Abusing the Internet of Things

TIP

A simple communications program such as Minicom can be used to connect to and interact
with the UART. However, Minicom must be told exactly which baud rate to use. (Baud is
the number of signal symbols transferred per second; on a UART each symbol is one bit, so the
baud rate equals the bit rate.) The baudrate tool can be used to automatically detect the baud
rate and connect to the device.
The “Reverse Engineering Serial Ports” tutorial walks through how to locate UART pins
and connect to the UART of a hardware device in order to gain access to the system shell on
the device.
The Exploitee.rs website is a great resource that provides photos of identified UART pins
and baud rates for many popular devices. This information can be used to obtain UART
access to configure devices, dump firmware, and update firmware in order to insert
additional features or bypass security controls and limitations designed by the manufacturer.


The cloudBit module website states: “We’ve left pads on the bottom of the board so that you can connect
to the cloudBit’s serial console using 3.3V UART (8-N-1, 115,200 baud) and poke around.” Readers
who have the UART hardware and software tools outlined in this chapter can use the settings listed
(3.3 V logic level; 8 data bits, no parity, 1 stop bit; 115,200 baud) to tinker with their cloudBit’s UART
interface. The voltage matters as much as the framing: a USB-to-serial adapter set to 5 V logic can
damage a 3.3 V board, so check the adapter’s level before wiring it to the pads.
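The tip above describes auto-detecting a baud rate without saying how that works. The following Python is an added example, not the baudrate tool and not code from the book: it probes a list of common rates and keeps the one whose captured output is mostly printable ASCII, since a mis-framed rate arrives as non-ASCII garbage. The `pyserial_reader` helper assumes the pyserial package and a port such as /dev/ttyUSB0; the simulated console is constructed so the block runs offline.

```python
import string

# Common UART rates to probe; the cloudBit's documented rate (115200) is among them.
CANDIDATE_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (text, newlines, tabs)."""
    if not data:
        return 0.0
    good = sum(1 for b in data if chr(b) in string.printable)
    return good / len(data)


def detect_baud(read_at, candidates=CANDIDATE_BAUDS, threshold=0.9):
    """Try each candidate rate and return (baud, ratio) for the cleanest output.

    read_at(baud) must return the bytes captured from the console at that rate.
    A wrong rate mis-frames every character, so the bytes are mostly non-ASCII;
    the rate with the highest printable ratio above the threshold wins.
    Returns None when no rate produces readable text.
    """
    best = None
    for baud in candidates:
        ratio = printable_ratio(read_at(baud))
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (baud, ratio)
    return best


def pyserial_reader(port, nbytes=256, timeout=2.0):
    """Build a read_at() for a real adapter (assumes pyserial is installed).

    8-N-1 framing matches the cloudBit's documented settings.
    """
    import serial  # pyserial; imported lazily so the offline simulation needs no hardware

    def read_at(baud):
        with serial.Serial(port, baudrate=baud, bytesize=serial.EIGHTBITS,
                           parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE,
                           timeout=timeout) as ser:
            ser.reset_input_buffer()
            ser.write(b"\r\n")  # nudge a quiet console into printing a prompt
            return ser.read(nbytes)
    return read_at


# Constructed stand-in for a device console: readable at 115200, garbage elsewhere.
SIMULATED_BANNER = b"Starting kernel ...\r\n\r\nlogin: "


def simulated_read_at(baud):
    if baud == 115200:
        return SIMULATED_BANNER
    # Mis-framed bytes from a wrong rate: high bit set, so nothing is printable ASCII
    return bytes(((b * 37 + baud) % 127) | 0x80 for b in SIMULATED_BANNER)


if __name__ == "__main__":
    print(detect_baud(simulated_read_at))
    # On hardware: detect_baud(pyserial_reader("/dev/ttyUSB0"))
```

Once the rate is known, `minicom -D /dev/ttyUSB0 -b 115200` opens the console with the same 8-N-1 defaults. A console that is idle until a key is pressed will defeat the ratio test, which is why the reader sends a newline before capturing.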

Another popular hardware debug interface is JTAG, named after the Joint Test Action
Group that defined it (standardized as IEEE 1149.1). There are various JTAG pin combinations.
Most JTAG interfaces expose four mandatory signals, TDI (Test Data In), TDO (Test Data Out),
TCK (Test Clock), and TMS (Test Mode Select), plus the optional TRST (Test Reset); TRST is
often omitted because a TAP can also be reset by holding TMS high for five clock cycles.
Identifying these pins on an unlabeled header can be tedious, but the popular JTAGulator
hardware tool can automatically identify them. Joe Grand, the creator of the tool, explains
how to use JTAGulator in a YouTube video.
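To show what an automated pin finder does when it identifies TCK, TMS and TDO, the following Python is an added example, not JTAGulator's code and not from the book: an IDCODE scan that tries every assignment of the three signals across a set of candidate pads, resets the TAP, walks it into Shift-DR, and clocks out 32 bits, keeping any result that has bit 0 set as IEEE 1149.1 requires. The target is a constructed software TAP holding a sample IDCODE (0x4BA00477, a value with the manufacturer field 0x23B); on real hardware the `SimulatedBoard` write/read calls would be replaced by GPIO access on the probe. TDI is not needed to read an IDCODE, which is why only three pins are permuted.

```python
from itertools import permutations

# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1)
TAP_NEXT = {
    "TLR": ("RTI", "TLR"),       "RTI": ("RTI", "SelDR"),
    "SelDR": ("CapDR", "SelIR"), "CapDR": ("ShDR", "Ex1DR"),
    "ShDR": ("ShDR", "Ex1DR"),   "Ex1DR": ("PauDR", "UpdDR"),
    "PauDR": ("PauDR", "Ex2DR"), "Ex2DR": ("ShDR", "UpdDR"),
    "UpdDR": ("RTI", "SelDR"),   "SelIR": ("CapIR", "TLR"),
    "CapIR": ("ShIR", "Ex1IR"),  "ShIR": ("ShIR", "Ex1IR"),
    "Ex1IR": ("PauIR", "UpdIR"), "PauIR": ("PauIR", "Ex2IR"),
    "Ex2IR": ("ShIR", "UpdIR"),  "UpdIR": ("RTI", "SelDR"),
}


class SimulatedTap:
    """Constructed target: a minimal TAP whose data register holds IDCODE after reset."""
    def __init__(self, idcode):
        self.idcode, self.state, self.dr = idcode, "TLR", 0

    def tdo(self):
        # TDO is driven only while shifting; treat it as pulled high otherwise
        return self.dr & 1 if self.state == "ShDR" else 1

    def clock(self, tms, tdi):
        if self.state == "ShDR":                  # a rising TCK shifts one bit
            self.dr = (self.dr >> 1) | (tdi << 31)
        nxt = TAP_NEXT[self.state][tms]
        if nxt == "CapDR":                        # Capture-DR loads the selected register;
            self.dr = self.idcode                 # IDCODE is selected after Test-Logic-Reset
        self.state = nxt


class SimulatedBoard:
    """Constructed header with numbered pads; only three are wired to the TAP."""
    def __init__(self, tap, tck, tms, tdo):
        self.tap, self.tck, self.tms, self.tdo = tap, tck, tms, tdo
        self.levels, self.tck_prev = {}, 0

    def write(self, pad, level):
        self.levels[pad] = level
        if pad == self.tck:
            if level and not self.tck_prev:       # rising edge on the real TCK
                self.tap.clock(self.levels.get(self.tms, 1), 1)  # TDI unprobed: reads as 1
            self.tck_prev = level

    def read(self, pad):
        # Unwired pads read back as pulled high or as whatever was last driven
        return self.tap.tdo() if pad == self.tdo else self.levels.get(pad, 1)


def pulse(probe, tck):
    probe.write(tck, 1)
    probe.write(tck, 0)


def read_idcode(probe, tck, tms, tdo):
    """Assume (tck, tms, tdo); reset the TAP, walk to Shift-DR, clock out 32 bits LSB first."""
    probe.write(tck, 0)
    probe.write(tms, 1)
    for _ in range(5):                 # five TMS=1 clocks reach Test-Logic-Reset from any state
        pulse(probe, tck)
    for tms_val in (0, 1, 0, 0):       # Run-Test/Idle -> Select-DR -> Capture-DR -> Shift-DR
        probe.write(tms, tms_val)
        pulse(probe, tck)
    value = 0
    for i in range(32):
        value |= probe.read(tdo) << i
        pulse(probe, tck)              # TMS still 0: stay in Shift-DR, shift the next bit
    return value


def looks_like_idcode(v):
    # 1149.1 fixes bit 0 at 1; all-ones or all-zeros means a floating or stuck pin
    return (v & 1) == 1 and v not in (0x00000000, 0xFFFFFFFF)


def decode_idcode(v):
    return {"version": v >> 28, "part": (v >> 12) & 0xFFFF, "manufacturer": (v >> 1) & 0x7FF}


def idcode_scan(probe, pads):
    """Try every (TCK, TMS, TDO) assignment of the candidate pads; report plausible IDCODEs."""
    hits = []
    for tck, tms, tdo in permutations(pads, 3):
        v = read_idcode(probe, tck, tms, tdo)
        if looks_like_idcode(v):
            hits.append({"TCK": tck, "TMS": tms, "TDO": tdo, "IDCODE": v})
    return hits


SAMPLE_IDCODE = 0x4BA00477   # sample value with bit 0 set; manufacturer field 0x23B


def demo_board():
    # pads 0..5 on the constructed header; TCK=3, TMS=1, TDO=4, the rest unconnected
    return SimulatedBoard(SimulatedTap(SAMPLE_IDCODE), tck=3, tms=1, tdo=4)


if __name__ == "__main__":
    for hit in idcode_scan(demo_board(), range(6)):
        print(hit, decode_idcode(hit["IDCODE"]))
```

The scan reports every assignment that yields a plausible code rather than a single answer, because a wrong TCK/TMS pairing can occasionally walk the TAP into a shift state; confirm a candidate by repeating the read and checking the manufacturer field against the JEDEC ID you expect for the chip. Since the scan drives pads as outputs, identify ground and the logic level first, exactly as for UART.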
Security researchers found that LIFX lightbulbs expose a JTAG interface and used it to
uncover a security vulnerability. Unlike the Philips hue system, the LIFX architecture does not
require a hub. Instead, one lightbulb is connected to the WiFi network and is deemed the master
bulb. Other bulbs connect to the master bulb using the 6LoWPAN standard (the name stands
for IPv6 over Low Power Wireless Personal Area Networks). This allows the bulbs to use little
power, especially when not illuminated, and to extend their network as a mesh to reach bulbs
beyond the range of WiFi.
The researchers used the JTAG interface to obtain the firmware stored on the lightbulbs.
This firmware contained a global encryption key that was the same in every LIFX lightbulb. This
symmetric key is used to encrypt and decrypt communication among all lightbulbs from this
company, so extracting it from a single bulb compromises every LIFX mesh, not only the bulb
that was opened. Armed with this key, the researchers demonstrated that they could inject
arbitrary instructions into any LIFX mesh network, allowing them to command the lights. In
this case, the attacker would have to be within 30 meters of the LIFX bulbs, since the attack
is conducted over the local wireless network.
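The text says the key was recovered from a firmware dump but not how it was located. One common way practitioners hunt for key material in a dump is an entropy scan: fixed keys are dense random bytes, while code, strings and padding are not. The Python below is an added illustration of that technique, not the researchers' method and not code from the book; it runs over a constructed firmware image containing a sample 32-byte key (not a real product key) and reports the regions worth inspecting by hand.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, up to 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(image: bytes, window=32, step=4, threshold=4.5):
    """Slide a window over the image and merge overlapping windows above the threshold.

    Returns [(start, end, peak_entropy), ...]. A 32-byte window tops out at 5.0 bits
    (32 distinct values), so 4.5 separates key-like bytes from strings, padding and
    repetitive instruction encodings, which stay well below it.
    """
    regions = []
    for off in range(0, len(image) - window + 1, step):
        h = shannon_entropy(image[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:      # overlaps the previous hit: extend it
            regions[-1][1] = off + window
            regions[-1][2] = max(regions[-1][2], h)
        else:
            regions.append([off, off + window, h])
    return [(s, e, round(h, 3)) for s, e, h in regions]


def carve(image: bytes, regions):
    """Return the bytes of each flagged region as hex for manual inspection."""
    return [image[s:e].hex() for s, e, _ in regions]


# Constructed firmware image: a repeated 4-byte instruction-like filler, a log string,
# zero padding, and one 32-byte key made of distinct bytes (sample value only).
SAMPLE_KEY = bytes.fromhex(
    "9f1c3b7ae2d045c6810b5e7d2a9c4f63b417d98e6c0f52a3e941bd66c8f32e75")
CODE_FILLER = b"\x00\xf0\x20\xe3" * 64
LOG_STRING = b"mesh: bad packet checksum\r\n" * 8
PADDING = b"\x00" * 128
FIRMWARE = CODE_FILLER + LOG_STRING + PADDING + SAMPLE_KEY + PADDING + CODE_FILLER


if __name__ == "__main__":
    hits = high_entropy_regions(FIRMWARE)
    print(hits)                     # one region around offset 600, where the key sits
    print(carve(FIRMWARE, hits))
```

The caveat is that the heuristic only works on a plain image: a compressed or encrypted firmware blob is high-entropy everywhere, so the dump must first be unpacked (or, as here, read out of the running device's memory) before a key stands out. The merged region is deliberately a few bytes wider than the key, since a window that straddles the key's edge still scores above the threshold; the exact boundaries come from inspecting the carved bytes.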


SECURITY EVALUATION 215