Security

Unlocking Hardware Security: Red Team, Blue Team, and Trojan Tales

Ensuring the integrity of Integrated Circuits (ICs) against malicious hardware Trojans is paramount for secure electronic devices. One approach involves imaging the manufactured chips to compare them with their original design files. While such techniques for detecting Trojans are relatively well-known in the industry, there is a notable absence of comprehensive, publicly available case studies. To bridge this gap, we unveil a Red Team vs. Blue Team case study on hardware Trojan detection across four digital ICs in various modern feature sizes. We share our findings, algorithms, and image datasets, shedding light on the efficiency of these techniques, and offer insights into the impact of technology scaling on detection performance.
We love to put microcontrollers, systems-on-a-chip and many other Integrated Circuits (ICs) into all sorts of devices. As hardware backdoors can undermine software security, the integrity of these chips is becoming increasingly important. However, most of these microchips are manufactured in a complex global supply chain where not all parties can necessarily be trusted. Who guarantees that the chip we order is the chip we get delivered? While the European Union wants to ensure digital sovereignty through massive long-term investment in domestic IC production, we need a way to verify the integrity of microchips today. In this talk, we will first briefly cover the basics of the IC design and production process. We will outline common attacks that enable the insertion of subtle malicious manipulations or backdoors, often called hardware Trojans. You don't need to have a hardware background to follow along! We then introduce some techniques we can use to detect hardware manipulations by comparing the circuit within a microchip to its original design files by reverse engineering the chip using open-source image processing. While imaging an IC requires advanced laboratory equipment, commodity hardware is sufficient to analyze the captured images. In the main part of our talk, we will present a case study on Trojan detection based on four different digital ICs using a Red Team vs. Blue Team approach, and give a live demonstration. We will share what manipulations of our Red Team we are already able to find reliably, and where some work is still needed -- and we're calling on you to play with our algorithms and have a go at uncovering the Trojans that are still well-hidden. Of course, we have made our source code and entire image datasets available under a free and open license. We'll conclude with an insight into the working process of our Blue Team -- what we learned, and how we failed -- and give an outlook on how we can lower the entry barrier into IC reverse engineering, unlocking the hardware security field for all.

Additional information

Live Stream https://streaming.media.ccc.de/37c3/zuse
Type lecture
Language English

More sessions

12/27/23
Security
stacksmashing
Saal 1
Hardware hacking tooling for the new iPhone generation If you've followed the iPhone hacking scene you probably heard about cables such as the Kanzi Cable, Kong Cable, Bonobo Cable, and so on: Special cables that allow access to hardware debugging features on Lightning-based iPhones such as UART and JTAG. However with the iPhone 15, all of those tools became basically useless: USB-C is here, and with that we need new hardware and software tooling. This talk gives you a brief history of iPhone ...
12/27/23
Security
Kevin Gomez
Saal Granville
The importance and relevance of vehicles in investigations are increasing. Their digital capabilities are rapidly growing due to the introduction of additional services and features in vehicles and their ecosystem. In this talk on automotive digital forensics, you will embark on a journey through the cutting-edge world of automotive technology and the critical role digital forensics plays in this domain. We will explore the state-of-the-art methods and tools to investigate modern vehicles, ...
12/27/23
Security
Saal Granville
Tesla's driving assistant has been subject to public scrutiny for good and bad: As accidents with its "full self-driving" (FSD) technology keep making headlines, the code and data behind the onboard Autopilot system are well-protected by the car manufacturer. In this talk, we demonstrate our voltage-glitching attack on Tesla Autopilot, enabling us root privileges on the system.
12/27/23
Security
Saal 1
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of ...
12/27/23
Security
Saal Zuse
Elektronische Arbeitsunfähigkeitsbescheinigungen (eAU), Arztbriefe, medizinische Diagnosen, all diese sensiblen Daten werden heute mittels KIM – Kommunikation im Gesundheitswesen – über die Telematikinfrastruktur (TI) verschickt. Aber ist der Dienst wirklich sicher? Wer kann die Nachrichten lesen, wo werden die E-Mails entschlüsselt und wie sicher ist die KIM-Software? Im Live-Setup einer Zahnarztpraxis haben wir Antworten auf diese Fragen gesucht.
12/27/23
Security
Saal 1
This talk will present details of the TETRA:BURST vulnerablities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure relying on secret cryptographic algorithms which we reverse-engineered and published in August 2023. Adding to our initial disclosure, this talk will present new details on our deanonymization attack and provide ...
12/27/23
Security
muelli
Saal Granville
We present an analysis and recovery method for files encrypted by Black Basta, the "second most used ransomware in Germany". We analysed the behaviour of a ransomware encryptor and found that the malware uses their keystream wrongly, rendering the encryption vulnerable to a known-plaintext attack which allows for recovering affected files. We confirmed the finding by implementing tools for recovering encrypted files. We have made our tools for decrypting files without access to the actual key ...