1
00:00:00,680 --> 00:00:08,180
Hi there, welcome back to this course. In this lesson, I'll talk about exploitation of I2C communication

2
00:00:08,180 --> 00:00:10,280
protocols of IoT devices.

3
00:00:11,260 --> 00:00:20,860
I2C stands for Inter-Integrated Circuit, invented in 1982 by Philips Semiconductors, known

4
00:00:20,860 --> 00:00:30,430
today as NXP Semiconductors. It is a Synchronous Serial Bus Protocol (Multi Master, Multi Slave),

5
00:00:30,730 --> 00:00:39,010
used for short distance intra-board data communications between lower-speed peripheral of integrated

6
00:00:39,010 --> 00:00:43,210
circuits and processors/microcontrollers.

7
00:00:45,910 --> 00:00:53,590
Let's see some possible applications of the I2C communication protocol. It is used, for example,

8
00:00:53,590 --> 00:00:55,460
for data storage

9
00:00:55,480 --> 00:01:03,640
via EEPROM (electrically erasable programmable read-only memory), for accessing low-speed DACs,

10
00:01:04,030 --> 00:01:14,890
that is, Digital to Analog Converters, or for Analog to Digital Converters, for controlling small OLED or LCD

11
00:01:14,890 --> 00:01:22,330
displays, for turning on and off the power supply of system components.

12
00:01:23,640 --> 00:01:29,940
These are just some possible applications of I2C technology.

13
00:01:32,290 --> 00:01:40,960
Regarding the method of data transmission, I2C can only send or receive data at a given point

14
00:01:40,960 --> 00:01:46,070
of time, thus allowing half-duplex communication.

15
00:01:46,990 --> 00:01:54,880
The image shows a printed circuit related to an analog to digital converter with an I2C interface.

16
00:01:57,120 --> 00:02:07,550
I2C needs just two wires to enable the data exchange: a Serial Data line (SDA) and a Serial

17
00:02:07,550 --> 00:02:16,790
Clock line (SCL). Typical voltages used are five volts or three point three volts.

18
00:02:17,600 --> 00:02:25,220
The image shows a schematic of an I2C Master in connection with three slaves, where it is assumed

19
00:02:25,220 --> 00:02:33,980
that the master is a microcontroller and the slaves are an ADC, a DAC and an additional microcontroller.

20
00:02:36,670 --> 00:02:45,610
Let's see the operating speed categories of I2C. For bidirectional bus communication there are

21
00:02:45,610 --> 00:02:47,230
four possible operating speed

22
00:02:47,270 --> 00:02:57,550
categories. A standard mode with a bit rate up to 100 kilobits per second, a fast mode, fast

23
00:02:57,550 --> 00:03:06,580
mode plus, high speed mode with a bit rate up to three point four megabits per second.

24
00:03:06,970 --> 00:03:16,030
Ultra fast-mode with a bit rate

25
00:03:16,030 --> 00:03:18,310
up to five megabits per second.

26
00:03:22,010 --> 00:03:29,210
For those wishing to further explore the technical and operational specifications of the I2C protocol,

27
00:03:29,210 --> 00:03:38,600
it is possible to directly consult some technical manuals from the NXP Semiconductors website, as you

28
00:03:38,600 --> 00:03:40,360
can see in the slide.

29
00:03:43,800 --> 00:03:53,400
Attack scenarios against I2C: let's see which they could be. First of all, sniffing the communication

30
00:03:53,400 --> 00:04:02,400
between an I2C device and the controller/processor, or patching the data in the I2C EEPROM

31
00:04:02,400 --> 00:04:10,590
memory, causing a malfunction of the device, and modifying the frequency of the I2C Clock's

32
00:04:10,590 --> 00:04:14,960
signal, an attack known as a clock glitching attack.

33
00:04:15,240 --> 00:04:21,930
And this can lead, for example, to an abnormal execution of applications running on the device.

34
00:04:24,450 --> 00:04:32,340
Now let's see the steps to follow to verify the safety of the I2C interface with respect,

35
00:04:32,340 --> 00:04:41,230
for example, to the possibility of extracting data directly from an EEPROM memory via the I2C interface.

36
00:04:41,970 --> 00:04:52,920
The first step is to identify I2C pinouts, in particular, the SCL and SDA pinouts of the EEPROM.

37
00:04:53,860 --> 00:05:04,780
And for this it could be useful to fetch the datasheet of the I2C EEPROM chip.

38
00:05:08,360 --> 00:05:18,320
The next step is to connect the I2C pinouts to a PC via a USB TTL converter interface, for example,

39
00:05:18,530 --> 00:05:29,260
the Attify badge, BusPirate, etc. There are two ways to connect the I2C pinouts to the USB

40
00:05:29,270 --> 00:05:30,790
TTL converter:

41
00:05:31,700 --> 00:05:40,100
1) You can unsolder the I2C EEPROM from the printed circuit board and insert it into an adapter

42
00:05:40,100 --> 00:05:42,260
suitable for the EEPROM packaging,

43
00:05:42,710 --> 00:05:53,140
or 2) you can directly connect the I2C EEPROM pinouts to the USB TTL converter using SOIC clips

44
00:05:53,330 --> 00:05:55,010
without unsoldering

45
00:05:55,010 --> 00:05:55,730
the EEPROM.

46
00:05:58,270 --> 00:06:07,720
And here we can see a schematic connection of the EEPROM of an IoT device connected to an analysis PC

47
00:06:08,020 --> 00:06:11,260
through an Attify badge interface.

48
00:06:13,440 --> 00:06:13,950
Then

49
00:06:15,270 --> 00:06:26,250
you can proceed with the exploitation steps by establishing a connection between the PC and the

50
00:06:26,250 --> 00:06:33,480
IoT device through the chosen connection interface, launching an appropriate connection program

51
00:06:33,480 --> 00:06:39,420
from the PC to read and write data, such as the Python script

52
00:06:39,630 --> 00:06:45,780
i2ceeprom.py, downloadable as a project from GitHub.

53
00:06:46,770 --> 00:06:55,260
So if the data is not securely managed on the device, an attacker can read it or manipulate it.

54
00:06:57,650 --> 00:07:00,770
OK, thank you for your kind attention.