As I pointed out before, lifting any "secret" key from any chip is quite trivial for a semiconductor professional.
It's part of the job of an IC engineer to be able to tap an arbitrary metal layer on the device with microprobes to "debug" it, and this is something quite routine in the process of microchip development.
Any such measures can only deter people without access to an IC development lab.
I think this is simply not true for modern processes. Can you show me any example of such a key being extracted this way from a modern sub-50 nm CPU? I haven't heard of anyone actually succeeding.
So, my spouse was a CPU designer at AMD for many years and now does secure computing work for, well, the US government. I showed her your comment. She laughed. A lot.
Well, that was a bit of sarcasm. Yes, you have to have quite a serious lab for that, a level above what most fabless semi companies have, and skills on par with a process developer's.
Yet, "firmware recovery" people in China use that regularly to make a living. Hardened/encrypted MCU firmware extraction costs under $20k here.
There are plenty of retrocomputing folks who would be heavily interested in ROM/firmware recovery from "hardened" chips, for entirely legal archival and/or interoperability purposes. $20k would be peanuts for this use case if success could be reasonably assured even in the "hardest" cases.
Not sure if I understand correctly, but are you saying secrets kept in hardware like console encryption keys (PS4 etc.) can be trivially extracted with the right tool?
Not really trivially. You need to drill tiny (sub-micron-sized) holes with lasers down to the appropriate wires, then insert probes (either using FIBs or directly) to pick up signals (we do this to debug bugs in chips).
Smart designers will put wires with useful information under many other layers which if broken will disable them.
So yes, it's doable; you'll likely damage the chip in the process, and it's certainly neither easy nor trivial.
My company (zeroK NanoTech) has developed and is now selling advanced focused ion beam (FIB) systems with enhanced resolution and machining capability that are well suited to these operations.
We did circuit edits on 10 nm node chips with Intel, and they have given talks about it at several conferences (e.g. ISTFA).
Sounds like the sort of resources that most governments could command but few criminals? But of course with criminals there's always just trying to bribe Intel employees.
Yes, but if you could extract (for example) some HDMI-like master keys (so you can pirate first-run movies for resale), or eventually get access to someone's billion-dollar bitcoin stash, it might be worth the trouble. It's not something you'd do to get cheap Netflix, etc.
It is something a government might do to get someone's crypto keys or iPhone, or to hack into foreign network infrastructure (Huawei, etc.); after all, in the past they've built special-purpose submarines to do such things.
I think the parent comment was more likely referring to using these devices for personal privacy. For example, can a criminal steal the personal information on my phone, vs. can the government spy on me? The government might spend a million dollars on this process to read a terrorist's phone, but a criminal probably wouldn't to steal my personal information off a phone or USB drive.
Those people are fine. I'm looking at this from the perspective of the malware that can survive across OS re-installs because Intel put this enclave in your CPU that you can't touch. I'd assume the NSA is using that to spy on people right now but the question is how many other groups.
Not the parent commenter, but I suspect it’s less the act than the motivation.
Criminals who anticipate finding a way to profit on the information would be far more likely to go through the trouble of bribing someone or investing in the resources to snag it.
If you can get the key, can't you sign whatever you want, in a way that the IC will validate it? It will still check that it's correctly signed, but doesn't that defeat the usefulness of it?
Cool! Out of curiosity, do these debugging tools keep pace with the recent process shrinks? I would imagine it's really hard to connect a logic probe to, for example, a processor built on TSMC's 7nm process.
The metal layer interconnects usually are _not_ that small. I can't share the exact specs for TSMC's 7nm process but here's an example that should give you some idea:
Gate size on 7nm processes is still 30nm, and even the lowermost M0 metal is way, way bigger.
Even if doing so requires destroying and reconstructing some tracks around the probe, 7nm shouldn't be much different from how it was done a decade ago.