Paper 2022/328

On the susceptibility of Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks

Lennert Wouters, Benedikt Gierlichs, and Bart Preneel

Abstract

We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows an adversary to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob. This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. Workshop on Constructive Side-Channel Analysis and Secure Design 2022
Keywords
SimpleLink, Firmware recovery, Fault injection, Side-channel analysis
Contact author(s)
lennert wouters @ esat kuleuven be
benedikt gierlichs @ esat kuleuven be
History
2022-03-14: received
Short URL
https://ia.cr/2022/328
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/328,
      author = {Lennert Wouters and Benedikt Gierlichs and Bart Preneel},
      title = {On the susceptibility of Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2022/328},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/328}},
      url = {https://eprint.iacr.org/2022/328}
}