Skip to main content
SpringerLink
Log in

On the Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-invasive Physical Attacks

  • Conference paper
  • First Online:
Constructive Side-Channel Analysis and Secure Design (COSADE 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13211))

  • 723 Accesses

Abstract

We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows to enable debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob.

This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://github.com/KULeuven-COSIC/SimpleLink-FI.

  2. 2.

    Instructions to report security vulnerabilities can be found at https://www.ti.com/security.

  3. 3.

    The advisory can be found online at https://www.ti.com/lit/pdf/swra739.

  4. 4.

    Instructions to report security vulnerabilities can be found at https://www.tesla.com/legal/security?redirect=no.

References

  1. Agoyan, M., Dutertre, J.-M., Naccache, D., Robisson, B., Tria, A.: When clocks fail: on critical paths and clock faults. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 182–193. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12510-2_13

    Chapter  Google Scholar 

  2. Anderson, R., Kuhn, M.: Tamper resistance-a cautionary note. In: Proceedings of the Second USENIX Workshop on Electronic Commerce, vol. 2, pp. 1–11 (1996)

    Google Scholar 

  3. Anderson, R., Kuhn, M.: Low cost attacks on tamper resistant devices. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028165

    Chapter  Google Scholar 

  4. Balasch, J., Gierlichs, B., Verdult, R., Batina, L., Verbauwhede, I.: Power analysis of Atmel CryptoMemory – recovering keys from secure EEPROMs. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 19–34. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_2

    Chapter  Google Scholar 

  5. Bozzato, C., Focardi, R., Palmarini, F.: Shaping the glitch: optimizing voltage fault injection attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst.2019(2), 199–224 (2019). https://doi.org/10.13154/tches.v2019.i2.199-224

  6. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28632-5_2

    Chapter  Google Scholar 

  7. Carpi, R.B., Picek, S., Batina, L., Menarini, F., Jakobovic, D., Golub, M.: Glitch it if you can: parameter search strategies for successful fault injection. In: Francillon, A., Rohatgi, P. (eds.) CARDIS 2013. LNCS, vol. 8419, pp. 236–252. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08302-5_16

    Chapter  Google Scholar 

  8. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3

    Chapter  Google Scholar 

  9. Cui, A., Housley, R.: BADFET: defeating modern secure boot using second-order pulsed electromagnetic fault injection. In: Enck, W., Mulliner, C. (eds.) 11th USENIX Workshop on Offensive Technologies, WOOT 2017, Vancouver, BC, Canada, August 14–15, 2017. USENIX Association (2017). https://www.usenix.org/conference/woot17/workshop-program/presentation/cui

  10. Dehbaoui, A., Dutertre, J., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: Bertoni, G., Gierlichs, B. (eds.) 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, September 9, 2012. pp. 7–15. IEEE Computer Society (2012). https://doi.org/10.1109/FDTC.2012.15

  11. Doget, J., Prouff, E., Rivain, M., Standaert, F.: Univariate side channel attacks and leakage modeling. J. Cryptogr. Eng. 1(2), 123–144 (2011)

    Article  Google Scholar 

  12. Dusart, P., Letourneux, G., Vivolo, O.: Differential fault analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45203-4_23

    Chapter  Google Scholar 

  13. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Shalmani, M.T.M.: On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 203–220. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_12

    Chapter  MATH  Google Scholar 

  14. Ferrigno, J., Hlavác, M.: When AES blinks: introducing optical side channel. IET Inf. Secur. 2(3), 94–98 (2008)

    Article  Google Scholar 

  15. Fioraldi, A., Maier, D., Eißfeldt, H., Heuse, M.: AFL++ : Combining incremental steps of fuzzing research. In: Yarom, Y., Zennou, S. (eds.) 14th USENIX Workshop on Offensive Technologies, WOOT 2020, August 11, 2020. USENIX Association (2020), https://www.usenix.org/conference/woot20/presentation/fioraldi

  16. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_21

    Chapter  Google Scholar 

  17. Garbelini, M.E., Wang, C., Chattopadhyay, S., Sun, S., Kurniawan, E.: SweynTooth: unleashing mayhem over bluetooth low energy. In: Gavrilovska, A., Zadok, E. (eds.) 2020 USENIX Annual Technical Conference, USENIX ATC 2020, July 15–17, 2020. pp. 911–925. USENIX Association (2020). https://www.usenix.org/conference/atc20/presentation/garbelini

  18. Gerlinksy, C.: Breaking code read protection on the NXP LPC-family microcontrollers. In: RECON, Brussels, Belgium (2017)

    Google Scholar 

  19. Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005). https://doi.org/10.1007/11506447_4

    Chapter  Google Scholar 

  20. Goodspeed, T.: Practical attacks against the MSP430 BSL. In: Twenty-Fifth Chaos Communications Congress. Berlin, Germany (2008)

