Yuanzhe Wu
Yuanzhe Wu (Hans) has received a Master of Science in Mechanical Engineering degree with specialization in robotics and control from Columbia University in 2019. He has 5 years of experience in embedded device security analysis and is RBS's leading hardware and firmware reverse engineering expert. Mr. Wu was the engineering lead for the cold-boot robot work as well as in recent work examining root-of-trust for Siemens PLC secure boot implementations.
Sessions
We present the design and construction of a robot that reliably extracts contents of RAM of modern embedded devices at runtime. We discuss the practical engineering challenges and solutions of adapting the traditional cold-boot attack to non-removable DDR chips commonly found on modern embedded devices. Lastly, we present a practical guide to building your own cryo-mem rig from COTS parts for less than a thousand bucks.
Have you noticed that embedded hardware is getting harder to reverse? BGA chips, massively integrated packages, vertical stackups, encrypted firmware at rest, and a pinch of "no jtag or uart" has become standard fare. While these artifacts do not correlate to material improvements in device security, you can't prove it because you can't dump the firmware or debug the hardware. Skip the noise and change up the game. Sometimes it's easier just to grabbing unencrypted firmware from live RAM. All you have to do is keep the chips at -50C on a running system, pull all the chips off on the same CPU instruction, slap it on an FPGA that sort of respects the DDR state machine without punching a whole in your device, or cause shorts due to condensation, and without freezing your eyebrows off. We'll show you how to build a robot to do this in an afternoon for about a thousand dollars.