CHIP.FAIL

Glitching the silicon of the Internet-of-Things.

Interested in learning more about IoT & embedded security? Join our IoT hacking training in October in Berlin!

Learn more

Introduction

Most modern connected devices are based around microcontrollers. Often, the security of those microcontrollers is not part of the threat model of the device: The inherent trust in the microcontroller just working correctly is huge. This can be seen for example on research such as wallet.fail, where a boot-ROM vulnerability in the STM32F2 microcontrollers was used to steal cryptocurrency funds from a hardware wallet.

With chip.fail, we attempt to bring fault-injection (aka glitching) attacks to the masses by providing a very affordable, off-the-shelf toolkit for conducting FI-susceptibility testing in-situ.

chip.fail was first presented at Black Hat USA 2019 - the slides can be found here.

The targets we were able to glitch during our research include, but are not limited to:

  • STMicroelectronics STM32F2 (incl. a vulnerability that allows downgrading the read-out protection)
  • Espressif ESP32
  • Microchip SAM L11 Secure Microcontroller
  • Microchip SAM D21
  • Nordic Semiconductor nRF52840

The goal of chip.fail is to provide hardware developers and hardware auditors with an easy-to-use framework for testing the susceptability of chips for glitching.

Who are we?

Thomas Roth

Thomas Roth

Thomas Roth is an embedded and IoT security researcher and founder of leveldown security. Thomas was named as one of the 30 under 30 in Technology by the Forbes Magazine. His main focus is on IoT, automotive and embedded security, with published research on topics such as ARM TrustZone, payment terminals, hardware wallet security and industrial security.
Josh Datko

Josh Datko

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. He’s been glitching hardware wallets since 2017, running Cryptotronix since 2013, operating ham radio since 2007, and telling amazing sea stories since birth.
Dmitry Nedospasov

Dmitry Nedospasov

Dmitry Nedospasov is a hardware design and security engineer, security researcher, trainer, speaker and reverse-engineerer. In 2014 Dmitry completed his PhD (Dr-Ing.) in hardware security at TU Berlin.

Getting started

We are currently working on a getting started guide. Follow the Github repository for news!

Equipment needed

The chip.fail glitcher is based on an FPGA module produced by Digilent:

As multiplexer for providing interruptable power and for controlling the glitch-pulse, we use the Maxim MAX4619 Multiplexer, for which we have designed a custom PCB that plugs right into the Cmod A7. Feel free to ask us (in person or by e-mail) for a PCB, the schematic & design files can also be found here:

A power-supply is used to feed in the core voltage to the CPU. In our case, we used the DSP3003/DPS3005/DPS5005 power supplyes that can be found for cheap on sites like Amazon, Alibaba etc.

Source-code

The source-code for FPGA can be found here, it also includes the Jupyter Notebooks used to control the glitcher: