Welcome, Joe FitzPatrick! (@securelyfitz)
- Joe got started working at a CPU vendor, analyzing Verilog and hardware for vulnerabilities. He moved on to training people within the company to look for these as well.
- Afterwards, he went independent, doing trainings through his own company, SecuringHardware.com.
- Joe worked on a part of the NSA Playset, specifically SLOTSCREAMER, a DMA attack device that works over PCI Express. Ulf Frisk later built a software suite for it that automatically ran a bunch of commands against the target.
- A recent snafu with software behind the mirror…
I woke up and looked in the mirror. My face was the color of television, tuned to a dead channel. pic.twitter.com/LrSpcro0b7
— Joe Fitz (@securelyfitz) June 1, 2017
- With USB-C, every device needs to be smart. If you want to watch traffic, you need to do so with a tool like USBProxy (Dominic Spill). The other Great Scott Gadgets tool being used for USB analysis is the Daisho (Jared Boone).
- Thunderbolt 3 converged with USB-C: it uses the same connector.
- We had previously talked about USB-C when Jason Cerundulo was on talking about his EZ Bake Oven.
- Joe talks about “hardware implants”
- JTAG and SVF (Serial Vector Format) files, the vendor-neutral format for recorded JTAG operations
- An Oregon professional engineer who was getting sued
- Bug bounty companies like Bugcrowd
- There is an ISO standard on vulnerability disclosure (ISO/IEC 29147)
- Joe will be at REcon helping with former guest Dmitry Nedospasov’s training about using programmable hardware devices to test for vulnerabilities.
- There is a new joint group of trainings happening Nov 6-9 in San Francisco. More info can be found here: HardwareSecurity.training
- devtty0 on Twitter
- Joe’s talk about compromising a YubiKey and an RSA token. Slides can be found here.
Joe’s final words: Trust, but verify
Chris is still frightened.
Simon says
Great interview. I did not know anything about hardware-level security and this was a good primer and I learned a lot.