Making hardware secure is more difficult than you might think, which is the reason I was confident that Raspberry Pi would have to pay out its $20,000 bounty offered to anyone who could break the security on the RP2350 - the heart of the Pico.

The reason you might think that hardware is easier to secure than software, is that it is hardware. Software is easy to change, but hardware need a soldering iron or something similar. But the key ways of making hardware secure are very limited. You can burn code into OTP (One-Time Programmable) memory and that stops someone from changing it, but you need to allow for authorised changes and this is usually done by only running code signed with a private key which can be verified using a public key burned into the OTP memory.

In the case of the RP2350, the OTP is the base of the security. It is used to configure the ARM TrustZone. The usual attack methods involve perturbing the system in some way to see if it can be glitched into an unsafe state. Raspberry Pi has included glitch detectors and a Redundancy Coprocessor RCP whch validates the execution of the initial boot code.

All-in-all it appears to be very secure, but past experience suggests that there will be cracks and indeed the first was found by Aedan Cullen who guessed that a voltage glitch at a critical moment in execution might do something. He froze the state machine that was reading the OTP memory so that it returned the guard value on repeated reads and this happened to be 0x333333, which is just the bit pattern needed to allow the RISC-V cores to run with debugging allowed and from here the OTP can be read and all security is gone.As you might expect the fix is probably to change the guard value to something that doesn't disable security, but this isn't possible until a chip update.

The second breach was courtesy of  Marius Muench and was another glitch induced by spiking the chip's supply voltage, which triggered a boot mode to run unsecured software. In principle this can only be triggered from secure software, so there should be no problem - but the glitch bypasses this and lets you run anything. The solution is to this one is easier - set a single OTP configuration flag to disable this particular boot mode.

The third breach was implemented by Kévin Courdesses who exploited the secure book procedure again using a glitch. In this case, it had to be timed so that the code to be verified was loaded and about to be verified. The glitch causes the hash function to work out the hash of another specified block of code and to treat the result as applying to the loaded code. If the second block is valid then the loaded code is executed, ever though it hasn't been validated. Of course, in principle, the chip's built-in glitch detectors should have spotted the attack, but the glitch wasn't introduced via the supply line but via a light pulse. The back of the package was ground away to reveal the back of the chip and then a laser was used to administer a flash of light that disturbed the electronics. 

As you can also guess there is no obvious fix for this attack until the chip can be modified to stop it working.

These three attacks are proven to work, but a more worrying theoretical attack was also proposed. In principle, OTP memories are hard to read using external probing, but researchers at IOActive suggest that you can read the state of the OTP using chip processing equipment and an ion beam. This is not a fault specific to the RP2350 and if it works provides a way to access the secure data on any system that uses OTP memory.

The fifth attack doesn't qualify for a prize because it was done in collaboration with Raspberry Pi. In this case radio waves were used to create a fault that corrupts the OTP.

Although there was only a single $20,000 prize offered the quality of the work was deemed so good that each winner will receive the full amount.

So what are we to make of these results?

The first is that hardware is always vulnerable, but it still takes a lot of effort to subvert it. I think that this means that you probably shouldn't rely on it to protect your crown jewels, but for many, if not all, uses it isn't problem. For one thing, getting in requires physical access to the chip and most such devices are going to be in a physically secure environment - first steal your chip, then spend weeks working on it.

Interestingly Raspberry Pi does not seem to be put off by the results and plan more such challenges:

"And while this hacking challenge is over, another one is about to start. As a component of the broader RP2350 security architecture, we’ve been working to develop an implementation of AES which is hardened against side-channel attacks (notably differential power analysis), and we’ll be challenging you to defeat it."

• Harry Fairhead, I-Programmer's hardware guru, is the author of books about many popular IoT devices including Programming The ESP32 In C Using The Espressif IDF, Programming the ESP32 in MicroPython, Programming the Raspberry Pi Pico/W in C  and  in MicroPython and Master the Raspberry Pi Pico in C: WiFi with lwIP & mbedtls. His earlier books, Raspberry Pi IOT in C, Raspberry Pi IoT in C with Linux Drivers,  Raspberry Pi IOT in Python with GPIO Zero,  Raspberry Pi IoT In Python Using Linux Drivers and Micro:bit IoT in C have all been updated to the most recent hardware.

More Information

Security through transparency: RP2350 Hacking Challenge results are in

Related Articles

Pico 2W Announced But There Is A Surprise!

Raspberry Pi Beaten To It With Pico Plus 2

Pico 2 Faster With More Memory And RISCier

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info

<ASIN:1871962919>

<ASIN:187196282X>

<ASIN:187196279X> 

<ASIN:1871962803>

<ASIN:1871962811>

<ASIN:B0CK3X93KF>