How Machines Actually Work: 10 Takeaways from Hardwear.io 2025

A few weeks ago, I had the pleasure of attending Hardwear.io (yes, it’s really spelled like that), a conference all about hardware security. I came in with very little hardware experience, which put me in a great position to learn from the ground up. Below are 10 takeaways to organize my thoughts and provide the curious reader with a taste of what Hardware hacking is all about.

(External) Crystal Oscillators are Real Life Magic

What happens when you turn on a computer? This question teaches you everything you need to know about the intersection of hardware and software if you follow the details closely enough.

When a device is powered on, one of the very first components to receive voltage is the crystal oscillator: a thin disk of quartz crystal. The atomic lattice of quartz lacks a center of symmetry, so voltage applied to the atomic structure causes mechanical strain which bends the crystal slightly. Once the voltage passes, the crystal begins to return back to its natural flat state. However, the voltage is given a little boost by an amplifier and redirected to flow back through the crystal. This causes the quartz disk to oscillate from its flat state to its bent state over and over. It does this fast and consistently. Note that when I say fast, I mean really fast—over 25,000,000 times per second.

This provides the heartbeat of a machine. Computers do a ton of things, but they can only do them one at a time. These operations must be carried out in discrete steps, and there needs to be a way to say “and next and next and next” to the instructions. This is exactly the role of the crystal oscillator—it is the metronome for the flow of computation.

From a security perspective, it’s worth noting that heating or cooling the crystal oscillator can subtly speed up or slow down the system clock—something to keep in mind when exploring ways to exploit a device.

What is Hardware Hacking?

Put simply, hardware hacking involves using a physical electronic device to get it to do something it wasn’t designed to do. This often involves figuring out how it works, which leads to figuring out how to break it.

Consider a smart lock on the front door of a house. It’s programmed to expect a specific code, and if the correct numbers are entered, it unlocks. Otherwise, it stays locked. The code for this smart lock might look something like:

// Secret pin (1111) is kept in memory
const uint8_t SECRET_PIN[4] = {1, 1, 1, 1};

// User types a pin using the keypad
uint8_t USER_INPUT[4] = read_keypad();  // reads 4 digits into a buffer

// Compare the input to the real pin
// stay_locked is false if and only if the correct pin is inputted
bool stay_locked = check_pin(USER_INPUT);


// How does the machine compare the pins?
bool stay_locked(uint8_t guess[4]) {
    for (uint8_t i = 0; i < 4; i++) {  // check each number in the inputted code
        if (guess[i] != SECRET_PIN[i]) {
            return true;  // stay locked if even one digit is wrong
        }
    }
    return false;  // unlock if all digits match
}

In this example, the secret pin is 1111. The smart lock uses the check_pin() function to compare a user’s guess against the stored pin one byte (i.e. one number) at a time. If a user enters 9999, the function immediately sees that the first digit is wrong and returns “stay_locked == true.” However, if a user enters 1119, then the function checks the first three digits, observes that they match the set pin, and only returns “stay_locked == true” after the final digit fails. This means it will take longer to check 1119 than 9999.

The difference in timing is typically on the order of 0.000001 seconds (microseconds). However, with the right equipment, it’s possible to observe these variations and deduce the secret pin that the lock is expecting. It’s worth pointing out that the secret pin can be recovered in O(N) linear time, aka very fast. This example demonstrates that secrets are hidden on Microcontrollers and that by interacting with the hardware, those secrets can be revealed.

It’s worth pondering: what secrets lie in a physical device? For example, when a smart TV powers on, it remembers which apps are logged in by pulling authentication tokens from its non-volatile memory (memory that persists even after the TV is turned off). If an attacker extracts those tokens, they can impersonate the user and access their Netflix, Gmail, Spotify, or anything else tied to the device. These secrets are physically sitting in a chip, waiting to be read by anyone clever enough to try.

Chips Run Everything

The circuit boards inside smart devices might look complicated, but they’re easy to demystify, at least at a surface level. The green board itself is called a PCB (Printed Circuit Board). It’s made of thin copper pathways called traces woven through a non-conductive material. These traces guide pulses of electricity exactly where they need to go. And what reads and controls those pulses? Integrated Circuits (ICs)! Also known as… chips!

Integrated Circuits are (usually) black rectangles with a bunch of metal legs sticking out of them. Sometimes the legs are tucked underneath the chip in what’s called a ball grid array (BGA). The legs connect directly to the copper traces on the PCB, allowing the chip to send instructions and read responses from the rest of the system. These are some of the most common types of ICs that are found in IoT (Internet of Things) devices:

Just remember: Microcontroller Units (MCUs) have built-in knowledge of some set of protocols and the ability to communicate with other parts of the board via their legs. The operations are done by the MCU but all variables and states are kept in memory. Note that memory can either be a distinct zone within an MCU itself or a separate chip like an SPI NOR Flash.

So what’s important from a security perspective?

Memory Chips (SPI NOR Flash, EEPROM): These store interesting files such as the firmware (the machine developers’ software that makes the device function), auth tokens, and potentially hardcoded secrets. They can typically be copied and read using some specific tools.

Communication Interfaces (UART, JTAG): These protocols provide a direct line of communication with the MCU and hence the whole device. UART is a frequently exposed debugging channel that one interacts with through a terminal-like interface. JTAG is a different protocol used for debugging, but access leads to a total takeover…

JTAG = Instant Pwn

When a device manufacturer buys a Microcontroller Unit (MCU) from a chip manufacturer, how do they put custom firmware onto the chip?

MCUs sold by chip manufacturers typically arrive blank or with a minimal bootloader (a small program physically etched into the microcontroller’s silicon, which is the first code to run when the device is powered). Device manufacturers then put their custom firmware into the chip’s non-volatile memory in a process called flashing. One of the most common ways to flash firmware is via JTAG, a type of communication that many MCUs are built to understand. JTAG was originally designed as a debugging protocol to test and verify that every component on the circuit board is connected and working properly. However, to accomplish this, it must be able to access memory, registers, and firmware. If a chip understands JTAG and accepts input, then it’s possible to rewrite the firmware on the device and hence reprogram what it does.

The impact of this is huge from a supply chain perspective. Making a smart device involves many steps and plenty of opportunity for malicious activity.

If JTAG is enabled, then the device should probably not be bought used. An attacker could easily and discreetly modify the firmware and include a key logger, spy through sensors, and exfiltrate data to an attacker’s server.

Fault Injection is the HOT Technique Right Now

First off—what is fault injection? The idea is to inject something into a device which disrupts the microcontroller at a specific time during its execution. If the timing is right, it’s possible to bypass protections like security checks or code protection. There are lots of different things that we can inject. Here are the major ones:

To find viable targets for fault injection, it’s helpful to analyze the firmware to identify sensitive operations like authentication checks or cryptographic functions. Clues also lurk in the communication flowing along the trace (often using I2C or SPI protocols) and in the voltage fluctuations of the power lines.

Fault injection attacks are currently one of the leading areas of research in hardware security. For one thing, purely software attacks have become harder due to modern protections such as secure boot chains (chain of trust) and cryptographic firmware signatures to prevent unauthorized code modification. Glitching can have significant impact, enabling attacks ranging from bypassing a UART login prompt to gain access to a root U-Boot shell, to recovering passcodes from crypto wallets protected by secure memory. An interesting note: fault injection tends not to be 100% accurate. The reason is that it’s almost impossible to know exactly what processes the MCU is doing and therefore difficult to predict what interrupting it will achieve.

RowHammer: The Coolest Exploit I’ve Never Heard Of

When I was younger and heard “at their core, computers are just 1s and 0s” I thought—why not make a tool that physically flips some of those 1s and 0s in a malicious way? Well, it turns out this idea is already being explored. RowHammer is a hardware-based attack that targets DRAM (Dynamic RAM) memory chips with the intent of changing certain bits. The idea is to rapidly access (i.e. “hammer”) the same row of memory over and over. This can cause electrical interference that changes bits in adjacent memory rows, even though they were not directly accessed. Exploiting this vulnerability requires code execution but can be done remotely.

For nation-state threat actors (or evil geniuses), RowHammer is an excellent way to wreak havoc. For instance, an attacker could rent a virtual machine (VM) on a cloud server and exploit RowHammer to flip bits in another VM’s memory, theoretically compromising the entire cloud environment. Recently, Google cloud servers (hosting services like Discord, Spotify, Snapchat and of course, Google itself) went down due to buggy code. The shutdown only lasted a few hours, but it impacted numerous businesses and cost millions of dollars. If a threat actor successfully leveraged RowHammer against the monopoly of cloud infrastructure, a significant portion of the internet could be effectively shut down.

