Presented at ToorCon San Diego TwentyOne (2019)
Nov. 9, 2019, 4 p.m.
All smart devices, from cars to IoT, are based around processors. Often these processors are not considered as part of the threat model when designing a product: There is an implicit trust that they just work and that the security features in the datasheet do what they say. This is especially fatal when the processors are used for security products, such as bitcoin wallets, cars, or authentication tokens.
In this presentation we will take a look at using fault injection attacks to break some of the most popular IoT processors - using less than 100USD of equipment.
We will also release software & hardware tools to do so.
- What is Fault Injection?
- What's glitching?
- Our setup
- - Glitch-o-matic, an automated FPGA-based glitching system
- ARM Cortex-M
- - How configuration bytes are stored on most Cortex-M (Flash vs fuses)
- - Lockdowns on the STM32F01/2/3 (+ 4 if we manage to do it)
- - Lockdowns on NXP LPC
- - Most processors have integrated bootROMs
- - Bootroms can be glitched
- - All Cortex-Ms have a complex bootROMs
- - Most chips boot very slowly form integrated clock
- Attacks used in the wild
- - NXP LPC Glitch
- - Nvidia Tegra Glitch (to glitch the Switch)
- Preparing for glitching
- - Analyze the bootROM for search space optimization
- - Measuring power-consumption to find option byte reads
- - Identifying where to glitch
- - - Details on power-management
- Let's get glitching
- - How things can go wrong -- we summarize the many, many, mistakes and false starts we made over multiple months, multiple iterations of the glitcher, false indications of success, and funny anecdotes of conducting an international glitching experiment)
- - Identifying subjectability to glitching (Glitching simple loops + flash reads)
- - Building a test setup
- - Detailed case study: STM32F2
- - - Where are these chip used?
- - - - medical, financial, cryptocurrency, automotive, IoT
- - - Read-protection Downgrade vulnerability
- - Detailed case study: ESP32
- - Some more chips (depending on success)
- Glitch matrix: What can we easily glitch?
- - A matrix of all the chips we tried to glitch and how successful we were
- Mitigations & how to protect
- - Trust, but verify
- - Adapting your threat model for glitching attacks
- - Vendors claim to have voltage sensors. Again, trust but verify.
- - STM32F2 Glitcher
- - ESP32 In-situ board
- - Needed software
- - The $7 Glitcher
Thomas Roth and Josh Datko
Thomas Roth is an embedded and IoT security researcher and founder of leveldown security. Thomas was named as one of the 30 under 30 in Technology by the Forbes Magazine. His main focus is on IoT, automotive and embedded security, with published research on topics such as ARM TrustZone, payment terminals, hardware wallet security and industrial security.
Josh Datko is an embedded systems engineer, security researcher and former submarine officer. He’s been glitching hardware wallets since 2017, running Cryptotronix since 2013, operating ham radio since 2007, and telling amazing sea stories since before birth.