“Instead of merely compromising one of the so-called electronic control units or ECUs on a target car’s CAN network and using it to spoof messages to the car’s steering or brakes, they also attacked the ECU that sends legitimate commands to those components, which would otherwise contradict their malicious commands and prevent their attack,” explained Wired’s Whitney Curtis. “By putting that second ECU into ‘bootrom’ mode—the first step in updating the ECU’s firmware that a mechanic might use to fix a bug—they were able to paralyze that innocent ECU and send malicious commands to the target component without interference.”

This technique allowed Miller and Valasek to take control of the parking brake, forcing it to activate at any speed. Another vulnerability discovered in the steering module ECU enabled the duo to “lock” the wheel into place – resisting driver attempts to turn it, although Miller and Valasek were able to digitally turn the wheel themselves. In yet another attack that didn’t require ECU bootrom mode, the security researchers managed to alter the settings on the Jeep’s cruise control and accelerate by tens of miles per hour in just a few seconds.

“Last year, we showed you can remotely send CAN messages. This year, we sent them plugged into the car. This is a new class of attacks against CAN messages. It’s an easy attack,” Miller told DarkReading. [For example], we can permanently lock the electronic parking brake so it’s permanently immobilized. Even if you restarted the car, the parking brake would be on and you would not be able to drive anywhere. We disabled all aspects of steering, so it’s super-hard to turn the wheel and even harder if you drive the car without steering [capability] at any speed.”

It should also be noted that Miller told The Register the attacks could be carried out “using a concealed device which either contains automated and timed commands, or with remote attacks over a wireless link.”

As we’ve previously discussed on Rambus Press, layers of security are necessary to protect vulnerable automotive systems, preferably starting with a hardware-based root of trust and advanced isolation mechanisms that offer uncompromising protection against various forms of attack. Industry collaboration is also important, because one single company cannot fix automotive security by itself. While a more cooperative, comprehensive approach to automotive security is technologically possibly the industry clearly has a long way to go in terms of implementation.

“[DPA] was discovered around the mid 1990s by the teams at Rambus’ Cryptography Research Division,” he explained. “It turned out to be a very effective tool for compromising the ubiquitous SIM card environment.”

According to Simon Blake-Wilson, VP of products and marketing at Rambus, DPA has historically targeted smart cards due to their widespread deployment and security limitations.

“The most traditional market for DPA has been with smart cards because of their limitations – consumer goods type of devices, low cost, limited power,” he told the publication. “That makes them a fertile landscape for DPA. Of course, DPA is capable of side channel attacks on just about any chip, but the relative lack of control over, and ease with which one could obtain SIM cards made them easy pickings for such power analysis techniques.”

Perhaps not surprisingly, evolving DPA techniques have reached sophisticated levels, while DPA kits are now available for sale on the Internet.

“Edge-of-the-envelope hardware and software [offer] tremendous analysis capabilities [for] side channel attacks,” Pankaj Rohatgi, director of engineering at Cryptography Research told Semiconductor Engineering. “Therefore, the data collected is of much better quality, from better equipment, which in turn, allows for more sophisticated attacks.”

Although progress has been made in protecting SIM cards, the attack platform is never more than a step behind, says Worthman.

“DPA continues to be thorn in the side of the semiconductor industry,” he confirmed. “Unless the ‘non-security-centric manufacturers’ suddenly become concerned, it’s likely that DPA will become more prevalent as more and more low/no-security chips are embedded or install in lower-end Internet of Everything (IoE) devices.”

As Worthman notes, it is somewhat difficult to predict the future of DPA relative to the IoE.

“[Nevertheless], there are a couple of things that are a given. One, the IoE will be flush with SIM-type chips. They are cheap, easy to produce and offer plenty of resources for low-end devices,” he added. “They also tend to have weak or no security. Programmable SIMs have yet to develop a clear track so it is difficult to see exactly where, or even if, they will find wide-scale adoption. And the resources for DPA attacks are now easily acquired and relatively cheap.”

Indeed, a Jiao Tong University researcher recently exploited side-channel attack techniques to crack the AES-128 encryption codes protecting 3G and 4G cards. According to Iain Thomson of The Register, Yu Yu and his university team tracked power levels using an oscilloscope, monitored data traffic with an MP300-SC2 protocol analyzer and correlated the results with a SIM card reader and standard PC.

“With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes,” Thomson reported. “Yu [also] demonstrated how the cloned SIM card can successfully impersonate the owner in class [and] showed how a cloned card could change the password on an Alipay and potentially drain the account.”

As Yu confirmed, the above-mentioned hack is based on known differential power analysis attacks.

“The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks,” he added. “The USIM cards we analyzed essentially relied on plain (unprotected) software implementations of the AES.”

Helena Handschuh, a Director at Rambus’ Cryptography Research division, co-designed the MILENAGE standard discussed in Yu’s Black Hat paper. According to Handschuh, AES-128/Rijndael was chosen for MILENAGE in 2001 so that side-channel countermeasures could be easily incorporated in a SIM-class platform.

“Yu Yu’s paper demonstrates once again that, even though these algorithms are mathematically strong and unbroken, all implementers of crypto need to be aware of side-channel attacks and take appropriate steps to mitigate them,” Handschuh concluded.

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Interested in learning more about how Rambus is helping to secure SoCs, devices and content? You can read more about our DPA countermeasures here, CryptoFireWall Cores here and CryptoManager platform here.

“Rambus will be making the transition from an IP licensing business to a true fabless semiconductor firm, designing and selling their own products,” writes AnandTech’s Ryan Smith.

Image Credit: AnandTech (via Rambus)

“Rambus is announcing that they will be designing and selling DDR4 DIMM chipsets. The chips, which will trade under the R+ chipset family, will be for Registered DIMMs (RDIMMs) and Load Reduced DIMMs (LRDIMMs) for server usage, with Rambus producing both the Register Clock Driver (RCD) chip for RDIMM/LRDIMM, and the data buffer chips for LRDIMMs.”

As industry analyst Patrick Moorhead notes in Forbes, the move to add chips to the Rambus IP portfolio is another proof point that the chip industry is experiencing a significant amount of vertical integration.

“Other vertical integration examples are ARM Holdings creating many more hard macros and Apple developing their own A-Series SoCs. Industries all undergo times of specialization and integration and we appear to be in that integration stage,” he explains. “In the case of Rambus’s new R+ DDR4 server memory chipset, this isn’t merely a push model to drive topline revenue at the expense of licensees. You see, DDR4 is really hard to get right at high capacities and high speeds in a reliable way.”

Indeed, says Moorhead, in a world of Big Data server applications, high capacity and reliability are paramount.

“Memory will just keep getting faster in a very technologically-challenging DDR4 server memory world. Quite frankly, server OEMs and ODMs needed a new producer of DDR4 server memory chips, and that new provider is Rambus.”

According to Moorhead, Intel and Rambus have been working closely together to ensure Rambus’ technology works well within their existing processors and chipsets. This includes rigorous validation of both the chipsets and the final DIMMs from the module manufacturers who will ultimately sell their RDIMMS and LRDIMMS to server integrators and cloud data center services.

“This deeply involved model is something different for Rambus and really shows how the company has entered a new phase where they work closely with everyone to ensure a better experience for the enterprise and data center customers,” he adds. “With most of Intel’s chipsets transitioning to DDR4 it only seems natural that Rambus would be working closely with them to ensure that they are cooperating at the right level.”

However, as Don Clark of the Wall Street Journal points out, Rambus won’t actually be physically manufacturing its new chips.

“Like most semiconductor companies founded since the 1980s, it will hire manufacturing specialists to make them,” writes Clark. “[Rambus CEO] Mr. Black said computer makers and other customers wanted another credible supplier of the components. Though Rambus isn’t likely to become a broad semiconductor supplier, he said, the new chip probably won’t be the last.”

Indeed, as Loyd Case of the Linley Group opines, by sampling its new DDR4 Buffer Memory Chipset, Rambus has taken a big step toward selling products rather than simply licensing IP.

“If successful, it could look for additional opportunities to turn its hefty IP portfolio into actual products,” he concludes.

“[The cards use] AES-128, which is supposed to be virtually unbeatable by a brute-force attack, but turns out to be easy to defeat using side-channel analysis,” explained Iain Thomson of The Register. “Side-channel attacks measure things like power consumption, electromagnetic emissions and heat generation to work out what is going on in a chip. The technique has been around for years, and requires physical access to the target device.”

Have you read our primer?
– Side-channel attacks: explained

As Thomson reports, Yu Yu and his university team tracked power levels using an oscilloscope, monitored data traffic with an MP300-SC2 protocol analyzer and correlated the results with a SIM card reader and a standard PC.

“With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes,” said Thomson. “Yu [also] demonstrated how the cloned SIM card can successfully impersonate the owner in class [and] showed how a cloned card could change the password on an Alipay and potentially drain the account.”

According to Yu, the above-mentioned hack is based on known differential power analysis attacks.

“The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks,” he added. “Indeed, the USIM cards we analyzed essentially relied on plain (unprotected) software implementations of the AES.”

Helena Handschuh, a Director at Rambus’ Cryptography Research division, co-designed the MILENAGE standard discussed in Yu’s Black Hat paper. According to Handschuh, AES-128/Rijndael was chosen for MILENAGE in 2001 so that side-channel countermeasures could be easily incorporated in a SIM-class platform.

“Yu Yu’s paper demonstrates once again that, even though these algorithms are mathematically strong and unbroken, all implementers of crypto need to be aware of side-channel attacks and take appropriate steps to mitigate them,” Handschuh concluded.

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Interested in learning more about how Rambus is helping to secure SoCs, devices and content? You can read more about our DPA countermeasures here, CryptoFireWall Cores here and CryptoManager platform here.

According to an abstract cited by The Register’s John Leyden, such attacks can be executed using inexpensive and readily available equipment including consumer-grade radio receivers or software defined radio USB dongles.

“The setup is compact and can operate untethered; it can be easily concealed,” the researchers confirmed.

Image Credit: Tel Aviv University (TAU)

“Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.”

Indeed, the TAU team successfully extracted keys from laptops of various models running GnuPG, a popular open source encryption platform that implements the OpenPGP standard.

“The attack sends a few carefully-crafted ciphertexts. When these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software,” the researchers explained. “These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.”

Commenting on the above-mentioned report, Dr. Pankaj Rohatgi, Fellow, Hardware Security Solutions at the Cryptography Division of Rambus, confirmed that such attacks are quite feasible and affect a wide range of devices.

“As the Tel Aviv University researchers demonstrated, these attacks can be performed using low-cost equipment,” said Rohatgi. “We at the Cryptography Research Division of Rambus have been working with several forward-thinking customers to fix this problem at the source. Nevertheless, many in the broader industry still have the misconception that such attacks are difficult or costly to perform.”