Most consumer tech manufacturers figure that once a hacker can physically access a device, there's not much left that can be done to defend it. But a group of researchers known as the Exploitee.rs say that giving up too soon leaves devices susceptible to hardware attacks that can lead to bigger problems. Hardware hack techniques, like a flash memory attack they developed, can facilitate the discovery of software bugs that not only expose the one hacked device, but every other unit of that model.

The group, which includes the hackers Zenofex, 0x00string, and maximus64_, presented their flash memory hack this week at the Black Hat security conference in Las Vegas. On Saturday, they built on it at DefCon by presenting 22 zero-day (previously undisclosed) exploits in a range of consumer products—mainly home automation and Internet of Things devices—a number of which they discovered using that hack.

"We [wanted] to get this technique into the hands of more people, because there are so many more devices out there that nobody’s looking at," that have the susceptible type of flash memory, says CJ Heres, a hardware hacker in the Exploitee.rs group. "And manufacturers are still releasing things using this. It's still a very prevalent flash type."

Tinker, Hacker, Solder, Spy

On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.

This process could theoretically work on any digital device that uses flash memory, but most types would require interfacing with more pins than eMMC does, and many necessitate specialized readers and protocols to gain access. "For the most common types of memory, most people don’t want to open things up, solder to them, do all that kind of stuff, because it’s kind of a giant mess," Heres says. "But with eMMC you can do it with five wires. Of course, the soldering is a little difficult, but totally doable. It’s not 40 or 50 wires."
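Once a team has dumped its own product's eMMC this way, the first question is how much of what came off the chip is readable in the clear. The following check is an added example, not code from the article or from the Exploitee.rs group: it walks a flash image in fixed blocks and uses Shannon entropy to separate plaintext or erased regions from encrypted or compressed ones. The block size, the 7.5-bit threshold, and the sample image are all constructed assumptions for the demonstration.

```python
import math
import random
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for uniform random bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def classify_regions(image: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Label each block 'high' (likely encrypted/compressed) or 'low' (plaintext, code, or erased),
    merging adjacent blocks with the same label into (start, end, label) regions."""
    regions = []
    for offset in range(0, len(image), block_size):
        end = min(offset + block_size, len(image))
        label = "high" if shannon_entropy(image[offset:end]) >= threshold else "low"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((offset, end, label))
    return regions

def plaintext_fraction(image: bytes, block_size: int = 4096, threshold: float = 7.5) -> float:
    """Fraction of the dump that sits in low-entropy regions, i.e. exposed to anyone with chip access."""
    low = sum(end - start for start, end, label in classify_regions(image, block_size, threshold)
              if label == "low")
    return low / len(image) if image else 0.0

def build_sample_image() -> bytes:
    """Constructed stand-in for an eMMC dump: a plaintext config area, an encrypted-looking
    area (deterministic pseudo-random bytes), and an erased area of 0xFF."""
    config = b"wifi_ssid=home\nwifi_psk=hunter2\nadmin_pw=changeme\n"
    plaintext = (config * (16384 // len(config) + 1))[:16384]
    rng = random.Random(1234)
    encrypted = bytes(rng.getrandbits(8) for _ in range(16384))
    erased = b"\xff" * 8192
    return plaintext + encrypted + erased

if __name__ == "__main__":
    img = build_sample_image()
    for start, end, label in classify_regions(img):
        print(f"0x{start:06x}-0x{end:06x} {label}")
    print(f"plaintext fraction: {plaintext_fraction(img):.2f}")
```

A real dump taken from an SD card reader can be passed in by reading the image file into `bytes`; regions labelled `low` that hold credentials or keys are the ones a physical attacker gets for free.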

Some data recovery services already use that method to help customers retrieve their information from broken devices, but it isn't widely known.