
Security chip that does encryption in PCs hacked - epi0Bauqu
http://news.yahoo.com/s/ap/20100208/ap_on_hi_te/us_tec_crypto_chip_cracked
======
NateLawson
Chris Tarnovsky is amazing, a true prodigy. Unfortunately, he gets bad advice
on how to present his work. TPMs are what the media latched onto but are
almost irrelevant to his advances.

What Chris presented is a full break of the Infineon SLE66PE secure
microcontroller, used in smart cards for applications such as pay TV. This is
one of the best of the current generation of smart cards. All of them have a
layer of metal mesh that allows the chip to detect probing attempts. This
processor also has optical sensors below that mesh (defense in depth?). It has
many other countermeasures to prevent invasive attacks.

Chris's work in this area is astounding. He's now using a FIB whereas before
he was just using microscopes and chemicals. This allows him to burn holes or
deposit metal in the low tens of nanometers range. Combined with his old
skills, this makes for a formidable platform for defeating chip security
measures.

His work on this chip is not easy, nor is it easily replicated. However, once
someone with the resources and skills performs this kind of attack, it can
enable much cheaper attacks later. For example, using this method to dump the
ROM and then finding a software flaw in it would allow for attacks using
ordinary PCs, no more physical manipulation needed. Or, you can build a jig
("drill here") that lets it be replicated by less skilled people using
microprobing needles and ordinary microscopes. This reduces the cost of
subsequent attacks.

TPMs have a poor security model to begin with. The exposed wires on the LPC
bus (4 x 16 MHz) can be used to MITM it. The entire design is not meant to
resist even board-level attacks, let alone invasive chip work. Claiming his
talk is about TPMs is like saying cryptanalysis of SHA-1 is about breaking
Django authentication. Sure it does, but there are much more important
affected applications.

I actually think this validates the SLE66PE design. The fact that it required
this much work gives me much more confidence about using it. Hopefully
Infineon uses the information from Chris's talk to improve the next
generations.
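
The LPC tap mentioned above rests on the bus being trivially observable: LPC multiplexes a 4-bit LAD bus with an LFRAME# strobe on exposed pins, so a logic analyser clipped to the TPM yields one nibble per clock and a cycle decoder recovers every register read and write in the clear. The decoder below is an added example for this page, not the commenter's code and not from Tarnovsky's talk. Field encodings are taken from the Intel LPC Interface Specification 1.1 and the TCG PC Client TIS (TPM START code 0101 with a 16-bit address), the capture is constructed, the register offset 0x0F00 is used only as an illustrative TIS register address, and `forge_read_data` is a hypothetical helper showing the active half of an interposer.

```python
"""Decode LPC (Low Pin Count) bus cycles from a pin-level capture.

Added example, not code from the thread. Each sample is (LFRAME#, LAD), one
per LCLK edge, as a logic analyser on a TPM's LPC pins records it. Encodings
follow the Intel LPC spec 1.1 and the TCG PC Client TIS (TPM cycles use
START=0101 and a 16-bit address, the low half of the 0xFED4xxxx window).
"""
from dataclasses import dataclass
from typing import List, Tuple

Sample = Tuple[int, int]                   # (lframe_n, lad_nibble) per clock
START_TARGET, START_TPM = 0x0, 0x5         # START codes handled here
CT_IO, CT_MEM = 0b00, 0b01                 # CYCTYPE = bits[3:2] of CT/DIR
DIR_WRITE = 0b0010                         # direction = bit 1 of CT/DIR
SYNC_SHORT, SYNC_LONG, SYNC_ERROR = 0x5, 0x6, 0xA   # SYNC codes (0x0 = ready)

@dataclass
class LpcCycle:
    kind: str          # "io", "mem" or "tpm"
    write: bool
    address: int
    data: int          # byte on the wire (host-driven for writes)
    waits: int         # wait-state SYNC nibbles inserted by the peripheral
    ok: bool           # False if the peripheral answered SYNC=1010 (error)
    data_index: int    # capture index of the low data nibble

def _parse_cycle(s: List[Sample], i: int):
    """Parse the cycle whose START nibble is s[i]; return (cycle, next_index)."""
    lad = lambda j: s[j][1] & 0xF          # IndexError means a truncated capture
    start, ctdir = lad(i), lad(i + 1)
    write = bool(ctdir & DIR_WRITE)
    if start == START_TPM:                 # TIS: only the direction bit is used
        kind, addr_nibbles = "tpm", 4
    elif ctdir >> 2 == CT_IO:
        kind, addr_nibbles = "io", 4
    elif ctdir >> 2 == CT_MEM:
        kind, addr_nibbles = "mem", 8
    else:
        return None, i + 1                 # DMA / reserved cycles not handled
    j, address = i + 2, 0
    for _ in range(addr_nibbles):          # address is sent MSB nibble first
        address, j = (address << 4) | lad(j), j + 1
    data_index = j
    if write:
        j += 2                             # host drives data, LSB nibble first
    j += 2                                 # TAR: host releases LAD (2 clocks)
    waits = 0
    while lad(j) in (SYNC_SHORT, SYNC_LONG):
        waits, j = waits + 1, j + 1
    sync, j = lad(j), j + 1
    if not write:
        data_index, j = j, j + 2           # peripheral drives data, LSB first
    j += 2                                 # TAR back to the host
    data = lad(data_index) | (lad(data_index + 1) << 4)
    return LpcCycle(kind, write, address, data, waits,
                    sync != SYNC_ERROR, data_index), j

def decode_cycles(s: List[Sample]) -> List[LpcCycle]:
    """Walk a capture and return every I/O, memory and TPM cycle found."""
    cycles, i = [], 0
    while i < len(s):
        if s[i][0] != 0:                   # LFRAME# high: idle, skip
            i += 1
            continue
        while i + 1 < len(s) and s[i + 1][0] == 0:
            i += 1                         # START is the last nibble with LFRAME# low
        if s[i][1] not in (START_TARGET, START_TPM):
            i += 1                         # abort (1111) or other START codes
            continue
        try:
            cycle, i = _parse_cycle(s, i)
        except IndexError:
            break                          # capture ends mid-cycle
        if cycle:
            cycles.append(cycle)
    return cycles

def forge_read_data(s: List[Sample], cycle: LpcCycle, new_byte: int) -> List[Sample]:
    """Copy of the capture with the peripheral's read data replaced: what an
    interposer on LAD would drive during the two data clocks (hypothetical
    helper, the active half of the MITM)."""
    if cycle.write:
        raise ValueError("write data is host-driven; only reads can be forged")
    out = list(s)
    out[cycle.data_index] = (1, new_byte & 0xF)
    out[cycle.data_index + 1] = (1, (new_byte >> 4) & 0xF)
    return out

# Constructed capture, not a real trace: idle, a TPM read of register offset
# 0x0F00 answered 0x01 after one short wait, an I/O write of 0xAB to port
# 0x80, then an LPC abort (LFRAME# low with LAD=1111 for 4 clocks).
IDLE = [(1, 0xF)] * 3
TPM_READ = [(0, 0x5), (1, 0x0), (1, 0x0), (1, 0xF), (1, 0x0), (1, 0x0),  # START, R, addr
            (1, 0xF), (1, 0xF), (1, 0x5), (1, 0x0),                      # TAR, SYNC wait+ready
            (1, 0x1), (1, 0x0), (1, 0xF), (1, 0xF)]                      # data 0x01, TAR
IO_WRITE = [(0, 0x0), (1, 0x2), (1, 0x0), (1, 0x0), (1, 0x8), (1, 0x0),  # START, W, addr
            (1, 0xB), (1, 0xA), (1, 0xF), (1, 0xF), (1, 0x0), (1, 0xF), (1, 0xF)]  # data, TAR, SYNC, TAR
CAPTURE = IDLE + TPM_READ + IDLE + IO_WRITE + [(0, 0xF)] * 4 + IDLE
```

`decode_cycles(CAPTURE)` yields the TPM read (address 0x0F00, data 0x01, one wait state) and the I/O write (port 0x80, data 0xAB) and skips the abort; `forge_read_data(CAPTURE, cycles[0], 0x00)` produces a capture whose decoded TPM read now returns 0x00, which is all a board-level interposer has to do to change the host's view of the chip, with no invasive work at all. DMA and firmware cycles use other START codes and are skipped, and a capture that ends mid-cycle returns whatever complete cycles preceded it rather than raising.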

~~~
ximeng
This video on youtube:

<http://www.youtube.com/watch?v=tnY7UVyaFiQ>

shows Chris analysing a smart card. Clever stuff.

~~~
ximeng
Transcript for video (not sure if this is appropriate for here, please advise
if not, but I thought it would be useful to read alongside the video)

Chris Tarnovsky

Hired by satellite TV industry

Works independently in a San Diego lab

Remove metal smart card

Expose to acids

Remove white epoxy

Plastic breaks down after 10 minutes

Acetone in two beakers

Fuming nitric acid HNO3 applied to chip

Rinsed in one acetone beaker

Transferred to second "clean" beaker

Scrape off the surface

Ultrasound cleans off remaining residue

Checks chip is clean using microscope attached to a computer screen

Puts chip back in the credit card sized smartcard holder

Chip is made up of two layers with a third layer as a security layer on top

Need to burn a hole through the top layer to reach metal on the second layer

Hole is made using a mask (nail polish?)

Mask is left to dry

Micropositioner holds a sewing type needle to scratch a hole

Want to scratch a middle area where the databus is and a control line on the
side

Leave the needle where it is and remove from under the microscope

Drop of hydrofluoric acid (in "Rust Stain Remover" bottle) for 30 seconds

Hydrofluoric acid is resistant to nail polish and magic marker

Rinsed in water

Then check how deep the acid etched under a microscope

Repeat etching using 15 seconds (rate of etching increases with volume of acid
and temperature)

Rinse in acetone

Using UV light expose the lines of the chip (under microscope)

Sit on the data bus with the needle. Yellow line (on oscilloscope) is what the
needle is touching. Blue line represents Chris resetting the card.

Build a log of what the chip does when it powers up

800 hexadecimal samples

Can send management message to the chip and see what is done to decrypt it

Can do anything at this point: read EEPROM, ROM

------
RiderOfGiraffes
Dup: <http://news.ycombinator.com/item?id=1111008>

No comments there, though.

Exactly the same report also available here:
<http://news.ycombinator.com/item?id=1111707>

EDIT: To those who downvote me, that's your privilege, and I have no
complaints. To explain, I do it to try to prevent identical or nearly
identical comments being spread over several submissions. As a
programmer/hacker, I prefer the principle of DRY - don't repeat yourself - and
having comments on the same item in several places just leads to unnecessary
duplication and just seems messy.

I wish there were better duplicate detection, or a way of merging the comments
from multiple items, but there isn't. This is one way I try to add value to HN
- to save time by highlighting these duplications.

If you genuinely think this is damaging behavior then I'd be interested to
hear why.

~~~
eru
Yes, merging would be great!

------
ramchip
_Deep inside millions of computers is a digital Fort Knox, a special chip with
the locks to highly guarded secrets, including classified government reports
and confidential business plans._

How can someone write this without chuckling? A "digital Fort Knox"?
Seriously, this style is getting far too popular recently. Reminds me of
"Hackers Can Blow Your Family to Smithereens!"
[http://1.bp.blogspot.com/_7YnlMQU1TNI/Sw6SxbYzoLI/AAAAAAAADL...](http://1.bp.blogspot.com/_7YnlMQU1TNI/Sw6SxbYzoLI/AAAAAAAADLo/n9BjPgpEL6E/s1600/HomeComputerBomb.jpg)

~~~
bitwize
It reminds me of this:
[http://www.google.com/products/catalog?q=%22digital+fortress...](http://www.google.com/products/catalog?q=%22digital+fortress%22&oe=utf-8&rls=org.mozilla:en-US:unofficial&client=iceweasel-a&um=1&ie=UTF-8&cid=11855250430855723941&ei=T7dxS5z0CcTO8Qab4_i4Cw&sa=X&oi=product_catalog_result&ct=result&resnum=3&ved=0CBAQ8wIwAg#ps-sellers)

------
sp332
Here's a link to the Black Hat archive, which has the paper and may eventually
have video and audio of the presentation:
[http://www.blackhat.com/html/bh-dc-08/bh-dc-08-archives.html...](http://www.blackhat.com/html/bh-dc-08/bh-dc-08-archives.html#Tarnovsky)

~~~
tsally
That's a link to a presentation of his from Blackhat DC 2008, not the one he
just gave at Blackhat DC 2010.

~~~
sp332
Hm, might be time to take my Google-fu in for a tune-up. It's getting rusty.

------
banana
He is using acid to remove layers of the chip and then accessing and reading
the circuits directly.

This approach will work with all chips and is not quite something everybody is
able to do.

------
varaon
>"This chip is mean, man — it's like a ticking time bomb if you don't do
something right," Tarnovsky said.

I'd be interested in hearing more about this.

~~~
sp332
It's not the same chip, but you can read about some of the more common high-
end countermeasures on this page:
<http://www.cl.cam.ac.uk/~rnc1/descrack/ibm4758.html>

