Skip to content

Latest commit

 

History

History
441 lines (334 loc) · 9.55 KB

presentation.md

File metadata and controls

441 lines (334 loc) · 9.55 KB
marp class paginate header footer theme
true
invert
true
Enter The Donjon: A practical laser attack on the go - Grehack 24
donjon
<style scoped> img { vertical-align: middle; padding: 0.5cm; } footer { right: 50px; height: 20px; bottom: 100px; } </style>

Enter The Donjon

A practical laser attack on the go

Workshop 06 - Grehack 24

Agenda

Fault injection principles

Attack of the OneKey Mini

Live execution

Workarounds and questions

<style scoped> img { vertical-align: middle; } span.emoji { font-size: 2cm; vertical-align: middle; line-height: 1; } </style>

Fault Injection? What is it?

width:2.2cm height:2cm Hardware

⚡️Physical perturbation

width:2.2cm height:2cm Process deflection

Unauthorized access

<style scoped> table, th, td, tr { border-color: transparent; margin: 2cm auto 0 auto; padding:0; text-align:center; line-height:1; } section tr:nth-child(even) {background-color: transparent;} section tt { background-color:transparent; padding:0; } </style>
------------------->
^
|		 |
|
|
<-------------------------+

Unauthorized access - Faulted

<style scoped> table, th, td, tr { border-color: transparent; margin: 2cm auto 0 auto; padding:0; text-align:center; line-height:1; } section tr:nth-child(even) {background-color: transparent;} section code, section tt { background-color:transparent; padding:0; } span.emoji { font-size: 2cm; vertical-align: middle; line-height: 1; } </style>
⚡️
------------------->
^
|		 |
|
|
<-------------------------+
<style scoped> section th { font-size: 35px } section td { color: gray; background-color: #ffffff22; } section tr:nth-child(even) { background-color: #ffffff22; } </style>

⚡️ Physical perturbation types

Power glitch  FBBI  EMFI  Laser
Power cut Voltage on the die EM field  Illumination

Attack of the OneKey Mini

Laser on ATECC

The Target Of Evaluation

ATECC608A
ATECC608A
OneKey OneKey
One Key Mini

The Bench

Laser Bench
Laser Bench
Daughter Board
Daughter Board

The Attack

# Authorized request
atecc.nonce()
atecc.gen_dig(1, atecc.KEY_SLOT1)
atecc.read(slot=6) ^ atecc.temp_key
# SUCCESS
# Unauthorized request
atecc.nonce()
atecc.gen_dig(14, atecc.KEY_SLOT14)
atecc.read(slot=6) ^ atecc.temp_key 
# EXECUTION_ERROR
# Faulted request
atecc.nonce()
atecc.gen_dig(14, atecc.KEY_SLOT14)
atecc.read(slot=6, trigger=I2CTrigger.END.value) ^ atecc.temp_key
# EXECUTION_ERROR / TIMEOUT / SUCCESS / ...

The Attack

Unauthorized access

Unauthorized accessAuthorized access
<style scoped> section p { margin:0 auto; } </style>

The Attack

height:12cm

https://hardwear.io/archives/usa-2023/

Let's do it!

<style scoped> section figure { margin: 3mm auto; display: flex; flex-flow: row; align-items: center; } section figcaption { font-size: 0.7em; text-align: center; font: smaller sans-serif; padding-left:1em; text-align: center; } section img { width:16cm } </style>

Perturbed executions

No perturbation

One perturbation

Two perturbations

Scan Result ~1 day execution

height:10cm Scan Result

No effect: Transparent SUCCESS I2C Nack Timeout ECC_FAULT AFTER_WAKE HEALTH_TEST_ERROR PARSE_ERROR

Scan Result ATECC608B / AES

height:12cm

Scan Result ATECC508A

height:13cm

height:9cm

Corrections and countermeasures

From the chip provider

Physical countermeasures

  • Jitter
  • Laser detectors
  • Fault counting...

From the constructor

Implement a good configuration

  • Lock all unecessary slots
  • Use convenient features
<style scoped> section h1, section h2, section p { margin:0 auto; } </style>

Thank you for your attention

Questions?


height:7cm

https://donjon.ledger.com/enter-the-donjon-grehack24