What do potato chips and lost car keys have in common? On the surface, it would seem not much, unless you somehow managed to lose your keys in a bag of chips, which would be embarrassing enough that you’d likely never speak of it. But there is a surprising link between the two, and Samy Kamkar makes the association in his newly published 2019 Superconference talk, which he called “FPGA Glitching and Side-Channel Attacks.”
Information on the Side
Most of Samy’s talk is devoted to explaining the nature of side-channel attacks, which he defines as “information you’re gathering from an implementation rather than the algorithm or system itself.” I found that to be a particularly instructive way to think about side-channel attacks, since they provide what is often a completely unforeseen way into a system despite there being no direct vulnerabilities of the kind usually associated with exploits, such as software bugs or weaknesses in cryptographic systems.
The world of side-channel attacks that Samy describes is a weird place where attacks can come literally out of the blue. They can squeeze information from the slightest of signals, like snooping into what a user is typing by monitoring the unique mechanical vibrations of each key, either with a microphone or by bouncing a laser off the machine to pick up induced vibrations. Ultrasonic attacks based on electrostrictive vibrations of capacitors that betray the internal state of the target machine are possible, as are attacks based on the slight changes in power usage as a target goes through its paces. And some of these side-channel attacks can even target air-gapped machines, which is nightmare fuel for security pros.
And it’s not even just computers that can be compromised with a side-channel attack. Samy related a story of security researchers who managed to exfiltrate a normal conversation from a sealed, soundproof room simply by pointing a DSLR camera through a window at a potato chip bag on the table. The bag vibrated slightly with the air pressure changes caused by the voices in the room, enough to create a signal in the video captured by the camera. Side-channel attacks seem to be limited only by the imagination of the attacker.
Samy also spent a lot of time talking about fault injection attacks. We’ve featured a few of these recently, including attacks on smart speakers using lasers to induce a signal on the MEMS microphone, making Alexa do your bidding remotely. Samy relates that and similar attacks on drone IMUs with ultrasound, which we found fascinating. Yet wilder are temperature attacks, where memory chips are flash-frozen with a blast of propellant from a gas duster; by cooling down the capacitors in a memory chip, it can extend the discharge time long enough to remove the chip and dump its contents using another device, potentially exposing passwords or other sensitive information.
Perhaps the most interesting technique Samy explained was instruction skipping. Clock glitches are slightly malformed pulses in the normal stream of clock pulses in any computer system. Time a clock glitch just right, and you can force a CPU to skip over parts of the code it’s executing, possibly even the part that checks passwords. Voltage glitches, where the CPU is strategically starved of power, can accomplish much the same thing. Samy even detailed a few examples of glitch attacks that can be performed easily on an Arduino or even on the amazing FPGA-powered Hackaday Supercon badge.
But what about the lost car keys? Where do they fit into all of this? Starting in the early 2000s car manufacturers
invented yet another way to pry money out of customers decided to increase the security of their cars by adding RFID chips to every key. Lose a key and it’ll cost you big bucks to get the security code in a new key programmed into the ignition system of the car and allow you to drive your car again. Unless, of course, you use a side-channel attack to figure out the encryption key and set up something to spoof that code so you can start the car with a plain old key. That’s just one of the many tools Samy’s talk put in everyone’s toolbox with this talk.