Avast News

Avast Hacker Archives Episode 1: Joe FitzPatrick

Grace Roberts, 19 January 2021

In our pilot episode, Avast CISO Jaya Baloo asks hacker extraordinaire Joe FitzPatrick about his earliest “Aha!” moments

We are very excited to share Episode 1 of our brand new series, Avast Hacker Archives, or AHA for short. Hosted by Avast CISO Jaya Baloo, the series showcases those valuable “Aha!” moments achieved by white hat hackers and researchers that changed the course of our digital world. We’ll not only dig into the history and significant moments of our technological age, but also shine a light on the positive side of hacking – it’s not all cyberattacks and selfish motives.

We’re kicking it off with our special guest Joe FitzPatrick, the Hardware Security Trainer and Researcher at SecuringHardware.com. Educated as an electric engineer, Joe has spent over a decade working on silicon debugging, security validation, and penetration testing of CPU systems on chips and microcontrollers. He has worked at Intel, and he has trained hundreds of budding hackers and researchers. In his spare time, he contributes to the NSA playset. 

In our episode, Joe recollects about the first hack he ever presented at a conference. It was a Nikon D800 camera. The high-end apparatus used a very expensive proprietary Wi-Fi adaptor, and Joe didn’t understand why a generic $50 adaptor, at a tenth the cost, shouldn’t work just as effectively. Applying some electrical engineering skill and technical know-how, Joe hacked the device and made the cheaper adaptor work like a charm on it.

Aside from leading Joe down the road to many more camera hacks, this also led him to a passionate new hobby – armchair hacking (his term). Joe says that armchair hacking is among the most important steps in a successful hack, because it’s the critical first step. It entails using a discerning eye to study the object that’s going to be hacked, looking at it, seeking holes in the armor, and plotting the angle of approach.

One of Joe’s most significant hacks would be the time he hacked Direct Memory Access (DMA). DMA is a protocol that allows add-in cards to directly access memory instead of asking the CPU to fetch it. After some armchair hacking, Joe took a testing chip that used USB, he added a little hardware, added a little software, wrote a Python script, and suddenly he had a drive-less way to push and pull data from the system’s memory.

The point of all this hacking? It tests the integrity of systems. If there is any vulnerability in the tech being used by governments, businesses, or the masses, it’s a much more desirable situation for Joe and his colleagues to find it first so it can be fixed rather than for bad actors to discover it and cause harm. “We can’t always assume the hardware works as we think it does,” says Joe. “And we can’t always assume the hardware is fully trustworthy and perfect and infallible. A protocol is not secure until you have the tools to poke at it and inspect it.”

Joe offers his own official training to be a white hat hacker, but he also has advice for those just starting out. “Figure out your core skill set – electronics, software, interpersonal communication, politics, etc. You’re dealing with understanding a system, and when you combine that with the desire to see how a system works, you get the ability to reverse engineer and take apart and manipulate that system, which makes you productive as a hacker, someone who makes change.” As for where hackers should begin – Joe says hardware hacking villages at conferences are a great place to start. Also, he advises, you can always go to a thrift store, buy some cheap hardware, take it home, and take it apart. That’s hacking at its core.

History can be seen as a series of “Aha!” moments, and we’re excited to trace those milestones that have shaped our digital age. Hear Joe go deeper in depth on the topics mentioned above as well as much more in our premiere episode of Avast Hacker Archives.

In addition to the video below, you can also tune in to the episode as a podcast on Transistor and Spotify.