Raspberry Pi has introduced the outcomes of its seize the flag competitors, which noticed safety researchers invited to check out the {hardware} protections constructed into its RP2350 microcontroller — and has confirmed 4 winners and 5 independently-discovered vulnerabilities.
“All chips have vulnerabilities, and most distributors’ technique is to not discuss them. We contemplate this to be grossly irresponsible, so as a substitute, we entered into the DEF CON spirit by providing a one-month, $10,000 prize to the primary particular person to retrieve a secret worth from the one-time-programmable (OTP) reminiscence on the gadget,” Raspberry Pi co-founder and chief govt officer Eben Upton explains. “Our intention was to smoke out weaknesses early, in order that we might repair them earlier than RP2350 turned extensively deployed in safe functions. No one claimed the prize by the deadline, so in September we prolonged the deadline to the top of the 12 months and doubled the prize to $20,000.”
Raspberry Pi has introduced the winners of its RP2350 seize the flag contest, together with assaults with no recognized mitigation. (📷: Raspberry Pi)
Now, the outcomes of that prolonged competitors have been printed — and it is information that Upton says he’s solely “happy (ish)” to report: the chip’s safety subsystem, a brand new function of the RP2350 not current on the sooner RP2040, has been defeated by means of no fewer than 5 unbiased assaults, 4 of which have been thought-about legitimate entries to the competitors.
The primary of those was made public earlier this 12 months: a voltage-glitching assault found by engineer Aedan Cullen. “It is not a really troublesome assault in any respect,” Cullen claimed on the time, disclosing a voltage glitch assault which re-enables the microcontroller’s RISC-V cores which ought to be disabled when the safety subsystem is in use. “It is only a regular energy glitch. Simply drop `USB_OTP_VDD` for 50μs or so throughout the `CRIT0` and `CRIT1“OTP PSM` reads, which on my chips are round 220-250μs from the attribute present spike that marks the start of the OTP PSM sequence.”
Confirming the vulnerability and blaming it on a “poor alternative of guard phrase” for the one-time programmable (OTP) reminiscence, Upton states that “no mitigation is at the moment obtainable for this vulnerability, which has been assigned erratum quantity E16” — however that “it’s prone to be addressed in a future stepping of RP2350.”
A second successful entry got here from Marius Muench, who discovered a fault injection vulnerability that may be exploited by means of glitching the chip’s provide voltage. “Whereas this break could seem simple looking back,” Muench says, “actuality is sort of totally different. Figuring out and exploiting these kind of points is much from trivial. General, this hacking problem was a multi-month mission for me, with many dead-ends explored alongside the best way and numerous iterations of assault code and setups to substantiate or refute potential findings.” This, Upton says, is erratum E20 — and has “a number of efficient mitigations,” the advisable one among which is to set the OTP flag BOOT_FLAGS0.DISABLE_WATCHDOG_SCRATCH.
The third successful entry got here courtesy of Kévin Courdesses: a weak spot within the chip’s safe boot path, coming simply after the firmware has been loaded into reminiscence and simply earlier than its hash is computed — exploitable, as soon as once more, by glitching the chip’s provide voltage. “Injecting a single exactly timed fault at this stage may cause the hash perform to be computed over a distinct piece of knowledge,” Upton says, “managed by the attacker. If that knowledge is a legitimate signed firmware, the signature test will go, and the attacker’s unsigned firmware will run!” That is erratum E24, and once more has no recognized mitigation — however ought to be addressed in a future RP2350 chip revision.
The fourth and remaining successful entry comes from the researchers at IOActive, and is the one one requiring a serious funding in superior {hardware} to take advantage of: “An attacker in possession of an RP2350 gadget, in addition to entry to semiconductor deprocessing gear and a targeted ion beam (FIB) system, might extract the contents of the antifuse bit cells as plaintext in a matter of days,” the corporate explains. “Whereas a FIB system is a really costly scientific instrument (costing a number of hundred thousand USD, plus ongoing working bills within the tens of hundreds per 12 months), it’s doable to hire time on one at a college lab for round $200/hour for machine time or round two to a few occasions this for machine time plus a educated operator to run it.”
“The prompt mitigation for this assault is to make use of a ‘chaffing’ method, storing both {0, 1} or {1, 0} in every pair of bit cells, because the assault in its present kind is unable to tell apart between these two states,” Upton notes of the vulnerability, which isn’t believed to be unique to the RP2350 and has not been given an erratum quantity. “To protect in opposition to a hypothetical model of the assault which makes use of circuit modifying to tell apart between these states, it is strongly recommended that keys and different secrets and techniques be saved as bigger blocks of chaffed knowledge, from which the key is recovered by hashing.”
Entry a targeted ion beam (FIB) system supplied a path for IOActive to defeat the RP2350’s safety system. (📷: IOActive)
Lastly, a fifth assault was demonstrated by Thomas Roth at Hextree, in collaboration with Colin O’Flynn at NewAE. Whereas a fee from Raspberry Pi itself and thus not thought-about a legitimate entry to the competitors, the researcher’s work revealed vulnerability to electromagnetic fault injection (EMFI) which might each corrupt the OTP reminiscence and result in potential side-channel timing assaults. Additional investigation revealed a strategy to bypass protections utilizing “precisely-timed faults” utilizing EMFI. The vulnerability, dubbed erratum E21, has what Upton describes as “a number of efficient mitigations” — although one among these comes at the price of dropping the power to flash new firmware over USB.
“Whereas the principles specify a single $20,000 prize for the ‘greatest’ assault,” Upton notes, “we have been so impressed by the standard of the submissions that we’ve chosen to pay the prize in full for every of them. As anticipated, we have discovered loads. Particularly, we have revised downward our estimate of the effectiveness of our glitch detection scheme; the issue of reliably injecting a number of faults even within the presence of timing uncertainty; and the fee and complexity of laser fault injection. We’ll take these classes into consideration as we work to harden future chips, and anticipated future steppings of RP2350.”
Upton has additionally pledged a second seize the flag competitors to observe, this time specializing in an in-house implementation of the AES cryptographic algorithm which is believed to be hardened in opposition to side-channel assaults. Extra data is accessible on the Raspberry Pi web site, together with — the place obtainable — hyperlinks to papers detailing every of the assaults.
