Now I would like to introduce you to our two speakers and to a very interesting talk about hardware attacks: hacking chips on the very cheap. You know, we all are hackers and we all like to think of it things, and when things get tinier, then it's harder and it gets more and more expensive. Hacking chips without taking them apart and destroying them, up until now that cost a lot of money, even when it came below the 1,000 euro mark. Those people made it even cheaper. They want to give you some advice and some help to do it for maybe 30 euros. Please give a very warm welcome to Ramiro and Rafa.

Hi, thank you for coming. Thank you very much.

The next talk is about hardware hacking, but not this kind of hardware hacking, and obviously not like this one. It's more about this: hardware hacking, hacking chips. We have a microcontroller or microprocessor with some security features, like keys, secret keys, secret passwords or, yeah, something to hide. So we want to talk about how to extract these secrets, how to extract the keys, the secret keys, the secret passwords, or how to bypass them, how to affect the behavior of the chip so we just disable these security features.

So, who we are. This is my friend Rafa. Say hello. Hi. And he's awesome. Hey. And I am Ramiro, and of course also awesome. And we both work in a company as security analysts, breaking into chips, the security of chips. That's our job. But we do this with very expensive tools. Of course it's awesome. We have very expensive tools. We even have lasers for breaking chips. Of course, that's very expensive. It's not something that you can afford. So this talk is not about how we break chips as professionals. This is more about how you can try to break chips. Well, they said are double awesome by the way.
Oh, this is low. Yeah, so this is how to do these kind of things cheap. So if you try to break a chip using professional tools, you probably have to spend more than 5,000 euros, probably much more. If you try to do it cheap, you can buy something like ChipWhisperer, maybe you can buy scopes, you can buy some second-hand equipment, but still it's like 1,000 euros. But we will try to show you how it's still possible to do it almost for free. So, more or less the price of five beers, and if you don't drink alcohol, five Mates.

So by the way, this talk is hacking hardware on the cheap. And this is awesome. The talk was prepared for one hour, but we have to squeeze it in 30 minutes. We are not going to talk about very technical details, so if you are interested in the technical details, please come later to the Spanish village and look for us. So we are going to be as fast as possible on this.

First of all, a disclaimer. What we are going to show is two demos. We could choose a lot of demos about how to hack things on the cheap, and, well, we could choose a lot of chips to break, but we decided to go for these two just because they are very available, they are cheap, they are viable. So you probably can try to do this at home. But the things that we are going to do here will probably also work with different manufacturers, like Microchip or NXP or whatever. So please, after this talk, I don't want you to think that Atmel or ST are vulnerable. It is something that is general in all these microcontrollers and microprocessors, because these are general-purpose microcontrollers and those are insecure. Manufacturers have a secure version of processors, and those are harder or impossible to break with these techniques, but regular processors are easy to hack this way.

So let's start with the first demo. We are going to try to break a challenge-response scheme. This is, for example, used in your car when you try to start your car, the engine of the car.
You have the key fob. The key fob has an RFID chip that has some kind of, well, this challenge-response scheme. The car generates a random number, and this random number is called the challenge and is sent to the RFID chip in the key or the key fob. This key takes the random number, the challenge, and encrypts it with a secret key, and not a key that they know, and then the response, so the different test is what we call the response, is sent back to the car. And the car is doing the same thing at the same time: it's just using the random number, the challenge, encrypting with the same key, and this way it gets a reference. And then it compares the reference, the number the car generated, and the number that it caused from the chip, sorry, from the key fob. If the number is the same, that means that both devices are using the same key, so the car will start, the engine will start.

So how to break into this scheme? We can try to retrieve the key. Normally this is done using side-channel attacks, but we are not going to talk about this today. The other way to break this challenge-response system is trying to break the comparison, the moment that the processor or the car compares the reference that it generated with the response it caused from the key fob. So what we are going to try is to modify the behavior of the chip, affect how the chip works, so in the moment it is going to compare these two numbers it will fail, and then, if we are lucky, we will make the car believe that the number is correct, the key is correct, and then start the engine. This is called fault injection, by the way.

We are going to do the demo with Arduino, just because you can try this at home. You probably have one of these at home. What we are going to use is voltage glitching. It is a technique to modify the voltage that is powering the Arduino. So we modify the voltage in the moment we want, in the moment that this comparison is being done. So this comparison will fail, and if we are
lucky, the Arduino will think that the number is correct.

But to explain how the voltage glitch is working, let's make a, yeah, kind of comparison. Imagine, in four years, the CCC camp. The organization decides to put the CCC camp close to the Club-Mate factory, so they create some artificial rivers to make the Mate flow from the factory to the different tents. So everybody's happy, the party is running all night. Then an able hacker gets into the SCADA system in the factory, hacks the factory, and then the Mate stops flowing through the river. What is going on is that, without the river of Mate, the tents of the villages start to use their own supply of Mate in bottles to continue the party. So they continue drinking their bottles, drink, drink, and at some point one of the villages will run out of Mate, of Club-Mate. And when you don't have caffeine, what happens to hackers? They go to sleep. So the party in the rest of the tents continues, but one of the villages, because it has no more caffeine, no more Club-Mate, is not working anymore. In the moment that the factory starts to produce Mate and starts to deliver Mate, or the river of Mate starts to flow, the tents continue with the party, and the tent that was sleeping just wakes up and continues partying.

So something similar is what happens when we do voltage glitching. Let's just substitute the CCC camp with a microprocessor, and the villages or the tents are the different parts of the microprocessor, like the arithmetic logic unit or the registers, the fetch and decode module or whatever. The factory is the power supply that is powering this microcontroller or microprocessor, and the river of Mate is just the internal power lines in the chip. The bottles of Mate are the internal capacitors of the chip. Because of the way that chips are made, they have internal capacitors, so they can store some amount of energy. So if you
remove the power supply from the chip, some of these modules will still work, but some of them, if you remove the power supply, will fail, and they will fail while the rest of the modules are working.

So this is how a power glitch works. We try to remove the power for a very short period of time, just remove it very, very fast. So one of these blocks will fail because it does not have enough internal capacitance. It will fail, the rest will not, and in the moment that the power supply is back, this module that was faulty will continue to work normally. So if we are lucky and we do this in the precise moment that we are looking for, we can do things like skipping instructions. We can just prevent an instruction from working, or we can just modify the instruction that the processor is running and convert it into a different one. So that's a voltage glitch.

So we made a special device, or, well, a very simple device to do this kind of attack. We call it cheapo glitcher, and it's as simple as this. This is just the target, the Arduino that we are going to attack. The LPCXpresso is a development board for the NXP LPC microcontroller. We only have to use three resistors, one transistor and nothing else. This is the board we are going to use. You can use any other board. The thing is that you need to create a very fast pulse that is going to close the transistor for a very short period of time. I used this board, but you can use any other board you have. You probably have one of these, yeah, microcontroller boards.
You can probably use this one, one of those. The cost of all this is, yeah, probably 20 euros or even less. At the end we have something like this. We will show you how it works.

This is the result of this device. When I run this device, I get this kind of shape in the power line. So the power line is stable, and in the moment I want I can just make a small dip in the power. If I make a very big dip, what is going to happen is that all the modules in the chip are going to fail, so the chip is going to restart, it's going to reset. And I am interested in making only some of the modules fail, not all of those. So I cannot make a very deep hole in the power supply, a very big, deep glitch.

So let's make the demo. Yeah, because we don't have too much time, I will just run it. If you are interested, just come later and I will explain all the technical details. Can you put back the screen? Yeah, the screen.

Yeah, this is the firmware that I am running in the LPC board. It's just very simple firmware where I can just tell when I want to make the glitch and how long I want to make the glitch. And the Arduino is running a software that is generating the number and sending the number. The number is sent as the challenge, the random number, and then you have to encrypt this number with a private key and send it back to the Arduino. And if the number is encrypted correctly, you will get an OK. If you don't encrypt the number correctly, because you don't have the key, you will get an error message. So I will just run this. Sorry.

