Security
Headlines
HeadlinesLatestCVEs

Headline

A $500 Open-Source Tool Lets Anyone Hack Computer Chips With Lasers

The RayV Lite will make it hundreds of times cheaper for anyone to carry out physics-bending feats of hardware hacking.

Wired
#vulnerability#mac

In modern microchips, where some transistors have been shrunk to less than a 10th of the size of a Covid-19 virus, it doesn’t take much to mess with the minuscule electrical charges that serve as the 0s and 1s underpinning all computing. A few photons from a stray beam of light can be enough to knock those electrons out of place and glitch a computer’s programming. Or that same optical glitching can be achieved more purposefully—say, with a very precisely targeted and well timed blast from a laser. Now that physics-bending feat of computer exploitation is about to become available to far more hardware hackers than ever before.

At the Black Hat cybersecurity conference in Las Vegas next week, Sam Beaumont and Larry “Patch” Trowell, both hackers at the security firm NetSPI, plan to present a new laser hacking device they’re calling the RayV Lite. Their tool, whose design and component list they plan to release open source, aims to let anyone achieve arcane laser-based tricks to reverse engineer chips, trigger their vulnerabilities, and expose their secrets—methods that have historically only been available to researchers inside of well-funded companies, academic labs, and government agencies.

State-of-the-art commercial tools for light-based hacking techniques, such as the Riscure Laser Station, have typically cost as much as $150,000, and even lower-budget versions cost closer to $10,000. Yet through a combination of 3D printing, commodity component choices, and clever physics tricks, Beaumont and Trowell built theirs for less than $500.

Their goal in creating and releasing the designs for that ultra-cheap chip-hacking gadget, they say, is to make clear that laser-based exploitation techniques (known as laser fault injection or laser logic state imaging) are far more possible than many hardware designers—including clients for whom Beaumont and Trowell sometimes perform security testing at NetSPI—believe them to be. By demonstrating how inexpensively those methods can now be pulled off, they hope to both put a new tool in the hands of DIY hackers and researchers worldwide, and to push hardware manufacturers to secure their products against an obscure but surprisingly practical form of hacking.

“If we come to clients and say, ‘Your chip is vulnerable to laser fault injection,’ they tell us nobody’s going to be able to do that because it’s infeasible and it costs too much. We don’t actually think that’s true. So that got us started tinkering,” Beaumont says. “We’re not discovering anything new, in the sense that other people have used lasers this way before. We’re doing it at a lower cost, so that people can do this in their homes.”

The RayV Lite, shown here with no target chip mounted. Its laser and lens are visible in the circular opening on top.Photograph: Courtesy of NetSPI

Beaumont describes the RayV Lite as part of a larger trend she calls the “domestication of tooling”: Devices like the ChipWhisperer and HackRF have made electromagnetic or radio-based hacking techniques vastly cheaper and more accessible. The RayV Lite, she hopes, will do the same for lasers. “It’s significant,” says Adam Laurie, a longtime hardware hacker and current head of product security at electric vehicle charging firm Alpitronic, who reviewed Beaumont and Trowell’s laser hacking work. “It moves the tools from the super-expensive academic or state-actor platform to the garage, where the really inventive stuff happens.”

As they built the RayV Lite, Beaumont and Trowell focused on two distinct laser hacking methods. One is laser fault injection, or LFI, which uses a brief blast of light to mess with the charges of a processor’s transistors, “flipping bits” from 1 to 0 or vice versa. In some cases, carefully triggering those bit flips can cause far larger effects. For one automotive chip that Beaumont tested, for instance, glitching the chip with a laser at a certain moment can prevent a security check that puts the chip’s firmware in a protected state, thus leaving it unprotected and letting her scan through its otherwise obfuscated code to find vulnerabilities.

Many cryptocurrency wallets, too, are vulnerable to forms of LFI, Beaumont and Trowell say, such as glitching the chip at the moment it’s asking for a PIN to unlock the cryptographic key to access the owner’s funds. “You take the chip off the crypto wallet, hit it with a laser at the right time, and it will just assume you have the PIN,” says Trowel. “It just jumps through the instructions and gives the key back.”

