Samy Kamkar - FPGA Glitching & Side Channel Attacks
- date added 17. 06. 2024
- I will explore some of the incredible work that has been done by researchers, academics, governments, and the nefarious in the realm of side channel analysis. We’ll inspect attacks that were once secret and costly, but now accessible to all of us using low cost hardware such as FPGAs. We’ll learn how to intentionally induce simple yet powerful faults in modern systems such as microcontrollers.
Note: Due to technical difficulties with the live stream, Samy's talk slides are shown for the first portion of the talk, with live video beginning at about the 6:30 mark.
Read the article on Hackaday:
hackaday.com/?p=402241
Follow Samy on Twitter:
/ samykamkar - Science & Technology
Common problem with Hackaday talk videos: Edited to show the presenter talking and misses lots of slides. Perhaps a picture-in-picture view, or something?
Samy is great! Also loving the sound of "the party van" at 15:20
Nice talk. Thanks for Samy's share.
Very nice work Samy!
Samy - Hopefully, you'll see this. @20:30 The "photo-acoustic effect" you're referring to works with a special type of microphone, often used in cell phones and IoT interfaces such as Amazon Alexa and Google Assistant. An audio-modulated laser beam can be directed through glass, hitting the IoT interface microphone, allowing you to issue commands like "Hey Alexa. Open the garage door." While light doesn't have mass, it does have energy, which can interact with MEMS microphones. MEMS = Micro-Electromechanical System, which are nanoscale moving parts on a silicon die. In the case of the MEMS microphone, it's a diaphragm. Source: I'm an EE and also perform IoT hardware security research.
Edit: I just found a good link for this exploit: Destin, from the Smarter Every Day channel, demonstrates the effect and explains it pretty well. czcams.com/video/ozIKwGt38LQ/video.html
relevant slides are not shown in the video... is there a link to the presentation?
Nice talk. Thank you HACKADAY.
Wonderful!!!!!!
Love this bloke ....
Hey haven't seen anything new from this guy in a while
Samy is my hero!
ChipWhisperer is a great tool. Side Channel Attack and Correlation Power Analysis. Excellent efficiency vs. price... Great video pip...
Some new sort of hack ... Thanks man ...
Correct me if I am wrong, but you don't need to erase EEPROM to write new info. Erasing means changing all bytes to 0xFF, which is actually a write operation. And you don't need that. Just put the new info.
EEPROM works like UV (EPROM). A "write" operation means that you can only flip a bit from "1" to "0" (not vice versa). You cannot "write" a "1" where there's already a "0". Hence you need to perform an "erase" operation to reset all bits to a known default state (i.e. 0xFF) before the actual "write" operation. In other words, you could say that the EEPROM "write" is NOT atomic.
Samy is my hero!
Your timing hack reminds me of what I tried in Minecraft once we figured out remote chunk loading, to see if a chunk was loaded from disk, generated newly, or already loaded. We tried using timings, but over the network that was too unreliable. Then we tried to do the timing on the server's side, so you could time the delay between 2 events and in between those you do the chunk loading. Didn't find a good second event though.
I remember using some mod that showed whether a chunk was already generated or not and mark the pre generated ones red on screen.
Do the mods these days use the timing hack or something else?
The mods were pretty accurate and we would follow the trails to find people's bases.
@godfather7339 yeah, so how that works is that Minecraft generates chunks in 2 phases but it loads chunks in 1. So when the chunk generation sends an additional large block update packet while loading the chunk, your client assumes it must have been newly generated. This works most of the time.
The comments under the video say
"Note: Due to technical difficulties with the live stream, Samy's talk slides are shown for the first portion of the talk, with live video beginning at about the 6:30 mark."
I think you are apologizing for the wrong thing. The problem was not that there were slides in the first portion, the problem is that the live video started at 6:30 mark and removed the slides and made it much harder to follow. The people editing talks like this are clearly not among the people watching these talks. In the institute where I did my theoretical physics PhD we had a team hired to record all lectures and talks. But they always insisted on fancy cutting the camera between different angles, showing the speaker speak from different perspectives, while the scientists at the institute just wanted the slides (or sometimes blackboard) + the voice. There is little info in looking at the speaker while he is pointing to slides we can't see.
The best way to record talks like this is to have picture in picture, where the slides are shown in nearly full screen and the speaker in a small picture in the corner.
Hey, so if a non-volatile SRAM is used, is it much more vulnerable to memory imaging?
Link to the slides please? or his email so that I can ask him for them?
Is there a link to the slides?
Why are some of the links redacted?
Tristan smith - They’re from the NSA “Playset”. It’s a catalog of NSA hacking tools, which was leaked by Edward Snowden, exposing what the NSA was doing/capable of. It’s not hard to find. It’s been in the wild for several years now.
@Willam_J ah, noted, thanks
**Wears Tin Foil Hat**
I wish he would hack WMS Bluebird WMS 550 or some slot machines. I'd like to run different ROMs on mine.