Raspberry Pi's RP2350 Hacking Challenge results announced — four winners are each awarded the full $20K prize


The official winners of the $20,000 Raspberry Pi and Hextree RP2350 Hacking Challenge have been announced. The four successful claimants for the prize are outlined in a blog post by Raspberry Pi chief Eben Upton today. Raspberry Pi was so impressed by the quality of the submissions that all four winners will get the full prize, rather than a share.

One of the four successful competitive hackers was engineer Aedan Cullen, and we covered his methodology for unearthing the RP2350's OTP secret in detail early this month. Additionally, Raspberry Pi's hired gun, Hextree, managed to bypass the OTP security measures outside the auspices of the competition.

"Our aim was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications," Upton said of the hacking challenge. Thus the RP2350 should gain 'security through transparency' – which Upton prefers to the 'security through obscurity' philosophy embraced by some vendors.

Winner three: Kévin Courdesses

Winner four: IOActive

Data bits stored in the RP2350's OTP memories, which are based on antifuses, were extracted using a well-known semiconductor failure analysis technique leveraging passive voltage contrast (PVC) with a focused ion beam (FIB).

IOActive's five-strong team reckons their unique attack vector is potent enough to apply to other systems using antifuse memory for confidentiality. Organizations using antifuse memory this way should therefore "immediately reassess their security posture," says IOActive, and at least use chaffing techniques to make it harder for attackers to recover any data.

The hired gun also succeeds: Hextree

Hextree's investigations highlighted that the RP2350's rate of undetected glitches was high enough to make glitching a worthwhile attack vector. With this initial discovery in mind, the firm began by focusing efforts on electromagnetic fault injection (EMFI).

Crucially, Hextree learned how to use precisely timed EMFI faults to prevent the OTP from being correctly locked. Thus the secret in the OTP was open to read.

Upton notes that there are several mitigations against this attack (E21). However, current mitigations may prevent users from updating device firmware via USB.

Conclusion

The Raspberry Pi team has learned that the RP2350's glitch detection scheme isn't as effective as they had hoped. If you've read through the above, you will understand that several of the hack attacks brushed past this intended safeguard.

If you missed out on the above challenge but would be interested in something similar, Raspberry Pi is preparing another competition. It has an RP2350 implementation of AES which is said to be hardened against side-channel attacks, and it would like to challenge hackers to defeat it. More details are promised next week!

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.