At the upcoming Black Hat conference in Las Vegas, NetSPI employees, white-hat hackers Sam Beaumont and Larry "Patch" Trowell, will present RayV Lite, an inexpensive device for laser-based hardware attacks on chips. RayV Lite is an attempt to build a budget version of the extremely expensive laser rigs that intelligence agencies use to attack and reverse engineer chips, and the attempt succeeded.
According to the developers, the open-source RayV Lite puts laser (optical) chip attacks within reach of a wide range of specialists and hobbyists. Professional equipment for this purpose costs up to $150,000, whereas Beaumont and Trowell spent only $500. They describe it as a democratization of the tooling and hope it will improve defenses against such attacks, which the vast majority of chip designers currently ignore.
Laser attacks on chips take two main forms: laser fault injection (LFI) and laser logic state imaging (LLSI). In LFI, a laser pulse aimed at a specific point on the exposed die induces a transient fault, forcing transistors to switch state at the moment the attacker chooses. In LLSI, the laser is reflected off the bare silicon and the reflected signal is measured; the reflection differs depending on whether the transistor under the beam is on or off, so the chip's logic state can be read out.
An LFI attack can simply knock out a security check, for example the PIN prompt that guards access to a hardware cryptocurrency wallet (as in the developers' demonstration). An LLSI attack is capable of more: it can recover the chip's architecture, which is useful not only for attacks but for reverse engineering in general.
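The PIN-prompt bypass above is the textbook fault-injection target: firmware that decides access with a single comparison and a single branch. The following C is an added illustration, not NetSPI's code and not a model of any particular wallet. It simulates a single transient fault (assumed here to force one comparison to report "match", the effect a well-timed laser pulse on the right transistor can have) and runs it against a naive PIN check and against a hardened one that uses redundant comparisons, wide result encodings, and treats disagreement as tampering. The PIN values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4

/* Result encodings for the hardened check: the two values differ in every
 * bit, so a single flipped bit never turns "reject" into "accept". */
#define RES_OK      0xA5A5A5A5u
#define RES_REJECT  0x5A5A5A5Au

enum { REJECTED = 0, ACCEPTED = 1, TAMPER = 2 };

/* --- Simulated fault (an assumption of this example, not a NetSPI fault model) ---
 * A laser pulse that hits the comparison logic at the right cycle is modelled
 * as forcing one comparison to report "match". glitch_at selects which
 * comparison in the current check is hit: 0 = first, 1 = second, -1 = none. */
static int glitch_at = -1;
static int compare_index = 0;

static int pin_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (int i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);          /* constant-time compare */
    int equal = (diff == 0);
    if (compare_index++ == glitch_at)
        equal = 1;                               /* injected fault */
    return equal;
}

/* Naive firmware logic: one comparison, one branch. A single well-timed
 * fault on that branch accepts any PIN. */
static int pin_check_naive(const uint8_t *entered, const uint8_t *stored) {
    if (pin_equal(entered, stored))
        return 1;
    return 0;
}

/* Hardened logic: the comparison is performed twice, results are held in the
 * wide encodings above, and any disagreement or invalid encoding is treated
 * as tampering rather than as a plain "not equal". */
static int pin_check_hardened(const uint8_t *entered, const uint8_t *stored) {
    volatile uint32_t r1 = pin_equal(entered, stored) ? RES_OK : RES_REJECT;
    volatile uint32_t r2 = pin_equal(entered, stored) ? RES_OK : RES_REJECT;
    if (r1 != r2)
        return TAMPER;                           /* one compare was faulted */
    if (r1 != RES_OK && r1 != RES_REJECT)
        return TAMPER;                           /* corrupted result word */
    return (r1 == RES_OK) ? ACCEPTED : REJECTED;
}

/* Constructed sample PINs for the simulation. */
static const uint8_t STORED_PIN[PIN_LEN] = {1, 2, 3, 4};
static const uint8_t WRONG_PIN[PIN_LEN]  = {9, 9, 9, 9};

/* Run the naive check with a fault on comparison `at` (-1 = no fault).
 * Returns 1 if the PIN was accepted. */
int run_naive(int at, int use_correct_pin) {
    glitch_at = at;
    compare_index = 0;
    return pin_check_naive(use_correct_pin ? STORED_PIN : WRONG_PIN, STORED_PIN);
}

/* Same for the hardened check; returns ACCEPTED, REJECTED or TAMPER. */
int run_hardened(int at, int use_correct_pin) {
    glitch_at = at;
    compare_index = 0;
    return pin_check_hardened(use_correct_pin ? STORED_PIN : WRONG_PIN, STORED_PIN);
}

int main(void) {
    printf("naive,    wrong PIN, no fault      : accepted=%d\n", run_naive(-1, 0));
    printf("naive,    wrong PIN, fault on cmp 0: accepted=%d\n", run_naive(0, 0));
    printf("hardened, wrong PIN, fault on cmp 0: outcome=%d (2 = tamper)\n", run_hardened(0, 0));
    printf("hardened, wrong PIN, fault on cmp 1: outcome=%d (2 = tamper)\n", run_hardened(1, 0));
    return 0;
}
```

The single fault that turns the naive check into an unconditional accept only produces a TAMPER result from the hardened check. Two faults at the right two cycles would still defeat this version, which is why real designs add random delays between the redundant checks, increment a persistent failed-attempt counter before comparing, and verify afterwards that the increment happened. The fault model here is also a simplification: real LFI can skip instructions, flip register bits or corrupt memory reads, so each of those must be considered when hardening the actual firmware.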
The most expensive components of RayV Lite are the laser lens and the FPGA that synchronizes the laser pulses, each around $100. The lasers themselves are cheap, little more than laser-pointer diodes. With the chip fabrication processes in use today, the lack of laser power can be more than compensated for by exposure time, which is what the developers rely on. The rig is controlled by an ordinary Raspberry Pi costing $68. The software is built on open-source components and will also be distributed.
The body is 3D printed from an open-source microscope-frame design. Stepper motors and plastic flexure levers move the target chip in steps of a few nanometers, and worn plastic parts can simply be reprinted. All of this kept the build within the $500 budget, and anyone can replicate it; assembly instructions are expected to be published. The tool being presented performs LFI attacks; a variant with LLSI support will follow, and a combined solution covering both attacks is likely over time.
The developers say they are astonished at how unaware chip designers are of what laser attacks can do, and that wide availability of RayV Lite will force them to take more responsibility for their designs. We are surrounded by chips, and the vast majority of them cannot withstand laser attacks today.