« previous next »
Pages: [1]   Go Down

Author Topic: Tarnovsky does it again; cracks Infineon SLE 66  (Read 2007 times)

0 Members and 1 Guest are viewing this topic.

Offline labud

  • Administrator
  • Hero Member
  • *****
  • Posts: 9026
Tarnovsky does it again; cracks Infineon SLE 66
« on: February 07, 2010, 09:40:38 PM »
 Tarnovsky does it again; cracks Infineon SLE 66

Researcher Cracks Security Of Widely Used Computer Chip
Electron microscopy could enable criminals to develop counterfeit chips, Tarnovsky says at Black Hat DC

Feb 02, 2010 | 08:55 PM
By Tim Wilson
DarkReading

WASHINGTON, D.C. -- Black Hat DC Conference 2010 -- The ultra-secure technology used to protect some of the world's most commonly used microchips might not be so secure, a researcher said here today.

Christopher Tarnovsky, a researcher at Flylogic Engineering who has made a business of hacking "unhackable" chip technology and other hardware, was at it again today with the revelation of vulnerabilities in the Infineon SLE 66 CL PE chip, which is widely used in computers, gaming systems, identity cards, and other electronics.

Tarnovsky offered a step-by-step explanation of his successful efforts to exploit the chip's defenses using electron microscopy. During the course of about nine months, Tarnovsky said he was able to bypass the chip's myriad defenses and tap into its stored information without detection or chip failure.

"I'm not saying it was easy, but this technology is not as secure as some vendors would like you to think," Tarnovsky said.

Using a painstaking process of analyzing the chip, Tarnovsky was able to identify the core and create a "bridge map" that enabled the bypass of its complex web of defenses, which is set up to disable the chip if tampering occurs. After creating the map, he used ultra-small needles to tap into the data bus -- without disturbing the protective mesh -- and essentially "read" all of the chip's stored data, including encryption keys and unique manufacturing information.

Using this data, criminals could potentially re-create the chip in order to develop counterfeit systems or subvert widely used systems, Tarnovsky said. Such exploits could allow criminals to break through the defenses of pay TV services, medical ID systems, or even Microsoft's much-vaunted Xbox license chip, he said.

Tarnovsky said he has informed Infineon of the flaws he has discovered, but so far the company has not responded. "Their initial reaction was to tell me that what I'd done was impossible," he said. "Then when I sent them some video and the code that I just showed [to the Black Hat audience], they went quiet. I have not heard back from anybody."

In addition to Infineon, Tarnovsky said he informed officials at the Trusted Platform Module (TPM) standards organization, which sets security guidelines for the widely used PC chip standard. But he has not heard back from them, either.

Tarnovsksy said he believes similar exploits would be possible with other chips as well as Infineon's, though he has not attempted them yet. The exploits would not be easy to reproduce -- Tarnovsky said he went through many chips and many needles, and electron microscope time costs $350 per hour. "But the reason it took so long was not so much what the vendors have done, but me learning how to do it," he said. "Once you know what to do, it's not incredibly hard."
...




You are not allowed to view links. Register or Login
__________________
Logged
-----------------------------------------------








UNAUTHORIZED DECODING OF ENCRYPTED SIGNALS FROM EITHER DOMESTIC OR FOREIGN PROVIDERS IS AGAINST THE LAW !!!
INFORMATION CONTAINED IN MY POSTS ["C/P FROM ANOTHER SITE"] ARE FOR LEARNING AND EDUCATIONAL PURPOSES ONLY !!!
PLEASE, DO NOT SEND ME PRIVATE MESSAGES WITH TECHNICAL QUESTIONS, USE FORUM FOR IT !!!

Offline labud

  • Administrator
  • Hero Member
  • *****
  • Posts: 9026
Re: Tarnovsky does it again; cracks Infineon SLE 66
« Reply #1 on: February 12, 2010, 05:12:07 AM »
SAN FRANCISCO - Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former US Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.



But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the US Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"

Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation.

Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.

When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.

Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it.

If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.

"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, California, and demonstrated his hack last week at the Black Hat security conference in Arlington, Virginia.

The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft's Xbox 360 game console and smart phones.

That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorised accessories that circumvent security protocols are not certified to meet our safety and compliance standards."

The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.

Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.

"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."

The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack - given enough time, specialised equipment, know-how and money - was impossible. No form of security can ever be held to that standard."

It stood by TPM chips as the most cost-effective way to secure a PC.

It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.

Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.

Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.

Even once he had done all that, he said he still had to exploit the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defence.

"This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.

Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.

"His work is the next generation of hardware hacking," Grand said. im glad hes on our side not theres because we would be in real big trouble if he worked for dn or bev and i am glad hes a friend not a ennemy
__________________
Logged
-----------------------------------------------








UNAUTHORIZED DECODING OF ENCRYPTED SIGNALS FROM EITHER DOMESTIC OR FOREIGN PROVIDERS IS AGAINST THE LAW !!!
INFORMATION CONTAINED IN MY POSTS ["C/P FROM ANOTHER SITE"] ARE FOR LEARNING AND EDUCATIONAL PURPOSES ONLY !!!
PLEASE, DO NOT SEND ME PRIVATE MESSAGES WITH TECHNICAL QUESTIONS, USE FORUM FOR IT !!!
Pages: [1]   Go Up
« previous next »