MIT Bitcoin Expo 2018 - Hardware Wallets Security
- 1. Ledger SAS 1, rue du Mail 75002 Paris - France Ledger Technologies Inc. 121 2nd Street - Suite 5 94105 San Francisco - USA Hardware Wallets Security 18th of January, 2018 - MIT Bitcoin Expo - Charles GUILLEMET
- 2. ● 10 years Securing and Breaking Hardware based security systems ● Formerly Technical Manager in an ITSEF ● Passionate about Cryptography & Maths, Machine Learning Ledger About Me Charles GUILLEMET CSO at Ledger LinkedIn: charles-guillemet PGP:
- 3. State-of-the-art attacks on Secure Hardware With the development of cryptocurrencies, comes the challenge of security. Hardware based solutions have proven their security resilience in various applications. With higher stakes, it’s expected to see attackers with higher potential. An overview of state-of-the-art hardware attacks is given from an academic perspective. On the field hardware attacks are presented as well. Abstract ● Introduction ● Software attack vectors ● Perturbation attacks ● Side Channel Attacks ● Physical Attacks Examples with a “simple” PIN verification Agenda
- 4. Introduction: Ledger’s Hardware wallets Ledger Nano S is based on a dual chip architecture (ST31/STM32, Certification level: CC EAL5+). Secure Element is a specific form factor of Smartcards. Used for various applications - SIM - Passports - Banking cards - TPM Secure Element PIN Code Malware Proof 4 to 8 digits PIN Code Designed to be secured even on an untrusted computer
- 5. Introduction: Securing systems Securing software is i̶m̶p̶o̶s̶s̶i̶b̶l̶e̶ very difficult Most industries chose hardware based solutions -> put all the security in the smartcard - 35 years of Smartcards legacy: Well organized security industry - Big actors: - IC Designers - Embedded Sofware Developper - Evaluation & Certification process well defined Securing systems: hard task
- 6. Introduction: Smartcard Industry - EAL5+ defines a High Potential attacker - The attacker has a physical access to the Target Of Evaluation - Different kinds of attacks are considered - Software attacks - Physical attacks - Perturbation attacks - Side Channel attacks Legacy of Smartcard industry
- 7. Software attacks on Hardware devices - Hardware designs are used to avoid software attacks - Nevertheless Hardware devices have interfaces - IOs shall be secured against classical attacks - Open platforms => Isolation must be ensured (Javacard Firewall, Custom OS with Isolation using HW) Software Attacks Number of cve by year (source: cvedetails.com)
- 8. Software attacks on Hardware devices - Not that much Software Attacks on PIN Verification - buffer overflow on the digit given by the user - Famous iPhone PIN unlock methods - Overflow on user inputs leads a crash of the screen lock app (lot of videos on YouTube) Software Attacks
- 9. PIN verification - The bad way to implement it A simple example : PIN verification
- 10. Perturbation attacks - Use laser, EMI, Glitches to perturb the normal behavior of the IC - Code rerouting - Attacks on cryptography related computations - RSA (Bellcore’s Attack) - DFA on AES - (Piret & Quisquater) - Very efficient attacks, lot of countermeasures on secure IC - Attack prevention: Shielding the IC (not always possible), packaging, randomizations to make the synchronization more difficult - Attack detection: Light detectors / CRC / double (or more) computations / Control flow - Attack reaction: at fault detection, erase keys, reset, destroy device... Laser, EM injection, Glitches
- 11. Perturbation attacks - A single fault on the if statement breaks the system - The fault can disturb the circuit in many ways - Change PC (Program counter) value - Change the CMP instruction fetch (to almost any instruction) - 1st fault - Authenticates the user without presenting PIN - 2nd fault - Makes PTC == -1 => All the PINs can be tested... Laser, EM injection, Glitches
- 12. Side Channel Attacks on Hardware - Measure the power consumption/EM during cryptographic computations - Record traces - Post processing traces - Conduct Side Channel Analysis - First attacks end 90’s (except national Agencies) - Timing attacks 1996. (P. Kocher) - SPA - DPA 1998 (P. Kocher) - CPA 2004 (Brier) - Template Attacks 2002 (Chari) - Machine Learning based Attacks (2015-2016) Power consumption, ElectroMagnetic emanations
- 13. Side Channel Attacks on Hardware - Timing attacks It consists in retrieving sensitive information based on the duration of a computation Timing attacks & SPA - Depending on the value of the correct userPIN, the code will execute more loops - Add a tearing method - Simple Power Analysis Famous example of Sq&Multiply
- 14. Side Channel Attacks on Hardware - DPA attack - First statistical attack (1998) It consists in retrieving sensitive information based on EM/Power consumptions statistics - Targets one intermediate value (bit) which depends on the key - Exploit a statistical difference: - The power consumption/EM of the targeted bit is different if it’s 0 or 1 - CPA attack - assumes a power consumption model - C = a.HW(x) + b DPA, CPA The measured Power Consumption Hamming Weight of the sensitive value x Pearson’s correlation coefficient is computed between the set of traces and this model for each hypothesis of key
- 15. Side Channel Attacks on Hardware - Template attack - Profiled attack Instead of assuming a leakage model, the model is observed on a sample with a known key Template Attacks 1. Traces recorded on a sample with a known key 2. Resynchronization process is applied 3. Dimensionality reduction: POI selection, PCA, LDA 4. Template building - Means by class - Covariance Matrix (Pooled, by class) Profiling Matching 1. Traces recorded on the sample to attack 2. Same resynchronization process applied 3. Same dimensionality reduction 4. Matching is applied computing for each trace the probability to belong in each class + Far more efficient than classical CPA/DPA attacks - A device with a known key is required (not always possible)
- 16. Side Channel Attacks on Hardware Common Criteria & Private certifications scheme in Europe require high level of security against these attacks To be certified, secure products must resist against Template attacks with - Several Million traces for the Profiling phase - Up to 1 Million traces for the Matching phase Secure products (smartards) embedd a lot of countermeasures to prevent these attacks Non secure products don’t resist against these kind of attacks. - Cheap and efficient - FPGA bitstream encryption are all broken - Yubikey also broken - Set Top Box also broken Template Attacks - State of the art
- 17. Side Channel Attacks on Hardware Machine-Learning based Side Channel Attacks Side Channel Analysis aims at solving a classification problem Template Attacks can be considered as a supervised machine learning method CPA, DPA can be considered as unsupervised machine learning technique In this context, using machine learning techniques seems an obvious idea AI and SCA are two distinct fields with very few communication Using Machine Learning techniques for SCA is very recent (2015-2016)
- 18. Physical attacks - FIB (Focalized Ion Beam) circuit edit - Local edit of the circuit - Probe interesting signals - Reverse engineering using SEM and chemicals - X-Ray circuit modification (CHES2017: Nanofocused X-Ray Beam to Reprogram Secure Circuits - Leti ITSEF) Physical Attacks M1 M2 M3 Poly Pictures from Texplained M4
- 19. Physical attacks However on the field attacks still exist - Used to copy a circuit - Counterfeiting industry (video game, Ink cartridge) use these techniques - Ink cartridge: mutual authentication between the printer and the ink cartridge => Market is several billions $ => Broken within few months => It’s possible to buy compatible ink/toner cartridges for any printer For now, on this market, the attackers win Reverse Engineer of IC
- 20. Conclusions Lessons learned from on-the-field attacks If the stakes are high the attackers will have a high potential The piracy is an industry even on Hardware-based systems Crypto-currencies growing industry Here, the stakes are high and will grow the attackers will have a high potential Securing crypto-assets is not an option Take advantage of 35+ years of smartcards legacy Software-based solutions are very hard to secure Dedicated Hardware is a better approach
- 21. Bounty Program & CTF https://www.ledger.fr/ctf2018/ WIN 1.337 BTC & 13 Nano-S Starts on Tuesday the 20th of March When the stakes are high Expect Attackers with high potential