Off subject but related to security of microcontrollers


I was messing around with a Scenix (Ubicom) SX28 device. They were the last of the common micros I have yet to really mess with (no desire to use them really).

Guess what! I was messing around trying to figure out which output of their configuration fuse array was the lockbit wire output and I noticed that the chip was sometimes saying "unlocked" when I locked it with test code inside! I then came to realize that just the low halogen light coming through the objective focused in that area alone is enough to mess the output of the security fuse up! I read the device a bunch of times and in testing found that 3 of 5 reads under low halogen light in the area let me read the chip out without physically touching!

This is really scary! I can now say Atmel really is the most secure microcontroller on the market and has been for well over 2 years!

Congratulations Atmel! Learn from Ubicom's carelessness (Actually, I don't think Ubicom cares at all).

FYI: Many of you use various chips and not just AVRs, so this is enlightening for some.

Regards


10? years ago, while playing with windowed H8s, I found that the xtal oscillator did not start unless I put a label (or my finger) over the window - It was ok once it had started. This was with normal office (fluro) lighting.
In the SGS (now ST) version of the Z8, the fuses were clearly visible through the window and focused (masked) UV could clear them.
We (the firm I work for) get asked to add security to other people's products, and they get quite upset when we tell them that security has to be included from (or before) the start of the design process.
C.H.

C. H.
-------------------------------------------------------------------
It's only waste if you don't use it!


Back in the dim and distant I failed to initialize some registers on a windowed PIC and the prog worked. When transferred to a plastic part it did not! Guess what: covered the window and it also failed to function.

Keep it simple it will not bite as hard


This is a serious flaw in their architecture. It appears to only apply to silicon dated 1998 to present. No other microcontroller in the history of electronics has ever been compromised by simply exposing the die!

Regards


I'm pretty sure that you'd be able to do the same trick with any other micro that is intended for development use and has a programming window. It has nothing to do with a flaw in the architecture.
No-one in their right mind would ever use such a device for a product, not only because of the security problems, but because of the price!
Picking the "lid" off a regular chip may allow you to do the same stunt.

/Jesper
http://www.yampp.com
The quick black AVR jumped over the lazy PIC.
What boots up, must come down.


Jesper,

This chip does not have a window. Even if it did, light should not affect the state of being locked since this is hidden under metal layer 3 on the die. There is a serious flaw in the silicon!

No other chip I know of has this effect or I would have my work cut out for me and not have to try to figure these devices out!

Regards


While not disagreeing that there's a serious security problem, the presence or absence of a window means nothing. Anyone trying to crack a chip starts by removing the lid, if ceramic, or the plastic.

Even with 3 metal layers, the top of any die is mostly glass, with plenty of ways for light to get in, and it doesn't have to make it to the base die either. The good ol' photoelectric effect works on the Flash memory insulated gates and it only needs to stir up a few electrons - a countable number - on small geometry parts to change the state.


I always used to wonder how long a 2764 would last in the sun. I mean some of those boogers took a half hour to erase in a purple light that would peel paint. Someone computed it would take weeks in full sun to get the same level of UV. I used the sticker over the window anyway.

Imagecraft compiler user


2764s had relatively big gates with high capacitance - I mean, you could count them with a magnifying glass. They held a lot of charge that took a long time to photo away. The data sheets always warned about direct sunlight, but said it would take weeks. The photo effect on other circuits was more of a problem. I remember years ago we had some mechanism controlled by an 8748 or such, and Marketing decided to make a movie of it, but whenever the movie lights turned on the thing went haywire. That's how I first learned to cover the window :oops:


In the days before CCD cameras, while I was still playing with plumbicons, there was a windowed SRAM-like device that you focused an image on the die, wrote all zeroes and then read repeatedly until they went to ones. The time to erase was proportional to the light intensity. I don't know if anyone seriously used it.
C.H.

C. H.
-------------------------------------------------------------------
It's only waste if you don't use it!