    Google Scholar 

  21. Goodspeed, T.: A side-channel timing attack of the MSP430 BSL. Black Hat USA (2008)

    Google Scholar 

  22. den Herrewegen, J.V., Oswald, D.F., Garcia, F.D., Temeiza, Q.: Fill your boots: enhanced embedded bootloader exploits via fault injection and binary analysis. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(1), 56–81 (2021). https://doi.org/10.46586/tches.v2021.i1.56-81

  23. Hospodar, G., Gierlichs, B., Mulder, E.D., Verbauwhede, I., Vandewalle, J.: Machine learning in side-channel analysis: a first study. J. Cryptogr. Eng. 1(4), 293–302 (2011)

    Article  Google Scholar 

  24. Kartal, O.: Dragon Dance (2020). https://github.com/0ffffffffh/dragondance

  25. Kasper, M., Kasper, T., Moradi, A., Paar, C.: Breaking KeeLoq in a flash: on extracting keys at lightning speed. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 403–420. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_25

    Chapter  Google Scholar 

  26. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9

    Chapter  Google Scholar 

  27. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25

    Chapter  Google Scholar 

  28. Kocher, P.C., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. J. Cryptogr. Eng. 1(1), 5–27 (2011)

    Article  Google Scholar 

  29. Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. In: Guthery, S.B., Honeyman, P. (eds.) Proceedings of the 1st Workshop on Smartcard Technology, Smartcard 1999, Chicago, Illinois, USA, May 10–11, 1999. USENIX Association (1999). https://www.usenix.org/conference/usenix-workshop-smartcard-technology/design-principles-tamper-resistant-smartcard

  30. Ledger-Donjon: Rainbow (2021). https://github.com/Ledger-Donjon/rainbow

  31. LimitedResults: nRF52 Debug Resurrection (APPROTECT Bypass) (2020). https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/ Accessed 9 Dec 2021

  32. Lu, Y.: Attacking Hardware AES with DFA (2019). https://yifan.lu/2019/02/22/attacking-hardware-aes-with-dfa/ Accessed 9 Dec 2021

  33. Maurine, P.: Techniques for EM fault injection: Equipments and experimental results. In: Bertoni, G., Gierlichs, B. (eds.) 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, September 9, 2012. pp. 3–4. IEEE Computer Society (2012). https://doi.org/10.1109/FDTC.2012.21

  34. Meriac, M.: Heart of darkness-exploring the uncharted backwaters of hid iclass (tm) security. In: 24th Chaos Communication Congress (2010)

    Google Scholar 

  35. Moradi, A., Schneider, T.: Improved side-channel analysis attacks on xilinx bitstream encryption of 5, 6, and 7 series. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 71–87. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43283-0_5

    Chapter  MATH  Google Scholar 

  36. Moustafa, M.: Emerald (2021). https://github.com/reb311ion/emerald

  37. Obermaier, J., Schink, M., Moczek, K.: One exploit to rule them all? on the security of drop-in replacement and counterfeit microcontrollers. In: Yarom, Y., Zennou, S. (eds.) 14th USENIX Workshop on Offensive Technologies, WOOT 2020, August 11, 2020. USENIX Association (2020). https://www.usenix.org/conference/woot20/presentation/obermaier

  38. Obermaier, J., Tatschner, S.: Shedding too much light on a microcontroller’s firmware protection. In: 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, Vancouver, BC (Aug 2017). https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier

  39. O’Flynn, C.: Fault injection using crowbars on embedded systems. IACR Cryptol. ePrint Arch. p. 810 (2016). http://eprint.iacr.org/2016/810

  40. O’Flynn, C.: Low-cost body biasing injection (BBI) attacks on WLCSP devices. In: Liardet, P.-Y., Mentens, N. (eds.) CARDIS 2020. LNCS, vol. 12609, pp. 166–180. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68487-7_11

    Chapter  Google Scholar 

  41. O’Flynn, C., Chen, Z.D.: Chipwhisperer: an open-source platform for hardware embedded security research. In: Constructive Side-Channel Analysis and Secure Design - 5th International Workshop, COSADE 2014, Paris, France, April 13–15, 2014. Revised Selected Papers. pp. 243–260 (2014). https://doi.org/10.1007/978-3-319-10175-0_17

  42. O’Flynn, C.: d’Eon Greg: I, for One. Welcome Our New Power Analysis Overlords - An Introduction to ChipWhisperer-Lint, Black Hat USA (2018)

    Google Scholar 

  43. Quisquater, J.-J., Samyde, D.: ElectroMagnetic analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45418-7_17

    Chapter  MATH  Google Scholar 

  44. Roche, T., Lomné, V., Mutschler, C., Imbert, L.: A Side Journey To Titan. In: Bailey, M., Greenstadt, R. (eds.) 30th USENIX Security Symposium, USENIX Security 2021, August 11–13, 2021. pp. 231–248. USENIX Association (2021). https://www.usenix.org/conference/usenixsecurity21/presentation/roche

