back to article Ex-Army man cracks popular security chip

Hardware hacker Christopher Tarnovsky just wanted to break Microsoft's grip on peripherals for its Xbox 360 game console. In the process, he cracked one of the most heavily fortified chips ever put into a consumer device. The attack by the former US Army computer-security specialist is notable because it goes where no hacker …

COMMENTS

This topic is closed for new posts.
  1. Steve Evans

    Errrr

    "They have a right to do it, but I have a right to break it too."

    I have a nagging suspicion that the DMCA specifically says you *don't* have the right to break it!

    1. Anonymous Coward
      Anonymous Coward

      I

      expect he means a moral right.

      1. Unus Radix
        Megaphone

        indentically true ?

        moral != law && moral > law

    2. J 3
      Terminator

      @Errrr

      I thought that too when I read that line in the article. But then, thinking about it a little more, and not having read the DMCA legislation, I wonder: does it also apply to hardware, or is it just software?

      Either way, cool stuff the guy has done there, legally or not.

    3. Ken Hagan Gold badge

      Re: Er

      (Palindromic titles, eh?)

      The DMCA is a copyright act, so unless you are breaking the chip to make an illegal copy, it probably doesn't apply.

    4. copsewood
      Big Brother

      US law != world law

      The DMCA only applies to those willing to risk travel to the US or indigenous serfs of the corporations there who buy such laws from US Congress inc.

  2. Anonymous Coward
    Anonymous Coward

    Okay, I have my focused ion beam workstation on order

    just how microscopic are those needles?

    1. Anonymous Coward
      Anonymous Coward

      Bugger!

      Dropped them....

  3. milo42
    Thumb Up

    Amazed

    I am amazed by this crack using an electron microscope to work out the inner workings of a chip, amazing. Just goes to show how hard secure is to create, there is always a way around if you are determined enough.

  4. Anonymous Coward
    Go

    Obscurity?

    "This device should not have been readily available for a researcher like me."

    Not only it should, but it proved invaluable to Infineon, which will probably not make the same mistakes twice. But the day Infineon blocks anyone of having their chips is the day they'll be less and less secure.

    1. BristolBachelor Gold badge
      Pint

      There are some problems with your post.

      "But the day Infineon blocks anyone of having their chips is the day they'll be less and less secure."

      The only way that Infineon can stop anyone getting their chips is to stop making them and selling them. However that makes no money for the shareholders.

      If Infineon sell them to anyone, people can get them. After all, that is how people reverse engineer SKY TV cards; they get a sky box and look at the chip.

      Then if they are not used in anything, there is no reason for anyone to need to break^H^H^H^H^H "fix" them :)

      A beer for persistance, but I think just buying a controller for his XBox would have been cheaper!

    2. John Browne

      hmm...

      I'd be pretty sure infineon knew what they were doing and knew exactly how the chip could be broken but just figured no hacker would go to the trouble of doing it. (The equipment is very very expensive)

      Infineons competitors in STM, Atmel, TI etc would have all the equipment and expertise to break the chip. They would even have a head start over Tarnovsky as they would know how the general architecture of the chip. I'd be very surprised if they hadn't "broken" the chip ages ago. they just wouldn't tell anyone about it.

      1. I. Aproveofitspendingonspecificprojects 1
        Boffin

        Market farces

        "I'd be pretty sure Infineon knew what they were doing and knew exactly how the chip could be broken but just figured no hacker would go to the trouble of doing it. (The equipment is very very expensive)"

        Equiptment like desk top computers and mobile phones were very expensive at one time. I don't think anyone would be interested in a microscope that can only focus on a silicon chip but the possibility exist of making an imager that will do the job just that job and someone could in theory churn them out wholesale.

        As for rights to analyse equiptment, this has always been the case. Guilds have been formed to protect marketable systems since the year dot and hacks are as old as cave drawings.

        What will be has been and ever shall.

  5. Anonymous Coward
    Thumb Up

    Security everywhere?

    Is this level of security really required everywhere. To stop cloned ink cartridges just so that the printer manufacturer can charge prices higher than gold for replacement ones? Why not try a different business model, one where you get money for adding value rather than fleecing your customers.

    1. Anonymous Coward
      Thumb Up

      Better product evaluations would help - some

      If those who review printers and such gizmos would do more critical analyses - including cost-per-page with warnings of proprietary consumables - instead of just regurgitating marketing pap - it would go a long way toward informing potential purchasers of the "real" price. Maybe a web-site evaluating the evaluators would help too.

      1. Bill Fresher

        Which

        Which magazine are very good at providing running costs in their product evaluations... whether they're looking at printers or fridge freezers.

