INSIGHTS | January 20, 2025

Threat Brief: Low-level Hardware Attacks

Low-level Hardware Attacks: No Longer an Emerging Threat

As organizations have improved their cybersecurity posture, motivated attackers compensate by looking for other attack vectors to continue to achieve their objectives. Efforts to improve system and device security have produced a greater availability and reliance on hardware security features, and as component and device designers continue to innovate with new security features, attackers continue to innovate and share new tools and attack techniques. Increasingly, this means that to provide solid security posture for a component, device, or system, a full-stack perspective on security is mandatory.

More effort from developers is required to understand and increase resistance to low-level hardware attacks, including:

  • Manufacturers of typical microchips and embedded devices that require features such as secure boot and resistance to firmware extraction
  • Manufacturers of specialty microchips and integrated circuits (ICs) with security features such as secure elements, secure enclaves, encrypted read only memory (ROMs), hardware root of trust, etc.
  • Product manufacturers who depend on microchips with key security features as a core control of their overall product or ecosystem security model

Defending against low-level hardware attacks is critical for most every organization today, but the topic remains largely inaccessible to the key stakeholders who can act to improve security posture to better resist and defend against these attacks. To support improved security posture on these critical components, IOActive is making new materials available to the community to aid in understanding the attack vectors and threats.

IOActive is very pleased to announce the release of our eGuide titled “The State of Silicon Chip Hacking,” which is intended to make the very opaque topic of low-level attacks on microchips and ICs more accessible to security team members, business leaders, semiconductor engineers, and even laypersons.

Furthermore, in the coming months, we will publish some original cybersecurity research related to low-level attacks on specialized memory in microchips and integrated circuits (ICs), and formerly proprietary intelligence (PROPINT) about the capabilities of malicious threat actors targeting microchips and ICs.

BACKGROUND

Evolving Security Posture and Attack Vectors

Within the last decade, low-level hardware attacks at the microchip and IC level have become more appealing to attackers as many organizations have become much better at the fundamentals of cybersecurity that include cyber hygiene, vulnerability management, secure development,[1][2][3] and the many other components in a modern cybersecurity program or framework such as NIST’s CSF. As organizations became more mature in their cybersecurity capabilities, including sophisticated response and threat hunting capabilities offered for their traditional information technology (IT) and operational technology (OT) environments either by an internal security operation center (SOC) or a trusted third-party service provider, threat actors have shifted their focus to other areas of opportunity where less defensive effort had been expended to date, such as supply chain[4][5] and hardware attack vectors.

A recent example of this is the high-impact supply chain attack by Salt Typhoon, a People’s Republic of China (PRC) Ministry of State Security (MSS) affiliated threat actor. This attacker compromised the major U.S. mobile network operators to enable espionage and counterintelligence operations, hyper-targeted cyber operations against high value targets, and the circumvention of the ridiculously weak short message system (SMS) multi-factor authentication (MFA) implementations used far too frequently today.

The more secure an organization itself, the more attractive that organization’s upstream supply chain becomes as an attack vector to a dedicated attacker. A sophisticated threat actor seeks the easiest and least attributable pathway into a target; today the path of least resistance and risk for an attacker is often one of the target’s Tier 1 or Tier 2 suppliers who have an exploitable vulnerability that can provide full access into the target’s network. Other times, the actor has chosen an attack vector of a software library or hardware component. For example, we have recently seen an attacker attempt to compromise the XZ Utils compression library in an effort to subvert the effectiveness of OpenSSH.[6][7]

Greater Reliance on Hardware Security

One outcome of these efforts to improve security is a greater reliance on hardware components and devices to improve the overall system’s security, especially when an attacker has physical access through the protection of key data such as cryptographic keys, whose compromise would result in the compromise of the device or all devices. Key hardware technologies and implementations such as secure boot (e.g., UEFI), trusted execution environments (TEEs), and hardware roots of trust have been created and refined to reduce the likelihood of a software compromise. Many of these key hardware security measures are standardized for the industry or a manufacturer to reuse on multiple products and devices. Perhaps most attractive to device developers, these components are frequently integrated into system-on-a-chip (SOC) components that provide a broad set of features, including hardware security capabilities, into a single package.

This greater availability, utilization, and criticality of hardware security has pushed threat actors to develop new tooling, tactics, techniques, and procedures to achieve their operational or strategic objectives.

Full-stack Perspective

Today’s sophisticated threat actors are capable of successfully attacking at any level of the technology and operational stack including hardware, software, people, processes, and the supply chain. This necessitates much more thoughtful risk management and defense. Moreover, the advanced, low-level hardware attack techniques outlined in our eGuide have become much more democratized and accessible to many of today’s threat actors. There is no expectation that this trend will abate. A successful, low-level hardware attack can compromise an entire organization, its customers, and even its suppliers.

Globalization Consequences

With the admission of the PRC to the World Trade Organization (WTO) in December 2001, the world experienced an extremely rapid period of globalization, which transformed the global economy and its supply chains. This supply chain globalization has actually made our supply chains longer, more geographically dispersed, much more complex and less resilient. Today, a product may have to go through multiple countries and hundreds of suppliers before it’s complete, offering more opportunities for things to go wrong from a supply chain risk perspective, whether accidental or intentional. Within the last several years we have seen numerous high-impact supply chain disruptions.

The 2020 pandemic painfully illustrated the vulnerabilities of the global supply chain to disruption from a virus and the associated government response. Significant microchip shortages beginning in 2021 deeply impacted the automotive industry on a global basis with an estimated impact of a more than 10% reduction in global light-vehicle production in 2021. In March 2021, the container ship Ever Given was grounded in the Suez Canal, causing significant disruptions to shipping and canal transits. In late 2023, we saw huge disruptions to the transit of the Red Sea and Suez Canal, which forms a key link between Asia and Europe, from kinetic attacks by the Houthis, an Iranian proxy group based in Yemen. Arguably, the consequences of the Ever Given incident gave the Houthi strategists a model with which to understand the consequences of severing the link between Europe and the Indo-Pacific through piracy and kinetic strikes.

Perhaps most concerning is the fact that these long, complex supply chains frequently have key nodes in locations under the control of unfriendly, malign,  or adversarial countries who are seeking to penetrate, compromise, and hold at risk critical infrastructure and information of their perceived adversaries.

THREATSCAPE: INCREASING RISKS

The confluence of the above trends has created significantly greater risks that as previously favored attack vectors become more challenging, costly, or attributable, organizations almost certainly will be targeted through low-level hardware attacks. There are many more threat actors today capable of launching low-level hardware attacks. The nature of the global semiconductor supply chain gives the most motivated and well-funded threat actors excellent opportunities to compromise microchips, ICs, and digital devices before they make it to the end user. Increasingly, these threat actors will require low-level hardware attack techniques to continue to meet their operational and strategic objectives.

To support improved security posture on these critical components, we are making new materials available to the community to aid in understanding the attack vectors and threats.

Upcoming Research Publications

In the coming months, we will publish some original cybersecurity research related to low-level attacks on specialized memory in microchips and ICs after completion of our responsible disclosure process. In addition, we will publish some previous work we had performed by a third party to help us assess and develop PROPINT about the capabilities of malicious threat actors to reverse engineer microchips and ICs for the purpose of intellectual property theft.

The State of Silicon Chip Hacking

IOActive is pleased to announce the release of eGuide titled “The State of Silicon Chip Hacking,” which is intended to make the very opaque topic of low-level attacks on microchips and ICs more accessible to security team members, business leaders, semiconductor engineers, and even laypersons. This eGuide is meant to be clear, concise, and accessible to anyone interested in the topic of low-level hardware attacks with an emphasis on invasive attacks using specialized equipment. To increase the accessibility of the eGuide to all readers, we made an effort to include high quality graphics to illustrate the key concepts related to these attacks.


[1] https://www.sei.cmu.edu/our-work/secure-development/

[2] https://www.microsoft.com/en-us/securityengineering/sdl/practices

[3] https://www.ncsc.gov.uk/collection/developers-collection/principles

[4] https://www.ncsc.gov.uk/collection/supply-chain-security/supply-chain-attack-examples

[5] https://github.com/cncf/tag-security/blob/main/supply-chain-security/compromises/README.md

[6] https://www.darkreading.com/cyber-risk/xz-utils-backdoor-implanted-in-intricate-multi-year-supply-chain-attack

[7] https://nvd.nist.gov/vuln/detail/CVE-2024-3094

INSIGHTS, RESEARCH | January 14, 2025

Novel Invasive Attack on One-Time-Programmable Antifuse Memory

Antifuse-based OTP Memory Attack May Compromise Cryptographic Secrets

Complementary metal-oxide semiconductor (CMOS) one-time programmable (OTP) memories based on antifuses are widely used for storing small amounts of data (such as serial numbers, keys, and factory trimming) in integrated circuits (ICs) because they are inexpensive and require no additional mask steps to fabricate. The RP2350 uses an off-the-shelf Synopsys antifuse memory block for storing secure boot keys and other sensitive configuration data.

Despite antifuses being widely considered a ”high security” memory—which means they are significantly more difficult for an attacker to extract data from than other types of memory, such as flash or mask ROM—IOActive has demonstrated that data bits stored in the example antifuse memory can be extracted using a well-known semiconductor failure analysis technique: passive voltage contrast (PVC) with a focused ion beam (FIB).

The simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory bitcell rows sharing common metal 1 contacts, however, we believe it is possible for an attacker to separate the even/odd row values with additional effort.

Furthermore, it is highly likely that all products using the Synopsys dwc_nvm_ts40* family of memory IPs on the TSMC 40nm node are vulnerable to the same attack, since the attack is not specific to the RP2350 but rather against the memory itself.

IOActive has not yet tested our technique against other vendors’ antifuse intellectual property (IP) blocks or on other process nodes. Nonetheless, IOActive assessed it to have broad applicability to antifuse-based memories.

Security models which mandate a per-device cryptographic secret are not exposed to significant additional risk, but products which have a shared cryptographic secret stored in the antifuse-based OTP memory are at substantial additional risk from the compromise of a shared secret through this invasive attack.

BACKGROUND

IOActive’s Advanced Low-level Hardware Attacks

IOActive has been building out the depth and coverage of our full-stack cybersecurity assessment capabilities for decades. In recent years, we have been developing exciting new capabilities to dive deeper into the lowest levels of the technology stack using non-invasive, semi-invasive, and fully invasive hardware attack techniques. The key areas of recent focus have been on side channel analysis, fault injection, and fully invasive microchip and IC attacks.

We’ve published original research on side channel analysis on electromechanical locks and fault injection attacks on uncrewed aerial systems (UAS) to demonstrate our capabilities and bring attention to these impactful attack vectors. We’ve been looking for some research projects to demonstrate our fully invasive attack techniques and an industry leader gave us a great opportunity.

IOActive will be sharing more materials in the coming months about advanced, low-level hardware attacks.

Raspberry Pi

Raspberry Pi has an excellent record of producing innovative low-cost, high-value computing hardware that is a favorite of hobbyists, hackers, product designers, and engineers. IOActive has used numerous Raspberry Pi products in our research projects and specialized internal tools to support our commercial cybersecurity engagements. One of the more recent IOActive uses of Raspberry Pi hardware was to build an upgraded remote testing device (RTD) that allowed us to continue delivering our cybersecurity assessments during the pandemic that previously required our consultants to be on site at a client’s facility. The RTD allowed us to continue operating during the lockdowns and Raspberry Pi allowed us to do so with a high-performance, low-cost device. It’s fair to say we’re fans.

RP2350

The RP2350 microcontroller is a unique dual-core, dual-architecture with a pair of industry-standard Arm Cortex-M33 cores and a pair of open-hardware Hazard3 RISC-V cores. It was used as a key component in the DEF CON 2024 (DEF CON 32) Human badge. IOActive sponsored the 2024 car hacking badge for DEF CON’s Car Hacking Village. IOActive has participated in DEF CON since our founding. Companies who participate in DEF CON demonstrate an above average commitment to cybersecurity and the security of their products.

The RP2350 datasheet and product brief highlight the significant effort that Raspberry Pi made into democratizing the availability of modern security features in the RP2350. The RP2350 provides support for Arm TrustZone for Cortex-M, signed boot, 8-KB of antifuse OTP memory for cryptographic key storage, SHA-256 acceleration, a hardware true random number generator (TRNG), and fast glitch detectors.

IOActive strongly recommends that users of the RP2350 employ these advanced security features.

