Summerschool Aachen 2004/Hardware Hacking Presentation

From C4 Wiki

Presentation Summary


  • Security by using obscure screws and non-public systems
  • Security by obscurity


  • LINK MIT Guide to Lock Picking
  • Key bittings can be memorized from a glance at the key
  • Master keys are possible because of additional "spacer pins" (master wafers) in the pin stacks
  • Lockpicking, types of tools
    • picks: spanner (tension wrench), snake (rake)
    • bypass: actuate the locking mechanism directly, avoiding the pins altogether
    • automated equipment (pick guns) using vibrating pins
    • magnetic fields, used against locks that hold their pins with magnets
  • High security locks: 15 pin positions (slits) in a row, 3 pins at a given position
  • Master keys may be "brute-forced" by raising single pins in turn, if you have a working change key for one lock
  • Tubular (circular) locks defeated with an empty pen casing

Tampering - opening things you shouldn't

  • LINK presentations by "Kingpin" (Joe Grand) of the L0pht
  • glue melts at a lower temperature than the casing, so heat opens glued enclosures
  • PAPER Chrysalis (Steven J. Murdoch)
  • logic analyzers (used to watch e.g. 16 wires at once)
  • hardware gets obfuscated on a regular basis
  • protection against tampering by adding plastic framing to chips, potting, etc.
  • JTAG interface to hardware devices, intended for "debugging"
    • identify the supported flash
    • re-flash it
  • PAPER Keeping Secrets in Hardware: the Microsoft Xbox Case Study (Andrew Huang)
  • PAPER Low Cost Attacks on Tamper Resistant Devices (Ross Anderson, Markus G. Kuhn)
  • PAPER Design Principles for Tamper-Resistant Smartcard Processors (Oliver Kömmerling, Markus G. Kuhn)
  • Chip layout rendered by 3D microscope imaging
  • test circuits protected by fuses, which are blown upon delivery


  • Electromagnetic emanations
  • Use tinfoil to protect your thoughts whenever possible
  • TEMPEST attacks against SVGA are not simple
  • PAPER Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations (Ross Anderson, Markus G. Kuhn)
  • Tempest for Eliza plays music on an AM radio by drawing patterns on a monitor
  • Optical TEMPEST: samples the brightness changes of the light a CRT scatters into the room; effective
  • watch LEDs to capture bits from data lines that are wired directly to the LED; does not work on Ethernet, whose LEDs show link/activity rather than the data

Side Channels

  • used on smart cards
  • Simple Power Analysis (SPA): read secret-dependent operations directly off a single trace
  • Timing Analysis: secret-dependent execution time
  • Differential Power Analysis (DPA): statistics over many traces, keyed on a predicted intermediate value
  • PAPER Power Analysis Tutorial (Manfred Aigner, Elisabeth Oswald)
  • PAPER Physical Side-Channel Attacks on Cryptographic Systems (N.P.Smart)
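Difference-of-means DPA against the first-round S-box lookup of AES, as an added example (not from the presentation or the cited tutorials). The "device" is a constructed Python model: each power sample is the Hamming weight of a byte on the bus plus Gaussian noise, and only one sample in the trace depends on the key. `TRACE_LEN`, `LEAK_INDEX`, the noise level, the trace count and the secret key byte are assumptions of the simulation; the S-box table is the standard AES one.

```python
"""Differential power analysis (Kocher-style difference of means) against a
simulated AES S-box lookup.  Constructed example: the 'device' is a model
whose power samples are Hamming weights of bus values plus Gaussian noise."""
import random

# Standard AES S-box, one row of 16 bytes per line.
SBOX = list(bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
))

TRACE_LEN = 6      # samples per trace (assumed acquisition window)
LEAK_INDEX = 3     # sample at which the S-box output sits on the bus (assumed)


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def capture_traces(secret_key: int, n_traces: int, noise_sigma: float, seed: int = 1):
    """Simulate acquiring power traces while the device computes SBOX[p ^ key].

    Every sample is the Hamming weight of some byte plus noise; only the
    sample at LEAK_INDEX depends on the key.  Returns (plaintexts, traces)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        # Unrelated bus activity at the other sample points.
        trace = [hamming_weight(rng.randrange(256)) + rng.gauss(0.0, noise_sigma)
                 for _ in range(TRACE_LEN)]
        trace[LEAK_INDEX] = hamming_weight(SBOX[p ^ secret_key]) + rng.gauss(0.0, noise_sigma)
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def dpa_recover_key_byte(plaintexts, traces, target_bit: int = 0):
    """Classic DPA: for each of the 256 key guesses, predict one bit of the
    S-box output, split the traces on that bit and take the difference of the
    two group means at every sample.  The right guess yields a peak at
    LEAK_INDEX (about 1.0 in the Hamming-weight model); wrong guesses
    partition the traces almost at random.

    Returns (best_guess, {guess: peak height of its differential trace})."""
    peaks = {}
    for guess in range(256):
        sums = {0: [0.0] * TRACE_LEN, 1: [0.0] * TRACE_LEN}
        counts = {0: 0, 1: 0}
        for p, trace in zip(plaintexts, traces):
            bit = (SBOX[p ^ guess] >> target_bit) & 1
            counts[bit] += 1
            acc = sums[bit]
            for i, sample in enumerate(trace):
                acc[i] += sample
        if counts[0] == 0 or counts[1] == 0:
            continue   # degenerate partition; this guess cannot be scored
        diff = [abs(a / counts[1] - b / counts[0]) for a, b in zip(sums[1], sums[0])]
        peaks[guess] = max(diff)
    best_guess = max(peaks, key=peaks.get)
    return best_guess, peaks


if __name__ == "__main__":
    SECRET_KEY = 0x2B   # assumed secret of the simulated device
    pts, trs = capture_traces(SECRET_KEY, n_traces=2000, noise_sigma=1.0)
    guess, peaks = dpa_recover_key_byte(pts, trs)
    runner_up = max(v for k, v in peaks.items() if k != guess)
    print(f"recovered 0x{guess:02x} (true 0x{SECRET_KEY:02x}); "
          f"peak {peaks[guess]:.2f} vs runner-up {runner_up:.2f}")
```

The partition on a single predicted bit is what makes this DPA rather than SPA: no individual trace reveals anything, but averaging a few thousand of them cancels both the noise and the unrelated bus activity, leaving a spike only where, and only for the key guess for which, the prediction matches the device. On a real target the leaking sample index is unknown, which is why the differential trace is computed over every sample and its maximum taken.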

Fault Injection

  • inducing faults by changing supply voltage, clock frequency, temperature or light (glitching)
  • goal: skip unwanted functions/control statements, e.g. the branch that rejects a wrong PIN
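An instruction-skip fault model applied to a PIN check, as an added example (not from the talk): a tiny interpreter for a straight-line program with conditional jumps, a `skip` parameter modelling a glitch that makes exactly one instruction not execute, and two PIN-check programs, the common early-exit pattern and a hardened one with two independent comparison flags and fail-closed fall-through. The opcodes, the magic flag constants, the fall-off-the-end behaviour and the PIN values are all constructed for the example.

```python
"""Simulating an instruction-skip fault (e.g. from a voltage or clock glitch)
against two PIN-verification routines.  Constructed example: the 'CPU' is a
tiny interpreter and a fault is modelled as one instruction not executing."""

ACCEPT, REJECT = "ACCEPT", "REJECT"
OK_MAGIC, BAD_MAGIC = 0xA5, 0x5A   # assumed flag values; neither is 0, the reset value

# Instruction set of the model (assumed):
#   ("cmp",  a, b, dst)      dst = OK_MAGIC if regs[a] == regs[b] else BAD_MAGIC
#   ("jne",  a, b, label)    jump to label if regs[a] != regs[b]
#   ("jnei", a, imm, label)  jump to label if regs[a] != imm
#   ("ret",  value)          return value
#   ("label", name)          jump target; executes as a no-op


def run(program, regs, skip=None):
    """Execute `program` starting from registers `regs` (missing ones read 0).
    If `skip` is an instruction index, that instruction is fetched but not
    executed: the single-fault model.  Running off the end returns REJECT;
    this is an assumption of the model, real hardware may do anything."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    regs = dict(regs)
    pc = 0
    while pc < len(program):
        idx, ins = pc, program[pc]
        pc += 1
        if idx == skip:
            continue
        op = ins[0]
        if op == "cmp":
            _, a, b, dst = ins
            regs[dst] = OK_MAGIC if regs.get(a, 0) == regs.get(b, 0) else BAD_MAGIC
        elif op == "jne":
            _, a, b, label = ins
            if regs.get(a, 0) != regs.get(b, 0):
                pc = labels[label]
        elif op == "jnei":
            _, a, imm, label = ins
            if regs.get(a, 0) != imm:
                pc = labels[label]
        elif op == "ret":
            return ins[1]
        elif op != "label":
            raise ValueError(f"unknown opcode {op!r}")
    return REJECT


# Common early-exit pattern: one comparison, one branch, accept on fall-through.
NAIVE_CHECK = [
    ("cmp", "pin", "stored", "f"),
    ("jnei", "f", OK_MAGIC, "reject"),   # everything hinges on this one branch
    ("ret", ACCEPT),
    ("label", "reject"),
    ("ret", REJECT),
]

# Hardened: two independent flags, each checked against the magic value,
# flags cross-checked, and the accept path placed so that skipping past it
# lands in the reject path rather than the other way round.
HARDENED_CHECK = [
    ("cmp", "pin", "stored", "f1"),
    ("cmp", "pin", "stored", "f2"),
    ("jnei", "f1", OK_MAGIC, "reject"),
    ("jnei", "f2", OK_MAGIC, "reject"),
    ("jne", "f1", "f2", "reject"),        # catches a corrupted flag as well
    ("ret", ACCEPT),
    ("label", "reject"),
    ("ret", REJECT),
]


def accepting_skips(program, pin, stored):
    """Exhaustive single-fault search: indices of instructions whose skipping
    makes the routine ACCEPT `pin` even though it differs from `stored`."""
    return [i for i in range(len(program))
            if run(program, {"pin": pin, "stored": stored}, skip=i) == ACCEPT]


if __name__ == "__main__":
    for name, prog in (("naive", NAIVE_CHECK), ("hardened", HARDENED_CHECK)):
        print(f"{name:8s} wrong PIN accepted when skipping instruction(s):",
              accepting_skips(prog, pin=0, stored=1234))
```

Skipping the lone branch of the naive routine accepts any PIN, which is exactly the "skip the control statement" outcome listed above. The hardened routine survives every single skip because no one instruction is both necessary and sufficient for acceptance, and because its failure mode under a fault is a false reject, not a false accept; a second fault in the same run is outside this model, which is why real designs add random delays and hardware glitch sensors on top of such redundancy.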

Notes from Presentations


For those interested in TEMPEST attacks and defences, including both radio and optical based techniques, Markus Kuhn's PhD thesis covers this area well, but is long. If you don't want to read all of it, there are shorter papers on Optical TEMPEST and Radio TEMPEST on LCD screens (which also mentions the anti-TEMPEST fonts). There is also an FAQ on Optical TEMPEST.

-- Steven Murdoch


If you are interested in lock picking the MIT Guide to Lock Picking is a good start.

One of my friends works in Belmarsh high security prison. They apparently use keys which have a magnetic combination, since there was a problem where inmates would look at the shape of the original key held by a prison officer and make replacement keys by hand.

-- Steven Murdoch


At Cambridge, the TAMPER Lab does most of the work investigating hardware security. In particular Sergei Skorobogatov's website is worth looking at.

-- Steven Murdoch