BootPwn: Breaking Secure Boot by Experience


Niek Timmers

Cristofaro and Niek tell you what BootPWN is about, in their own words.


Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, on a wide variety of devices such as video game consoles and mobile phones, indicate that Secure Boot vulnerabilities are widespread.

The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.

Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios. All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.

As an attacker, you will be able to:

  • open the device and make physical modifications
  • communicate with the internal and external interface
  • program the external flash of the device
  • perform hardware attacks like fault injection

You will be guided towards an interesting range attack vectors and vulnerabilities specific for Secure Boot, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.


During the BootPwn experience we will cover the following topics:

  • Fundamentals
    • Embedded devices
    • Verification
    • Decryption
  • Secure Boot
    • Attack surface
    • Real-world attacks
  • Identifying Secure Boot vulnerabilities
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploiting Secure Boot vulnerabilities
    • Insecure designs
    • Vulnerable software
    • Weak cryptography
    • Incorrect cryptography
    • Configuration issues
    • Incorrect checks
    • Insecure parsing
    • Vulnerable hardware

Key Learning Objectives

The primary learning objectives of the BootPwn experience are to:

  • Gain a thorough understanding of Secure Boot as implemented on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain hands-on experience with exploiting Secure Boot specific vulnerabilities

Intended Audience

The BootPwn experience is intended for:

  • Security Analysts and Researchers, interested in breaking Secure Boot on secure devices
  • Security enthusiasts with an interest in embedded device security
  • Software Security Developers/Architects interested in an acquiring an offensive perspective

Student Prerequisites

The following pre requisites catalyse the learning experience of BootPwn:

  • have experience with Python/C programming
  • have experience with the ARM architecture (AArch64)
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with common cryptography (RSA, AES and SHA)

Don’t worry if you don’t meet all of the above expectations!

System requirements

  • Any modern computer system with sufficient memory
  • A modern browser (Chrome preferred)
  • Virtualisation software (VMware preferred)

Student Deliverables

During the training you will get access to:

  • a personal cloud based VM
  • the exercise registry
  • the exercise instructions
  • the CTF server

To continue practicing after the training is completed:

  • a personal offline VM
  • a temporary token to access the exercise registry
    • for downloading all training exercises in the offline VM
  • a copy of the exercise instructions