Podcast: Play in new window | Download
Subscribe: Apple Podcasts | RSS
Welcome, Colin O’Flynn creator of the ChipWhisperer!
- The ChipWhisperer won 2nd place in the Hackaday Prize.
- There is a new version called the ChipWhisperer lite, currently on Kickstarter. It’s also capable of breaking security, it can do a side channel attack on AES256. This is called sidechannel analysis using power analysis.
- Smart cards are credit cards with chip and pin security.
- Colin got started designing gimbaled cameras. He also worked at Atmel low power wireless division.
- Currently, Colin is a PhD candidate at Dalhousie University in the EE program (specializing on cyber security). He received some funding from the Canadian research council.
- The AES algorithm encryption works 8 bits at a time.
- The ChipWhisperer is capable of cracking an encrypted bootloader. It could also send messages to an IoT device that only accept encrypted packets.
- This was initially used for stealing satellite tv and other content plays.
- Chris thinks it would be easier to detect stealing by Statistical Process Control.
- Colin did some manufacturing in China. Because they were manufactured by hand, making 5-10 was a good deal.
- For high frequency stuff, users can use a downconverter to measure GHz clocks (only need MHz of bandwidth).
- The full ChipWhisperer has a PLL on board.
- Dave suggests using spread spectrum to further confuse someone trying to hack a device.
- The target market for the CW is hobbyists up to people that are creating embedded devices.
- The HW has a Spartan6 (for ADC handling) and a SAM3 (for USB handling).
- Colin does training at Black Hat.
If you’re designing embedded devices, you should definitely have the ChipWhisperer Lite in your toolbox, support the Kickstarter today!
Great interview. Thank you for releasing your tools completely openly. I am curious which presentation you saw that inspired you to take this path.
If any listeners would like to learn more about these and related techniques I highly recommend watching presentations by chris tarnovsky, travis goodspeed and deadhacker.
ru4mj12 (@ru4mj12) says
I’ve always wanted to visit Prince Edward Island.. and now Nova Scotia!
As far as ‘use-cases’, I’d like to clone my car (rfid) keys. The dealer asks for $250 per key, so I’d love to be able to do it myself even if the equipment to do it costs more, just on principal!
Speaking of side-channel-attack RFID tools (Chameleon, OpenPICC, Proxmark, OpenPCD Reader).. was Colin able to leverage anything from these? Any overlap?
David Oswald from Ruhr University Bochum gave a great talk on the Chameleon:
Bishofox’s Tastic RFID Thief (125/134khz)?
Colin O'Flynn says
Thanks for your kind comments! To answer some questions…
@defaultham – it was a presentation by Paul Kocher (one of the people who discovered this field). It was purely coincidental… I was at a conference that only touched on some security stuff (also dealt with wireless networking and smart energy I think), and they happened to have him as a speaker. I was blown away that I hadn’t heard of this before.
@ru4mj12 – The car key thing is a great example, my car keys are the same (very expensive to replace). And they actually use a KeeLoq chip in them which I know has been broken, and you can buy the chip and program it. So it’s entirely possible to clone one. Luckily I’ve still got both remotes though so haven’t had the need to dive into that.
I’m familiar with David’s work and some of the other tools. But to be honest I haven’t played with RFID stuff much. The ChipWhisperer is fairly close to a lot of tools, but the synchronous clock system is what really differentiates it. I designed it specifically because I couldn’t find anything that performed this clock synchronization, which allows you to attack hardware-based targets. These targets otherwise require > 1GS/s scopes, which only recently have become reasonably-priced.
If you are attacking RFID those other tools do a better job, as they are designed ‘out-of-the-box’ for working with those protocols, in particular doing the demodulation of protocols. Of course it’s possible to program such demodulation in software into the ChipWhisperer, but I’m very lazy and if there is a tool that already does the job, I’ll just use that 😉