
From the article, "The low-cost, low-complexity attack works by placing a small piece of hardware between a single physical memory chip and the motherboard slot it plugs into. It also requires the attacker to compromise the operating system kernel". "Low-complexity" requires physical access and an OS compromise? What the hell would high complexity be?


Focused Ion Beam workstation, decap the relevant IC & probe its internal connections directly. If protected by a mesh, also use the FIB to deposit extra metal to bypass the mesh to make the probe holes. If protected by light sensors, also bypass them. Create glitches by shining highly focused lasers onto specific transistors at specific times. Etc. The sorts of attacks Christopher Tarnovsky did on a bunch of TPMs & talked about at DEFCON.


I was looking for the old CCC talk about this stuff, but I ended up finding out about a project called RayV Lite which seeks to democratize this hardware

https://www.netspi.com/blog/executive-blog/hardware-and-embe...

https://github.com/ProjectLOREM/RayVLite



Could not find the CCC talk, but here is a NetSPI presentation at this year's Black Hat: https://youtu.be/Wyv3pSQopp0?si=dyVaYYlwkkXkkO8r


I thought the point of secure enclaves is to protect against attacks by someone with access to the hardware.

Therefore requiring physical access is still low complexity in context.


Isn't one of the points of a secure enclave that it does not need to trust the rest of the computer it is running on?


And the images also show that the "small piece of hardware" is connected to lots of chonky ribbon connectors that make IDE cables look slim.