Okay, so the software is asking me how long I want the glitches and when I want them. So I just put the default parameters. These parameters I know they work. You have to tune these parameters, try these parameters. When to glitch: normally it is in the moment that you send the response, maybe some microseconds after it sends the response. And the width of the glitch, you have to try
until you get a core value. And then I start to send the glitches. I try a glitch, the board is getting the response from the Arduino, and if... Yeah.

So here you can see, it starts to glitch. It's getting a challenge. Oh, here. It is getting a challenge, the board is sending just any response, and in the moment it sends the response, it does the glitch. So if I read the response of the Arduino, if I get an error, that means that I didn't glitch correctly. So I restart the board. I try again. I try again. At some point I will get an OK. That means that the glitch was successful. So I just bypassed this comparison with a challenge and response. And it's not always working. It's just a matter of luck. So with this setup and this Arduino, you normally get maybe a 50% chance, or maybe a 30% chance, of breaking it.

Okay, so Rafa is now going to talk about a different kind of attack.

Okay, so, can you hear me? I guess. Oh, yep. Okay. Can you switch the computers?

So, let me explain how to glitch devices, like for example a key fob, just checking this comparison and then glitch it. I'm going to explain a different kind of attack. For example, I'm going to attack in this case crypto. I will choose RSA. Why RSA? Because it's used everywhere: digital signatures for banking, smart cards, for PGP when you encrypt your email, for SSH logins. We have password for a lot of things.

So if we compare RSA implementations, you will see that RSA is very elegant. It's a really nice design. But it has a problem, which is that it's quite slow. So in most implementations they have optimizations, and one of the most popular ones is called RSA-CRT. CRT stands for Chinese Remainder Theorem, and it is a special technique to compute RSA which is something like four times faster. As you can see, it's quite different because, well, this image with the penguins: it's faster, but it does all kind of dangerous. Okay. It's not nice to have a pink guitar rocket.

So this is the attack I'm going to do.
It's called differential fault analysis on RSA-CRT, also called the Bellcore attack or the microwave attack. Here you can see the maths, but okay, I hate math.

So how does this work? Okay, I don't want to go into the full detail of the maths. It's only three steps. It's a very stupid attack, but you will see how it works. So we have to obtain a faulty signature. We're going to send a message, and this device will sign it with the secret key, which I don't know. And the nice thing is that we only need one faulty signature. If I get lucky once, I win. Then I need to obtain the normal signature. It has a star because this step is typically optional if you have the message. And how it works: I have to compute the greatest common divisor of this RSA public key modulus, which I have, and the difference of this faulty and the normal message. Okay, I just subtract them and I compute the gcd between the public key and this thing. It's very nice because the result of this attack is the secret key. So with only one fault, you win. Just a mention that this step, the normal signature, is not even needed if you have the message.

So in here, how do we inject the fault? Maybe you have heard about this story about the Raspberry Pi 2, that it crashed when you take a picture. Okay, so the thing is how silicon behaves against light. For me, it reminds me of the gremlins. Okay, so let's put a short video to remind you how gremlins react to this thing. So when you take a picture of a gremlin, what it does is something like... Okay, so they die.
So what we're going to do to the chip is something very similar to this.

Okay, so optical fault injection in 30 seconds, because I don't have more time. So silicon, the semiconductor that is used for making the chips, absorbs light. And what happens when it absorbs light is that the transistors inside the chip start conducting, you change the status, so basically you create a fault. And the interesting part here is that we need to open the chip. Okay, so here you have a website in which Ramiro made, in his home, just a setup to open the chip. For this, typically you need some acids. You need a heat cooking device like a hot plate. You need acetone to wash. Okay, so if you go there, you can see a video. It's not that hard, but, important: this is very dangerous. I'm not responsible for you burning yourself with acid or anything. I'm not liable for that. You're on your own. Be careful with this. It's very nasty. It can get very wrong. But you can do it.

So, how much does this attack cost? Okay, to open a chip you need just acetone, and you need to get, for example, the glasses, you can borrow it from your kitchen; a cooking plate, you can also borrow it from your kitchen. We will need a camera with a flash, so you can also borrow it. And the total cost of this attack is 9 euros. Okay, I don't have any fancy hardware. I just need a camera and opening a chip. In the case of the Raspberry Pi, the package was already open. That's why it glitched.

Okay, so let's do this demo. Okay. So I have here the setup. I'm not sure if you can switch to this thing. I will try to move the tripod a bit. Okay, so let's try to move this thing without putting chaos. Okay. Yeah.

So here, what you see here, this thing is the microcontroller. Okay, it's connected to my computer with a serial cable.
I have here a tool for resetting it automatically each time I send a message, because now what will happen is that it will crash. Okay, so I'm going to start sending messages to this device. Okay, and this device is going to sign all the messages I'm going to send, all with the same message. Okay, if you can put the video feed of my computer, you will see that now here the device is signing the message. I get a really huge response. This device is running RSA 1024 bits, and it's getting always the same response.

Okay, so disclaimer: if somebody has epilepsy, please close your eyes now. And if you don't know about epilepsy, well, you will figure it out now. Okay.

So the thing is, this is a flash from a camera. Okay, so this attack is as stupid as follows: when this device is computing RSA, I'm just going to shoot a flash. Okay, and at this distance the device is just ignoring what I'm doing. Okay, if I get too close, if I shoot the flash, what happens is the following. Now you will see here that I get a yellow line. So the device just crashes. Why? Because I induced so much energy that the device just goes crazy and then crashes. Okay, so now this attack is just as stupid as taking a camera. It's computing the thing, and now I hope, the demo gods, please help me. Okay, if I do it right, it will not crash too much. Okay, and I hope I get a corrupted message but not a crash.

Okay, let's try. Let's hope I can get it. Still no luck. Demo effect, demo effect. I will try three more times. If it doesn't work, I have a backup video. Please work. Okay, one last time. Okay. Please work. It's so nice when it works. Okay, last attempts, last two. Yeah, I'm cheating a bit, I know. Okay, the last one. Glitch you. Okay, this typically works at the first attempt or the third attempt. The demo gods are not nice to me.
Okay. Glitch. Last one, okay. Well, it didn't work.

Okay, so now, because the demo gods were not nice to me, this thing only crashed or just reset, or normal behavior. What happens is that, this thing I did just before coming here, if you start doing this thing, it can happen that you hit it in the right spot in the right moment. And what happens is, instead of getting these yellow lines with a response of zeros because the device crashes, you get, in this case, you will see it as a red line in this script that I have. And this red line is just a corrupted response. It is crypto garbage. Actually, it is not crypto garbage, it is just a special garbage with which you can do this trick of subtracting the normal message and this faulty message. You see this red line, and that's all you need. So you can have RSA with super security; if you don't have a special padding or any special technique, it's only one fault. Then what happens is the following: you take this computation, then I run the mathematics, and what happens after that is, well, I take the modulus, I take the public key, I compute the greatest common divisor, and then what you get as a result is what you see here now in the output. I get the whole RSA key. Okay, so this is 1024 bits of key in no time.

I think we have no time for questions. You have?

Unfortunately, we're on a very tight schedule, but for one question I think we have time. So please queue up at the microphones. You've got one question. Are there any questions? Yes, one question, please, over there.

Yes, well, you demonstrated the AVR-based Atmel controller, Arduino. I know that a lot of ARM cores, they have a power brownout detection. This power brownout detection, typically trigger if you flash it with which flasher?

Okay, so for glitching, for example, ARM cores, this one is an ARM core.
We can do power glitching in the same. Okay, so in this case you get the chip to one state which is unknown, undefined. So sometimes it works and sometimes it doesn't work. The trick is to find the correct setting of parameters. But even with brownout detection, these glitches still work quite okay.

Okay, so, a big applause for Ramiro and Rafa for this very interesting talk. It was really good to see