    2. Apocalypse Later

      anti-sales technique

      I for one simply won't buy one of those printers that locks you into expensive proprietary ink cartridge systems. That anyone would do so is a source of amazement to me. Would you buy a car that could only be refueled at a Shell station?

      Naming names, I have never bought Epson and will never again buy Lexmark (different issue). I am currently using a Brother and refilling the cartridges.

    3. Usko Kyykka
      FAIL

      Isn't this just ...

      another example of how the ultimate business model is not competing with anyone, while the chief moral (?) justification of existing as a business is being part of the free market ? [Doesn't compute: logic fail.]

  6. Anonymous Coward
    Flame

    "money for adding value"

    Trouble is, that doesn't really work if you're a lazy, near-incompetent has-been who were once able to Invent but have long since lost the plot and are now relying purely on market muscle for continued success. HP printers and Microsoft software being two obvious examples.

    1. Tom 35

      lazy, near-incompetent HP

      I think you have the wrong angle here. I don't think it because they are lazy, it's more execs who look at the engineers scientists, and labs and say they are not doing anything to help the size of my bonus or the value of my stock options TODAY so kill them off, or outsource them to China. By the time we fall behind my bank account will be nice and fat and I can move on.

    2. John Tserkezis

      It's all about the bottom line.

      They're protecting their bottom line. They have the right to do that.

      If you're fed up with high prices on a monopolised ink market, change. You have the right to do that.

      1. A J Stiles
        FAIL

        The right yes; the ability no

        What good is the right to do something in theory, without the ability to do it in practice?

        If you know of somebody who is selling printers that are designed to use cheap, generic bulk ink, then please enlighten us all. Otherwise, talk of rights is just sophistry.

    3. Anonymous Coward
      FAIL

      Panasonic's another; and others have gone further

      Panasonic's firmware change to stop their cameras working with third-party batteries is another.

      I once worked on the software inside laser printers, and we sometimes got prototype / early production models. One (I can't remember which make) had what appeared to be a fuse-like mechanism on the waste toner bucket, designed to blow when the bucket was full, so the consumer would have to buy a new empty container rather than simply emptying the old one.

  7. Anonymous Coward
    FAIL

    Follow the money!

    "The requirement offended his sense of fair play, so he put his reverse engineering muscle to breaking it."

    Nope don't buy that. He and his company just wanted to publicise their security business.

    1. Spanners Silver badge

      Innefective

      If that was all there was behind it, it was a very poor use of money. They must have some other uses in mind for this information.

    2. Anonymous Coward
      Anonymous Coward

      Sometimes it's justified!

      And maybe a strong sense of right and wrong is part of the package of someone so unusually determined? Which isn't to say his sense of right and wrong is right or wrong. But usually the one who actually does the groundbreaking work is doing it for rather more esoteric reasons than you ascribe.

  8. Dazed and Confused

    Re: just how microscopic are those needles?

    I used to work for a chip maker doing testing. We needed to be able to put a probe onto a line to take measurements. Line sizes have shrunk since then but I'm sure the test equipment manufactures have kept pace. The problem isn't just the needles but the micro manipulators to position them. Then you have loads of fun keeping it all still enough.

  9. Just Me
    Pint

    Thats just amazing!

    As a keen electronics enthusiast, I found this article very interesting!!

    Thats just ******* amazing! Both the lengths greedy manufacturers (e.g. Lexmark) go to so they can rip you off and the skill, patience and determination this army bloke had/has!!

  10. Anonymous Coward
    Coat

    Time and Money

    Wish I had the time and resources to do the same thing... it is not rocket science even. Just reasonable skill and a lot of time and money.

    More fascinating would have been a crack of certain organic machinery algorithms... but that requires more skill (and of course time and money). I'd go for it except that its a struggle just to survive on the ever shrinking private sector income... should have taken a fat cushy government job... more pay, less hours, and a retirement inome.

    Ah, mines the tattered jacket with the biohazard symbol on the back. Careful about the flask of powder in the pocket please.

    1. amanfromMars 1 Silver badge

      Keep IT Simple Stupid

      "I'd go for it except that its a struggle just to survive on the ever shrinking private sector income... should have taken a fat cushy government job... more pay, less hours, and a retirement inome." .... Anonymous Coward Posted Thursday 18th February 2010 01:01 GMT

      AC,

      If the private sector, which has suffered massive pension plan losses/criminal fraud and common theft in recent times, simply put their members' contributions in the same funds and with the same fund managers as provide the wizardry which feathers and guarantees the fat cushy government job ... more pay, less hours, and an obscene retirement income, then will all be secured and insured and assured of a cosy future with no income worries.

      1. TeeCee Gold badge
        FAIL

        Shurely shome mishtake?

        That would be true were the Public sector to actually have funds, managers et. al. They do it by paying their pensioners out of current tax revenues, there's no investment of contributions to provide a pension later going on here. This works by having an infinite supply of money that's scalped from the taxpayer rolling in.

        You don't have to be a financial genius to figure out why this is unsustainable long term and why there's such a drive to raise public sector retirement ages.....

      2. Number6

        Not going to work

        If it's the UK, the public sector gets its money from the taxpayers to pay for pensions. I don't quite see the private sector managing to tap that source.

        1. fajensen
          Grenade

          Whoot?

          You have to be both blind and dyslexic to have missed the bailouts of the favoured private business: The Banks!

    2. I. Aproveofitspendingonspecificprojects 1
      Alien

      Sterp over and help us

      I am working on some earth science cuting edge stuff and would welcome any input. It doesn't cost anything once you have an internet connection.

      Take a look at the storm reports page of the USA's NWS and compare the days for tornado activity with the North Atlantic sea level pressure charts from the previous day.

      Ditto for days when there were severe earthquakes.

      Some people can get it and some can't. If you think you are a scientist a real one that is not a paid professor of doublespeak, get out of your bed and follow me.

      Anyone know anything about Euler geometry?

      <Nerd Wanted icon wanted>

  11. Anonymous Coward
    Anonymous Coward

    Anti-trust

    They don't have the right... if they don't server the consumer, and benefit the economy as a whole, they don't have the right... break them up.

    1. Anonymous Coward
      Thumb Up

      Do I hear an AMEN?

      Right! It's a pity that a security hacker has to be the one to reveal the lengths and depths that monopolists and oligopolists will go to in order to eliminate competition - the only thing that justifies market economies. It should be resolvable in anti-trust litigation - if only successive administrations and congresses had not been bought off by the very corporations and conglomerates that they are supposed to be regulating. I'd go into the recent SCOTUS decision on election funding, but it's too nauseating.

  12. Anonymous Coward
    Anonymous Coward

    Targets for the Electron Microscope

    Instead of wasting time on games. Point that electron microscope at electronic vote tabulation devices. There could be bad logic in there too, and it could undermine government itself.

    1. Steve X
      Unhappy

      bad logic?

      You don't need microscopic needles to find the flaws in electronic vote-tabluating machines. There are plenty of expert published papers around explaining how they should work, and none is implemented accordingly.

      Then again, until politicians actually do something sufficiently worthwhile and different to get more than 25% or so of people to actually bother to vote it hardly seems to matter, does it.

  13. Charles 9

    One question...

    How does Infineon believe going to a full cryptoprocessor will help them against a pure physical attack where someone has raw access to the internal wirings of a processor? After all, even in a cryptoprocessor either the cipherkey or the means to produce it must exist on the processor SOMEWHERE.

    As for Tarnovsky's comment about the availability of the chips, it's really quite simple. It's impossible to limit the sale of a commodity part (a part meant to be everywhere). It's like trying to restrict the flow of grains. More than likely the Hong Kong places simply got the chips from foundries in nearby China that turn them out in massive lots (most chips are made this way now).

    1. Geoff Smith
      FAIL

      availability of copies on international surplus markets

      This is a side effect of the exportation of chip manufacturing technology by the US semiconductor industry during the 1970's and 1980's, which continues to this day, because they've forced themselves into their current situation. Create a new chip die today, and there are lots now lots of people out there who can clone it - and build it more cheaply than you can.

      The US semi-conductor industry literally committed a form of slow industrial suicide back in the '70's and 80's, by outsourcing all of the manufacturing. To this day, our corporate titans are still too dense to realize that you can't offshore the manufacturing without also offshoring nearly all of the engineering expertise required to design and manufacture the device in the first place.

      So no, nothing in this article surprises me.

      Bleah!

      1. AlistairJ
        Boffin

        A title

        Well for a start, Infineon are a German company, not a US one. And cloning the IP of the world's most popular security chip is not a simple matter.

        Secondly, you can design a chip anywhere in the world, but to manufacture them cost effectively, you need a massive big facility. This is a billion dollar investment so you need a big flat area of land that is also free of earthquakes. Then you need access to a well-trained but not especially academic workforce, to wear the bunny suits. finally of course you need to do this in a country that has relatively lax laws regarding the use of lots of nasty chemicals.

