Date : 05 juin 2019 à 12:00 — 15 min.
Side-Channel Analysis (SCA) has become a common practice to stress the security of embedded devices like smartcards or secure controllers. Nowadays, it is more than relevant on mobile and connected devices requiring a high security level. Yet, their applicability to smartphones is not obvious, as the architecture of modern System-on-Chips (SoC) is becoming ever more complex.
This work describes how a secret AES key was retrieved from the hardware cryptoprocessor of a smartphone, as part of an attack scenario targeting the bootloader decryption. The focus is held on practical realization and the challenges it brings. In particular, catching meaningful signals emitted by the cryptoprocessor embedded in the main SoC can be troublesome. Indeed, the Package-on-Package technology makes access to the die problematic and prevent straightforward near-field electromagnetic measurements.
The described scenario can apply to any device whose chain-of-trust fully or partially relies on firmware encryption, such as smartphones or Internet-of-Things nodes.