Adventures in glitching PIC microcontrollers to defeat firmware copy protection

Presented at Kiwicon 9: Cyberwar Is Hell (2015), Dec. 10, 2015, 5 p.m. (45 minutes)

Glitching is a non-invasive fault injection attack. For microcontrollers, the clock and the voltage are typical vectors for glitching. In some previous talks, I came across PIC microcontrollers that were found in home alarm systems and remote keyless entry keyfobs. These PICs had copy protection enabled. Defeating that copy protection and getting the code and data would be pretty useful . It would allow me to hunt for vulnerabilities in firmware. In this talk, I'll document my approach and results having built a glitcher to attack these PIC microcontrollers. I tried clock glitching and voltage glitching using an FPGA coded with Verilog, a Pickit3 PIC programmer and custom electronics. I didn't get a complete result, but so far I've been able to defeat the data protection. This gives me a first step into defeating the code protection. Who knows, maybe I'll have a complete break come Kiwicon?

Presenters:

  • Silvio Cesare
    Dr. Silvio Cesare is the Director of Anti-Malware Engineering at Qualys where he is commercialising his Ph.D. on malware detection and is an adjunct lecturer on Reverse Engineering Malware at the Australian Defence Force Academy (ADFA/UNSW). Silvio is also author of the book Software Similarity and Classification, published by Springer. He has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of Qualys - now the world's largest vulnerability assessment company. He is currently studying part-time in a Master of Engineering (Digital Systems and Telecommunications) at the ANU. He hosts the popular panel discussion at Ruxcon and ran the Hardware Hacking Village this year. He is an organiser of Ruxmon, and lives in Canberra, Australia.

Links:

Similar Presentations: