Attacking complete device and not the single chip

Hello,

All the documentation, tutorials and examples that I was able to find on the Internet are related to executing power analysis and glitching attacks on a single chip.

Is it feasible to execute them on the “complete device” and not on the single chip? I mean, is it possible to execute a timing attack, for example, on the main power source of the device? I’m pretty sure that this kind of attack will be more complex because of the interference of the other chips/hardware present in the device, but I didn’t find anyone speaking about this kind of possibility.

From my understanding the ChipWhisperer-Lite has a limit of 5.2V on the measurement port. What is the fastest and correct way (I don’t have a lot of electronics knowledge) to add the possibility to also analyze 9V and 12V? Is there some voltage translator that I can use without losing the possibility to execute the power analysis on it? Or is it better to take a Picoscope?

Thank you in advance.

inode

Hi Inode,

I’d suspect that most of the attacks that the ChipWhisperer targets would be very difficult or impossible without close access to the target device. The other chips on the board would play a role, but you also have to consider that most chips have decoupling capacitors at their power pins. These capacitors remove much of the high frequency information that we need for the attack. As an aside, one of the ways to measure target power is to measure the magnetic field generated by the current passing through decoupling capacitors.

That being said, simpler attacks may be possible. For example, EEVblog has a few videos on getting the password to an electronic safe by placing a shunt resistor between the power supply (a battery in this case) and the power pins of the safe: https://www.youtube.com/watch?v=HxQUKAjq-7w

The measure port of the CWLite is AC coupled, so there shouldn’t be any issue with using something like 12V on the measure pin. Keep in mind, however, that the IO voltage on the ChipWhisperer is 3.3V, so feeding in anything much higher will damage the device.

Alex

Maybe not what you’re asking about, and not what ChipWhisperer is built for, but remote timing attacks, not based on power measurements but (for example) response times over a network, are very much a thing. See for example:

@Alex_Dewar I would like to execute an attack similar to the one executed without success by EEVblog. Are you sure about the measure port? I get different information here: Max Voltage for sense/mesure . Maybe @coflynn can help us to clarify this point.

@jpthibault no, network timing attacks are quite different. The work executed by EEVblog on a lock is much the same as what I would like to execute.

Hi Inode,

Referring to sheet 6 of the CWLite schematic: https://wiki.newae.com/CW1173_ChipWhisperer-Lite#Schematic, the input to the AD8331 is indeed AC coupled. The 5.2V limit for the preamp still applies, however, meaning a large enough voltage spike will damage the device. You’ll also eventually reach the voltage limit of C68, but I believe this is ~50V (from https://github.com/newaetech/chipwhisperer/tree/develop/hardware/capture/chipwhisperer-lite/pcb/bom). This is definitely something that @coflynn would be able to answer better though.

Alex

@coflynn could you please help us to be sure that the CWLite is also able to measure 9V without any damage?

Thank you

Sorry I missed the mention!

I’ve used higher voltages without issue. As Alex mentions there is a 5.2V limit on the amplifier input that could come into play. But there are ESD protection diodes in the amplifier that “should” protect against small excursions. It’s a bit of a non-guaranteed land, but the capacitive coupling should limit input power.

Assuming you don’t drive a 9V P-P sine wave, but just have momentary spikes during connect/disconnect, it shouldn’t be a major issue. We do fault injection with the CW attached where swings are exceeding the 5V limit without (apparent) problems…
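The AC-coupling point made in the replies above, as an added example that is not code from any poster or from NewAE: a series capacitor blocks the steady 9V or 12V level, but a fast connect edge still reaches the amplifier input and can exceed the 5.2V limit for a short time. The capacitor and input-resistance values are constructed placeholders, not taken from the CWLite schematic, and the model assumes an ideal source and ignores the ESD diodes.

```python
import math

AMP_LIMIT_V = 5.2  # amplifier input limit quoted in the thread

# Constructed placeholder values, NOT taken from the CWLite schematic or BOM.
C_COUPLING_F = 100e-9  # assumed series coupling capacitor
R_INPUT_OHM = 50.0     # assumed resistance to ground after the capacitor


def coupled_voltage(t, v_step, t_rise, c=C_COUPLING_F, r=R_INPUT_OHM):
    """Voltage after the capacitor at time t, for a supply that ramps
    linearly from 0 V to v_step in t_rise seconds and then holds."""
    tau = r * c
    slope = v_step / t_rise
    if t <= 0:
        return 0.0
    if t <= t_rise:
        # First-order high-pass response to a ramp input.
        return slope * tau * -math.expm1(-t / tau)
    peak = slope * tau * -math.expm1(-t_rise / tau)
    # Once the input is flat, the capacitor charges and the output decays.
    return peak * math.exp(-(t - t_rise) / tau)


def peak_voltage(v_step, t_rise, c=C_COUPLING_F, r=R_INPUT_OHM):
    """The output is largest at the end of the ramp."""
    return coupled_voltage(t_rise, v_step, t_rise, c, r)


def time_above_limit(v_step, t_rise, c=C_COUPLING_F, r=R_INPUT_OHM,
                     limit=AMP_LIMIT_V):
    """Seconds the amplifier-side voltage spends above `limit`."""
    tau = r * c
    peak = peak_voltage(v_step, t_rise, c, r)
    if peak <= limit:
        return 0.0
    # Crossing on the way up (during the ramp) and on the way down (decay).
    t_up = -tau * math.log1p(-limit * t_rise / (v_step * tau))
    t_down = t_rise + tau * math.log(peak / limit)
    return t_down - t_up


if __name__ == "__main__":
    for v, t_rise in [(9.0, 1e-9), (12.0, 1e-9), (12.0, 1e-3)]:
        print(f"{v:>4.0f} V step, rise {t_rise:.0e} s: "
              f"peak {peak_voltage(v, t_rise):6.3f} V, "
              f"above {AMP_LIMIT_V} V for {time_above_limit(v, t_rise):.2e} s")
```

With these placeholder values a fast 9V connect edge reaches the amplifier side almost unattenuated for a few microseconds, while a slow ramp or the steady DC level contributes next to nothing.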

Thank you everybody for the information provided!

inode