Errrr
"They have a right to do it, but I have a right to break it too."
I have a nagging suspicion that the DMCA specifically says you *don't* have the right to break it!
Hardware hacker Christopher Tarnovsky just wanted to break Microsoft's grip on peripherals for its Xbox 360 game console. In the process, he cracked one of the most heavily fortified chips ever put into a consumer device. The attack by the former US Army computer-security specialist is notable because it goes where no hacker …
"This device should not have been readily available for a researcher like me."
Not only should it, but it proved invaluable to Infineon, which will probably not make the same mistakes twice. But the day Infineon blocks anyone from having their chips is the day they'll be less and less secure.
"But the day Infineon blocks anyone from having their chips is the day they'll be less and less secure."
The only way that Infineon can stop anyone getting their chips is to stop making them and selling them. However, that makes no money for the shareholders.
If Infineon sell them to anyone, people can get them. After all, that is how people reverse engineer SKY TV cards; they get a sky box and look at the chip.
Then if they are not used in anything, there is no reason for anyone to need to break^H^H^H^H^H "fix" them :)
A beer for persistence, but I think just buying a controller for his XBox would have been cheaper!
I'd be pretty sure Infineon knew what they were doing and knew exactly how the chip could be broken but just figured no hacker would go to the trouble of doing it. (The equipment is very very expensive.)
Infineon's competitors, STM, Atmel, TI etc., would have all the equipment and expertise to break the chip. They would even have a head start over Tarnovsky as they would know the general architecture of the chip. I'd be very surprised if they hadn't "broken" the chip ages ago. They just wouldn't tell anyone about it.
"I'd be pretty sure Infineon knew what they were doing and knew exactly how the chip could be broken but just figured no hacker would go to the trouble of doing it. (The equipment is very very expensive)"
Equipment like desktop computers and mobile phones was very expensive at one time. I don't think anyone would be interested in a microscope that can only focus on a silicon chip, but the possibility exists of making an imager that will do just that job, and someone could in theory churn them out wholesale.
As for rights to analyse equipment, this has always been the case. Guilds have been formed to protect marketable systems since the year dot and hacks are as old as cave drawings.
What will be has been and ever shall.
Is this level of security really required everywhere? To stop cloned ink cartridges just so that the printer manufacturer can charge prices higher than gold for replacement ones? Why not try a different business model, one where you get money for adding value rather than fleecing your customers.
If those who review printers and such gizmos would do more critical analyses - including cost-per-page with warnings of proprietary consumables - instead of just regurgitating marketing pap - it would go a long way toward informing potential purchasers of the "real" price. Maybe a web-site evaluating the evaluators would help too.
I for one simply won't buy one of those printers that locks you into expensive proprietary ink cartridge systems. That anyone would do so is a source of amazement to me. Would you buy a car that could only be refueled at a Shell station?
Naming names, I have never bought Epson and will never again buy Lexmark (different issue). I am currently using a Brother and refilling the cartridges.
Trouble is, that doesn't really work if you're a lazy, near-incompetent has-been who was once able to Invent but has long since lost the plot and is now relying purely on market muscle for continued success. HP printers and Microsoft software being two obvious examples.
I think you have the wrong angle here. I don't think it's because they are lazy; it's more execs who look at the engineers, scientists, and labs and say they are not doing anything to help the size of my bonus or the value of my stock options TODAY, so kill them off, or outsource them to China. By the time we fall behind my bank account will be nice and fat and I can move on.
Panasonic's firmware change to stop their cameras working with third-party batteries is another.
I once worked on the software inside laser printers, and we sometimes got prototype / early production models. One (I can't remember which make) had what appeared to be a fuse-like mechanism on the waste toner bucket, designed to blow when the bucket was full, so the consumer would have to buy a new empty container rather than simply emptying the old one.
And maybe a strong sense of right and wrong is part of the package of someone so unusually determined? Which isn't to say his sense of right and wrong is right or wrong. But usually the one who actually does the groundbreaking work is doing it for rather more esoteric reasons than you ascribe.
I used to work for a chip maker doing testing. We needed to be able to put a probe onto a line to take measurements. Line sizes have shrunk since then but I'm sure the test equipment manufacturers have kept pace. The problem isn't just the needles but the micro manipulators to position them. Then you have loads of fun keeping it all still enough.
Wish I had the time and resources to do the same thing... it is not rocket science even. Just reasonable skill and a lot of time and money.
More fascinating would have been a crack of certain organic machinery algorithms... but that requires more skill (and of course time and money). I'd go for it except that it's a struggle just to survive on the ever shrinking private sector income... should have taken a fat cushy government job... more pay, less hours, and a retirement income.
Ah, mines the tattered jacket with the biohazard symbol on the back. Careful about the flask of powder in the pocket please.
"I'd go for it except that it's a struggle just to survive on the ever shrinking private sector income... should have taken a fat cushy government job... more pay, less hours, and a retirement income." .... Anonymous Coward Posted Thursday 18th February 2010 01:01 GMT
AC,
If the private sector, which has suffered massive pension plan losses/criminal fraud and common theft in recent times, simply put their members' contributions in the same funds and with the same fund managers as provide the wizardry which feathers and guarantees the fat cushy government job ... more pay, less hours, and an obscene retirement income, then all will be secured and insured and assured of a cosy future with no income worries.
That would be true were the Public sector to actually have funds, managers et al. They do it by paying their pensioners out of current tax revenues; there's no investment of contributions to provide a pension later going on here. This works by having an infinite supply of money that's scalped from the taxpayer rolling in.
You don't have to be a financial genius to figure out why this is unsustainable long term and why there's such a drive to raise public sector retirement ages.....
I am working on some earth science cutting edge stuff and would welcome any input. It doesn't cost anything once you have an internet connection.
Take a look at the storm reports page of the USA's NWS and compare the days for tornado activity with the North Atlantic sea level pressure charts from the previous day.
Ditto for days when there were severe earthquakes.
Some people can get it and some can't. If you think you are a scientist a real one that is not a paid professor of doublespeak, get out of your bed and follow me.
Anyone know anything about Euler geometry?
<Nerd Wanted icon wanted>
Right! It's a pity that a security hacker has to be the one to reveal the lengths and depths that monopolists and oligopolists will go to in order to eliminate competition - the only thing that justifies market economies. It should be resolvable in anti-trust litigation - if only successive administrations and congresses had not been bought off by the very corporations and conglomerates that they are supposed to be regulating. I'd go into the recent SCOTUS decision on election funding, but it's too nauseating.
You don't need microscopic needles to find the flaws in electronic vote-tabulating machines. There are plenty of expert published papers around explaining how they should work, and none is implemented accordingly.
Then again, until politicians actually do something sufficiently worthwhile and different to get more than 25% or so of people to actually bother to vote it hardly seems to matter, does it.
How does Infineon believe going to a full cryptoprocessor will help them against a pure physical attack where someone has raw access to the internal wirings of a processor? After all, even in a cryptoprocessor either the cipherkey or the means to produce it must exist on the processor SOMEWHERE.
As for Tarnovsky's comment about the availability of the chips, it's really quite simple. It's impossible to limit the sale of a commodity part (a part meant to be everywhere). It's like trying to restrict the flow of grains. More than likely the Hong Kong places simply got the chips from foundries in nearby China that turn them out in massive lots (most chips are made this way now).
This is a side effect of the exportation of chip manufacturing technology by the US semiconductor industry during the 1970's and 1980's, which continues to this day, because they've forced themselves into their current situation. Create a new chip die today, and there are now lots of people out there who can clone it - and build it more cheaply than you can.
The US semi-conductor industry literally committed a form of slow industrial suicide back in the '70's and 80's, by outsourcing all of the manufacturing. To this day, our corporate titans are still too dense to realize that you can't offshore the manufacturing without also offshoring nearly all of the engineering expertise required to design and manufacture the device in the first place.
So no, nothing in this article surprises me.
Bleah!
Well for a start, Infineon are a German company, not a US one. And cloning the IP of the world's most popular security chip is not a simple matter.
Secondly, you can design a chip anywhere in the world, but to manufacture them cost effectively, you need a massive big facility. This is a billion dollar investment so you need a big flat area of land that is also free of earthquakes. Then you need access to a well-trained but not especially academic workforce, to wear the bunny suits. Finally, of course, you need to do this in a country that has relatively lax laws regarding the use of lots of nasty chemicals.
Infineon's memory spinoff Qimonda already went tits up and Infineon is struggling badly these days. Much of the reason is because European labor is too expensive compared to Asian labor, and thus the outsourcing.

Free of earthquakes is nice, but it seems actually most of the world's fabs are built very close to faultlines (Silicon Valley, Japan, etc.) and they have strategies to deal with all but a massive earthquake. In addition to a flat area of land, an obvious economic requirement is that the land should be very cheap and yet near an airport (fabs need lots of materials and equipment from all over the world to operate).

Also, actually, with modern almost lights-out fabs, bunny suit operators are less important than finding educated people willing to work hard and fairly cheap and be willing to live near the fab (cheap land above means usually not in a real nice area). Yes, the chemicals are nasty, but fabs tend to be some of the safest manufacturing plants there are (in the developed world). I have heard horror stories in Asia though of disabling gas alarms because they kept going off and the product is much more valuable than the serfs working in the fab.

Still, what is really hurting the industry in the developed world is that very few college grads want to pigeonhole themselves in manufacturing, and soon all the baby boomers will retire.
Moving to a full crypto core will make it far more difficult for this kind of hack.
The physical penetration of the chip was only the first step. After he had circumvented the wire mesh and the optical sensors he used the micro needles to probe the data bus.
The data is stored on the chip encrypted in the Flash memory. There is a dedicated circuit on the chip that decrypts the data and sends it to the processor, so the data is sent in the "clear". It was these unencrypted lines that he probed and, knowing how this type of processor core works, he was able to interpret this data and "break" the chip.
Going with a fully encrypted core means that finding the block of logic that does the encryption will be all but impossible. Have you seen what a block of logic at 90nm looks like?
Tarnovsky did a presentation on this attack at Black Hat in DC a few weeks ago.
The presentation is available online. It's very top level and not very technical. He tends to ramble though, so it's about 40 mins long.
It is quite odd, isn't it, that he publishes his results at the same time a new chip is being announced that "denies" this attack... when there isn't any real demand for a new chip?
After all, why would you buy the new, higher priced chip if you can get the one everyone else is relying on for only $0.15 a pop, eh?
To those who believe that digital voting machines can be made impervious to mischief, they should read this article. Eventually, they'll harden the systems to the point where it will be impossible for an outsider, even one of the author's motivation and ability, to know what's going on inside the chips.
"It's very monopolistic what they've done."
You don't say.
Not only that but to anyone who complains about Apple, Sony et al being harsh (Apple for only allowing certain apps in their store for example) well - MS only allow certain controllers on their 360! What next? Sending your children off to Redmond to make them 360 compatible?
"In a statement sent to Infineon customers last week, the company noted the time and expense required for Tarnovsky to crack the chip."
Infineon's own engineers are surely well aware that they are playing a game with rules of "crack once and it's cracked everywhere". Infineon's PR has probably been told as much, but (on the above evidence) don't want to admit it to customers.
So a qualified bloke had to work on it for some time, and needed a few hundred thousand dollars of kit. THEREFORE, if what you are trying to protect is worth more than (say) half a million, you'd be better off using some other device.
Or maybe change your business model? The real lesson here is for investors and shareholders. If a company uses this sort of technology, then there are real limits to how successful that company can be before it is worth someone else's time cracking it open. That someone else needn't be (and for legal reasons probably won't be) an actual competitor. It could be one of the company's customers, disgruntled at having to pay over the odds for a product and willing to publish anonymously in the hope that the competitors act on the info.
"Crack once and it's cracked everywhere"
Yes, you can make the same attack against each chip - indeed, he had to fry quite a few to make it work, but he could presumably do it repeatedly now.
BUT the TPM has no global secrets. So for each additional device whose secrets you want to extract/clone, you have to repeat the attack. That means that the bottom hasn't suddenly dropped out of Infineon's market. The TPM design - and sensible systems based on it - always assumed that with "expensive physics lab equipment" you could break one.
Whether or not the XBox relies on any global secrets, though, I have no idea.
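The "no global secrets" point in the comment above, as an added example that is not part of the original article, Infineon's or Microsoft's design, or any commenter's post: a toy challenge-response authentication of a peripheral by a host, built two ways. In design A every chip carries the same shared key; in design B each chip gets its own random key at enrollment and the host keeps a registry of device ids to keys. The functions simulate the expensive physical extraction of one chip's key and report whether that single extraction also lets an attacker impersonate a chip that was never touched. All names, key sizes and the message format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a host authenticating a peripheral by
# challenge-response. Names, key sizes and the wire format are
# assumptions for illustration, not Infineon's or Microsoft's design.


def respond(key: bytes, device_id: bytes, nonce: bytes) -> bytes:
    """Peripheral side: prove possession of `key` for this challenge."""
    return hmac.new(key, device_id + nonce, hashlib.sha256).digest()


class GlobalSecretHost:
    """Design A: every peripheral ships with the same secret."""

    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key

    def verify(self, device_id: bytes, nonce: bytes, response: bytes) -> bool:
        expected = respond(self.shared_key, device_id, nonce)
        return hmac.compare_digest(expected, response)


class PerDeviceHost:
    """Design B: each peripheral gets its own random secret at enrollment;
    the host keeps a registry of device_id -> key (an assumption standing
    in for whatever per-device binding a real system would use)."""

    def __init__(self) -> None:
        self.registry: dict[bytes, bytes] = {}

    def enroll(self, device_id: bytes) -> bytes:
        key = secrets.token_bytes(32)
        self.registry[device_id] = key
        return key  # what gets burned into that one chip

    def verify(self, device_id: bytes, nonce: bytes, response: bytes) -> bool:
        key = self.registry.get(device_id)
        if key is None:
            return False
        return hmac.compare_digest(respond(key, device_id, nonce), response)


def global_secret_blast_radius() -> bool:
    """Attacker physically extracts the secret from device A, then
    impersonates device B, which was never touched. Returns whether
    the forged response for B is accepted (it is: one crack breaks all)."""
    shared = secrets.token_bytes(32)
    host = GlobalSecretHost(shared)
    extracted = shared  # result of the one expensive probing attack
    nonce = secrets.token_bytes(16)
    forged = respond(extracted, b"device-B", nonce)
    return host.verify(b"device-B", nonce, forged)


def per_device_blast_radius() -> tuple[bool, bool]:
    """Same extraction against design B. Returns
    (clone of A accepted, forgery of B accepted)."""
    host = PerDeviceHost()
    key_a = host.enroll(b"device-A")
    host.enroll(b"device-B")
    extracted = key_a  # attacker cracked device A only
    nonce = secrets.token_bytes(16)
    clone_a = host.verify(b"device-A", nonce, respond(extracted, b"device-A", nonce))
    forge_b = host.verify(b"device-B", nonce, respond(extracted, b"device-B", nonce))
    return clone_a, forge_b


if __name__ == "__main__":
    print("global secret, forged B accepted:", global_secret_blast_radius())
    print("per-device secret, (clone A, forge B):", per_device_blast_radius())
```

The cloned device A is accepted in both designs: physical extraction always yields a perfect clone of the chip that was attacked. The difference is the blast radius. With a global secret the one extraction is a master key; with per-device secrets the attacker has to repeat the whole probing exercise for every additional chip, which is the economic argument the comment makes for why the bottom has not dropped out of the market.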
The other real casualty of this hack is the very notion of secure hardware. How many people have not bothered to try and crack these devices because they believed the line trotted out by the likes of IBM and the NSA that it was a very high up-front research cost with very low probability of success.
Now everyone *knows* this ain't true. Infineon may find that rather a lot of people have a go at their next offering. Consider what Ross Anderson's group have done with various crypto products over the years. Imagine if similarly motivated and resourced people decide that testing the strength of protected hardware is a legitimate research topic. After all, if these are going to be widely used to protect important secrets, there's a public interest in knowing whether they work.
There is typically one type of organization that is better-funded for such projects than universities. Of course, I'm talking governments. If someone with university funding can achieve this, imagine a state-sponsored effort, particularly the sponsorship of a hostile state.
I suspect similar people had already decided that testing the strength of TPMs is a suitable research topic. Remember, we don't know how many people tried *and failed* to crack this TPM - people don't report on that. We only have the report of one success. There could have been a dozen research teams in organizations both criminal and non-criminal attempting this, who each blew through 10x as much cash as this guy, while still failing. No conclusions can be drawn about success rates without knowing how many people tried.
The claims of high up-front cost and low probability of success seem to me to hold their validity in the light of this story. This was not a simple hack, and it did not seem to reveal any fundamental issues with the implementation (e.g. weak crypto), other than that the chip itself exists in the physical universe and is hence vulnerable to physical attack.
All it takes to 'crack' anything is time and cost plus the will and resolve to do it. Security only has to outlast attack attempts to be effective in most cases.
The more popular a security mechanism is the more the incentive to 'crack' it, so good security will often ultimately be defeated when far weaker security on other products can remain safely in place. The harder a system to 'crack' the more likely someone is to prove they can and show it all to be worthless; this is a fine case in point.
It's therefore a Catch-22; adding security encourages 'cracking'. By making security protection ubiquitous Microsoft and others ultimately undo themselves and everyone else. What they need to protect often falls when what they don't need to protect comes undone.
DMCA and the like are blunt and ultimately ineffective tools. They may discourage and punish but they don't prevent. No different really to security through obscurity. They don't even discourage or prevent if those involved can remain anonymous.
In true Matrix hacker style, Trinity took the cap off a 6801 MCU ROM (using nasty chemicals), photographed the surface using a microscope and decoded it to find the code for running Bubble Bobble. These particular chips have been cloned and bootlegged for years using many methods; imagine if you had governmental resources behind you.
Seriously, good work, but most of this stuff goes on in secret, this is the tip of the iceberg.