In 2020, we evaluated the Microchip ATECC508A Secure Element and managed to read a secret data slot using a single laser fault injection attack. In 2021, we found a similar attack on a hardened version of this circuit, the ATECC608A, this time using a double laser fault injection to bypass a double security check. These two attacks were presented at BlackHat USA 2020 and BlackHat USA 2021, respectively.
As a consequence, Microchip deprecated those devices and released the ATECC608B circuit with more countermeasures to thwart our attacks. We evaluated this new revision and found that the previously identified attack paths are no longer possible, thanks to the added countermeasures.
However, we identified a new vulnerability allowing an attacker to extract internal EEPROM masking keys using a very long laser pulse while the circuit is running. Knowledge of those keys enables two new attacks that we also identified during this work: authentication hijacking and session key derivation hijacking. To achieve this, EEPROM data readout by the processor is overridden using laser illumination. By chaining all three attacks, we were able to access a protected secret key. This was applied to a real device, a hardware wallet for which we managed to extract the seed, but this chip is also widely used in many IoT applications. This attack may be applicable to the previous revisions as well.
This work was conducted using a black-box approach, drawing on experience from previous attacks on less secure devices in this family. Due to the very high number of faults required to retrieve the secret key, it is to this day the most complex multiple laser fault injection attack ever presented.
Finally, to prove that we were able to perform this attack, the hardware wallet manufacturer using this secure element sent us three devices to break as a challenge. Sample preparation was risky, and we broke two wallets when trying to desolder the circuits or decapsulate the packages to access the silicon. In addition to the laser attack, we will present hints and tricks we developed to overcome these practical difficulties, resulting in the successful wallet seed recovery of the last remaining challenge wallet!
Olivier Heriveaux is a hardware security expert specialized in fault injection, with 14 years of experience in the field.