Raspberry Pi RP2350: Security functions cracked

The Raspberry Pi RP2350 microcontroller has security functions such as ARM TrustZone and one-time programmable (OTP) memory to store cryptographic keys.

To demonstrate the robustness of these features against malicious attackers, Raspberry Pi launched a hacking competition with prize money (Bug Bounty) in August 2024. Four winners were recently announced, all of whom received the full sum of 20,000 US dollars.

Out of competition – because it involved a vulnerability for which no prize money was offered – Raspi boss Eben Upton also mentioned a successful attack on the glitch detector built into the RP2350.

Upton emphasized that all successful attacks require physical access to the RP2350. The attackers used voltage pulses, laser light and electromagnetic fields, among other things, to attack the chip. Some vulnerabilities are to be sealed in future revisions of the RP2350 and have been included as errata in the documentation.

Eben Upton emphasizes that Raspberry Pi deals openly with vulnerabilities. The company also wants to set itself apart from its competitors in this way.

The winners of the RP2350 Hacking Challenge

The four winners of the RP2350 Hacking Challenge are Aedan Cullen, Marius Muench, Kévin Courdesses and the company IOActive. Thomas Roth from Hextree outwitted the glitch detector.

Aedan Cullen presented his attack at the Chaos Communication Congress at the end of 2024; he overcame the OTP protection function by changing a power supply. He also showed a nice die shot of the RP2350.

Prof. Markus Muench from the University of Birmingham also injected voltage pulses to throw the RP2350 off its stride.

Kévin Courdesses opened the chip housing and used laser pulses to induce an error in a signature check.

The team at IOActive, on the other hand, used an electron microscope with a finely focused electron beam (focused ion beam, FIB) to visualize the passive voltage contrast (PVC) of circuit components.

(ciw)