A second laser-hacking technique, known as laser logic state imaging, focuses instead on surveilling a chip’s architecture and activity in real time, bouncing laser light off of it, and capturing the results (much like a camera or microscope), and then analyzing them—in Beaumont and Trowell’s work, this was often done with the help of machine learning tools. Because a laser’s light bounces off silicon differently based on its electrical charge, that trick allows hackers to map out not only the physical layout of a processor but also the data its transistors store, essentially vivisecting the chip to pull out hints about the data and code it’s handling, which could include sensitive secrets.

In the first iteration of RayV Lite, Beaumont and Trowell are building designs for the tool in two different versions, one for each of those two laser hacking techniques. They’re releasing only the laser fault injection model for now, and hope to debut the laser logic state imaging version in a matter of months. Both will use the same fundamental components and the same DIY cost-cutting tricks. The body of the tool, for instance, is ba

sed on an open source 3D-printable microscope model called OpenFlexure, which uses the flexibility of 3D-printable PLA plastic to achieve precise aiming of the laser. The target chip is mounted on a chassis fixed to printed plastic levers that are bent to small degrees by stepper motors, allowing tiny, precise movements in three dimensions. With that plastic bending trick and a laser focused through a lens, Beaumont and Trowell say, the RayV can target transistors—or rather, groups of them—down to the nanometer scale. (PLA plastic does wear out, Beaumont admits. But she also notes that the entire body of the RayV Lite can simply be printed again for a few dollars.)

Another innovation that allowed Beaumont and Trowell to vastly reduce the RayV Lite’s cost, first implemented by a group of academic researchers at Royal Holloway University of London who built their own low-cost laser fault injection tool, was the discovery that laser-based chip hacking can be performed with far cheaper lasers than previously believed. That’s in part because a lower-powered laser fired at a chip for a longer time interval—still so quick as to be measured in milliseconds—can have an equivalent effect to a higher-powered laser fired for a shorter time, just as a traditional camera can expose film to less light for a longer time to achieve the same exposure.

The RayV Lite with a target chip attached to a circuit board mounted on top of its 3D-printed chassis.Photograph: Courtesy of NetSPI

That realization allowed Beaumont and Trowell to use a laser in the RayV Lite that costs less than $20 and also saves enormously on the equipment and electricity used for powering the laser. “People don’t have freaking massive lasers sitting around,” says Beaumont. “But you can do this with a laser pointer, which is actually what we’re doing right now.” (Beaumont and Trowell nonetheless warn that anyone using even lower-powered lasers should be careful to wear eye protection.)

In fact, the most expensive components of the RayV Lite are the lens used for focusing its relatively cheap laser and an FPGA chip that serves as its timing mechanism, each of which costs close to $100, as well as the $68 Raspberry Pi minicomputer that allows it to be controlled and programmed.

Aside from the general sense that “lasers are cool,” as Trowell puts it, it was the growing body of research in more accessible laser hacking techniques that drove her and Trowell to conceive the RayV Lite, as well as what they saw as a disconnect between that accessibility and their clients’ out-of-date perceptions of the difficulty of laser-based hacking. Some highly sensitive devices used in industrial control systems, automobiles, and medical devices will be vulnerable to laser fault injection of laser logic state imaging, they say. And those manufacturers need to understand that the notion of hacking the chips inside those critical devices with lasers isn’t as arcane or out-of-reach as they might believe.

“Security through obfuscation isn’t something we can kind of rely upon over time, especially when we’re working with critical infrastructure, or when we’re working with devices that are literally in our homes and our hearts,” says Beaumont.

More practically, she says, the RayV Lite will make her own job—and no doubt that of many other hardware hackers who will use her optical exploitation toolkit—far easier. “Selfishly, it’s very nice,” she says. “Especially when I have to do expense reports.”

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist