Raspberry Pi Announces the Winners of Its RP2350 Capture the Flag Contest, Confirms Vulnerabilities


Raspberry Pi has announced the results of its capture the flag competition, which saw security researchers invited to test the hardware protections built into its RP2350 microcontroller — and has confirmed four winners and five independently-discovered vulnerabilities.

“All chips have vulnerabilities, and most vendors’ strategy is not to talk about them. We consider this to be grossly irresponsible, so instead, we entered into the DEF CON spirit by offering a one-month, $10,000 prize to the first person to retrieve a secret value from the one-time-programmable (OTP) memory on the device,” Raspberry Pi co-founder and chief executive officer Eben Upton explains. “Our goal was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications. No one claimed the prize by the deadline, so in September we extended the deadline to the end of the year and doubled the prize to $20,000.”

Now, the results of that extended competition have been revealed — and it is news that Upton says he is only “happy (ish)” to report: the chip’s security subsystem, a new feature of the RP2350 not present on the earlier RP2040, has been defeated by no fewer than five independent attacks, four of which were considered valid entries to the competition.

The first of these was made public earlier this year: a voltage-glitching attack discovered by engineer Aedan Cullen. “It isn’t a very difficult attack at all,” Cullen claimed at the time, disclosing a voltage glitch attack which re-enables the microcontroller’s RISC-V cores, which should be disabled when the security subsystem is in use. “It’s just a normal power glitch. Just drop `USB_OTP_VDD` for 50μs or so during the `CRIT0` and `CRIT1` OTP PSM reads, which on my chips are around 220-250μs from the characteristic current spike that marks the start of the OTP PSM sequence.”

Confirming the vulnerability and blaming it on a “poor choice of guard word” for the one-time programmable (OTP) memory, Upton states that “no mitigation is currently available for this vulnerability, which has been assigned erratum number E16” — but that “it is likely to be addressed in a future stepping of RP2350.”

A second successful entry came from Marius Muench, who found a fault injection vulnerability that can be exploited by glitching the chip’s supply voltage. “While this break may seem simple in retrospect,” Muench says, “reality is quite different. Identifying and exploiting these types of issues is far from trivial. Overall, this hacking challenge was a multi-month project for me, with many dead-ends explored along the way and numerous iterations of attack code and setups to confirm or refute potential findings.” This, Upton says, is erratum E20 — and has “several effective mitigations,” the recommended one of which is to set the OTP flag `BOOT_FLAGS0.DISABLE_WATCHDOG_SCRATCH`.

Aedan Cullen’s presentation at the 38th Chaos Communication Congress has been validated, along with four other attacks on the RP2350. (📹: CCC/Aedan Cullen)

The third successful entry came courtesy of Kévin Courdesses: a weakness in the chip’s secure boot path, coming just after the firmware has been loaded into memory and just before its hash is computed — exploitable, once again, by glitching the chip’s supply voltage. “Injecting a single precisely timed fault at this stage can cause the hash function to be computed over a different piece of data,” Upton says, “controlled by the attacker. If that data is a valid signed firmware, the signature check will pass, and the attacker’s unsigned firmware will run!” This is erratum E24, and again has no known mitigation — but should be addressed in a future RP2350 chip revision.

The fourth and final successful entry comes from the researchers at IOActive, and is the only one requiring a major investment in advanced hardware to exploit: “An attacker in possession of an RP2350 device, as well as access to semiconductor deprocessing equipment and a focused ion beam (FIB) system, could extract the contents of the antifuse bit cells as plaintext in a matter of days,” the company explains. “While a FIB system is a very expensive scientific instrument (costing several hundred thousand USD, plus ongoing operating expenses in the tens of thousands per year), it is possible to rent time on one at a university lab for around $200/hour for machine time or around two to three times this for machine time plus a trained operator to run it.”

“The suggested mitigation for this attack is to use a ‘chaffing’ technique, storing either {0, 1} or {1, 0} in each pair of bit cells, as the attack in its current form is unable to distinguish between these two states,” Upton notes of the vulnerability, which is not believed to be unique to the RP2350 and has not been given an erratum number. “To guard against a hypothetical version of the attack which uses circuit editing to distinguish between these states, it is recommended that keys and other secrets be stored as larger blocks of chaffed data, from which the secret is recovered by hashing.”
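The chaffing mitigation described above, sketched as an added example (not code from Raspberry Pi or IOActive): each bit of a random 64-byte block is stored as a complementary pair, and the working key is the SHA-256 hash of the decoded block. The mapping of logical bits to physical bit-cell pairs, the block size, the hash choice and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: two adjacent bits of the stored image land in one physical
# bit-cell pair. The real mapping must come from the chip documentation.

def chaff_encode(raw: bytes) -> bytes:
    """Store each bit as a complementary pair: 0 -> (0,1), 1 -> (1,0)."""
    out = bytearray()
    for byte in raw:
        word = 0
        for i in range(7, -1, -1):          # most significant bit first
            bit = (byte >> i) & 1
            word = (word << 2) | (0b10 if bit else 0b01)
        out += word.to_bytes(2, "big")       # 8 bits become 16 stored bits
    return bytes(out)

def chaff_decode(stored: bytes) -> bytes:
    """Decode pairs; (0,0) and (1,1) never occur in a valid image."""
    if len(stored) % 2:
        raise ValueError("chaffed image must be an even number of bytes")
    out = bytearray()
    for off in range(0, len(stored), 2):
        word = int.from_bytes(stored[off:off + 2], "big")
        byte = 0
        for i in range(7, -1, -1):
            pair = (word >> (2 * i)) & 0b11
            if pair not in (0b01, 0b10):
                raise ValueError(f"non-complementary pair near byte {off}")
            byte = (byte << 1) | (pair >> 1)
        out.append(byte)
    return bytes(out)

def provision(block_len: int = 64) -> tuple[bytes, bytes]:
    """Return (image to program into OTP, key derived from the block)."""
    block = secrets.token_bytes(block_len)   # block size is an assumption
    return chaff_encode(block), hashlib.sha256(block).digest()

def recover_key(stored: bytes) -> bytes:
    """Firmware-side recovery: decode the chaffed block, then hash it."""
    return hashlib.sha256(chaff_decode(stored)).digest()

if __name__ == "__main__":
    image, key = provision()
    print(len(image), "byte OTP image; key recovered:",
          recover_key(image) == key)
```

Every stored pair contains exactly one set bit, so the image has the same number of programmed cells whatever the secret is, and a single misread pair changes the derived key entirely.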

Finally, a fifth attack was demonstrated by Thomas Roth at Hextree, in collaboration with Colin O’Flynn at NewAE. While a commission from Raspberry Pi itself and thus not considered a valid entry to the competition, the researcher’s work revealed vulnerability to electromagnetic fault injection (EMFI), which could both corrupt the OTP memory and lead to potential side-channel timing attacks. Further investigation revealed a way to bypass protections with “precisely-timed faults” using EMFI. The vulnerability, dubbed erratum E21, has what Upton describes as “several effective mitigations” — though one of these comes at the cost of losing the ability to flash new firmware over USB.

“While the rules specify a single $20,000 prize for the ‘best’ attack,” Upton notes, “we were so impressed by the quality of the submissions that we’ve chosen to pay the prize in full for each of them. As expected, we’ve learned a lot. In particular, we’ve revised downward our estimate of the effectiveness of our glitch detection scheme; the difficulty of reliably injecting multiple faults even in the presence of timing uncertainty; and the cost and complexity of laser fault injection. We’ll take these lessons into account as we work to harden future chips, and anticipated future steppings of RP2350.”

Upton has also pledged a second capture the flag competition to follow, this time focusing on an in-house implementation of the AES cryptographic algorithm which is believed to be hardened against side-channel attacks. More information is available on the Raspberry Pi website, including — where available — links to papers detailing each of the attacks.
