Sunday, March 20, 2011

Blackhat TPM Talk Follow-up

Since our talk at BlackHat DC 2009, there have been several inquiries regarding the security of the SLE66PE series smartcard family.

Here are some issues that should be pointed out:

We have heard, "... took 6 months to succeed ..."

The reality is that it took 4 months to tackle obstacles found in any sub-200nm device, such as:

  1. Capacitance/load of the probe needles while the chip is running.

  2. Powering the device inside the chamber of a FIB workstation.

  3. Level-shifting the 1.8 V core voltage, following what we learned in #1 above.

  4. Cutting out metal layers without creating electrical shorts.

  5. Other more minute issues regarding the physical size of the die.

Upon overcoming the points above, the actual analysis required no more than approximately 2 months.

In addition, the techniques listed above apply to all devices in the sub-200nm category (SecureAVR, SmartMX, ST21, ST23).

We have heard, "... said the Infineon SLE66 was the best device out there in the market ..."

The Infineon SLE66PE is a very secure device; however, it, like its competitors, has its strengths and weaknesses.

Some examples of weaknesses are:

  1. The layout of all Infineon SLE50/66 'P' and 'PE' devices is very modular by design.

  2. No penalty if the active shield is opened.

  3. Execution begins from a CLEAR (unencrypted) ROM which is 'invisible' to the user.

  4. The CPU core is based on a microcode/PLA-type implementation.

  5. Power-on reset always begins running from the externally supplied clock.

  6. The current design is based on a previous 600nm version designed around 1998.

  7. 3-metal-layer design for the "areas of interest" (the 4th layer is the active shield).

Some examples of strengths are:

  1. The 'PE' family uses bond pads located up the middle of the device.

  2. The ROMKey must be loaded before an attack begins (otherwise you just see the clear ROM content).

  3. The MED is quite powerful if used properly for EEPROM content.

  4. The mesh is consistent across the device and divided into sections.

  5. Auto-increment of the memory base address.

  6. Mixing of physical vs. virtual address space for MED / memory fetch.

No device is perfect. All devices have room for improvement. Some things to consider when choosing a smartcard are:

  • Does the CPU ever run on the external clock?

  • What is the penalty for an active-shield breach?

  • What is the fabrication process geometry?

  • How many metal layers does the device have?

  • Which labs might have evaluated this device, and what are their capabilities?

Lastly, just because a device has been Common Criteria certified does not mean much to an attacker armed with current tools. This is a common oversight.

There is an ST23 smartcard device which was recently certified EAL6+, and the device has an active shield with almost 1 micron wide tracks and 1-2 micron spacing!!! This makes a person scratch their head and say, "WTH????"

We have some new content to post on the blog soon. Be sure to tune in for that. We will tweet an alert as well.


  1. I'm still waiting for the new content! :)

  2. I know if you break the mesh on the 66PE you get some sort of penalization, but I was wondering what can still be read? I'm sure they were not dumb enough to leave the EEPROM in the open when a detected mesh break has occurred.

  3. Destroy the DC/DC converter for Vpp; more limited number of retries.

  4. I thought the EEPROM etc. was encrypted on a per-die-run basis?

  5. Any update on this? Found a report that even the Turkey smart card project rejected this due to this hack.

    Full report on their study here.