TALES OF A FAILURE: SEEKING FOR BITFLIPS IN THE WILD

Dr. Antonio Nappa
ZIMPERIUM

C/ Serrano, 144 (Madrid) • Aula III
Free entry until capacity is reached.


What do Apple, the FBI and a Belgian politician have in common?

In 2003, an electronic election was held in Belgium and one candidate mysteriously received 4096 extra votes: after tallying the total number of voters, there was a surplus of exactly 4096. A detailed analysis led to the official explanation that the spontaneous appearance of a set bit in position 13 of the computer's memory had assigned 4096 extra votes to one candidate. One of the most credited explanations for this apparently mysterious event attributes it to gamma rays, which can filter through the atmosphere. Indeed, soft errors such as bit flips are frequent faults, especially in outer space, where there is no atmosphere to shield electronics from ionizing radiation such as gamma rays, which are quite common there.
For this reason, many devices built for space carry very expensive and technically advanced memories to reduce the risk of malfunction, breakage or exploitation.

On the other hand, at ground level our devices are not equipped with such memories, for economic and statistical reasons. Indeed, research in the area shows that gamma rays do filter into the atmosphere and hit our computers every day, but they mostly hit unallocated memory, so we do not notice their effects.

There are cases, though, where such soft errors may be helpful. In 2016 the FBI demanded that Apple unlock (decrypt) one of its phones (an iPhone 5C) after the San Bernardino shooting. Apple refused to decrypt the phone, arguing that doing so would put the privacy of millions of users at risk. The FBI therefore turned to an Israeli company, which charged around 1M USD for that single phone and successfully reverse engineered it and broke into it.

This study strives to leverage gamma rays to obtain a Rowhammer-style effect and cheaply break into a phone without resorting to expensive techniques: nothing beyond a radiotherapy session of the kind available in an ordinary hospital in a Western country. Our preliminary results show, as expected, that on older memories (15+ years) low radioactive emissions (between 0.4 and 1.4 MeV) produce some side effects, while on modern memory such power is not sufficient.

Our hypothesis is that higher emissions, within the radiotherapy range (5-15 MeV), could be enough to generate soft errors in contemporary COTS electronic devices and consequently allow a device to be unlocked or exploited using ionizing radiation, either through Rowhammer-style techniques based on page-table spraying, or by knowing the memory layout of a similar unlocked phone and targeting the right location. We will go deeply into this matter and tell the story so far of a three-year research effort, for fun and profit!