On the Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-invasive Physical Attacks View Full Text


Ontology type: schema:Chapter     


Chapter Info

DATE

2022-03-26

AUTHORS

Lennert Wouters , Benedikt Gierlichs , Bart Preneel

ABSTRACT

We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob.This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed. More... »

PAGES

143-163

Book

TITLE

Constructive Side-Channel Analysis and Secure Design

ISBN

978-3-030-99765-6
978-3-030-99766-3

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-030-99766-3_7

DOI

http://dx.doi.org/10.1007/978-3-030-99766-3_7

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1146561565


Indexing Status Check whether this publication has been indexed by Scopus and Web Of Science using the SN Indexing Status Tool
Incoming Citations Browse incoming citations for this publication using opencitations.net

JSON-LD is the canonical representation for SciGraph data.

TIP: You can open this SciGraph record using an external JSON-LD service: JSON-LD Playground Google SDTT

[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0801", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Artificial Intelligence and Image Processing", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.5596.f", 
          "name": [
            "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Wouters", 
        "givenName": "Lennert", 
        "id": "sg:person.014146440433.96", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014146440433.96"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.5596.f", 
          "name": [
            "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Gierlichs", 
        "givenName": "Benedikt", 
        "id": "sg:person.013777364607.95", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013777364607.95"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium", 
          "id": "http://www.grid.ac/institutes/grid.5596.f", 
          "name": [
            "imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Preneel", 
        "givenName": "Bart", 
        "id": "sg:person.011115044357.39", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011115044357.39"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2022-03-26", 
    "datePublishedReg": "2022-03-26", 
    "description": "We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob.This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed.", 
    "editor": [
      {
        "familyName": "Balasch", 
        "givenName": "Josep", 
        "type": "Person"
      }, 
      {
        "familyName": "O\u2019Flynn", 
        "givenName": "Colin", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-030-99766-3_7", 
    "isAccessibleForFree": false, 
    "isPartOf": {
      "isbn": [
        "978-3-030-99765-6", 
        "978-3-030-99766-3"
      ], 
      "name": "Constructive Side-Channel Analysis and Secure Design", 
      "type": "Book"
    }, 
    "keywords": [
      "circuit manufacturing process", 
      "physical attacks", 
      "product design phase", 
      "manufacturing process", 
      "microcontroller", 
      "Texas Instruments", 
      "design phase", 
      "differential fault analysis attacks", 
      "side-channel attacks", 
      "key fob", 
      "fault injection attacks", 
      "fault analysis attacks", 
      "secure boot", 
      "injection attacks", 
      "attack techniques", 
      "static analysis", 
      "analysis attacks", 
      "system designers", 
      "practical applicability", 
      "analysis methodology", 
      "bootloader", 
      "attacks", 
      "firmware", 
      "adversary", 
      "case study", 
      "information", 
      "manufacturers", 
      "emulation", 
      "designers", 
      "phase", 
      "vulnerability", 
      "functionality", 
      "AES", 
      "applicability", 
      "process", 
      "technique", 
      "methodology", 
      "work", 
      "access", 
      "seconds", 
      "account", 
      "goal", 
      "analysis", 
      "boots", 
      "instrument", 
      "study", 
      "FOB", 
      "susceptibility", 
      "paper"
    ], 
    "name": "On the Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-invasive Physical Attacks", 
    "pagination": "143-163", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1146561565"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-030-99766-3_7"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-030-99766-3_7", 
      "https://app.dimensions.ai/details/publication/pub.1146561565"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-09-02T16:17", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220902/entities/gbq_results/chapter/chapter_397.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-030-99766-3_7"
  }
]
 

Download the RDF metadata as:  json-ld nt turtle xml License info

HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-99766-3_7'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-99766-3_7'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-99766-3_7'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-030-99766-3_7'


 

This table displays all metadata directly associated to this object as RDF triples.

