This week starts off with examinations of a couple hardware attacks that you might have considered impractical. Take a Ball Grid Array (BGA) NAND removal attack, for instance. The idea is that a NAND chip might contain useful information in the form of firmware or hard-coded secrets.
The question is whether a BGA desolder job puts this sort of approach out of the reach of most attackers. Now, this is Hackaday. We regularly cover how our readers do BGA solder jobs, so it should come as no surprise to us that less than two-hundred Euro worth of tools, and a little know-how and bravery, was all it took to extract this chip. Plop it onto a pogo-pin equipped reader, use some sketchy Windows software, and boom you’ve got firmware.
What exactly to do with that firmware access is a little less straightforward. If the firmware is unencrypted and there’s not a cryptographic signature, then you can just modify the firmware. Many devices include signature checking at boot, so that limits the attack to finding vulnerabilities and searching for embedded secrets. And then worst case, some platforms use entirely encrypted firmware. That means there’s another challenge, of either recovering the key, or finding a weakness in the encryption scheme.
Glitches to the Rescue
Speaking of looking for those vulnerabilities, let’s talk about glitching. We’ve talked about some interesting techniques in the past, like using a peizo element from a lighter. This coverage takes the opposite technique, shorting pins to ground during code runtime. [Maurizio Agazzini] takes a look at glitching technique on the ESP32.
The ..
Support the originator by clicking the read the rest link below.
