Hardwear.io (https://hardwear.io/) is a niche and highly technical conference aimed at hardware security researchers. It consistently attracts everyone from vulnerability researchers who are curious about getting started with embedded or radio device hacking to seasoned professionals looking to explore a broad range of topics across hardware security research. The conference took place from May 26 to May 30 in San Jose, California.
Presentations
This was my first time attending Hardwear.io, and I was eager to experience a conference that so many people had spoken highly of. Rather than trying to cover every talk (the talks will likely be released later), I want to highlight a few that stood out to me, either because they touched on areas I work in and care about, or because they were especially well presented.
More broadly, the conference maintained a consistently high technical standard, with talks spanning topics from advanced fault-injection techniques to wireless security.
The keynote by Dr. Yossi Oren delivered a strong message to a room full of people accustomed to “breaking” things: our skills as breakers can also be applied as builders. It was a useful reminder that security research is not only about finding flaws, but also about helping design products that remain both useful and secure over time.
The first talk I found exceptionally well presented was “Reverse Engineering a Ledger Nano X Hardware Implant,” given by Joe Grand. I have enjoyed Joe’s YouTube content for some time, so I was especially glad to see him present in person. In the talk, he recounted the sequence of events that ultimately led him to reverse engineer a hardware implant found in a Ledger Nano X crypto wallet in the wild. The presentation spanned several disciplines required for that work, including PCB analysis, firmware reverse engineering, and RF analysis. As impressive as the technical content was, what stood out just as much was Joe’s ability to pull the audience into the investigation and make the presentation feel immediate and memorable.
The second talk I found particularly interesting was “Your MediaTek Wi-Fi Chip’s Secrets: Bypassing Firmware Encryption,” given by Edoardo Mantovani. Having previously worked on the SoftMAC portion of the MediaTek wireless driver while investigating a wireless parsing issue in a Sonos speaker a couple of years ago, I found it interesting to see a different part of MediaTek’s wireless stack targeted—specifically the firmware. In this talk, the speaker explained the prior research he used as a starting point, including past NCC Group fault-injection work on the MediaTek BootROM (https://www.nccgroup.com/research/there-s-a-hole-in-your-soc-glitching-the-mediatek-bootrom/). From there, he described the process that led to several vulnerabilities which allowed him to bypass firmware encryption. One bug in particular stood out as both a powerful primitive and a novel exploitation path to code execution. It abused a ROM-patching mechanism in a way that allowed a large chunk of attacker-controlled code to be inserted and then directed at selected portions of ROM firmware, overwriting critical code involved in the MediaTek boot process and ultimately leading to arbitrary code execution.
Training Course
While at Hardwear.io, I attended LoraPWN, taught by Sebastien Dudek. The class provided a useful introduction to LoRa and showed how less ubiquitous radio modulations are becoming increasingly relevant across a range of devices and applications. We started with the fundamentals and built upward from there, beginning with identifying LoRa from a radio-frequency perspective and progressing through exercises that introduced additional layers of the protocol, including LoRaWAN at layer 2. Most of the class used GNU Radio to build practical workflows, ranging from focused modulation and demodulation exercises to more complete, production-oriented examples of LoRa use in devices such as drones, where Sebastien also highlighted vulnerabilities and areas where security could be improved.