Enter The Donjon

A practical laser attack on the go

Workshop 06 - Grehack 24

Agenda

Fault injection principles

Attack of the OneKey Mini

Live execution

Workarounds and questions

Enter The Donjon: A practical laser attack on the go - Grehack 24
Fault injection principles

Fault Injection? What is it?

Hardware

⚡Physical perturbation

Process deflection

Unauthorized access

Unauthorized access - Faulted

⚡️ Physical perturbation types

  • Power glitch: Power cut
  • FBBI: Voltage on the die
  • EMFI: EM field
  • Laser: Illumination

Attack of the OneKey Mini

Laser on ATECC

The Target Of Evaluation

[Figure labels: ATECC608A, OneKey, OneKey Mini]

The Bench

[Figure labels: Laser Bench, Daughter Board]

The Attack

# Authorized request
atecc.nonce()
atecc.gen_dig(1, atecc.KEY_SLOT1)
atecc.read(slot=6) ^ atecc.temp_key
# SUCCESS

# Unauthorized request
atecc.nonce()
atecc.gen_dig(14, atecc.KEY_SLOT14)
atecc.read(slot=6) ^ atecc.temp_key
# EXECUTION_ERROR

# Faulted request
atecc.nonce()
atecc.gen_dig(14, atecc.KEY_SLOT14)
atecc.read(slot=6, trigger=I2CTrigger.END.value) ^ atecc.temp_key
# EXECUTION_ERROR / TIMEOUT / SUCCESS / ...

The Attack

[Figure labels: Unauthorized access, Authorized access]

The Attack

https://hardwear.io/archives/usa-2023/

Let's do it!

Live execution

Perturbed executions

No perturbation
One perturbation
Two perturbations

Scan Result (~1 day execution)

Legend: No effect (transparent), SUCCESS, I2C Nack, Timeout, ECC_FAULT, AFTER_WAKE, HEALTH_TEST_ERROR, PARSE_ERROR

Scan Result ATECC608B / AES

Scan Result ATECC508A

Corrections and countermeasures

From the chip provider

Physical countermeasures

  • Jitter
  • Laser detectors
  • Fault counting...
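
A toy simulation of the fault-counting countermeasure listed above, added here as an illustration and not taken from the talk or from any chip vendor. The outcome weights, the `ToyChip` class, the set of "abnormal" responses and the lock threshold are all constructed assumptions; the script compares how often a long perturbation scan ends in an unauthorized SUCCESS with and without a persistent fault counter.

```python
import random

# Constructed per-shot outcome weights for a faulted unauthorized read.
# Illustrative values only, not measurements from the talk.
OUTCOMES = ["EXECUTION_ERROR", "TIMEOUT", "ECC_FAULT", "SUCCESS"]
WEIGHTS = [0.90, 0.07, 0.029, 0.001]
# Responses a genuine host should almost never trigger (assumption).
ABNORMAL = {"TIMEOUT", "ECC_FAULT"}


class ToyChip:
    """Toy secure element with an optional persistent fault counter."""

    def __init__(self, fault_limit=None):
        self.fault_limit = fault_limit  # None disables fault counting
        self.fault_count = 0            # would live in non-volatile memory
        self.locked = False

    def faulted_read(self, rng):
        """One perturbed unauthorized read; returns the response name."""
        if self.locked:
            return "LOCKED"
        outcome = rng.choices(OUTCOMES, weights=WEIGHTS)[0]
        if self.fault_limit is not None and outcome in ABNORMAL:
            self.fault_count += 1
            self.locked = self.fault_count >= self.fault_limit
        return outcome


def run_scan(fault_limit, shots, seed):
    """Return ("leaked" | "locked" | "survived", number of shots used)."""
    rng = random.Random(seed)
    chip = ToyChip(fault_limit)
    for shot in range(1, shots + 1):
        result = chip.faulted_read(rng)
        if result == "SUCCESS":
            return "leaked", shot
        if result == "LOCKED":
            return "locked", shot
    return "survived", shots


def leak_rate(fault_limit, shots=5000, trials=200):
    """Fraction of simulated scans that end in an unauthorized SUCCESS."""
    leaks = sum(run_scan(fault_limit, shots, s)[0] == "leaked" for s in range(trials))
    return leaks / trials


if __name__ == "__main__":
    print("no counter:", leak_rate(None), " limit=10:", leak_rate(10))
```

With these constructed weights, the counter does not make a lucky early fault impossible; it bounds how many abnormal responses a scan can collect before the part stops answering.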

From the constructor

Implement a good configuration

  • Lock all unnecessary slots
  • Use convenient features

Thank you for your attention

Questions?


https://donjon.ledger.com/enter-the-donjon-grehack24