Summerschool Aachen 2004/Hardware Hacking Presentation

From C4 Wiki

Presentation Summary

Introduction

  • Security by using obscure screw heads and non-public, undocumented systems
  • i.e. security by obscurity: it only delays an attacker who has the device in hand

Locks

  • LINK MIT Lockpicking Guide
  • Keys can be memorized: the cut depths of a key that is seen can be read off and reproduced
  • Master keys are possible because of "spacer pins" (master pins): an extra pin in a chamber gives it a second shear line
  • Lockpicking, types of tools
    • picks: tension wrench (spanner), snake/rake picks
    • bypass: actuate the bolt or latch directly, evading the lock mechanism altogether
    • automated equipment: pick guns and electric picks with vibrating needles
    • magnetic fields, used against locks which hold their pins with magnets
  • High security locks: e.g. 15 pin positions (slits) in a row, 3 pins at each position
  • A master key may be "bruteforced" from a working change key: raise the pins at one position at a time and note every extra depth that still opens the lock; the search is linear in the number of positions
  • Circular (tubular) locks defeated by an empty pen casing pushed into the keyway
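The master-key search from the bullets above, as an added example (not part of the presentation or this wiki page): a simulated master-keyed pin-tumbler lock serves as the oracle, and the search varies one pin position of the working change key at a time. The lock model, the 10-depth key system and the key values are constructed for the simulation.

```python
# Added example (not from the presentation): a simulated master-keyed
# pin-tumbler lock used as an oracle, and the position-by-position search
# that recovers the master key from one working change key.
from typing import List, Sequence, Set

DEPTHS = range(10)      # assumed: a key system with cut depths 0..9


class MasterKeyedLock:
    """Each chamber holds a bottom pin and, where master keyed, an extra
    master ("spacer") pin, so it has a shear line at the change-key depth
    and a second one at the master depth."""

    def __init__(self, change_key: Sequence[int], master_key: Sequence[int]):
        assert len(change_key) == len(master_key)
        self.chambers: List[Set[int]] = [
            {c, m} for c, m in zip(change_key, master_key)]
        self.tries = 0           # keys inserted so far (oracle calls)

    def opens(self, key: Sequence[int]) -> bool:
        self.tries += 1
        return len(key) == len(self.chambers) and all(
            depth in chamber for depth, chamber in zip(key, self.chambers))


def recover_master(lock: MasterKeyedLock, change_key: Sequence[int],
                   depths: Sequence[int] = DEPTHS) -> List[int]:
    """Vary one position of the working key at a time and keep the other
    depth that still opens the lock.  Every chamber is tested independently,
    so the cost is positions * depths instead of depths ** positions."""
    master = list(change_key)
    for pos in range(len(change_key)):
        for depth in depths:
            if depth == change_key[pos]:
                continue
            test = list(change_key)
            test[pos] = depth          # only this chamber differs from the change key
            if lock.opens(test):
                master[pos] = depth    # second shear line found: the master depth
                break                  # two-level system: at most one extra depth
    return master


if __name__ == "__main__":
    # constructed example: change key, and the master key the lock also accepts
    change, master = [2, 5, 1, 7, 3, 6], [2, 8, 1, 4, 9, 6]
    lock = MasterKeyedLock(change, master)
    found = recover_master(lock, change)
    print("recovered", found, "with", lock.tries, "test keys (naive search: 10**6)")
```

In practice each test key has to be cut (or a blank filed down one position at a time), and real key systems impose limits on how much adjacent cuts may differ, so some depths can be ruled out without trying them; the simulation ignores both.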

Tampering - opening things you shouldn't

  • LINK presentations from "kingpin" by the l0pht - http://www.grandideastudio.com/portfolio
  • glue melts faster than the casing: heat softens adhesives and potting compound before the housing is damaged
  • PAPER Unwrapping the Chrysalis (Mike Bond, Daniel Cvrček, Steven J. Murdoch)
  • logic analyzers (used to watch e.g. 16 wires at once)
  • hardware gets obfuscated on a regular basis (e.g. chip markings removed)
  • protection against tampering by potting chips in plastic or epoxy, adding framing, etc.
  • JTAG interface to hardware devices, intended for "debugging"
    • identify the chip and the attached flash
    • reflash (dump and rewrite the firmware)
  • PAPER Keeping Secrets in Hardware: the Microsoft Xbox Case Study (Andrew Huang)
  • PAPER Low Cost Attacks on Tamper Resistant Devices (Ross Anderson, Markus G. Kuhn)
  • PAPER Design Principles for Tamper-Resistant Smartcard Processors (Oliver Kömmerling, Markus G. Kuhn)
  • chip layout rendered by 3D microscope imaging of the decapped die
  • test circuits (manufacturer test mode) are protected by fuses, burnt upon delivery
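Identifying what sits on a JTAG chain, as an added example (not from the presentation): the first thing a JTAG tool does after reset is shift the IDCODE registers out on TDO and decode them, which is how it knows which part it is talking to before it looks for the flash. The IDCODE layout and the JEP106 manufacturer encoding follow IEEE 1149.1; the bit stream used as input is constructed by `make_tdo_stream`, a helper added here, not anything a real adapter provides.

```python
# Added example (not from the presentation): decoding the IDCODE values a
# JTAG chain shifts out after Test-Logic-Reset.
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class TapInfo:
    idcode: Optional[int]      # None: TAP has no IDCODE register (shifted out a single 0)
    version: int = 0
    part_number: int = 0
    jep106_bank: int = 0       # number of 0x7F continuation codes before the ID
    jep106_id: int = 0         # 7-bit JEDEC manufacturer code (parity bit dropped)


def decode_idcode(idcode: int) -> TapInfo:
    """IEEE 1149.1 IDCODE layout: [31:28] version, [27:12] part number,
    [11:1] JEP106 manufacturer code, [0] always 1."""
    if idcode & 1 != 1:
        raise ValueError("bit 0 of an IDCODE must be 1: 0x%08x" % idcode)
    mfr = (idcode >> 1) & 0x7FF
    return TapInfo(idcode=idcode,
                   version=(idcode >> 28) & 0xF,
                   part_number=(idcode >> 12) & 0xFFFF,
                   jep106_bank=mfr >> 7,
                   jep106_id=mfr & 0x7F)


def walk_chain(tdo_bits: Iterator[int], max_devices: int = 32) -> List[TapInfo]:
    """Parse the bits read on TDO in Shift-DR right after reset (LSB first,
    device nearest TDO first).  A TAP without IDCODE is in BYPASS and yields
    one 0 bit; a TAP with IDCODE yields 32 bits starting with 1.  We shift 1s
    in on TDI, so 32 consecutive 1s mark the end of the chain."""
    devices: List[TapInfo] = []
    try:
        while len(devices) < max_devices:
            first = next(tdo_bits)
            if first == 0:
                devices.append(TapInfo(idcode=None))
                continue
            word = 1
            for i in range(1, 32):
                word |= next(tdo_bits) << i
            if word == 0xFFFFFFFF:
                break                       # nothing left in the chain
            devices.append(decode_idcode(word))
    except StopIteration:
        pass                                # stream ended mid-chain: return what we have
    return devices


def make_tdo_stream(chain: List[Optional[int]]) -> Iterator[int]:
    """Constructed test input: what TDO would deliver for the given chain,
    listed nearest-TDO first; None stands for a BYPASS-only TAP."""
    for idcode in chain:
        if idcode is None:
            yield 0
        else:
            for i in range(32):
                yield (idcode >> i) & 1
    while True:                             # the 1s we shift in on TDI come back out
        yield 1


if __name__ == "__main__":
    # 0x4BA00477 is the published IDCODE of an ARM CoreSight JTAG-DP
    # (JEP106 bank 4, code 0x3B = ARM); the second TAP is a bypass-only device.
    for tap in walk_chain(make_tdo_stream([0x4BA00477, None])):
        print(tap)
```

The manufacturer code has to be mapped through the JEP106 table (bank plus code) to get a name; the part number field is vendor specific and is what a flash tool matches against its device database before it can offer "re-flash".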

Tempest

  • Electromagnetic emanations
  • Use tinfoil to protect your thoughts whenever possible
  • Tempest attacks against SVGA video signals are not simple
  • PAPER Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations (Markus G. Kuhn, Ross Anderson)
  • Tempest for Eliza plays music on an AM radio by drawing patterns on a monitor
  • Optical Tempest samples the brightness changes a CRT causes in the room (even diffuse reflections) and reconstructs the screen content; effective
  • watch LEDs to capture bits from data lines: on many serial devices the LED is connected directly to the data line; not working on Ethernet, where the activity LED is not driven by the data
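The LED attack from the last bullet, as an added example (not from the presentation): if the LED is wired to a serial TX line, a photodiode pointed at it records the line level, and recovering the bytes is ordinary asynchronous serial decoding. The brightness samples are constructed here by `led_samples`; the polarity (LED lit while the line is high) and the 8x oversampling rate are assumptions.

```python
# Added example (not from the presentation): recovering 8N1 serial data from
# a status LED that is driven directly by the TX line, on constructed samples.
import random
from typing import List

OVERSAMPLE = 8          # assumed: sensor sampled at 8x the baud rate
ON, OFF = 1.0, 0.0      # normalised brightness; assumed LED lit while the line is high (mark)


def uart_bits(data: bytes) -> List[int]:
    """8N1 framing: idle high, start bit 0, 8 data bits LSB first, stop bit 1."""
    bits = [1, 1, 1, 1]                      # some idle time before the first byte
    for byte in data:
        bits.append(0)                       # start bit
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)                       # stop bit
    bits.extend([1, 1, 1, 1])                # idle after the last byte
    return bits


def led_samples(bits: List[int], noise: float = 0.1, seed: int = 1) -> List[float]:
    """Brightness samples an optical sensor would record: each bit lasts
    OVERSAMPLE samples, plus Gaussian measurement noise (constructed data)."""
    rng = random.Random(seed)
    out: List[float] = []
    for b in bits:
        level = ON if b else OFF
        out.extend(level + rng.gauss(0, noise) for _ in range(OVERSAMPLE))
    return out


def decode_led(samples: List[float], threshold: float = 0.5) -> bytes:
    """Threshold the brightness, hunt for the falling edge of a start bit and
    sample every following bit in the middle of its period."""
    line = [1 if s > threshold else 0 for s in samples]
    out = bytearray()
    i = 1
    while i < len(line):
        if line[i - 1] == 1 and line[i] == 0:          # falling edge = start bit?
            mid = i + OVERSAMPLE // 2
            if mid + 9 * OVERSAMPLE >= len(line):
                break                                  # frame runs past the capture
            if line[mid] != 0:                         # glitch, not a real start bit
                i += 1
                continue
            byte = 0
            for n in range(8):
                byte |= line[mid + (n + 1) * OVERSAMPLE] << n
            if line[mid + 9 * OVERSAMPLE] == 1:        # valid stop bit
                out.append(byte)
            i = mid + 9 * OVERSAMPLE                   # resume inside the stop bit
        else:
            i += 1
    return bytes(out)


if __name__ == "__main__":
    captured = led_samples(uart_bits(b"hello, world"))
    print(decode_led(captured))
```

Note what makes this work: the LED follows every bit, because the driver is the data line itself. An Ethernet activity LED is pulsed by the PHY for "traffic present" and carries no bit-level information, which is the reason the bullet excludes it.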

Side Channels

  • used mainly on smart cards, where the attacker controls the power supply and the clock
  • Simple Power Analysis (SPA): read instructions and key bits directly off a single power trace
  • Timing Analysis: execution time depends on secret data
  • Differential Power Analysis (DPA): statistics over many traces separate the key hypotheses
  • PAPER Power Analysis Tutorial (Manfred Aigner, Elisabeth Oswald)
  • PAPER Physical Side-Channel Attacks on Cryptographic Systems (N. P. Smart)
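Differential power analysis end to end, as an added example (not from the presentation or the cited papers): traces are constructed with a Hamming-weight leakage model of a 4-bit S-box lookup plus Gaussian noise, and the attack correlates each key guess's predicted leakage with the measurements. The S-box is the one from the PRESENT cipher, chosen only because it is small; the key, trace count and noise level are constructed parameters.

```python
# Added example (not from the presentation): correlation-based DPA on
# constructed power traces of a 4-bit S-box lookup.
import random
from typing import List, Tuple

# PRESENT cipher S-box (4 bit); any non-linear S-box behaves the same way
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key: int, n: int, sigma: float = 0.5,
                    seed: int = 7) -> Tuple[List[int], List[float]]:
    """Constructed leakage model: the power sample taken when the S-box output
    is written is its Hamming weight plus Gaussian noise of std sigma."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(16) for _ in range(n)]
    traces = [hamming_weight(SBOX[p ^ key]) + rng.gauss(0, sigma) for p in plaintexts]
    return plaintexts, traces


def pearson(xs: List[float], ys: List[float]) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def recover_key_nibble(plaintexts: List[int],
                       traces: List[float]) -> Tuple[int, List[float]]:
    """For every key guess predict the leakage of each trace and correlate the
    prediction with the measurement; the right guess correlates best.  abs()
    because the polarity of the real leakage is not known in advance."""
    scores = []
    for guess in range(16):
        predicted = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        scores.append(abs(pearson(predicted, traces)))
    best = max(range(16), key=lambda g: scores[g])
    return best, scores


if __name__ == "__main__":
    KEY = 0xB                                  # constructed secret
    pts, trs = simulate_traces(KEY, 2000)
    best, scores = recover_key_nibble(pts, trs)
    for g, s in enumerate(scores):
        print("guess %x: %.3f%s" % (g, s, "  <-- best" if g == best else ""))
```

With a real card the trace has thousands of sample points and the correlation is computed at every point, keeping the maximum; the point where the correct guess peaks also tells you when the S-box output was handled. Some wrong guesses score noticeably above zero for a 4-bit S-box (its output bits are far from independent), which is why the attack ranks guesses rather than looking for a single non-zero correlation.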

Fault Injection

  • changing supply voltage (power glitches), clock frequency, temperature, light
  • goal: skip unwanted functions/control statements, e.g. the branch that rejects a wrong PIN
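What "skipping a control statement" buys the attacker, as an added example (not from the presentation): a fault simulator skips one instruction at a time in a PIN check running on a toy VM, once for a naive check and once for a hardened one. The instruction set and both programs are constructed for the example, not taken from any real firmware.

```python
# Added example (not from the presentation): single instruction-skip fault
# simulation against a PIN check, naive vs. hardened, on a toy VM.
from typing import Dict, List, Optional, Tuple

# Toy instruction set (assumed, not a real ISA):
#   ("cmp", a, b)   zero flag = (regs[a] == regs[b])
#   ("jne", target) jump if the last compare failed
#   ("jeq", target) jump if the last compare succeeded
#   ("set", r, v)   regs[r] = v
#   ("ret",)        stop
Instr = Tuple


def run(program: List[Instr], regs: Dict[str, int],
        skip_pc: Optional[int] = None) -> Dict[str, int]:
    """Execute the program; if skip_pc is given, the instruction at that
    address is fetched but not executed (the classic glitch fault model)."""
    pc, zf, steps = 0, False, 0
    while pc < len(program) and steps < 100:
        steps += 1
        op = program[pc]
        if pc == skip_pc:
            pc += 1                          # the glitch turned this into a NOP
            continue
        if op[0] == "cmp":
            zf = regs[op[1]] == regs[op[2]]
        elif op[0] == "jne":
            if not zf:
                pc = op[1]
                continue
        elif op[0] == "jeq":
            if zf:
                pc = op[1]
                continue
        elif op[0] == "set":
            regs[op[1]] = op[2]
        elif op[0] == "ret":
            break
        pc += 1
    return regs


NAIVE = [
    ("cmp", "entered", "pin"),    # 0
    ("jne", 4),                   # 1  wrong PIN -> jump over the grant
    ("set", "auth", 1),           # 2  grant
    ("ret",),                     # 3
    ("ret",),                     # 4  fail
]

# Hardened: default deny, the compare is done twice with complementary
# branches, and only the positive path can reach the grant.
HARDENED = [
    ("set", "auth", 0),           # 0  default deny
    ("cmp", "entered", "pin"),    # 1
    ("jne", 8),                   # 2  wrong -> fail
    ("cmp", "entered", "pin"),    # 3  redundant check
    ("jeq", 6),                   # 4  only an explicit match grants
    ("ret",),                     # 5  inconsistent results -> fail (glitch detected)
    ("set", "auth", 1),           # 6  grant
    ("ret",),                     # 7
    ("ret",),                     # 8  fail
]


def bypass_skips(program: List[Instr]) -> List[int]:
    """Addresses at which skipping one instruction lets a wrong PIN through."""
    hits = []
    for pc in range(len(program)):
        regs = run(program, {"entered": 1111, "pin": 4242, "auth": 0}, skip_pc=pc)
        if regs["auth"] == 1:
            hits.append(pc)
    return hits


if __name__ == "__main__":
    print("naive: exploitable skips at", bypass_skips(NAIVE))
    print("hardened: exploitable skips at", bypass_skips(HARDENED))
```

The hardened version resists any single skip, but not two well-placed ones (skip the `jne` at 2 and the `ret` at 5 and the grant at 6 is reached), which is why real implementations combine redundant checks with random delays, glitch detectors and retry counters.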