DeepCover DS28C36: A Hardware Vulnerability Identification and Exploitation Using T-Test and Double Laser Fault Injection

Karim M. Abdellatif and Olivier Hériveaux
Ledger, Donjon
karim.abdellatif@ledger.fr, olivier.heriveaux@ledger.fr

Abstract—DeepCover [6] is a secure authenticator circuit family developed by Analog Devices. It was designed to provide cryptographic functions, true random number generation, and secure EEPROM storage. The DS28C36 is a member of the DeepCover family and is widely used for secure boot and secure download in IoT devices. It has recently been deployed in the Coldcard Mk4 hardware wallet [3] as a second secure element to enhance its security. In this paper, we present, for the first time, a detailed evaluation of the DS28C36 secure EEPROM against Laser Fault Injection (LFI). In a black-box setting, we show experimentally that the chip resists single-fault attacks. To overcome this, we use a leakage detection method, Welch’s T-test, to find the correct moments for injecting faults; this is uncommon in Fault Injection (FI), as the method has so far been used only for Side-Channel Attacks (SCAs). Using this knowledge, we found two moments for injecting laser pulses that extract the protected EEPROM user pages with a 99% success rate. The attack can be reproduced within a day. The presented attack negatively impacts the users of the DS28C36 (including Coldcard Mk4).

Keywords—DeepCover, DS28C36, Laser Fault Injection, Secure EEPROM.

I. INTRODUCTION

Hardware security continues to be a high priority for embedded systems vendors. Systems such as secure elements rely on strong hardware security to prevent device-level attacks. Such threats appear at the circuit level, where an attacker can measure or physically influence the computation performed by the circuit. Side-channel attacks (SCAs) exploit additional sources of information (physical observations), such as environmental parameters of the device during its operation: timing, power consumption, electromagnetic (EM) emissions, and sound. Fault attacks cause malicious data modifications; faults can be injected using laser/optical [15], electromagnetic [5] [1], and glitch (power and clock) [14] techniques. These attacks pose a serious threat to modern chips.

According to Analog Devices, DeepCover secure authenticators [6] integrate advanced physical security to offer the highest level of protection against physical tampering and reverse engineering. The DS28C36 [7] is a DeepCover secure authenticator with the following features:

- ECC-256 computation engine
- FIPS 180 SHA-256 computation engine
- SHA-256 OTP (One-Time Pad) encrypted R/W of configurable memory through ECDH established key
- RNG with NIST SP 800-90B compliant entropy source with function to read out
- 17-Bit one-time settable, nonvolatile decrement-only counter with authenticated read
- 8Kbits of EEPROM for user data, keys, and certificates

According to the vendor’s short data sheet [7], to provide the most secure key storage, DeepCover embedded security solutions mask sensitive data under multiple layers of advanced security. Invasive and noninvasive countermeasures are implemented, including an active die shield, encrypted storage of keys, and algorithmic methods to protect against device-level security attacks.

In this work, we deal with LFI, which is considered one of the most efficient and precise fault injection techniques. Skorobogatov et al. [15] showed that lasers are well suited for fault attacks. Since then, LFI has been considered a benchmark for fault injection because it allows faults to be injected with the highest feasible precision in both timing and location on the chip. Several practical attacks using LFI have been presented in the literature. Viera et al. [16] presented a permanent modification of the flash of an STM32 chip using LFI. Obermaier et al. [13] managed to break the protection mechanism of the STM32F0 by shining light on the chip. Another practical example was presented by Hériveaux [10], who broke the secure EEPROM of the ATECC using LFI.

**Motivations:** Coldcard Mk4 has recently adopted the DS28C36 as a second secure element, in addition to the Microchip ATECC608B, to enhance the product’s security [4]. This was done after the ATECC608B (the only secure element in the Mk3 version) was attacked using LFI, as shown in [11]. In the Mk4 version, the user seed is encrypted and stored in the ATECC608B. The encryption key is shared between the MCU (which was also attacked in [11]) and the protected user EEPROM pages of the DS28C36 (pages 14 and 15). So, an attacker must attack three different devices in order to recover the protected master key, which is considered a hard challenge.

**Contributions:** We present for the first time a vulnerability identification and exploitation of the protected user EEPROM...
This paper is organized as follows. Section II describes the experimental setup used in this work. Section III discusses the read page command and the attack scenario. Section IV highlights the use of single laser pulse in characterizing the read page command. Section V proposes using leakage detection for better understanding the read page command. Section VI shows how multiple laser pulses are used to successfully extract the protected user EEPROM pages of DS28C36. Section VII shows our responsible disclosure to the vendor. Section VIII concludes this work.

II. SETUP

A. Sample preparation

In order to perform LFI, backside package decapsulation is needed to access the silicon substrate of the device. We therefore performed this decapsulation and used infrared imaging to capture a detailed picture of the chip and examine its internal layout. Fig. 1a shows the chip after being decapped from the backside. Fig. 2 shows the internal structure of the chip obtained from the infrared imaging. Using the short data sheet, we are able to identify three main blocks: EEPROM, RAM, and logic.

B. Our setup

In order to inject laser pulses, we used an infrared pulsed laser source and a microscope for focusing. We used a 10X objective (the laser beam is about 5 µm in diameter). A Scaffold board [9] was used to communicate with the chip by sending I2C commands and to control the synchronization during fault injection. Fig. 1b shows the DUT fixed on the Scaffold board together with the laser objectives. In addition, a Tektronix MSO44 200 MHz digital oscilloscope with a maximum sampling rate of 6.25 GS/s was used to measure and capture the instantaneous power consumption of the DUT during the experiment.

III. READ PAGE COMMAND AND ATTACK SCENARIO

A. Read page command

According to the open source project of the Coldcard Mk4 [4], the secure EEPROM of the DS28C36 has 32 pages, each 32 bytes long. Pages 0 to 15 are user pages. Pages 22 to 24 map to private keys over the NIST P-256 curve, and pages 16 to 21 store the X and Y components of the corresponding public keys. Pages 25 and 26 are marked as secret pages. Pages 27 to 29 are dedicated to the decrement counter, the random number, and the GPIO, respectively. The last two pages are reserved for RAM buffers. Since not all the EEPROM memory bits are visible in this page mapping, we suspect that some EEPROM memory is used for storing the security configuration, such as the page read and write fuses. Note: according to [4], the hardware wallet manufacturer uses the protected user pages 14 and 15 to store the secrets.

After the chip preparation, we monitored the power consumption of the chip during the read page command. The goal of this step is to differentiate the chip’s behavior when the page is unprotected from its behavior after the page has been protected. We selected user page 7 as an example.

Fig. 3(a) shows the power consumption of the chip when reading this page before enabling the read protection. Fig. 3(b) shows the power consumption during the read page command on the same page after it has been protected (locked). From the two figures, we conclude that the chip executes the same state machine before the red line, and that the divergence starts at the red line, before the EEPROM page is read. Moreover, we observed no jitter during the command execution.
(a) Read memory command for an unprotected slot

(b) Read memory command for a protected slot

Fig. 3. Power consumption during read memory command

Fig. 4. Zoom on the EEPROM reading

Algorithm 1: Attack methodology

```
while True do
    PrepareFault();
    ChipRestart();
    ReadPage();
    SaveLog();
    MoveLaser();
end
```

B. Attack scenario

After the initial study of the read page command, the next step is to perform the LFI. We used the infrared pulsed laser source and a microscope for focusing, with a 10X objective (the laser beam is about 5 µm in diameter). The main idea is to write data to a specific page (a user page, for example) and attack this page after activating the read protection. The attack scenario is shown in Algorithm 1. `PrepareFault()` sets the fault parameters such as pulse width, offset, and laser power. Before each attempt, the chip is restarted and the read page command is executed (`ChipRestart()` and `ReadPage()`). After faulting the read page command, the attack log is saved, including the chip’s response, the laser beam position, the power consumption trace, and the fault injection timings. The laser beam then moves to another spot to scan another chip location.

IV. SINGLE FAULT INJECTION

In this section, we describe the first experiment, using a single laser pulse during the execution of the read page command. The single laser pulse was injected at random times before the divergence highlighted by the red line in Fig. 3(b). We scanned the entire chip surface, with the laser power randomized between 20% and 80% of the source’s maximum value (2.4 W).

We obtained five different responses, shown in Table I. The first response is the normal response obtained when the page is protected (locked); it starts with `2155`. The second response is obtained when the chip crashes. `NACK` means that an error occurred during the I²C communication.

We note that the only interesting results are the last two. Both start with `21aa`, which indicates that the read page command was accepted. Unfortunately, neither of them is equal to the stored value. We discovered that the third response is the value stored in page 17 (a public key page), which is permanently unprotected.

For a better understanding, we monitored the power consumption of the chip during the last two responses. The power consumption for the third response, shown in Fig. 5(a), is equivalent to the unprotected case and confirms our previous finding that this value matches slot 17. For the fourth response (see Fig. 5(b)), the EEPROM read is not executed, as the power consumption looks like the protected case; therefore, it is not an interesting fault. We located the last two responses on the chip layout as shown in Fig. 6.

According to the data sheet [7], the chip supports encrypted EEPROM storage, meaning that the EEPROM data is stored encrypted. During a successful read, the chip decrypts the encrypted page content. This can be seen by focusing on the EEPROM read in the unprotected case, as shown in Fig. 4. The red zone indicates the 32-byte read (32 peaks). Then there are four identical patterns that indicate the decryption process. There are no details about this process in the short data sheet.
TABLE I
SINGLE FAULT RESPONSES

<table>
<thead>
<tr>
<th>Number</th>
<th>Chip response</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>0155ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff</td>
</tr>
<tr>
<td>1</td>
<td>fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff</td>
</tr>
<tr>
<td>2</td>
<td>NACK</td>
</tr>
<tr>
<td>3</td>
<td>21aab8285b16978a7b25eb1d8a317f6c6a717184d47de4754ac32ad1c5adb7d324</td>
</tr>
<tr>
<td>4</td>
<td>21aa208cfc9a7dc7fcd5437775f6a79aa2c95f5795ed2bfef883082a2ada5f85694f</td>
</tr>
</tbody>
</table>

We spent several weeks scanning the entire chip with a single laser pulse and always obtained the same outputs (the five responses shown in Table I). Therefore, we decided to study in depth the difference between the unprotected and protected page at the level of the power consumption.

V. LEAKAGE DETECTION

In the previous section, we observed experimentally that a single laser pulse (single fault) is not effective against the read page command. As this is a secure chip, we consider that it may be protected against single LFI and include a multiple-check countermeasure.

To solve this challenge, we studied the difference between the unprotected and protected page statistically. The main idea is to find the moment when the page protection bit (or bits) is manipulated. Hence, we decided to use the leakage detection techniques employed in side-channel attacks (SCAs).

Leakage detection is a methodology to identify the moments of a trace that carry sensitive information. It is widely used in SCAs to reduce the computational complexity of security evaluations and to improve the efficiency of the SCAs. Several methods have been used to quantify leakage, such as the T-test [8] and NICV [2]. In this paper, we focus on the T-test. The main idea of the T-test in SCAs is to compare the leakage of a sensitive operation, such as a block cipher, with fixed plaintexts (and key) to the leakage of the same implementation with random plaintexts (and fixed key). If a significant difference of means is observed between the two leakages, it is concluded that the device leaks during this operation. Welch’s T-test is calculated as shown in Eq. 1, where $\mu_i$, $S_i^2$ and $N_i$ are the mean, variance, and number of traces, respectively, of set $i \in \{0, 1\}$:

$$t = \frac{\mu_0 - \mu_1}{\sqrt{\frac{S_0^2}{N_0} + \frac{S_1^2}{N_1}}}$$

We apply the T-test, which is commonly used in SCAs to detect sensitive operations, to fault injection (FI). The purpose is to detect when sensitive bits are processed; more precisely, we try to locate on the power consumption trace the manipulation of the page protection bit (or bits). This is done by performing the T-test between two sets of data: the first set is collected when the page is unprotected and the second when the same page is protected. The significant differences between the two sets may guide us to the correct timing for injecting faults, and also indicate whether one laser pulse (single fault) or several laser pulses (multiple faults) are needed.

We collected the two sets of traces for page 8 (note: page 7 was locked previously and cannot be unlocked). Each set contains 100K traces. We limited the captured window to the samples up to slightly after the red line (see Fig. 3). In addition, we increased the vertical resolution to reduce measurement noise and improve the statistical result. Prior to performing the T-test, we precisely aligned all the traces using cross-correlation [12]. Fig. 7 shows the average of each data set (upper) and the T-test result (lower). Two zones with significant peaks are highlighted in red. Note: we are not interested in the peaks after the divergence, because the two sets are already different at those moments. The two highlighted red zones indicate a significant difference between the two sets, which indicates the manipulation of the page protection bit (or bits).

The results obtained from the T-test confirm what we concluded in Section IV: a single laser pulse (single fault) is not sufficient to extract the protected page. They also indicate that the chip is protected against single-fault attacks by performing an algorithmic verification in the two red zones highlighted by the T-test.
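As an added example (not the paper’s code), the following Python script implements the evaluation pipeline of this section on constructed data: two sets of synthetic traces (standing in for the captures of the read page command with the page unprotected and protected) are aligned to a reference by a brute-force cross-correlation search, then the per-sample Welch’s t statistic of Eq. 1 is computed and the samples exceeding the customary |t| > 4.5 bound are reported. The trace model, the leak positions, the acquisition jitter and the 4.5 threshold are assumptions made here for illustration; in a real evaluation the two sets are the captured traces and the reported indices are the candidate "red zones" a designer would examine for a single point of failure.

```python
# Welch's T-test leakage detection over two sets of aligned power traces.
# Added example (not the paper's code): the traces are synthetic, constructed
# below, and the alignment is a simple brute-force cross-correlation search.
import math
import random
import statistics

T_THRESHOLD = 4.5            # customary |t| bound for a significant difference of means
N_SAMPLES = 200              # samples per trace (constructed)
MAX_LAG = 5                  # largest misalignment the aligner searches for
LEAK_INDICES = (80, 81, 130) # constructed: where the "protected" set differs in mean


def make_trace(rng, leak_amount, shift):
    """Construct one synthetic trace: a periodic activity pattern plus Gaussian
    noise, a mean offset of `leak_amount` at LEAK_INDICES, then a horizontal
    misalignment of `shift` samples (acquisition jitter)."""
    base = [2.0 * math.sin(i / 2.0) + rng.gauss(0.0, 0.5) for i in range(N_SAMPLES)]
    for i in LEAK_INDICES:
        base[i] += leak_amount
    jitter = [rng.gauss(0.0, 0.5) for _ in range(shift)]
    return (jitter + base)[:N_SAMPLES]


def align(trace, reference):
    """Cross-correlation alignment: slide `trace` against `reference` by up to
    MAX_LAG samples, keep the lag with the largest dot product, and return the
    central window (length N_SAMPLES - 2*MAX_LAG) in the reference's frame."""
    ref_win = reference[MAX_LAG:N_SAMPLES - MAX_LAG]
    best_lag, best_score = 0, -math.inf
    for lag in range(-MAX_LAG, MAX_LAG + 1):
        win = trace[MAX_LAG + lag:N_SAMPLES - MAX_LAG + lag]
        score = sum(a * b for a, b in zip(ref_win, win))
        if score > best_score:
            best_lag, best_score = lag, score
    return trace[MAX_LAG + best_lag:N_SAMPLES - MAX_LAG + best_lag]


def welch_t(set0, set1):
    """Per-sample Welch's t statistic (Eq. 1):
    t = (mu0 - mu1) / sqrt(S0^2/N0 + S1^2/N1), S^2 being the sample variance."""
    n0, n1 = len(set0), len(set1)
    t_values = []
    for k in range(len(set0[0])):
        col0 = [tr[k] for tr in set0]
        col1 = [tr[k] for tr in set1]
        mu0, mu1 = statistics.fmean(col0), statistics.fmean(col1)
        v0, v1 = statistics.variance(col0, mu0), statistics.variance(col1, mu1)
        t_values.append((mu0 - mu1) / math.sqrt(v0 / n0 + v1 / n1))
    return t_values


def significant_samples(t_values, threshold=T_THRESHOLD):
    """Indices where |t| exceeds the threshold: the 'red zones' of the T-test plot."""
    return [k for k, t in enumerate(t_values) if abs(t) > threshold]


def run_demo(traces_per_set=60, seed=1234):
    """Build the two sets (unprotected vs. protected page, constructed), align
    them to one reference capture, run the T-test and return the significant
    indices. Indices are in the aligned frame, i.e. LEAK_INDICES minus MAX_LAG."""
    rng = random.Random(seed)
    reference = make_trace(rng, 0.0, shift=0)
    set0 = [align(make_trace(rng, 0.0, rng.randint(0, MAX_LAG)), reference)
            for _ in range(traces_per_set)]
    set1 = [align(make_trace(rng, 1.0, rng.randint(0, MAX_LAG)), reference)
            for _ in range(traces_per_set)]
    return significant_samples(welch_t(set0, set1))  # -> [75, 76, 125]


if __name__ == "__main__":
    print("significant sample indices:", run_demo())
```

Run the script directly to print the significant indices. With the constructed data they are the three leak positions shifted left by `MAX_LAG`, because the aligned window drops `MAX_LAG` samples from each end; all other samples stay well below the threshold even though every trace was captured with a different jitter. The same functions apply unchanged to captured traces loaded as lists of floats, and the sign of `t` tells which set has the higher mean at each point.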

VI. MULTIPLE LASER PULSES

Having found the correct timing for injecting multiple laser pulses using the T-test as described above, the next step is to validate this result practically by scanning the entire chip surface while injecting multiple laser pulses at the times where the T-test showed a significant difference (the two red zones in Fig. 7).

We repeated the attack scenario of Algorithm 1, randomizing the laser power between 20% and 80% during the chip scan. In order to reduce the search over the fault parameters, we decided to inject a row of multiple faults covering the two red timing zones highlighted in the T-test result (Fig. 7) and the interval between them. In this way, we managed to dump the data stored in page 8 when injecting this row of pulses at the locations shown in Fig. 8. The number of pulses was 11, with an interval of 2 $\mu$s between pulses. The power consumption for the successful fault is shown in Fig. 9(a). This successful fault was obtained with 55% of the laser power. After fixing the successful location, we refined the number of pulses again and found that the attack also succeeds as a double-fault attack on the same two peaks shown in the T-test result. Fig. 9(b) shows the power consumption of the successful fault when injecting only two laser pulses. After focusing on the correct location, the success rate of the attack is 99%.

We tried all the user pages (0 to 15) and the attack worked on all of them. However, for the permanently protected pages used for the P-256 private keys, the chip returned a fixed, unidentified value. This means that the presented attack applies only to the protected user pages (the case of Coldcard Mk4).

A. Discussion

From the above results, we conclude that leakage detection using Welch’s T-test contributed significantly to finding the correct moments for injecting faults and allowed us to perform a successful attack on the protected user pages of the EEPROM using multiple pulses. Without this method, the time needed to find the correct number and timing of faults would be very long, and they could be difficult to find at all. Therefore, we advise vendors to use this technique during evaluation against fault injection, to help build designs that are robust against fault injection.

VII. DISCLOSURE

The attack presented in this paper was reported to Analog Devices before publication. We would like to thank them for their collaboration during the responsible disclosure. We also reported this work to the hardware wallet manufacturer Coinkite.

VIII. CONCLUSION

This paper presented, for the first time, a black-box attack on the protected user EEPROM pages of the DS28C36, a member of the DeepCover family developed by Analog Devices. We showed experimentally that the chip is protected against single-fault attacks. Leakage detection techniques helped us identify the manipulation of the page protection bit (or bits) during the read page command. With this knowledge, we extracted the protected user pages using multiple laser pulses with a 99% success rate. Future work includes investigating another attack path to extract the P-256 private key pages.

REFERENCES