Defeating a Secure Element with Multiple Laser Fault Injections

Conference: BlackHat USA 2021

In 2020, we evaluated the Microchip ATECC508A Secure Memory circuit. We identified a vulnerability allowing an attacker to read a secret data slot using Single Laser Fault Injection. This was presented during Black Hat USA. Subsequently, the chip's product life cycle status changed to deprecated, and the circuit has been superseded by the ATECC608A, supposedly more secure. We present a new attack allowing retrieval of the same data slot secret on this new chip, this time using a double Laser Fault Injection to bypass two security tests during a single command execution. The method is different from our previous paper and the attack path is more complex.

This work was conducted in a black box approach. We explain the attack path identification process, which relied on power trace analysis and, during an intermediate testing campaign, up to 4 faults in a single command. We constructed a firmware implementation hypothesis based on our results to explain how the security and one double-check countermeasure were bypassed. This work highlights how Microchip hardened the circuit and that the effort required to hack the chip is much higher.

The work was conducted for the analysis of a particular hardware wallet using this secure element, but this chip is also widely used in IoT applications, and therefore it is possible that other attack paths exploiting the same fault effect might exist.