SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices, Microcontrollers and System on Chips (SoC) by Christian Kudera

Target audience: People interested in attack scenarios against IoT devices and embedded systems
Focus: technical
Language: German

Abstract:
**********
This talk gives an insight into physical attacks against IoT devices and embedded systems. Possible attacks and countermeasures are presented in overview.

About the Speaker:
*********************
Christian Kudera is a researcher and security analyst at SBA Research. Christian received an MSc in Hardware & Software Security from TU Wien. Currently he is working towards his PhD degree with a focus on Internet of Things and embedded systems security. He has more than six years of experience as a security analyst in the areas of hardware and software security. He teaches multiple courses at TU Wien (Internet Security, Advanced Internet Security) and at Universities of Applied Sciences (Rosenheim Technical University of Applied Sciences, FH Campus Wien, FH St. Pölten).


  1. Classification: Public
     Welcome to the SBA Live Academy #bleibdaheim #remotelearning
     Today: Physical Attacks against (I)IoT-Devices, Embedded Devices, Microcontrollers and System on Chips (SoC) by Christian Kudera
     You are automatically muted on entry, please use the chat for interacting with us. This talk will be recorded as soon as the presentation starts! Recording will end BEFORE the Q&A Session starts.
  2. Physical Attacks against (I)IoT-Devices, Embedded Devices, Microcontrollers and System on Chips (SoC)
     Christian Kudera
     SBA Research gGmbH, 2020
  3. Acknowledgement
     • Presentation partially based on slides from Markus Kammerstetter (Trustworks GmbH)
       o https://www.trustworks.at/
  4. Hardware Security Fundamentals
  5. Newer Designs
  6. Integrated Circuit (IC): Die
  7. IC Structure
  8. Mechanical Invasiveness
     • Non-invasive
       o It is not necessary to open the chip
     • Semi-invasive
       o The chip has to be decapsulated, so that the die is visible
       o Passivation layer stays intact
     • Invasive
       o The chip is fully decapsulated
       o Passivation layer is (partially) removed
       o Physical contact to chip signals possible
     Figure label: Costs
  9. Hardware Security: Non-Invasive Attacks
  10. A bad password check

          bool check_password(char *passwd) {
              for (int i=0; i<pass_len; i++) {
                  if (passwd[i] != stored_passwd[i])
                      return false;
              }
              return true;
          }

  11. A bad password check

          bool check_password(char *passwd) {
              for (int i=0; i<pass_len; i++) {
                  if (passwd[i] != stored_passwd[i])
                      return false;
              }
              return true;
          }

      Terminates as soon as a byte is wrong
      Based on timing information, it is easy to guess the password
  12. A better password check

          bool check_password(char *passwd) {
              int err=0;
              for (int i=0; i<pass_len; i++) {
                  err |= passwd[i] ^ stored_passwd[i];
              }
              if (err != 0)
                  return false;
              return true;
          }

      Constant time
  13. Simple Power Analysis
      • The power consumption of a processor depends on the instruction executed
      • Security analyst / attacker closely monitors the power consumption during clock cycles (i.e. time domain)
      • For a given instruction, the power consumption also depends on the data processed
  14. Simple Power Analysis
  15. Vulnerable RSA exponentiation
      • Example:
      • Using SPA, it’s possible to completely recover the RSA secret key during the exponentiation of large integers!
      [Cryptography Research, Inc.]
  16. Side Channel Countermeasures
      • Use secure components (e.g. microcontroller with implemented countermeasures)
      • Leakage reduction (e.g. through balancing)
      • Noise introduction
      • Masking (e.g. through insertion of random dummy cycles)
      • Obfuscation
  17. Clock Glitching
      • For a short time, the IC receives a clock pulse that is too fast for the IC to fully process:
      • Some of the IC operations will work as intended (e.g. increase program counter), others will not finish and get interrupted
      • Can be used to skip code (e.g. conditional jump in password check)
  18. Voltage Glitching
  19. Practical Example
      • Bozzato, Claudio, Riccardo Focardi, and Francesco Palmarini. "Shaping the Glitch: Optimizing Voltage Fault Injection Attacks." IACR Transactions on Cryptographic Hardware and Embedded Systems (2019)
      • Firmware extraction via fault injection
        o STMicroelectronics: STM32 F1, STM32 F3
        o Texas Instruments: MSP430 F5xx
        o Renesas Electronics: 78K family (e.g. 78K0/Kx2)
  20. Fault Injection Countermeasures
      • Use secure components (e.g. microcontroller with implemented countermeasures)
      • Environmental sensors
      • Tamper sensors
      • Internal filtering
      • Shielding
  21. Cold Boot Stepping
      • Obermaier, Johannes, and Stefan Tatschner. "Shedding too much light on a microcontroller's firmware protection." 11th USENIX Workshop on Offensive Technologies (WOOT 17). 2017
      • Analysis of the STMicroelectronics STM32 F0 security concept
  22. Hardware Security: Semi-Invasive Attacks & Invasive Attacks
  23. Wet Chemical Decapsulation
      • Epoxy package is very resistant
      • Epoxy can be dissolved in concentrated and heated acids (usually fuming HNO3, H2SO4 or a combination thereof)
      • Bonding wires, pads and passivation layer stay intact, copper wires can be an issue
      • Easy to conduct, but safety equipment necessary
  24. Wet Chemical Decapsulation
      1 – Carefully mill a cavity
  25. Wet Chemical Decapsulation
      2 – Carefully apply nitric acid (HNO3) / sulfuric acid (H2SO4) on hot plate
      Safety equipment & fume hood
  26. Wet Chemical Decapsulation
      3 – Rinse in Acetone
  27. Wet Chemical Decapsulation
      4 – Repeat etch & rinse until die fully exposed
  28. Wet Chemical Decapsulation
      5 – Clean in Acetone in ultrasonic cleaner to remove remaining residue
  29. Wet Chemical Decapsulation
      6 – Chip ready for further analysis and/or attack
      Chip is still functional
  30. Optical Microscopy
  31. Scanning Electron Microscope
  32. Plasma Deprocessing
      • Principle of plasma etching already covered (i.e., plasma decapsulation)
      • Advantages:
        o Very clean results
        o Strong selectivity
        o Passivation removal
      • Disadvantages:
        o Metal etching requires highly toxic Chlorine based gases
        o Formation of “RIE grass”
  33. Polishing
      • Use slurry with silica crystals for polishing
      • Die is mounted with special wax
      • Alignment is key to get planar polishing results
      • Disadvantages:
        o Uneven results
        o Material dependent removal rates
  34. Example: Metal Layer Removal
      Figure labels: Top metal layer; Below interconnect layer exposed
  35. Example: Via Imaging
  36. Automated Gate Recognition
      • Using pattern recognition, security analyst / attacker can identify the standard cells and how they are interconnected
      • It’s possible to reconstruct the implemented logic
  37. Focused Ion Beam (FIB)
  38. Summary & Takeaway
      • Physical attacks are a serious threat for the IoT and embedded devices
        o Know the risks and consider them in a threat analysis
      • Use secure components if necessary
        o Be aware that an attacker may still be able to extract the firmware or particular secrets
  39. Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Bridging Science and Industry Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowledge Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Contact us: anfragen@sba-research.org
  40. #bleibdaheim #remotelearning
      Coming up @ SBA Live Academy
      05.05.2020, 13:00, live: "Threat Modeling 101 – a short yet practical introduction" by Daniel Schwarz
      Join our MeetUp Group! https://www.meetup.com/Security-Meetup-by-SBA-Research/
  41. Christian Kudera
      SBA Research gGmbH
      Floragasse 7, 1040 Vienna
      ckudera@sba-research.org
      SBA Research gGmbH, 2019
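For the password checks on slides 10 to 12, the following added example (not code from the slides) puts the two variants side by side and counts loop iterations as a deterministic stand-in for execution time. The secret, the guesses, the `steps` counter and `leak_spread` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample secret, fixed length as on the slides. */
static const char stored_passwd[] = "S3cr3t!!";
static const size_t pass_len = sizeof(stored_passwd) - 1;

/* Loop iterations of the last check: a deterministic stand-in for run time. */
static size_t steps;

/* Slides 10/11: returns at the first mismatching byte. */
bool check_password_leaky(const char *passwd) {
    steps = 0;
    for (size_t i = 0; i < pass_len; i++) {
        steps++;
        if (passwd[i] != stored_passwd[i])
            return false;
    }
    return true;
}

/* Slide 12: accumulates the differences and always walks every byte. */
bool check_password_ct(const char *passwd) {
    unsigned char err = 0;
    steps = 0;
    for (size_t i = 0; i < pass_len; i++) {
        steps++;
        err |= (unsigned char)(passwd[i] ^ stored_passwd[i]);
    }
    return err == 0;
}

/* Largest difference in work across guesses (each pass_len bytes long).
 * Anything above 0 means run time depends on how much of the guess matches. */
size_t leak_spread(bool (*check)(const char *), const char *const *guesses, size_t n) {
    size_t lo = (size_t)-1, hi = 0;
    for (size_t i = 0; i < n; i++) {
        check(guesses[i]);
        if (steps < lo) lo = steps;
        if (steps > hi) hi = steps;
    }
    return n ? hi - lo : 0;
}

int main(void) {
    const char *g[] = { "XXXXXXXX", "S3XXXXXX", "S3cr3XXX", "S3cr3t!!" };
    printf("leaky spread: %zu, constant-time spread: %zu\n",
           leak_spread(check_password_leaky, g, 4), leak_spread(check_password_ct, g, 4));
    return 0;
}
```

On a real target, confirm in the disassembly that the compiler kept the comparison loop free of early exits, since the C standard gives no timing guarantees.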
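For slides 13 to 16, this added example (not from the slides) shows why the operation sequence of an exponentiation matters for SPA and what balancing changes. The figure on slide 15 is not in the transcript, so a textbook left-to-right square-and-multiply is assumed as the vulnerable form; the toy key (n = 3233, d = 2753) and the 'S'/'M' trace strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* (a * b) mod m; operands stay below m < 2^32, so no 64-bit overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

/* Assumed vulnerable form: left-to-right square-and-multiply. trace gets
 * 'S' per squaring and 'M' per multiply, i.e. the sequence SPA observes.
 * trace must hold at least 65 bytes. */
uint64_t modexp_sm(uint64_t base, uint32_t exp, uint64_t m, char *trace) {
    uint64_t r = 1;
    size_t t = 0;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m); trace[t++] = 'S';
        if ((exp >> i) & 1) { r = mulmod(r, base, m); trace[t++] = 'M'; }
    }
    trace[t] = '\0';
    return r;
}

/* Balanced form: multiply on every bit, keep the product via a mask
 * instead of a branch, so the sequence is the same for every exponent. */
uint64_t modexp_always(uint64_t base, uint32_t exp, uint64_t m, char *trace) {
    uint64_t r = 1;
    size_t t = 0;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m); trace[t++] = 'S';
        uint64_t prod = mulmod(r, base, m); trace[t++] = 'M';
        uint64_t mask = 0 - (uint64_t)((exp >> i) & 1); /* all ones if bit set */
        r = (prod & mask) | (r & ~mask);
    }
    trace[t] = '\0';
    return r;
}

/* What the sequence alone reveals: "SM" reads as bit 1, lone "S" as bit 0. */
uint32_t exponent_from_trace(const char *trace) {
    uint32_t e = 0;
    for (size_t i = 0; trace[i]; i++)
        if (trace[i] == 'S') e = (e << 1) | (uint32_t)(trace[i + 1] == 'M');
    return e;
}

int main(void) {
    char a[65], b[65];   /* constructed toy key: n = 3233, d = 2753 */
    printf("%llu %s -> %u\n", (unsigned long long)modexp_sm(2790, 2753, 3233, a), a, exponent_from_trace(a));
    printf("%llu %s -> %u\n", (unsigned long long)modexp_always(2790, 2753, 3233, b), b, exponent_from_trace(b));
    return 0;
}
```

The balanced variant only evens out the operation sequence; the data-dependent consumption described on slide 13 remains, which is why slide 16 lists noise and masking alongside balancing.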
