A presentation at the 2010 Black Hat Conference in Washington, D.C. by Christopher Tarnovsky of Flylogic Engineering talked about his 9-month effort to ‘crack’ the Infineon security integrated circuit. A short write-up of the presentation was offered by Dark Reading.
The article discusses in general terms the methodology Tarnovsky used to reverse-engineer the security IC. The methodology includes a painstaking electron microscopic examination of the device (presumably with captured images), followed by insertion of micro-probes into the data buses. The probes were small enough to circumvent the protective mesh shielding (described in Infineon literature as ‘ActiveShield’).
When you pause to understand the time and resources Tarnovsky put into this research effort, it is not a ground-breaking revelation that an otherwise successful industrial security solution from Infineon has vulnerabilities. Every hardware or software security solution has them. What is most interesting about any Black Hat activity like this is the attack vector chosen and how successful it was. Most objective observers can probably see how this broadens our horizons as security engineers in understanding new ways to protect data, though of course it is easy to say that today only if you don’t work for Infineon.
From my limited understanding of Tarnovsky’s activities, this work does not reflect negatively on Infineon security solutions in any way whatsoever. And he certainly won’t be publishing the inner workings of the device — just the fact of his work, the amount of effort involved, and what can be maliciously done with the information (creating a turn-key chip crack, cloning the device, etc.). The most alarming impact of his work may be the completeness of the design information Tarnovsky has been able to document about the device, its design and manufacture, and his detailed accounting of all of the security monitoring built into the device.
What this and many other Black Hat activities today demonstrate is the importance of hardware security design. Infineon is very clear in their literature about what kind of attacks they are trying to protect against (“Highest degree of protection from fraudulent attacks”), and their commitment to customers is “Continuous On-going Improvements”. Arguably, 9 months of effort and access to electron microscopes do not represent simple ‘fraudulent attacks’, but rather political state or organized crime efforts.
CPU Tech is very interested and engaged in both hardware security design and the Black Hat process. We are committed to filling out a national and international spectrum of security solutions for every class of need — from IP protection to financial transactions to high-value communications and national security. Hardware vulnerabilities such as those discussed by Tarnovsky are very real and should be considered when specifying and designing systems with the highest security and IP protection requirements.