Black Hat 2018: Mixed Signal Microcontrollers Open to Side-Channel Attacks

In mixed-design radio chips the processor’s activity leaks into the analog portion of the chip – and is broadcast as output.

LAS VEGAS – Mixed signal circuits – in which chips isolate digital and analog components – are opening chips up to novel side-channel attacks, researchers said at Black Hat 2018 today.

As chip manufacturers search for smaller and cheaper microelectronics components, they have adopted a mixed-signal approach to circuits, where analog and digital circuits reside on the same silicon die, in close physical proximity. For instance, a microcontroller, representing digital logic, would be on the same die as a radio transceiver, which uses analog logic.

While these mixed circuits lead to smaller components, due to improper separation of the digital and analog aspects, some of the CPU’s operations can leak to the radio transmitter – which enabled a group of researchers from Eurecom’s Software and Systems Security group to extract cryptokeys from the chips’ radio signals, from at least 10 meters away.

“While processing data, the digital circuits on these chips generate noise, which can be picked up by noise-sensitive analog radio components, ultimately leading to leakage of sensitive information,” the researchers explained, speaking at Black Hat this week in Las Vegas. “Screaming channel attacks change the threat models of devices with mixed-signal chips, as those devices are now vulnerable from a distance.”

When the processor’s activity leaks into the analog portion of the chip, it is upconverted, amplified and broadcast as part of the regular radio output.

Researchers stressed that the leakage isn’t due to the design error of an individual vendor, but can instead be chalked up to a fundamental difficulty in designing mixed-signal chips. For instance, in proof-of-concept tests, the researchers were able to perform the attack on a leaky Bluetooth dongle, as well as on Qualcomm and Nordic Semiconductor chips. “Though we mainly investigated Bluetooth chips, mixed-signal designs are very common also for WiFi devices,” they said.

Researchers were able to capture the radio output of mixed-signal chip by first configuring the radio to transmit an arbitrary Bluetooth packet repeatedly, and then extracting a TinyAES 128 key from the devices.

The physical setup consisted of two main components: the target chip and a software-defined radio (SDR) to collect the traces, placed in an anechoic test chamber at a distance of 10 meters from each other.

“While this is similar to electromagnetic (EM) side-channel attacks which can be mounted only in close proximity (millimeters, and in a few cases a few meters), we show that it is possible to recover the original leaked signal over large distances on the radio,” the researchers said. “As a result, variations of known side-channel analysis techniques can be applied, effectively allowing us to retrieve the encryption key by just listening on the air with an SDR.”

Countermeasures

Researchers said that cryptographic countermeasures are possible through a process called “hiding,” which changes the design such that intermediate values of sensitive computations do not leak into observable channels, such as power, EM emissions and radio transmissions.

Another option is for System in Package (SiP) technologies to integrate multiple dies inside one package, enabling them to avoid substrate coupling and to use different semiconductor technologies, researchers said.

“In any case it appears difficult to address the core problem without compromising on other requirements,” researchers said. “Moreover, experience shows that protection mechanisms usually increase the difficulty of attacks but do not prevent them entirely. We therefore expect radio side-channel attacks to be possible for the foreseeable future; they should thus be considered in the threat model of sensitive applications.”

Suggested articles