Extracting a Bootloader’s AES Key via a Power Analysis Side Channel Attack
As manufacturers fortify their IOT devices, security validation from a third party has become difficult. Encrypted updates on secure devices makes firmware extraction close to impossible on many microcontrollers. A researcher may spend months hacking the interfaces, trying to find a software vulnerability without success. Power Analysis based Side Channel Attacks (SCA) follow a systematic approach to recover the bootloader’s keys without relying on the device to have a vulnerability.
This talk will summarize the technique we used to extract a secure Microchip ATSAMD21 bootloader key via a Power Analysis based SCA. I will be going over the broad details of my article, “A Practical Guide for Cracking AES-128 Firmware Updates,*” which will provide attendees the steps needed to perform a SCA on our target. Fortunately for a researcher, this flow can be used to extract keys from most secure microcontrollers.
Mark Kirschenbaum owns and operates Hypoxic, an action sports electronics company. Primarily developing camera controllers, Mark has continuously reverse engineered products to add hardware and software functionality for his clients. Prior to Hypoxic, Mark developed programmers and debuggers for a leading embedded microcontroller company. Side Channel Attacks have become Mark’s area of interest and he looks forward to sharing his real world experiences with other like minded hackers.