        1. asdf
          Terminator

          some clarifications from an insider

          Infineon's memory spinoff Qimonda already went tits up and Infineon is struggling bad these days. Much of the reason is because European labor is too expensive compared to asian labor and thus the outsourcing. Free of earthquakes is nice but it seems actually most of the worlds fabs are built very close to faultlines (Silicon valley, Japan, etc) and they have strategies to deal with all but a massive earthquake. In addition to a flat area of land an obvious economic requirement is the land should be very cheap and yet near an airport (fabs needs lots of materials and equipment from all over the world to operate). Also actually with modern almost lights out fabs, bunny suit operators are less important than finding educated people willing to work hard and fairly cheap and be willing to live near the fab (cheap land above means usually not in real nice area). Yes the chemicals are nasty but fabs tend to be some of the safest manufacturing plants there is (in developed world). I have heard horror stories in Asia though of disabling gas alarms because they kept going off and the product is much more valuable than the serfs working in the fab. Still what is really hurting the industry in the developed world is very few college grads want to pidgeon hole themselves in manufacturing and soon all the baby boomers will retire.

    2. John Browne

      Interesting Question

      Moving to a full crypto core will make it far more difficult for this kind of hack.

      The physical penetration of the chip was only the first step. After he ahd circumvented the wire mesh and the optical sensors he used the mirco needles to probe the data bus.

      The data is stored on the chip encrypted in the Flash memory. There is a dedicated circuit on the chip that decrypts the data and sends it to the processor. so the data is sent in the "clear". It was these unencrypted lines that he probed and knowing how this type of processor core works he was able to interpret this data and "break" the chip.

      Going with a fully encrypted core means that finding the block of logic that does the encryption will be all but impossible. Have you seen what a block of logic at 90nm looks like?

      Tarnovsky did a presentation on this attack at black hat in DC a few weeks ago.

      The presentation is available on line. It's very top level and not very technical. He tends to ramble though so it's about 40mins long.

      1. Martin Smith 2

        Link?

        I'd be interested to see this presentation but Google isn't coming up trumps at the moment.

  14. Trevor Pott o_O Gold badge
    Pint

    DMCA

    I really hope they buy his "researcher" take on this, otherwise as quick as you can say DMCA, he's off to jail.

    Regardless of the legal outcome, this dude is no officially my hero.

    It’s not a beer, is the contents of the can of pure awesome this dude opened up.

    1. Anonymous Coward
      Thumb Down

      not necessarily

      Yeah - if he's American. DMCA don't apply to the other 6 billion of the world's citizens outside the land of the free

      1. Trevor Pott o_O Gold badge

        DMCA and the rest of the world...

        "DMCA don't apply to the other 6 billion of the world's citizens outside the land of the free"

        6.5ish Billion. And you just wait until ACTA is ratified.

  15. Eddy Ito

    Just wondering

    Did Apple do the same thing in the iPad's A4 proc?

  16. Fran Taylor

    DMCA? Maybe not so much

    Check out their web site. This is what they do. For all we know Infineon paid them to do this, allowed them to publish the results but not disclose their funding source. Note the timing of the new chip, this could be a trick to boost its sales.

    1. I didn't do IT.
      Alert

      Very Astute...

      It is quite odd, isn't it, that he publishes his results at the same time a new chip is being announced that "denies" this attack... when there isn't any real demand for a new chip?

      After all, why would you buy the new, higher priced chip if you can get the one everyone else is relying on for only $0.15 a pop, eh?

  17. Anonymous Coward
    Stop

    Next app - voting machines

    To those who believe that digital voting machines can be made impervious to mischief, they should read this article. Eventually, they'll harden the systems to the point where it will be impossible for an outsider, even one of the author's motivation and ability, to know what's going on inside the chips.

  18. Anonymous Coward
    Terminator

    Microsoft

    "It's very monopolistic what they've done."

    You don't say.

    Not only that but to anyone who complains about Apple, Sony et al being harsh (Apple for only allowing certain apps in their store for example) well - MS only allow certain controllers on their 360! What next? Sending your children off to Redmond to make them 360 compatible?

  19. Steven Cuthbertson
    Unhappy

    Cracking the code...

    I wish I could do this sort of thing, but the Times' crossword is beyond me, and with my aging synapses I don't expect it will get any better...

  20. Ken Hagan Gold badge

    Missing the point

    "In a statement sent to Infineon customers last week, the company noted the time and expense required for Tarnovsky to crack the chip."

    Infineon's own engineers are surely well aware that they are playing a game with rules of "crack once and its cracked everywhere". Infineon's PR has probably been told as much, but (on the above evidence) don't want to admit it to customers.

    So a qualified bloke had to work on it for some time, and needed a few hundred thousand dollars of kit. THEREFORE, if what you are trying to protect is worth more than (say) half a million, you'd be better off using some other device.

    Or maybe change your business model? The real lesson here is for investors and shareholders. If a company uses this sort of technology, then there are real limits to how sucessful that company can be before it is worth someone else's time cracking it open. That someone else needn't be (and for legal reasons probably won't be) an actual competitor. It could be one of the company's customers, disgruntled at having to pay over the odds for a product and willing to publish anonymously in the hope that the competitors act on the info.

    1. Anonymous Coward
      Anonymous Coward

      Depends what you mean

      "Crack once and its cracked everywhere"

      Yes, you can make the same attack against each chip - indeed, he had to fry quite a few to make it work, but he could presumably do it repeatedly now.

      BUT the TPM has no global secrets. So for each additional device whose secrets you want to extract/clone, you have to repeat the attack. That means that the bottom hasn't suddenly dropped out of Infineon's market. The TPM design - and sensible systems based on it - always assumed that with "expensive physics lab equipment" you could break one.

      Whether or not the XBox relies on any global secrets, though, I have no idea.

  21. Ken Hagan Gold badge

    Missing the point (2)

    The other real casualty of this hack is the very notion of secure hardware. How many people have not bothered to try and crack these devices because they believed the line trotted out by the likes of IBM and the NSA that it was a very high up-front research cost with very low probability of success.

    Now everyone *knows* this ain't true. Infineon may find that rather a lot of people have a go at their next offering. Consider what Ross Anderson's group have done with various crypto products over the years. Imagine if similarly motivated and resourced people decide that testing the strength of protected hardware is a legitimate research topic. After all, if these are going to be widely used to protect important secrets, there's a public interest in knowing whether they work.

    1. Charles 9

      Also consider this...

      There is typically one type of organization that is better-funded for such projects than universities. Of course, I'm talking governments. If someone with university funding can achieve this, imagine a state-sponsored effort, particularly the sponsorship of a hostile state.

    2. Eddie Edwards
      Thumb Down

      Bad conclusion

      I suspect similar people had already decided that testing the strength of TPMs is a suitable research topic. Remember, we don't know how many people tried *and failed* to crack this TPM - people don't report on that. We only have the report of one success. There could have been a dozen research teams in organizations both criminal and non-criminal attempting this, who each blew through 10x as much cash as this guy, while still failing. No conclusions can be drawn about success rates without knowing how many people tried.

      The claims of high up-front cost and low probability of success seem to me to hold their validity in the light of this story. This was not a simple hack, and it did not seem to reveal any fundamental issues with the implementation (e.g. weak crypto), other than that the chip itself exists in the physical universe and is hence vulnerable to physical attack.

  22. Jason Bloomberg Silver badge
    Thumb Up

    Time and Cost

    All it takes to 'crack' anything is time and cost plus the will and resolve to do it. Security only has to outlast attack attempts to be effective in most cases.

    The more popular a security mechanism is the more the incentive to 'crack' it, so good security will often ultimately be defeated when far weaker security on other products can remain safely in place. The harder a system to 'crack' the more likely someone is to prove they can and show it all to be worthless; this is a fine case in point.

    It's therefore a Catch-22; adding security encourages 'cracking'. By making security protection ubiquitous Microsoft and others ultimately undo themselves and everyone else. What they need to protect often falls when what they don't need to protect comes undone.

    DMCA and the like are blunt and ultimately ineffective tools. They may discourage and punish but they don't prevent. No different really to security through obscurity. They don't event discourage or prevent if those involved can remain anonymous.

  23. ZenCoder

    Wonder who really cracked it first.

    I would be amazed if several governments secret programs that work on hacking things like this. I bet some guy somewhere is really pissed because he hacked this a year ago and can't tell anyone about it.

    1. stu 4
      Black Helicopters

      fah!

      more likely there is a team of 200 people who have worked for the last year in some government department FAILING to crack it with millions of our tax moolla.

      They are probably now trying to spin this into a success story

  24. No, I will not fix your computer
    Black Helicopters

    Good work, but just an extention of known techniques.

    In true Matrix hacker style, Trinity took the cap off a 6801 MCU ROM (using nasty chemicals), photographed the surface using a microscope and decoded it to find the code for running Bubble Bobble, these particular chips have been cloned and bootlegged for years using many methods, imagine if you had governmental resources behind you.

    Seriously, good work, but most of this stuff goes on in secret, this is the tip of the iceberg.

  25. Tom 7

    I just hope the cost in making it secure

    puts these sad deluded idiots out of business.

This topic is closed for new posts.