127 TRIPLES      22 PREDICATES      73 URIs      66 LITERALS      7 BLANK NODES

Subject Predicate Object
1 sg:pub.10.1007/978-3-030-99766-3_7 schema:about anzsrc-for:08
2 anzsrc-for:0801
3 schema:author N8a1a9ce2e2894c7e93f842cd708dd839
4 schema:datePublished 2022-03-26
5 schema:datePublishedReg 2022-03-26
6 schema:description We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob.This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed.
7 schema:editor N5cd6f93ca98f45d9b7ebe13c5f40fa31
8 schema:genre chapter
9 schema:isAccessibleForFree false
10 schema:isPartOf N6233fe9f6c334dfdabe0c2a9ffd5a31f
11 schema:keywords AES
12 FOB
13 Texas Instruments
14 access
15 account
16 adversary
17 analysis
18 analysis attacks
19 analysis methodology
20 applicability
21 attack techniques
22 attacks
23 bootloader
24 boots
25 case study
26 circuit manufacturing process
27 design phase
28 designers
29 differential fault analysis attacks
30 emulation
31 fault analysis attacks
32 fault injection attacks
33 firmware
34 functionality
35 goal
36 information
37 injection attacks
38 instrument
39 key fob
40 manufacturers
41 manufacturing process
42 methodology
43 microcontroller
44 paper
45 phase
46 physical attacks
47 practical applicability
48 process
49 product design phase
50 seconds
51 secure boot
52 side-channel attacks
53 static analysis
54 study
55 susceptibility
56 system designers
57 technique
58 vulnerability
59 work
60 schema:name On the Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-invasive Physical Attacks
61 schema:pagination 143-163
62 schema:productId N4fac5f832b8146d7aacfb0159e5a0c03
63 N871f8fdb8a6848dead087f6a03ec501f
64 schema:publisher N62405bf584514bd5986493a3c434ed9f
65 schema:sameAs https://app.dimensions.ai/details/publication/pub.1146561565
66 https://doi.org/10.1007/978-3-030-99766-3_7
67 schema:sdDatePublished 2022-09-02T16:17
68 schema:sdLicense https://scigraph.springernature.com/explorer/license/
69 schema:sdPublisher N6397d1e3b7704a81a3fae41458299ae5
70 schema:url https://doi.org/10.1007/978-3-030-99766-3_7
71 sgo:license sg:explorer/license/
72 sgo:sdDataset chapters
73 rdf:type schema:Chapter
74 N08204c082f0d4702b39ed520db15d08c schema:familyName O’Flynn
75 schema:givenName Colin
76 rdf:type schema:Person
77 N1c9797603e614cdcac1a61331848322d rdf:first sg:person.011115044357.39
78 rdf:rest rdf:nil
79 N4fac5f832b8146d7aacfb0159e5a0c03 schema:name doi
80 schema:value 10.1007/978-3-030-99766-3_7
81 rdf:type schema:PropertyValue
82 N5cd6f93ca98f45d9b7ebe13c5f40fa31 rdf:first Ne341ca2075d34acbb5e256bf5233eaed
83 rdf:rest N91383c112cda4326b4a9cdb8bff5307c
84 N6233fe9f6c334dfdabe0c2a9ffd5a31f schema:isbn 978-3-030-99765-6
85 978-3-030-99766-3
86 schema:name Constructive Side-Channel Analysis and Secure Design
87 rdf:type schema:Book
88 N62405bf584514bd5986493a3c434ed9f schema:name Springer Nature
89 rdf:type schema:Organisation
90 N6397d1e3b7704a81a3fae41458299ae5 schema:name Springer Nature - SN SciGraph project
91 rdf:type schema:Organization
92 N871f8fdb8a6848dead087f6a03ec501f schema:name dimensions_id
93 schema:value pub.1146561565
94 rdf:type schema:PropertyValue
95 N8a1a9ce2e2894c7e93f842cd708dd839 rdf:first sg:person.014146440433.96
96 rdf:rest Nc7a0eb99e5b54b1798b5c07564d7e661
97 N91383c112cda4326b4a9cdb8bff5307c rdf:first N08204c082f0d4702b39ed520db15d08c
98 rdf:rest rdf:nil
99 Nc7a0eb99e5b54b1798b5c07564d7e661 rdf:first sg:person.013777364607.95
100 rdf:rest N1c9797603e614cdcac1a61331848322d
101 Ne341ca2075d34acbb5e256bf5233eaed schema:familyName Balasch
102 schema:givenName Josep
103 rdf:type schema:Person
104 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
105 schema:name Information and Computing Sciences
106 rdf:type schema:DefinedTerm
107 anzsrc-for:0801 schema:inDefinedTermSet anzsrc-for:
108 schema:name Artificial Intelligence and Image Processing
109 rdf:type schema:DefinedTerm
110 sg:person.011115044357.39 schema:affiliation grid-institutes:grid.5596.f
111 schema:familyName Preneel
112 schema:givenName Bart
113 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011115044357.39
114 rdf:type schema:Person
115 sg:person.013777364607.95 schema:affiliation grid-institutes:grid.5596.f
116 schema:familyName Gierlichs
117 schema:givenName Benedikt
118 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013777364607.95
119 rdf:type schema:Person
120 sg:person.014146440433.96 schema:affiliation grid-institutes:grid.5596.f
121 schema:familyName Wouters
122 schema:givenName Lennert
123 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014146440433.96
124 rdf:type schema:Person
125 grid-institutes:grid.5596.f schema:alternateName imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium
126 schema:name imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium
127 rdf:type schema:Organization
 




Preview window. Press ESC to close (or click here)


...