Beaumont describes the RayV Lite as part of a larger trend she calls the “domestication of tooling”: Devices like the ChipWhisperer and HackRF have made electromagnetic or radio-based hacking techniques vastly cheaper and more accessible. The RayV Lite, she hopes, will do the same for lasers. “It’s significant,” says Adam Laurie, a longtime hardware hacker and current head of product security at electric vehicle charging firm Alpitronic, who reviewed Beaumont and Trowell’s laser hacking work. “It moves the tools from the super-expensive academic or state-actor platform to the garage, where the really inventive stuff happens.”
As they built the RayV Lite, Beaumont and Trowell focused on two distinct laser hacking methods. One is laser fault injection, or LFI, which uses a brief blast of light to mess with the charges of a processor’s transistors, “flipping bits” from 1 to 0 or vice versa. In some cases, carefully triggering those bit flips can cause far larger effects. For one automotive chip that Beaumont tested, for instance, glitching the chip with a laser at a certain moment can prevent a security check that puts the chip’s firmware in a protected state, thus leaving it unprotected and letting her scan through its otherwise obfuscated code to find vulnerabilities.
Many cryptocurrency wallets, too, are vulnerable to forms of LFI, Beaumont and Trowell say, such as glitching the chip at the moment it’s asking for a PIN to unlock the cryptographic key to access the owner’s funds. “You take the chip off the crypto wallet, hit it with a laser at the right time, and it will just assume you have the PIN,” says Trowel. “It just jumps through the instructions and gives the key back.”
A second laser-hacking technique, known as laser logic state imaging, focuses instead on surveilling a chip’s architecture and activity in real time, bouncing laser light off of it, and capturing the results (much like a camera or microscope), and then analyzing them—in Beaumont and Trowell’s work, this was often done with the help of machine learning tools. Because a laser’s light bounces off silicon differently based on its electrical charge, that trick allows hackers to map out not only the physical layout of a processor but also the data its transistors store, essentially vivisecting the chip to pull out hints about the data and code it’s handling, which could include sensitive secrets.
In the first iteration of RayV Lite, Beaumont and Trowell are building designs for the tool in two different versions, one for each of those two laser hacking techniques. They’re releasing only the laser fault injection model for now, and hope to debut the laser logic state imaging version in a matter of months. Both will use the same fundamental components and the same DIY cost-cutting tricks. The body of the tool, for instance, is ba
sed on an open source 3D-printable microscope model called OpenFlexure, which uses the flexibility of 3D-printable PLA plastic to achieve precise aiming of the laser. The target chip is mounted on a chassis fixed to printed plastic levers that are bent to small degrees by stepper motors, allowing tiny, precise movements in three dimensions. With that plastic bending trick and a laser focused through a lens, Beaumont and Trowell say, the RayV can target transistors—or rather, groups of them—down to the nanometer scale. (PLA plastic does wear out, Beaumont admits. But she also notes that the entire body of the RayV Lite can simply be printed again for a few dollars.)
+ There are no comments
Add yours