Author Topic: Micro controller security  (Read 518 times)


Offline IconicPCB

  • Super Contributor
  • ***
  • Posts: 1372
  • Country: au
Micro controller security
« on: July 16, 2019, 11:47:00 pm »
How does the protection fuse / bit work on modern microcontrollers, and is there a way of defeating them other than shaving the top off the package and directly inspecting the dice?
 

Online blueskull

  • Supporter
  • ****
  • Posts: 14005
  • Country: cn
  • Power Electronics Guy
Re: Micro controller security
« Reply #1 on: July 17, 2019, 12:04:55 am »
Yes. Not reliable, but sometimes power supply analysis (DPA) can reveal execution state, which can be used to guess passwords of bootloader key.
Some chips (early ones) can have some bits reset by giving them a surge voltage, which can be used to temporarily reset the bootloader fuse.
Besides power, there are other side channels to attack, such as EMI. One of our three lab locations on campus is shared with a group doing side channel attack research.
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 2190
  • Country: us
Re: Micro controller security
« Reply #2 on: July 17, 2019, 12:28:29 am »
Also if your code has a bug the user might be able to exploit that to dump some or all of the protected memory.

What are you trying to protect (or attack, depending on which side of the lock bit you are on)? Encryption keys are extremely vulnerable to DPA. If you actually need secure key storage you should be using a dedicated security processor that has mitigations against DPA and other side channel attacks.
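
The firmware-bug case raised in the reply above (code that ends up dumping memory the lock bit was meant to protect) often comes down to a missing range check in a read command. The following is an added example, not part of the original post; the memory map is constructed and the handler names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory map (hypothetical): 16 readable bytes followed by
   16 bytes the lock bit is supposed to keep private. */
#define PUBLIC_SIZE 16u
static const uint8_t flash[2 * PUBLIC_SIZE] =
    "PUBLIC-DEVINFO.." "SECRET-KEY-BYTE";
typedef int (*read_fn)(uint32_t off, uint32_t len, uint8_t *out, size_t cap);

/* Buggy handler: only the start offset is validated, so a request that
   begins in the public region can run on into the protected bytes. */
int read_cmd_vulnerable(uint32_t off, uint32_t len, uint8_t *out, size_t cap)
{
    if (off >= PUBLIC_SIZE || len > cap)
        return -1;
    memcpy(out, &flash[off], len);
    return (int)len;
}

/* Fixed handler: the whole range must stay inside the public region. The
   subtraction form cannot wrap, unlike off + len > PUBLIC_SIZE. */
int read_cmd_hardened(uint32_t off, uint32_t len, uint8_t *out, size_t cap)
{
    if (off >= PUBLIC_SIZE || len > PUBLIC_SIZE - off || len > cap)
        return -1;
    memcpy(out, &flash[off], len);
    return (int)len;
}

/* Returns 1 if the handler handed back any byte of the protected region. */
int leaks_secret(read_fn fn, uint32_t off, uint32_t len)
{
    uint8_t buf[sizeof flash] = {0};
    int n = fn(off, len, buf, sizeof buf);
    if (n <= 0 || off + (uint32_t)n <= PUBLIC_SIZE)
        return 0;
    return memcmp(buf + (PUBLIC_SIZE - off), flash + PUBLIC_SIZE,
                  off + (uint32_t)n - PUBLIC_SIZE) == 0;
}

int main(void)
{
    printf("vulnerable leaks: %d\n", leaks_secret(read_cmd_vulnerable, 8, 24));
    printf("hardened leaks:   %d\n", leaks_secret(read_cmd_hardened, 8, 24));
    return 0;
}
```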
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 6698
  • Country: us
    • Personal site
Re: Micro controller security
« Reply #3 on: July 17, 2019, 02:09:32 am »
Inspection will not do you any good. Typically the security fuse is covered under a metal layer. But depending on the device, other attacks are possible.
Alex
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 6526
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Micro controller security
« Reply #4 on: July 17, 2019, 02:54:37 am »
Quote from: ejeffrey on July 17, 2019, 12:28:29 am
Also if your code has a bug the user might be able to exploit that to dump some or all of the protected memory.

Or glitch out the CPU with a voltage dip to get it to say more than it should.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline woofy

  • Contributor
  • Posts: 14
  • Country: gb
Re: Micro controller security
« Reply #5 on: July 17, 2019, 08:50:54 am »

Given enough effort, possibly nothing is secure. Take a look at the work of Dr Sergei Skorobogatov at Cambridge University.
https://www.cl.cam.ac.uk/~sps32/

 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 4640
  • Country: au
  • Question Everything... Except This Statement
Re: Micro controller security
« Reply #6 on: July 17, 2019, 09:08:17 am »
Most security is just about making things awkward enough that most people give up at a glance; if someone really wants to break into it, it's only a matter of time and resources.

For a starting point, have a look at the Chinese websites offering you to post in a chip and they will return the firmware; avoid those models.

E.g. ATM terminals have multiple security systems all made to throw away the key at a moment's notice, but people just collected enough of them to bypass all these security features.
Things I'm aware they had to bypass:
  • multiple case open detection switches
  • multiple light sensors on the PCB; when the case was opened in light, it drops the key
  • secure area had a wiring security mesh covering the key store; if a trace was broken or shorted it would drop the key

and many others

These all just take time, e.g. a Dremel tool, some reverse engineering and a color of light that the sensor is not able to respond to.

Most microcontrollers are beaten and dumped by power glitch techniques, and a number of others are simply beaten by out-of-order programming methods, where you don't erase the flash, but write a tiny boot loader to dump the rest of the memory to the first block, reverse what you have jumped, find a call you could use and then on a second device write that block to dump the start of the code.

If you use the fuses to disable serial programming, most of the time high voltage parallel programming can get around it with similar methods to above.

Only after all of this easy stuff is ruled out would the microcontroller die attacks possibly begin, and they are way more capable than you could imagine, able to selectively remove or add insulators and conductors bit by bit to carve holes through all types of security features in microchips. These people cost real money, but there is almost nothing you can hide from them short of burying the secure areas under so much critical hardware that they run out of routing space.

There are even things like cold boot attacks: your volatile memory is temperature dependent, and what is stored in RAM doesn't get erased if the chip is cooled to -20C. Same for NVRAM and others; the data can remain there for literally hours, so most of the kill-power-to-erase-keys methods can be defeated by a night in a lab fridge.
 

