Raspberry Pi's RP2350 Hacking Challenge results announced — four winners are each awarded the full $20K prize
'Security through transparency'
The official winners of the $20,000 Raspberry Pi and Hextree RP2350 Hacking Challenge have been announced. Four successful claimants for the prize are outlined in a blog post by Raspberry Pi chief Eben Upton today. As Raspberry Pi was so impressed by the quality of the submissions all four winners will get the full prize, rather than a share.
One of the four successful competitive hackers was engineer Aedan Cullen, and we covered his RP2350's OTP secret unearthing methodology in detail early this month. Additionally, Raspberry Pi's hired gun, Hextree, managed to bypass the OTP security measures outside the auspices of the competition.
In a preamble to naming the RP2350 Hacking Challenge winners, Upton reminds us of the reasoning behind the competition. The RP2350 was delivered last August (via the Raspberry Pi Pico 2) as a successor to the popular RP2040 (Raspberry Pi Pico) microcontroller. It has the advantage of various technologies, including security built around Arm TrustZone for Cortex-M.
"Our aim was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications," Upton said of the hacking challenge. Thus the RP2350 should gain 'security through transparency' – which Upton prefers to the 'security through obscurity' philosophy embraced by some vendors.
Raspberry Pi and Hextree announced the RP2350 Hacking Challenge, announced at DEF CON in August, with a prize of $10,000. The prize was doubled and Raspberry Pi hired Hextree as an off-field competitor, to ensure that some useful hack results would be available come January 2025. The competition closed on the last day of December 2024.
To recap, competitors were tasked with retrieving a secret value from the one-time-programmable (OTP) memory on the RP2350. Moreover, it is noted that all four valid submissions required physical access to the chip.
Winner one: Aedan Cullen
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
We wrote about Cullen's RP2350 hack earlier this year after it was detailed during a fascinating stage presentation at the 38th Chaos Communication Congress (38C3).
Cullen physically isolated pin 53 of the RP2350 chip by cutting a PCB trace, then used a voltage injection glitch attack to turn on the 'permanently disabled' RISC-V cores and their debug access port, enabling him to read the secret.
That's our summary of the successful attack, but we shall repeat that Cullen's process was fascinating to see and hear recounted during his 38C3 presentation, if you have a spare hour.
Raspberry Pi boss Eben Upton admits there is no mitigation for this vulnerability yet, but says it is "likely to be addressed in a future stepping of RP2350."
Winner two: Marius Muench
Muench issued a normal reboot command to the USB bootloader, then employed fault injection via glitching the supply voltage to skip an instruction. With the correct timing and by pre-loading malicious code into the RAM, the code could run and extract the OTP secret.
This attack has been designated E20, and can now be mitigated by setting the OTP flag BOOT_FLAGS0.DISABLE_WATCHDOG_SCRATCH.
Winner three: Kévin Courdesses
Just after the firmware to be validated has been loaded into RAM, and just before the hash function needed for the signature check is computed, there is an exploitable weakness in the secure boot path.
Courdesses built a custom laser fault injection system to avoid anti-glitch detection. A brief pulse of laser light to the back of the die, revealed by grinding away some of the package surface, introduced a brief glitch, causing the digital logic in the chip to misbehave and open the door to this attack.
As with Cullen's RP2350 hack, there is no mitigation for this (E24) vulnerability yet, but says it is likely to be addressed in a future stepping of RP2350.
Kévin Courdesses laser fault injection
IOActive focused ion beam (FIB) method
Winner four: IOActive
Data bits stored in the RP2350's OPT memories, based on antifuses, were extracted using a well-known semiconductor failure analysis technique leveraging passive voltage contrast (PVC) with a focused ion beam (FIB).
IOActive's five-strong team reckons their unique attack vector is potent enough to apply to other systems using antifuse memory for confidentiality. Organizations using antifuse memory this way should therefore "immediately reassess their security posture," says IOActive, and at least use chaffing techniques to make it harder for attackers to recover any data.
The hired gun also succeeds: Hextree
Hextree's investigations highlighted that the RP2350's rate of undetected glitches was high enough to make glitching a worthwhile attack vector. With this initial discovery in mind, the firm began by focusing efforts on electromagnetic fault injection (EMFI).
Crucially, Hextree learned how to use precisely timed EMFI faults to prevent the OTP from being correctly locked. Thus the secret in the OTP was open to read.
Upton notes that there are several mitigations against this attack (E21). However, current mitigations may prevent users from updating device firmware via USB.
Conclusion
The Raspberry Pi team has learned that the RP2350's glitch detection scheme isn't as effective as they had hoped. If you've read through the above, you will understand that several of the hack attacks brushed past this intended safeguard.
If you missed out on the above challenge but would be interested in something similar, Raspberry Pi is preparing another competition. It has an RP2350 implementation of AES which is said to be hardened against side-channel attacks, and it would like to challenge hackers to defeat it. More details are promised next week!
Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.