Posts Tagged ‘HardwareHacking’
[DefCon32] Nano Enigma: Uncovering the Secrets in eFuse Memories
Michal Grygarek and Martin Petr, embedded systems security experts at Accenture in Prague, reveal the vulnerabilities of eFuse-based memories used to store sensitive data like encryption keys. Their presentation explores the process of extracting confidential information from these chips using accessible tools, challenging the assumption that eFuse memories are inherently secure. Michal and Martin’s work underscores the need for enhanced protection mechanisms in embedded systems.
Decoding eFuse Vulnerabilities
Martin opens by explaining the role of eFuse memories in securing encryption keys and debugging interfaces. Traditionally considered robust, these memories are susceptible to physical attacks due to their readable properties. Martin details their journey, starting with chip decapsulation using household items like a wet stone, demonstrating that determined attackers can bypass protections without advanced equipment.
Reverse-Engineering Techniques
Michal delves into their methodology, which involved delayering chips to access eFuse data. Using a Scanning Electron Microscope (SEM) rented from a local university, they read encryption keys, breaking the confidentiality of encrypted flash memory. Their approach, supported by Accenture, highlights the ease of extracting sensitive data, as the physical destruction of the chip was not a barrier to recovering firmware.
Implications for Embedded Security
The duo emphasizes the broader implications, noting that eFuse vulnerabilities threaten devices relying on these memories for security. Martin addresses the misconception that delayering is prohibitively complex, showing that basic tools and minimal resources suffice. Their findings, including a giveaway of decapsulated ESP32 chips, encourage hands-on experimentation to understand these risks.
Strengthening Protection Mechanisms
Concluding, Michal advocates for advanced obfuscation techniques and alternative storage solutions to secure sensitive data. Their work, presented at DEF CON 32, calls for vendors to reassess eFuse reliance and implement robust safeguards. By sharing their techniques, Michal and Martin inspire the cybersecurity community to address these overlooked vulnerabilities in embedded systems.
Links:
[DefCon32] From Getting JTAG on the iPhone 15 to Hacking Apple’s USB-C Controller
Thomas Roth, known as Stacksmashing, a hardware security researcher and co-founder of HexHive, takes the audience on a technical odyssey to compromise Apple’s proprietary ACE3 USB-C controller in the iPhone 15. Using reverse-engineering, RF side-channel analysis, and electromagnetic fault injection, Thomas achieves code execution on this custom chip, unlocking JTAG access and exposing its inner workings. His work highlights the persistence required to tackle secure hardware.
Cracking the ACE3 Controller
Thomas introduces the ACE3, a microcontroller managing USB-C functions, internal buses, and JTAG on the iPhone 15. Unlike its predecessor, ACE2, which was vulnerable to software exploits, ACE3 employs personalized firmware and disabled debug interfaces. Through meticulous reverse-engineering, Thomas mapped its architecture, revealing access to UART and SPMI buses, critical for deeper device exploration.
Leveraging Side-Channel Attacks
To bypass Apple’s protections, Thomas employed RF side-channel analysis and electromagnetic fault injection. Using tools like ChipShouter, he induced faults to read and write arbitrary memory, dumping the ACE3’s ROM and RAM. This painstaking process, despite battery challenges, yielded a complete firmware dump, enabling further analysis of the chip’s security mechanisms.
Democratizing Hardware Hacking
Recognizing the high cost of professional tools, Thomas ported his attack to the affordable PQM-P1, reducing the cost to $60. This democratization of fault injection empowers researchers to explore similar chips without prohibitive expenses. His open-source firmware for ChipShouter automates the process, making hardware security research more accessible to the community.
Future of Hardware Security Research
Thomas concludes by encouraging researchers to persist in analyzing unknown silicon, as demonstrated by his success with minimal prior knowledge. His glitching lab at the MedSec Systems Village invites hands-on exploration of fault injection techniques. By sharing his tools and methodologies, Thomas fosters a collaborative approach to uncovering vulnerabilities in secure hardware.