INSIGHTS | March 20, 2011

Blackhat TPM Talk Follow-up

Since speaking at BlackHat DC 2009, there have been several inquiries regarding the security of the SLE66PE series smartcard family.

Here are some issues that should be pointed out:

We have heard, “…it took 6 months to succeed…”

The reality is it took 4 months to tackle obstacles found in any sub-200 nm device, such as:

  1. Capacitance/load of the probe needles while the chip is running.
  2. Powering the device inside the chamber of a FIB workstation.
  3. Level-shifting a 1.8 V core voltage, following what we learned in #1 above.
  4. Cutting out metal layers without creating electrical shorts.
  5. Other more minute issues regarding the physical size of the die.

Upon overcoming the points above, the actual analysis required no more than approximately 2 months’ time.

In addition, the techniques listed above apply to all devices in the sub-200 nm category (SecureAVR, SmartMX, ST21, ST23).

We have heard, “…you said the Infineon SLE66 was the best device out there in the market…”

The Infineon SLE66PE is a very secure device; however, it and its competitors all have their strengths and weaknesses.

Some examples of weaknesses are:

  1. The layout of all Infineon SLE50/66 ‘P’ or ‘PE’ parts is very modular by design.
  2. Lack of penalty if the active shield is opened.
  3. Runtime begins from a CLEAR (unencrypted) ROM which is ‘invisible’ to the user.
  4. The CPU core is based on a microcode/PLA type implementation.
  5. Power-on reset always begins running from the externally supplied clock.
  6. The current design is based on a previous 600 nm version designed around 1998.
  7. 3-metal-layer design for “areas of interest” (the 4th layer is the active shield).

Some examples of strengths are:

  1. The ‘PE’ family uses bond pads located up the middle of the device.
  2. The ROMKey must be loaded before being attacked (otherwise you just see their clear ROM content).
  3. MED is quite powerful if used properly for EEPROM content.
  4. Mesh is consistent across the device and divided into sections.
  5. Auto-increment of memory base address.
  6. Mixing of physical vs. virtual address space for MED / memory fetch.

No device is perfect. All devices have room for improvement. Some things to consider when choosing a smartcard are:

  • Does the CPU ever run on an external clock?
  • What is the penalty for an active-shield breach?
  • What is the fabrication process geometry?
  • How many metal layers does the device have?
  • A list of labs that may have evaluated this device, and their capabilities.

Lastly, just because a device has been Common Criteria certified does not mean much to an attacker armed with current tools. This is a common oversight.

There is an ST23 smartcard device which has recently been certified EAL-6+, and the device has an active shield with tracks almost 1 micron wide and 1–2 micron spacing!!! This makes a person scratch their head and say, “WTH????”

We have some new content to post soon on the blog. Be sure to tune in for that. We will tweet an alert as well.

INSIGHTS | August 9, 2010

Atmel ATMEGA2560 Analysis (Blackhat follow-up)

At this year’s Blackhat USA briefings, the ATMEGA2560 was shown as an example of an insecure vs. secure device. We have received a few requests for more information on this research, so here it goes…

The device did not even need to be stripped down, thanks to designer laziness back at Atmel HQ. All we did was look for the metal plates we detailed in our ATMEGA88 teardown last year, and we quickly deduced which outputs were the proper outputs in under 20 minutes.

Atmel likes to cover the ‘important’ AVR fuses with metal plating. We assume this is to prevent the floating gate from getting hit with UV; however, what debunks this theory is that UV will SET the fuses, not clear them!

For those who absolutely must know how to unlock the device, just click on the “Money Shot!”

INSIGHTS | August 7, 2010

Parallax Propeller P8X32A Quick Teardown

Parallax has a really neat 8-core 32-bit CPU called the ‘Propeller’. It’s been out for a few years, but it is gaining popularity. There is no security on the device, as it boots insecurely via a UART or an I2C EEPROM. Nonetheless, we thought it was interesting to see an 8-core CPU decapsulated!

One can clearly see 8 columns that appear almost symmetric (except in the middle region). The upper 8 squares are each cog’s 512 × 32 SRAM, as described in the manual. The middle left 4 and right 4 squares are the ROMs Parallax describes. The 8 rectangular objects are the 32 KB SRAM as described. The 8 cores are basically the 8 columns above the middle ROMs, including the 512 × 32 SRAMs, because Parallax describes each cog as having its own 512 × 32 SRAM :).

Last but not least is the Parallax logo. Nice job, Parallax, on this beast! We have one favor to ask: implement some flash on the next generation with a security bit ;).