When hardware attacks are discussed, non- and semi-invasive techniques are always considered, whereas fully invasive attacks are often not properly evaluated and are simply tagged as a residual threat.
In this talk, we will describe the threat model associated with brand protection for consumable electronic devices, which can be found in printer cartridges, video game peripherals and many other consumer electronic devices. OEMs are aware of the threat and embed Secure Elements (SEs) in their products to limit competition, as SEs represent the pinnacle in terms of security.
Well-funded organizations, on the other side, exploit the legality of selling compatible products to take over the market with lower prices. To do so, they often have to uncover the secrets contained within the SE. This is where invasive attacks, which rely on reverse-engineering the Integrated Circuit (IC) and extracting its firmware and data, are used the most.
This talk will describe the analysis process of one of these SEs. It is very typical in this situation that the analysis is conducted in a black-box scenario, as the security of these ICs is (at least) partially based on obscurity. As a consequence, the talk will describe the hacker's thought process on top of the technical side of the analysis.
The process of extracting the hardware and firmware will be discussed, with a focus on the SE ROM, which is the primary target for that kind of analysis. The talk will therefore illustrate digital netlist extraction as well as countermeasure bypass, illustrated with the full deactivation of the « protective » mesh/shield followed by ROM extraction and descrambling.
The talk will thus aim at evaluating the security of SEs when attacked by « cloners » as part of the threat model described in the introduction. This will be briefly discussed in the talk's conclusion.
Olivier THOMAS studied Electrical Engineering (EE) and subsequently worked for a major semiconductor manufacturer designing analog circuits. Olivier then began to work in the field of Integrated Circuit (IC) security as the head of one of the world’s leading IC Analysis Labs. The lab primarily focused on securing future-generation devices as well as developing countermeasures for current-generation devices to combat piracy and counterfeiting. During this time Olivier helped develop many new and novel techniques for semi- and fully-invasive IC analysis. He has an extensive background in all the Failure Analysis techniques and equipment necessary for accessing vulnerable logic on a target device. Combined with his experience as an IC design engineer, Olivier continues to develop techniques for automating the analysis process. These techniques are applicable not only to lower-complexity devices such as smartcards, which are the traditional targets for IC analysis, but also to modern semiconductor devices with millions of gates, such as modern System-on-Chips (SoCs). Olivier is the creator of ChipJuice, a software toolchain that efficiently performs the recovery of hardware designs, independently of their technology node and architecture.