Introduction
Hardware attacks are a class of exploits that rely on the way that processors act in the real world. They rely on certain non-idealities in how actual hardware operates and can be leveraged to either extract information or perform functions that would be impossible to do from a purely software approach.
Successfully exploiting the hardware can lead to a variety of consequences, from leaking encryption keys that otherwise would be impossible to obtain, to changing the control flow of a program, without ever altering the instructions in memory. This also means that they can be difficult to defend against or even detect from the software side. Because of this, effective defences almost always rely on hardware, and thus are not commonly found outside of high security applications due to the cost of implementing them.
There are two main families of such attacks. The first is passive attacks, where the attacker monitors the hardware whilst it is performing operations of interest, and then using the captured data to deduce internal states of applications and thus potentially extracting secret values such as encryption keys. The most common attack of this kind is power analysis, which is generally very difficult to detect, and relies on custom hardware and statistical analysis, something which is not feasible for many applications.
The second is active attacks, where an attacker directly alters the state of the hardware, in the hope that unintentional behavior occurs. This is the category to which glitching attacks belong in. These attacks generally involve injecting unexpected interference into a circuit, in the hopes that it behaves in an unintended way that is favorable to attackers. This can involve such things as skipping instructions meant to enable or disable functions on a chip. They can be easier to detect, but also generally require hardware to effectively defend against.
These techniques have been used to attack real-world products. The Wii console’s cryptographic keys were famously recovered using the “tweezer attack”. This was a crowbar glitching attack on the memory bus, which exposed sections of the memory that were not intended to be read. Apple airtags were also jailbroken using a fault injection attack. By glitching the micro-controller at the correct moment, it was possible to re-enable a debugging interface, allowing the firmware of the tag to be dumped. Starlink dishes were also defeated in such a manner. By using a voltage glitching attack, it was possible to gain arbitrary code execution on the dishes. Finally, During the Raspberry Pi RP2350 hacking challenge, laser fault injection was used to bypass the security features of the microcontroller, extracting secrets from its OTP store.
This white paper will go over various different hardware attack techniques, as well as some mitigations. It will be covering external hardware attacks only, i.e. ones where an attacker has to be physically present to exploit them. Attacks that rely on non-ideality of hardware, but exploit them purely from software, such as rowhammer which uses electromagnetic interference to flip adjacent RAM bits by repeatedly writing values to RAM, will not be covered.
Passive Attacks
Passive attacks involve the attacker monitoring the device, looking for leakage of useful information. They are generally harder to detect, as they do not necessarily directly affect the hardware
Power Analysis
Power analysis attacks involve monitoring the power usage of a device and using the variations in that usage to extract information from the chip. This is most commonly done by the insertion of a shunt resistor on the supply line of the chip that is being exploited, and using it to monitor the current being fed into the chip at any given time. Using a rearrangement of Ohm’s law, it is possible to obtain the current by measuring the voltage drop across the resistor. It is also useful to remove smoothing capacitors, as those can distort the readings.
Simple Power Analysis
In Simple power analysis, generally a single power trace is analysed. One of the most common algorithms to fall prey to this technique is RSA. Central to its operation is modulo-exponentiation. When signing a message, for example, we perform the following:
where m is the plain text, d is the private exponent, and n is the modulus.
A popular algorithm for implementing modulo-exponentiation is the square, square-multiply operation. The code for such an algorithm could look like this:
Assuming the two branches take the same amount of time, it is likely that the double multiplication is going to take more power than the single one. Thus, we may get the following power trace (simplified for illustration purposes):
From this, we can easily read off the bits of the exponent: 0110100. In the case of a signature, this exponent would be d, the only private component of the private key. Thus, if we attack a chip performing digital signatures, such as some consoles do on save files to prevent their modification, we could trivially extract the private key, thus defeating the signature mechanism entirely.
Differential Power Analysis
Differential power analysis is a more advanced form of power analysis. Instead of looking at a single trace, you collect large amounts of power traces from a device performing cryptographic operations, and then use correlation attacks to extract a secret from a device. This relies on a simple assumption: that power consumed in a chip correlates to the number of ones on the data bus of a processor. To reduce the worst-case voltage swing, micro-controllers often pre-charge the bus lines to a voltage halfway between the high and low state. This results in a voltage trace that could look like so:
This means that we should observe an increase in the amount of power consumed by the chip the more lines that become positive. This can be used to recover secret keys from inside the micro-controller, given sufficient samples.
As an example, take the following cryptographic operation:
Figure 3: Xor-Sbox structure
The input is XORed with an unknown key byte, then put through a known lookup table. The lookup table (S-box) is, in cryptographic structures, an extremely non-linear operation, which eliminates the difficulty of telling apart adjacent XOR values, as the set bits will vary seemingly randomly.
If we collect the power usages for many operations, we may get something like this:
By performing correlational analysis on a large sample of power traces, the key byte can be deduced, as an incorrect guess will mean that the traces do not line up correctly with the expected Hamming weight of the bus value (the number of high bits).
The cryptographic structure described in Figure 3 is used as part of the AES cipher’s first decryption round:
Figure 4: AES decryption diagram
The diagram above illustrates the AddRoundKey, ShiftRows, and SubBytes steps of an AES decryption round. AddRoundKey is the xor, SubBytes the lookup table, and ShiftRows is irrelevant for the purposes, as one XORed byte still maps to a single S-box operation.
Using the technique described, it is possible to extract keys from a micro-controller performing AES decryption, Since the first round key of AES-128 is the input key. The attack can be performed on AES-256, but is more complex due to the inclusion of a MixColumns step. The attack works best when we can force the device to perform many cryptographic operations, as this allows for faster collection of sufficient data to derive the key.
To give a practical example, imagine a micro-controller that can patch its firmware using an encrypted update file. When the upgrade is initiated, the micro-controller will perform a decryption operation on the update data. If it is forced to do this many times, it is possible to extract the AES key, allowing for the decryption of the firmware, thus allowing for its analysis, as well as potentially allowing for the creation of malicious update packages.
Timing Attacks
Timing attacks exploit the fact that different operations may take a CPU different amounts of time to perform, thus leaking information on what operations are happening as well as their order.
Looking at RSA again, another implementation of the square-multiply algorithm may look like this:
The power trace of this code may look like this:
Assuming that the square operation takes less time than the multiply, we can group the peaks into square and square+multiply chunks. From this, it is clear that the bits of the key were 011001. This is another technique to analyse power traces that can leak information such as private keys.
Electromagnetic Attacks
Electromagnetic attacks are a subcategory of power analysis. Instead of making invasive modifications to the board, such as inserting shunt resistors, an EM probe is placed over the chip of interest. As the chip uses more or less power, the magnetic field emitted from it due to current flow will increase or decrease proportionally.
This technique has some advantages. First, it is non-invasive, meaning that no modifications to the target device are necessary. Second, it is easier to target a specific chip. This is possible by placing the EM probe directly over the chip in question, thus getting a readout of that specific chip’s power consumption. Finally, it is more practical to do on systems where modifying the circuitry is very difficult, such as smart cards. The main disadvantage of this technique is that it requires more specialised hardware to implement.
Acoustic Attacks
Whilst they are an outdated technology, dot matrix printers are still used in some applications where their specific qualities are useful. Specifically, their ability to feed using continuous stationery is desirable in tasks that involve logging activity.
It is possible to, in favorable conditions, recover over half of what is printed using such a printer, simply by analysing the sound made by the print head as it is printing out text. The way the technique works is by first dividing the recording into chunks, processing the signal into a set of key features, and then using a database to find candidate words for the given sound. After that, linguistic models are used to refine the guesses, and the text of the print is re-constructed. Experiments were able to achieve a recovery rate of 62.9% over all used texts. If sensitive data were to be printed using such a printer, an acoustic attack would pose a credible threat to the confidentiality of the data. What makes this attack particularly difficult to notice is that the analysis does not need to be done in real time. The attacker can record the sounds and then take the recordings back to their workspace. They can then work on them without threat of discovery.
Active Attacks
Active attacks involve deliberately and precisely degrading the environment in which a device is running in, to cause useful malfunctions in the chip that the attacker can leverage to their advantage. They are generally easier to detect, as they deliberately cause faults in the chip, but some techniques are nevertheless quite hard to identify in real time.