RP2350 Security Challenge

Building on their commitment to product security, the Raspberry Pi team, in addition to participating in DEF CON, also sponsored a Hacking Challenge using the RP2350 with a bug bounty. The objective or “flag” of this challenge was to “find an attack that lets you dump a secret hidden in OTP ROW 0xc08 – the secret is 128-bit long and protected by OTP_DATA_PAGE48_LOCK1 and RP2350’s secure boot!”

This challenge was designed to provide independent validation and verification that the security features present in the RP2350 were properly designed and implemented. In particular, the challenge was focused on determining the resistance of the product to fault injection, specifically glitching attacks.

Companies, like Raspberry Pi, who understand that no designer can completely check their own work and therefore leverage security consultants and researchers to independently assess the security of product designs and implementations, ship more secure products.

Raspberry Pi has a blog post covering the RP2350 Hacking Challenge here.

INVASIVE READING OF ANTIFUSE-BASED OTP MEMORY

Attack Overview

An attacker in possession of an RP2350 device, as well as access to semiconductor deprocessing equipment and a focused ion beam (FIB) system, could extract the contents of the antifuse bit cells as plaintext in a matter of days. While a FIB system is a very expensive scientific instrument (costing several hundred thousand USD, plus ongoing operating expenses in the tens of thousands per year), it is possible to rent time on one at a university lab. These costs are low enough to be well within the realm of feasibility in many scenarios given the potential value of the keys in the device.

The attack can theoretically be performed with only a single device and would take a skilled attacker approximately 1-2 weeks of work to perform the initial reverse engineering and process development on blank or attacker-programmed test chips. Actual target devices would take 1-2 days per chip to prepare the sample and extract a small amount of data such as a key; a full fuse dump might require an additional day of machine time for imaging of the entire array.

As with any invasive attack, there is a small chance of the device being damaged during handling and deprocessing, so a real-world attacker would likely procure several samples to ensure a successful extraction.

The attack is based on established semiconductor failure analysis techniques and is not specific to the RP2350; it is likely that similar techniques can be used to extract data from other devices with antifuse-based memory.

Suggested User Mitigation

Users of the RP2350 can mitigate the basic form of the attack by using a “chaffing” technique taking advantage of the paired nature of the bit cells. By using only the low half (words 0-31) or high half (words 32-63) of a page to store cryptographic keys, and storing the complement of the key in the opposite half of the page, each pair of bit cells will have exactly one programmed and one unprogrammed bit. Since the basic passive voltage contrast (PVC) technique cannot distinguish between the two bits sharing the common via, the attacker will see the entire page as being all 1s.

This mitigation does not provide complete protection, however: by taking advantage of the circuit-edit capabilities of a FIB, an attacker could likely cut or ground the word lines being used for chaffing and then use PVC to read only the key bits. We intend to explore this extended attack in the future but have not yet tested it.

Consequences

This novel attack technique of using PVC to invasively read out data from antifuse-based OTP memory calls into question the security model of any device or system, which assumes that the OTP memory cannot be read by an attacker with physical control of the device. Security models which mandate a per-device cryptographic secret are not exposed to significant additional risk, but products which have a shared cryptographic secret stored in the antifuse-based OTP memory are at substantial additional risk from the compromise of a shared secret through this invasive attack.

The simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory bitcell rows sharing common metal 1 contacts, however, we believe it is possible for an attacker to separate the even/odd row values with additional effort.

Furthermore, it is highly likely that all products using the Synopsys dwc_nvm_ts40* family of memory IPs on the TSMC 40nm node are vulnerable to the same attack, since the attack is not specific to the RP2350 but rather against the memory itself.

IOActive has not yet tested our technique against other vendors’ antifuse IP blocks or on other process nodes. Nonetheless, IOActive assessed it to have broad applicability to antifuse-based memories.

Additional Information

IOActive’s full disclosure report is available here. When available, a preprint paper, which has been submitted to an academic conference will be shared on the IOActive website.

Dr. Andrew Zonenberg is a keynote speaker on this topic at the Hardware Reverse Engineering Workshop (HARRIS 2025) held on 17 and 18 March 2025 in Bochum, Germany.

ACKNOWLEDGEMENTS

IOActive would like to thank the Raspberry Pi team for the excellent coordination and communication during the disclosure process.