulnerabilities in a system. We’ll prototype some hardware exploits into compelling demos or helpful red-team tools.

This course focuses on approaching hardware as part of a pentest or red team engagement, implementing advanced hardware hacks, and managing the hardware ‘problem’. This two-day course builds directly upon the skills covered in Physical Attacks on Embedded Systems; consider taking the two together for a complete 4 days. If you’ve already taken another class that covers the basics of embedded/IoT/hardware hacking, including UART, JTAG, and SPI, you should have sufficient background.


This course targets a custom ARM-based embedded device representative of a wide range of consumer electronics, medical devices, industrial control hardware, and mobile devices. This course builds directly on the content of Applied Physical Attacks on Embedded Systems.


This course is well suited to pen testers, red teamers, exploit developers, and product developers looking to more smoothly incorporate hardware elements into their daily operations. In addition, security researchers and enthusiasts unwilling to ‘just trust the hardware’ will gain deeper insight into how hardware works and can be undermined.


  • 20% lecture
  • 70% lab
  • 10% discussion


Please note that the course is still in development and the exact details may evolve:

  1. Recon and Passive Analysis
    • Lecture: Recognizing and communicating hardware impact
    • Practical: Analyze, rate, and rank a list of real-world hardware vulnerabilities
    • Lecture: Sourcing documentation and tools
    • Lab: Identify a new system and configure a toolchain for it
    • Lecture: Reading datasheets and inferring system functionality
    • Lab: Derive a block diagram of a board and validate assumptions
  2. Threat Modeling and System Analysis
    • Lecture: Threat modeling when hardware is in scope
    • Practical: Building example threat models
    • Lecture: Identifying chips by packages, pin configurations, and dynamic analysis
    • Lab: Identify an unknown chip on an embedded system
    • Lecture: Tools for analyzing interconnects
    • Lab: Locate, capture and analyze an unknown protocol
  3. Hardware Vulnerability Analysis and Exploitation
    • Lecture: Equipping a hardware hacking lab
    • Practical: Estimating time, effort, and expense of hardware attacks
    • Lecture: Custom hardware & software for custom interfaces
    • Lab: Script a device to bit-bang a unique protocol
    • Lecture: Prototyping hardware exploit tools, demos, and deliverables
    • Lab: Implement a standalone hardware exploit device
  4. Firmware Vulnerability Analysis and Exploitation
    • Lecture: Embedded static vs dynamic analysis and tools
    • Lab: Static analysis of firmware to map functionality to firmware
    • Lecture: Dynamic analysis in-circuit vs emulator, tooling for dynamic analysis
    • Lab: Taking embedded firmware to an emulator
    • Lecture: Bringing it all together and hardware pen-test workflow
    • Practical: Final pen-test report

Please ensure that your virtualization solution supports USB in the virtual machine.


$2200 (until September 4th)
$2900 (after September 4th)
Cancellation requests by paid registrants must be made at least 45 days before the event and may be subject to an administration fee. In the event of course cancellation by the trainer, students may choose to attend an alternate course (space pending) or receive a full refund.


Purchase Both Classes

This course picks up where Applied Physical Attacks on Embedded Systems leaves off. Get a discounted rate by registering for both classes together.


Group discounts are available for 3 or more registrations.

Onsite Training

Can't make it? Training is also available at a location of your choice.