Well, RowHammer is easy to fix—just restart the physical machine… But how often do major cloud servers restart?

Almost never.

You Can Learn Interesting Things from Patents

Looking for a niche attack surface on a target? Check out their patents on Google Patents or the USPTO. Back in 1989, Nintendo patented a system that authenticates game cartridges for their NES gaming console. A group called Tengen used the patent to help reverse-engineer the system and bypass the authentication check. This allowed them to load non-Nintendo games and sell their own cartridges without going through Nintendo’s licensing system.

There Exist a Lot of Vulnerable Wireless Protocols

At a fundamental level, wireless communication is electromagnetic radiation (light) typically produced by the jiggling of charged particles like electrons. This radiation travels as waves across a broad spectrum of different wavelengths, only a tiny portion of which is visible to our eyes: 380 to 700 nm (nanometers) per wave. Humans use the wavelengths of visible light to communicate via images or videos (anything you can see). On the other hand, devices transmit information using invisible light at different wavelengths:

Technology	Wavelength
Radar	7.5 mm – 30 cm
Satellite	.75 – 7.5 cm
Wi-Fi	6 – 12.5 cm
Bluetooth	~12.5 cm
LTE / 4G	12 – 50 cm
Radio	170 – 560 m (meters)

Most IoT devices communicate with standardized protocols such as Zigbee (12.5 cm) or Z-Wave (33 cm), or through proprietary radio frequency protocols like PowerG. PowerG touts AES-128 encryption on all communication, frequency hopping so an attacker needs to track changing wavelengths, and two-way communication which requires verifying receipt of messages. However, as demonstrated by presenters at Hardwear.io, it’s possible to completely capture and decrypt PowerG signals.

It seems that custom-made wireless protocols are a bit of a Wild West; new ones appear all the time but almost none are vetted as much as they should be. I believe a lot more interesting research lies in attacking devices at a protocol level where custom communication is reverse engineered, packet structures are analyzed, and the encryption is broken.

Hardware in the Quantum Era

As someone interested in quantum mechanics and computing, I’m intrigued by how hardware is evolving in the quantum era. Just as early computers were the physical embodiment of Turing machines and theoretical computer science, today’s engineers are racing to build the first physical processors that can perform quantum computing. Among the frontrunners, IBM leads in raw qubit count (1,121 qubits), Google leads in error correction research, and Microsoft is exploring a totally different physical realization that could scale more easily than other designs.

Besides actually making a quantum computer, many chip designers are racing to implement post-quantum (PQ) algorithms—cryptographic schemes designed to be unbreakable by quantum computers. One of the biggest motivations behind making a quantum computer is that they can run efficient algorithms that break many common forms of encryption. However, there are still many protocols (ex: Kyber for encryption and Dilithium for digital signatures) that can run on classical computers but can’t be broken by quantum computers. Major chipmakers like Intel, ARM, NXP, and Infineon are working to burn post-quantum algorithms directly into their chips at a silicon-level in order to run them very quickly. This difficult challenge will likely happen in the next few years.

But don’t worry, once post-quantum algorithms are used, hardware will still be vulnerable. It’s been shown that by performing a power analysis on a chip (measuring subtle fluctuations in a chip’s power usage), it’s possible to extract secret keys and break “quantum secure” algorithms.

A Lot of Cool People Do Projects Just to Do Them

One thing I quickly picked up at Hardwear.io is that many hardware hackers are driven by curiosity. Ask why they did something and the answer is often “because I can.” I heard about projects ranging from hacking a toothbrush to play different songs, to building a spoofer for credit cards and magstripes. One particularly awesome project came from Samy Kamkar (look him up—he’s a legend). He created a device that shines a laser through a window, measures the minute vibrations in the reflected beam caused by changes in air pressure, and translates that back to sound to recover all noise occurring in the room. As if that wasn’t cool enough, he noticed that each letter on a keyboard makes a slightly different sound, so he modified his device to capture keystrokes. It’s straight out of a spy movie!

A deeper insight I took away is this: nearly anything is possible in hardware, it just might be really hard. The consequence of this reminds me of something a math professor at Princeton, Sophie Morel, once taught me: when you do research, you set out to prove something new. Even if you don’t find exactly what you’re looking for, you will find something.

---

Bonus: