News: 1737040507

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Raspberry Pi hands out prizes to all in the RP2350 Hacking Challenge

(2025/01/16)


Raspberry Pi has given out prizes for extracting a secret value from the one-time-programmable (OTP) memory of the Raspberry Pi RP2350 microcontroller – awarding a pile of cash to all four entrants.

The RP2350 went on sale to the public on August 8, 2024, a substantial improvement over its predecessor, the RP2040. One notable area of change was around security; a weakness of the RP2040 had been a factor for some potential customers who regarded it as a non-starter.

Keen to change that perception, Raspberry Pi offered a $10,000 prize to the first person to retrieve a secret value from the OTP memory on the device. [1]According to Pi supremo Eben Upton, "Our aim was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications."

[2]

Hackers were given just one month to make their submissions. Nobody claimed the prize. In September, the prize was doubled to $20,000, and the deadline was extended to the end of 2024. This time, the company received four valid submissions.

[3]

[4]

All of the hacks required some form of physical access to the chip to retrieve the data. Some tinkered with the power to induce faults, and another ground away part of the chip package and fired a laser at the internals to cause a glitch that could be taken advantage of. A fourth used techniques, including a focused ion beam, to extract the data.

Raspberry Pi also commissioned cybersecurity outfit Hextree to evaluate the chip's secure boot process. By using electromagnetic fault injection (EMFI) – delivering a high-voltage pulse to a small coil on top of the chip – the team was able to inject faults that weren't spotted by the glitch detectors.

[5]

While having your hardware hacked is less than ideal (although Upton told us at the time that he realized the company was "painting a target on our backs"), the computer maker was very impressed by the attacks and opted to award $20,000 to each of the winners rather than pick the "best."

We imagine the award money was a bargain compared to the reputational damage that an attack in the field could cause.

Upton described the approach taken by Raspberry Pi as "security through transparency," which contrasts with the "security through obscurity" philosophy in some other part of in the industry, he said.

[6]Post-IPO Raspberry Pi results in: So you can make money in tech without added AI

[7]Raspberry Pi 4 bugs throw wrench in the works for Fedora 41

[8]DEF CON badge disagreement gets physical as firmware dev removed from event stage

[9]Raspberry Pi Pico 2 lands with (drum roll) RISC-V cores

There is a saying that security by obscurity is no security at all, but the approach taken by Raspberry Pi of publishing the hackers' exploits before mitigations have been implemented might raise an eyebrow or two. At least two will require changes to the hardware. However, as we've noted, all of the exploits require physical access to the microcontroller.

Another challenge is due to start in a few weeks. In the meantime, Upton acknowledged the pros and cons of the transparent approach and said, "The optimum strategy may vary over time, as the installed base of devices with critical exploits increases.

[10]

"What doesn't work is a strategy where exploits exist, and are widely known to bad actors, but you put on a brave face and pretend to your customers that everything is fine." ®

Get our [11]Tech Resources



[1] https://www.raspberrypi.com/news/security-through-transparency-rp2350-hacking-challenge-results-are-in/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z4k7NUx1tDYrMVKhYc69bAAAAQI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4k7NUx1tDYrMVKhYc69bAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4k7NUx1tDYrMVKhYc69bAAAAQI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z4k7NUx1tDYrMVKhYc69bAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/09/24/raspberry_pi_reports_strong_numbers/

[7] https://www.theregister.com/2024/09/05/pi_and_pico_problems/

[8] https://www.theregister.com/2024/08/13/defcon_badge_disagreement_gets_physical/

[9] https://www.theregister.com/2024/08/08/pi_pico_2_risc_v/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z4k7NUx1tDYrMVKhYc69bAAAAQI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[11] https://whitepapers.theregister.com/



JessicaRabbit

I say kudos to them for being open about the security issues. Now they just need to fix them.

Test the fix too

druck

I hope the $20,000 comes with the caveat that they have to try again when the revised version of the silicon comes out, which is supposed to mitigate whatever technique they used.

Transparency

Anonymous Coward

Does that extend to explaining how they fucked up, made what in retrospect were schoolboy errors, which weren't identified by themselves or those contracted to test and verify the design?

Everyone makes mistakes so I don't entirely blame the implementers but more the reviewers. But you have to wonder why those implementing the design appear to have not known that data consistency does not prove data integrity and single points of failure are a bad thing.

Laser and EMF injecting glitches are hard to detect, but Aedan Cullen did their glitching using much simpler and traditional means.

They can present the outcome as some kind of success but it's also another failure added to the list.

The Preacher, the Politician, the Teacher,
Were each of them once a kiddie.
A child, indeed, is a wonderful creature.
Do I want one? God Forbiddie!
-- Ogden Nash