Nearly every week I read in the popular press another story of a major company being hacked: Twitter, Slack, LastPass, GitHub, Uber, Medibank, Microsoft, American Airlines. What is less reported, yet still important are hardware-oriented hacking attempts at the board-level to target a specific chip, using voltage Side-Channel Attacks (SCA). To delve deeper into this topic I read a white paper from Agile Analog, and they provide IP to detect when a voltage side-channel attack is happening, so that the SoC logic can take appropriate security counter-measures.
Agile Analog has created a rather crafty IP block that plays the role of security sensor by measuring critical parameters like voltage, clock and temperature. Here’s the block diagram of the agileGLITCH monitor, comprised of several components:
The Bandgap component ensures a voltage reference, and operates across a wider voltage span to provide glitch monitoring. You may increase accuracy optionally using production trimming.
Each reference selector has a configurable input voltage to the programmable comparators, allowing you to adjust the glitch side. You would adjust the thresholds if your core is using Dynamic Voltage Frequency Scaling (DVFS).
There are two programmable comparators, one for positive voltage glitches, and the other for negative glitch detection. You get to configure the thresholds for glitch detection, and the level-shifters enable the IOs to use the core supply.
The logic following each comparator provides control of enables based on the digital inputs, latching momentary events on the output of comparators, disabling outputs while testing, and 3-way majority voting on the latched outputs.
Not shown in the block diagram is an optional ADC component to measure the supply value, something useful for lifetime issues, or measuring performance degradation.
Consider an IOT security device like a wireless door lock to a home, where a malicious person gains access to the lock and uses voltage SCA to enter debug mode of the device, reading all of the authorized keys for the lock. With agileGLITCH embedded, the IOT device detects and records the voltage glitch, alerting the cloud system of an attack, noting the date and time.
A security camera has been compromised using voltage SCA to get around the boot-signing sequence, allowing agents to reflash using hacked firmware. This kind of exploit lets the hacker view the video and audio stream, violating privacy and setting up a blackmail scenario. Using the agileGLITCH counter-measure, the camera system detects voltage glitch events, then stops any unknown code to be flashed, plus it could report to the consumer that the device was compromised before they purchased it.
An automotive supply regulator tests OK at the factory, however over time, during high load conditions, the voltage degrades and eventually fails. The agileGLITCH sensor is a key component of a system that could measure voltage degradation over time (using an ADC and digital data monitor), and report back to the automotive vendor so that they can issue a recall in order to repair or replace the supply regulator. The trend is to provide remote automotive fixes, over the air.
A hacker wants to remove Digital Rights Management (DRM) from a satellite system, installing a voltage glitcher on the HDMI controller supply to reset the HDMI output to be non-HDCP validated. Counter-measures in agileGLITCH detect voltage glitching, safeguarding the HDMI controller from tampering.
Hacking is happening every day, all around the world, and the exploits continue to grow in complexity and penetration. Voltage SCA is a hacking technique used when the bad actors have physical access to the electronics and they use supply glitching techniques to put the system into a vulnerable state, but this approach only works if there are no built-in counter-measures. With an approach like agileGLITCH embedded inside an electronic device, then these voltage SCA hacking attempts can be identified and thwarted, before any unwanted changes are made. An ounce of prevention is worth a pound of cure, and that applies to SCA mitigation.
To download and read the entire white paper, visit the Agile Analog site and complete a short registration process.
Share this post via: