
Publications

Featured research published by Falk Schellenberg.


International Cryptology Conference | 2013

Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System

Daehyun Strobel; Benedikt Driessen; Timo Kasper; Gregor Leander; David Oswald; Falk Schellenberg; Christof Paar

We examine the widespread SimonsVoss digital locking system 3060 G2 that relies on an undisclosed, proprietary protocol to mutually authenticate transponders and locks. For assessing the security of the system, several tasks have to be performed: By decapsulating the used microcontrollers with acid and circumventing their read-out protection with UV-C light, the complete program code and data contained in door lock and transponder are extracted. As a second major step, the multi-pass challenge-response protocol and corresponding cryptographic primitives are recovered via low-level reverse-engineering. The primitives turn out to be based on DES in combination with a proprietary construction.


Proceedings of the IEEE | 2014

Microcontrollers as (In)Security Devices for Pervasive Computing Applications

Daehyun Strobel; David Oswald; Bastian Richter; Falk Schellenberg; Christof Paar

Often overlooked, microcontrollers are the central component in embedded systems which drive the evolution toward the Internet of Things (IoT). They are small, easy to handle, low cost, and with myriads of pervasive applications. An increasing number of microcontroller-equipped systems are security and safety critical. In this tutorial, we take a critical look at the security aspects of today's microcontrollers. We demonstrate why the implementation of sensitive applications on a standard microcontroller can lead to severe security problems. To this end, we summarize various threats to microcontroller-based systems, including side-channel analysis and different methods for extracting embedded code. In two case studies, we demonstrate the relevance of these techniques in real-world applications: Both analyzed systems, a widely used digital locking system and the YubiKey 2 one-time password generator, turned out to be susceptible to attacks against the actual implementations, allowing an adversary to extract the cryptographic keys which, in turn, leads to a total collapse of the system security.


Design, Automation, and Test in Europe | 2015

Scandalee: a side-channel-based disassembler using local electromagnetic emanations

Daehyun Strobel; Florian Bache; David Oswald; Falk Schellenberg; Christof Paar

Side-channel analysis has become a well-established topic in the scientific community and industry over the last one and a half decades. Somewhat surprisingly, the vast majority of work on side-channel analysis has been restricted to the “use case” of attacking cryptographic implementations through the recovery of keys. In this contribution, we show how side-channel analysis can be used for extracting code from embedded systems based on a CPU's electromagnetic emanation. There are many applications within and outside the security community where this is desirable. In cryptography, it can, e.g., be used for recovering proprietary ciphers and security protocols. Another broad application field is general security and reverse engineering, e.g., for detecting IP violations of firmware or for debugging embedded systems when there is no debug interface or it is proprietary. A core feature of our approach is that we take localized electromagnetic measurements that are spatially distributed over the IC being analyzed. Given these multiple inputs, we model code extraction as a classification problem that we solve with supervised learning algorithms. We apply a variant of linear discriminant analysis to distinguish between the multiple classes. In contrast to previous approaches, which reported instruction recognition rates between 40% and 70%, our approach detects more than 95% of all instructions for test code, and close to 90% for real-world code. The methods are thus very relevant for use in practice. Our method performs dynamic code recognition, which has both advantages (only the program parts that are actually executed are observed) and limitations (rare code executions are difficult to observe).


Selected Areas in Cryptography | 2013

When Reverse-Engineering Meets Side-Channel Analysis --- Digital Lockpicking in Practice

David Oswald; Daehyun Strobel; Falk Schellenberg; Timo Kasper; Christof Paar

In the past years, various electronic access control systems have been found to be insecure. In consequence, attacks have emerged that permit unauthorized access to secured objects. One of the few remaining, allegedly secure digital locking systems--the system 3060 manufactured and marketed by SimonsVoss--is employed in numerous objects worldwide. Following the trend to analyze the susceptibility of real-world products towards implementation attacks, we illustrate our approach to understand the unknown embedded system and its components. Detailed investigations are performed in a step-by-step process, including the analysis of the communication between transponder and lock, reverse-engineering of the hardware, bypassing the read-out protection of a microcontroller, and reverse-engineering the extracted program code. Piecing all parts together, the security mechanisms of the system can be completely circumvented by means of implementation attacks. We present an EM side-channel attack for extracting the secret system key from a door lock. This ultimately gives access to all doors of an entire installation. Our technique targets a proprietary function used in combination with a DES for key derivation, probably originally implemented as an obscurity-based countermeasure to prevent attacks.


Workshop on Fault Diagnosis and Tolerance in Cryptography | 2015

On the Complexity Reduction of Laser Fault Injection Campaigns Using OBIC Measurements

Falk Schellenberg; Markus Finkeldey; Bastian Richter; Maximilian Schapers; Nils C. Gerhardt; Martin R. Hofmann; Christof Paar

Laser Fault Injection (LFI) is one of the most powerful methods of inducing a fault as it allows targeting only specific areas down to single transistors. The downside compared to non-invasive methods like introducing clock glitches is the largely increased search space. An exhaustive search through all parameters including dimensions for correct timing, intensity, or length might not be feasible. Existing solutions to this problem are either not directly applicable to the fault location or require additional device preparation and access to expensive equipment. Our method utilizes measuring the Optical Beam Induced Current (OBIC) as an imaging technique to find target areas like flip-flops, thus reducing the search space drastically. This measurement is possible with existing laser scanning microscopes or well-equipped LFI setups. We provide experimental results targeting the Advanced Encryption Standard (AES) hardware accelerator of an Atmel ATXMega microcontroller.


Hardware Oriented Security and Trust | 2016

Large laser spots and fault sensitivity analysis

Falk Schellenberg; Markus Finkeldey; Nils C. Gerhardt; Martin R. Hofmann; Amir Moradi; Christof Paar

Laser Fault Injection (LFI) is a powerful method of introducing faults into a specific area of an integrated circuit. Because the minimum size of the laser spot is physically bounded, many recent publications investigate down to which technology node individual transistors can be targeted. In contrast, we develop a novel attack that is applicable even when a large number of gates is affected at the smallest feature sizes. To achieve this, we adapt Fault Sensitivity Analysis to the laser setting. Such attacks require reasoning about the critical path of a combinatorial circuit and were previously only considered for clock glitches. Indeed, we show that this prerequisite is available for LFI as well. This leads to a very relaxed fault model, especially in terms of the required laser spot size. We conclude that there is no intrinsic protection for the latest technology nodes and LFI remains a serious threat for embedded devices. Experimental results are provided by targeting the combinatorial AES Sbox of an Atmel ATxmega microcontroller with an artificially large laser spot. Finally, we discuss why this attack is still applicable to the smallest structure sizes.


Tm-technisches Messen | 2017

Optical metrology for the investigation of buried technical structures

Lena Göring; Markus Finkeldey; Falk Schellenberg; Carsten Brenner; Martin R. Hofmann; Nils C. Gerhardt

In this paper, we present different optical metrology approaches for the investigation of buried technical structures. Contactless, potentially fast and non-destructive techniques such as optical beam induced current (OBIC), confocal laser scanning microscopy (CLSM) and digital holographic microscopy (DHM) are described. Their properties are illustrated by investigating the buried structures of a microcontroller.


Proceedings of SPIE | 2017

Backside imaging of a microcontroller with common-path digital holography

Markus Finkeldey; Lena Göring; Falk Schellenberg; Nils C. Gerhardt; Martin R. Hofmann

The investigation of integrated circuits (ICs), such as microcontrollers (MCUs) and system-on-chip (SoC) devices, is a topic of growing interest. The need for fast and non-destructive imaging methods is given by the increasing importance of hardware Trojans, reverse engineering and further security related analysis of integrated cryptographic devices. In the field of side-channel attacks, for instance, the precise spot for laser fault attacks is important and could be determined by using modern high resolution microscopy methods. Digital holographic microscopy (DHM) is a promising technique to achieve high resolution phase images of surface structures. These phase images provide information about the change of the refractive index in the media and the topography. For enabling a high phase stability, we use the common-path geometry to create the interference pattern. The interference pattern, or hologram, is captured with a water cooled sCMOS camera. This provides a fast readout while maintaining a low level of noise. A challenge for these types of holograms is the interference of the reflected waves from the different interfaces inside the media. To distinguish between the phase signals from the buried layer and the surface reflection we use specific numeric filters. For demonstrating the performance of our setup we show results with devices under test (DUT), using a 1064 nm laser diode as light source. The DUTs are modern microcontrollers thinned to different levels of thickness of the Si-substrate. The effect of the numeric filter compared to unfiltered images is analyzed.


Proceedings of SPIE | 2016

Common-path depth-filtered digital holography for high resolution imaging of buried semiconductor structures

Markus Finkeldey; Falk Schellenberg; Nils C. Gerhardt; Christof Paar; Martin R. Hofmann

We investigate digital holographic microscopy (DHM) in reflection geometry for non-destructive 3D imaging of semiconductor devices. This technique provides high resolution information of the inner structure of a sample while maintaining its integrity. To illustrate the performance of the DHM, we use our setup to localize the precise spots for laser fault injection, in the security related field of side-channel attacks. While digital holographic microscopy techniques easily offer high resolution phase images of surface structures in reflection geometry, they are typically incapable of providing high quality phase images of buried structures due to the interference of reflected waves from different interfaces inside the structure. Our setup includes an sCMOS camera for image capture, arranged in a common-path interferometer to provide very high phase stability. As a proof of principle, we show sample images of the inner structure of a modern microcontroller. Finally, we compare our holographic method to classic optical beam induced current (OBIC) imaging to demonstrate its benefits.


Hardware Oriented Security and Trust | 2018

SAT-based reverse engineering of gate-level schematics using fault injection and probing

Shahrzad Keshavarz; Falk Schellenberg; Bastian Richter; Christof Paar; Daniel E. Holcomb