  45. Ronen, E., Shamir, A., Weingarten, A., O’Flynn, C.: IoT goes nuclear: creating a ZigBee chain reaction. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22–26, 2017. pp. 195–212. IEEE Computer Society (2017). https://doi.org/10.1109/SP.2017.14

  46. Roth, T.: SVD-Loader for Ghidra (2019). https://github.com/leveldown-security/SVD-Loader-Ghidra

  47. Roth, T., Nedospasov, D., Josh, D.: wallet.fail - hacking the most popular cryptocurrency hardware wallets. In: Thirty-Fifth Chaos Communications Congress. Berlin, Germany (2018)

    Google Scholar 

  48. Seri, B., Vishnepolsky, G., Zusman, D.: BLEEDINGBIT: The Hidden Attack Surface Within BLE Chips (2018). https://info.armis.com/rs/645-PDC-047/images/Armis-BLEEDINGBIT-Technical-White-Paper-WP.pdf. Accessed 12 Apr 2021

  49. Shepherd, C., Markantonakis, K., van Heijningen, N., Aboulkassimi, D., Gaine, C., Heckmann, T., Naccache, D.: Physical fault injection and side-channel attacks on mobile devices: a comprehensive survey. CoRR abs/2105.04454 https://arxiv.org/abs/2105.04454 (2021)

  50. Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_2

    Chapter  Google Scholar 

  51. Teuwen, P.: SideChannelMarvels - PhoenixAES (2021). https://github.com/SideChannelMarvels/JeanGrey

  52. Texas Instruments: understanding security features for SimpleLink™Bluetooth® low energy CC2640R2F MCUs (2017). https://www.ti.com/lit/ml/swpb016a/swpb016a.pdf. Accessed 9 Dec 2021

  53. Texas Instruments: Secure Boot in SimpleLink™CC13x2/CC26x2 Wireless MCUs (2019). https://www.ti.com/lit/an/swra651/swra651.pdf. Accessed 9 Dec 2021

  54. Texas Instruments: CC13x0, CC26x0 SimpleLink™Wireless MCU Technical Reference Manual (2020). https://www.ti.com/lit/ug/swcu117i/swcu117i.pdf. Accessed 9 Dec 2021

  55. Texas Instruments: CC13xx/CC26xx Hardware Configuration and PCB Design Considerations (2020). https://www.ti.com/lit/an/swra640e/swra640e.pdf. Accessed 9 Dec 2021

  56. Texas Instruments: Applications for the SimpleLink™platform (2021). https://www.ti.com/wireless-connectivity/applications.html. Accessed 9 Dec 2021

  57. Timon, B.: Non-profiled deep learning-based side-channel attacks with sensitivity analysis. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 107–131 (2019). https://doi.org/10.13154/tches.v2019.i2.107-131

  58. Wouters, L., Gierlichs, B., Preneel, B.: My other car is your car: compromising the Tesla Model X keyless entry system. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(4), 149–172 (2021). https://doi.org/10.46586/tches.v2021.i4.149-172

  59. Wouters, L., den Herrewegen, J.V., Garcia, F.D., Oswald, D.F., Gierlichs, B., Preneel, B.: Dismantling DST80-based immobiliser systems. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(2), 99–127 (2020). https://doi.org/10.13154/tches.v2020.i2.99-127

Download references

Acknowledgements

We want to thank the Texas Instruments and Tesla product security incident response teams for their responsiveness. This work was supported in part by CyberSecurity Research Flanders with reference number VR20192203. In part by the Research Council KU Leuven C1 on Security and Privacy for Cyber-Physical Systems and the Internet of Things with contract number C16/15/058. In addition, this work was supported by the European Commission through the Horizon 2020 research and innovation programme under grant agreement Cathedral ERC Advanced Grant 695305, under grant agreement H2020-FETFLAG-2018-03-820405 QRANGE and under grant agreement H2020-DS-LEIT-2017-780108 FENTEC.

Author information

Authors and Affiliations

  1. imec-COSIC, KU Leuven, Kasteelpark Arenberg 10, 3001, Heverlee, Belgium

    Lennert Wouters, Benedikt Gierlichs & Bart Preneel

Authors
  1. Lennert Wouters
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Benedikt Gierlichs
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bart Preneel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Lennert Wouters .

Editor information

Editors and Affiliations

  1. KU Leuven, Leuven, Belgium

    Josep Balasch

  2. Dalhousie University, Halifax, NS, Canada

    Colin O’Flynn

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wouters, L., Gierlichs, B., Preneel, B. (2022). On the Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-invasive Physical Attacks. In: Balasch, J., O’Flynn, C. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2022. Lecture Notes in Computer Science, vol 13211. Springer, Cham. https://doi.org/10.1007/978-3-030-99766-3_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-99766-3_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-99765-6

  • Online ISBN: 978-3-030-99766-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation