Raspberry Pi Announces the Winners of Its RP2350 Capture the Flag Contest, Confirms Vulnerabilities
Five successful attacks lead to plans for improvements in future steppings of the in-house microcontroller.
Raspberry Pi has announced the results of its capture the flag competition, which saw security researchers invited to try out the hardware protections built into its RP2350 microcontroller — and has confirmed four winners and five independently-discovered vulnerabilities.
"All chips have vulnerabilities, and most vendors' strategy is not to talk about them. We consider this to be grossly irresponsible, so instead, we entered into the DEF CON spirit by offering a one-month, $10,000 prize to the first person to retrieve a secret value from the one-time-programmable (OTP) memory on the device," Raspberry Pi co-founder and chief executive officer Eben Upton explains. "Our aim was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications. Nobody claimed the prize by the deadline, so in September we extended the deadline to the end of the year and doubled the prize to $20,000."
Now, the results of that extended competition have been published — and it's news that Upton says he is only "pleased (ish)" to report: the chip's security subsystem, a new feature of the RP2350 not present on the earlier RP2040, has been defeated through no fewer than five independent attacks, four of which were considered valid entries to the competition.
The first of these was made public earlier this year: a voltage-glitching attack discovered by engineer Aedan Cullen. "It's not a very difficult attack at all," Cullen claimed at the time, disclosing a glitch that re-enables the microcontroller's RISC-V cores, which should be disabled when the security subsystem is in use. "It's just a normal power glitch. Just drop `USB_OTP_VDD` for 50μs or so across the `CRIT0` and `CRIT1` `OTP PSM` reads, which on my chips are around 220-250μs from the characteristic current spike that marks the beginning of the OTP PSM sequence."
Confirming the vulnerability and blaming it on a "poor choice of guard word" for the one-time programmable (OTP) memory, Upton states that "no mitigation is currently available for this vulnerability, which has been assigned erratum number E16" — but that "it is likely to be addressed in a future stepping of RP2350."
A second winning entry came from Marius Muench, who found a fault injection vulnerability that can be exploited through glitching the chip's supply voltage. "While this break may seem straightforward in retrospect," Muench says, "reality is quite different. Identifying and exploiting these types of issues is far from trivial. Overall, this hacking challenge was a multi-month project for me, with many dead-ends explored along the way and countless iterations of attack code and setups to confirm or refute potential findings." This, Upton says, is erratum E20 — and has "several effective mitigations," the recommended one of which is to set the OTP flag `BOOT_FLAGS0.DISABLE_WATCHDOG_SCRATCH`.
The third winning entry came courtesy of Kévin Courdesses: a weakness in the chip's secure boot path, coming just after the firmware has been loaded into memory and just before its hash is computed — exploitable, once again, by glitching the chip's supply voltage. "Injecting a single precisely timed fault at this stage can cause the hash function to be computed over a different piece of data," Upton says, "controlled by the attacker. If that data is a valid signed firmware, the signature check will pass, and the attacker’s unsigned firmware will run!" This is erratum E24, and again has no known mitigation — but should be addressed in a future RP2350 chip revision.
The fourth and final winning entry comes from the researchers at IOActive, and is the only one requiring a major investment in advanced hardware to exploit: "An attacker in possession of an RP2350 device, as well as access to semiconductor deprocessing equipment and a focused ion beam (FIB) system, could extract the contents of the antifuse bit cells as plaintext in a matter of days," the company explains. "While a FIB system is a very expensive scientific instrument (costing several hundred thousand USD, plus ongoing operating expenses in the tens of thousands per year), it is possible to rent time on one at a university lab for around $200/hour for machine time or around two to three times this for machine time plus a trained operator to run it."
"The suggested mitigation for this attack is to employ a 'chaffing' technique, storing either {0, 1} or {1, 0} in each pair of bit cells, as the attack in its current form is unable to distinguish between these two states," Upton notes of the vulnerability, which is not believed to be exclusive to the RP2350 and has not been given an erratum number. "To guard against a hypothetical version of the attack which uses circuit editing to distinguish between these states, it is recommended that keys and other secrets be stored as larger blocks of chaffed data, from which the secret is recovered by hashing."
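The chaffing scheme Upton describes can be sketched as host-side provisioning logic. This is an added example, not code from Raspberry Pi or IOActive; the function names, the 64-byte block size, the use of SHA-256, and the treatment of adjacent entries in the list as one "pair" of bit cells are all assumptions made for illustration (the page does not say which physical OTP cells form a pair).

```python
import hashlib
import secrets


def chaff_encode(block: bytes) -> list[int]:
    """Store each secret bit b as the cell pair (b, 1 - b), MSB first."""
    cells = []
    for byte in block:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            cells += [bit, bit ^ 1]
    return cells


def chaff_decode(cells: list[int]) -> bytes:
    """Recover the block; a {0,0} or {1,1} pair means corruption or tampering."""
    if len(cells) % 16:
        raise ValueError("expected a whole number of encoded bytes")
    out, acc = bytearray(), 0
    for n in range(0, len(cells), 2):
        first, second = cells[n], cells[n + 1]
        if first == second:
            raise ValueError(f"invalid chaff pair at cell {n}")
        acc = (acc << 1) | first
        if (n // 2) % 8 == 7:
            out.append(acc)
            acc = 0
    return bytes(out)


def pair_view(cells: list[int]) -> list[int]:
    """Constructed model: an observer learns only how many cells per pair are set."""
    return [cells[n] + cells[n + 1] for n in range(0, len(cells), 2)]


def provision_block(block_len: int = 64) -> list[int]:
    """Generate a random block larger than the key and return its cell image."""
    return chaff_encode(secrets.token_bytes(block_len))


def derive_key(cells: list[int]) -> bytes:
    """The working key is the hash of the whole decoded block."""
    return hashlib.sha256(chaff_decode(cells)).digest()
```

Under this model every block produces the same `pair_view`, and because the key is a hash of the full block, recovering only some of the stored bits does not yield part of the key.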
Finally, a fifth attack was demonstrated by Thomas Roth at Hextree, in collaboration with Colin O'Flynn at NewAE. While a commission from Raspberry Pi itself and thus not considered a valid entry to the competition, the researchers' work revealed a vulnerability to electromagnetic fault injection (EMFI) which could both corrupt the OTP memory and lead to potential side-channel timing attacks. Further investigation revealed a way to bypass protections with "precisely-timed faults" injected using EMFI. The vulnerability, dubbed erratum E21, has what Upton describes as "several effective mitigations" — though one of these comes at the cost of losing the ability to flash new firmware over USB.
"While the rules specify a single $20,000 prize for the 'best' attack," Upton notes, "we were so impressed by the quality of the submissions that we have chosen to pay the prize in full for each of them. As expected, we've learned a lot. In particular, we've revised downward our estimate of the effectiveness of our glitch detection scheme; the difficulty of reliably injecting multiple faults even in the presence of timing uncertainty; and the cost and complexity of laser fault injection. We’ll take these lessons into account as we work to harden future chips, and anticipated future steppings of RP2350."
Upton has also pledged a second capture the flag competition to follow, this time focusing on an in-house implementation of the AES cryptographic algorithm which is believed to be hardened against side-channel attacks. More information is available on the Raspberry Pi website, including — where available — links to papers detailing each of the attacks.