Power Glitching
Power glitching is a technique where the power supply to a chip is abruptly and precisely interrupted. This can cause the processor to behave unpredictably. This is because transistors only behave digitally in specific operating regions. Outside these regions, the transistors behave as analogue devices. This can in turn cause incorrect behaviour in logic circuits, which leads to unintended behaviour
Imagine the following code fragment:
This code checks a one-time programmable e-fuse and uses that to enable or disable debug. From the software side, this check would be almost impossible to circumvent. When compiled, it may look like this:
Using a power glitching attack, however, it may be possible to cause the processor to advance the program counter whilst not executing an instruction, thus causing said instruction to be skipped.
The assembly would then look like so:
By skipping the conditional jump, the debug interfaces were enabled, even though the fuse setting should have disabled them. By exploiting such techniques, we can get access to information or functionality that would be out of reach to a software attack.
There are many techniques for power glitching, but this paper will cover two prominently seen.
Voltage Glitching
Voltage glitching works by inserting a fast switching device, usually a MOSFET, between the chip of interest and its power line:
Figure 5: Voltage glitch setup
By switching off the MOSFET at a precise moment and for a specific time interval, it is possible to interrupt the power to the chip in such a way that causes a favorable glitch, like the one described above. When using this technique, it is important to remove any capacitors from the power lines, as such devices can dampen and otherwise distort the glitch, potentially causing the attack to fail. The advantage of this technique is that it is unlikely to damage something in the event of a misconfigured glitch.
Crowbar Glitching
Crowbar glitching is a modification of the voltage glitching technique. Instead of inserting the switching device between the chip and VCC, you insert it across VCC and ground:
This means that when the glitch occurs, the MOSFET shorts the power and ground rails, causing a rapid drop in supply voltage, thus potentially causing a useful glitch. This technique gives much greater control over the glitch timing, and using some more advanced hardware it is even possible to set an arbitrary voltage curve as the glitch profile, which may help achieve the precise behavior desired. The downside of this technique is that if done incorrectly, it can cause permanent damage to the device and its power supply. The best case of such a glitch going wrong is that the power supply would trip out on an over-current event. In the worst case, components of the device and supply would suffer thermal damage due to the excessive current. Another example of this would be shorting out address lines on a memory bus, causing the wrong chunks of memory to be accessed, potentially leaking application secrets.
Clock Skew Attacks
In a clock skew attack, instead of disrupting the power rail of a chip, noise and unexpected behaviour is injected on the clock input of the chip. These attacks tend to be more difficult to detect, and can still achieve glitching behaviour due to, for example, setup time violations. Due to the non-ideality of transistors, latches and gates have a setup period in which a signal must remain steady to guarantee deterministic behaviour. By providing unexpected clock edges, setup violations can occur, leading to gates and latched producing un-expected output.
Laser Fault Injection
Laser fault injection exploits the fact that all silicon circuits are subject to photovoltaic effects. By shining intense laser light at transistors on a die, electrons within the transistors are excited into the conductance band by the photons. This causes transistors to become conductive when they should not, allowing the attacker to cause precise bugs to occur. The advantage of this technique is precision, as an attacker can target specific transistors, and the detectability of the attack. Since the glitches do not rely on injecting noise onto the clock or power rails, many common detection techniques will fail to register a laser glitching attack. The downside is that it requires exposing the silicon die by de-capping the chip, which is difficult and may damage it, as well as the cost and safety concerns about the lasers required to perform the attack.
Real Life Examples
https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf | starlink dishes routed by voltage glitching attack
https://www.sophos.com/es-es/blog/apple-airtag-jailbroken-already-hacked-in-rickroll-attack | apple airtags jailbroken using voltage glitching
https://wiibrew.org/wiki/Tweezer_Attack | Wii cryptographic keys extracted using a crowbar glitching attack on the RAM address bus
https://courk.cc/rp2350-challenge-laser | RP2350 secret storage exposed using laser fault injection, bypassing the micro-controller’s glitch detector
Sources
https://tches.iacr.org/index.php/TCHES/article/download/7390/6562/2561
https://www.usenix.org/legacy/events/sec10/tech/full_papers/Backes.pdf
https://www.keysight.com/blogs/en/tech/nwvs/2024/07/02/clock-glitching-in-device-security-analysis
https://www.youtube.com/watch?v=OlX-p4AGhWs