Evaluation of Low-Cost Thermal Laser Stimulation for Data Extraction and Key Readout

TL;DR

This paper demonstrates that low-cost thermal laser stimulation can be effectively used for cryptographic key extraction and data attack on FPGAs and microcontrollers, significantly reducing attack costs compared to traditional equipment.

Contribution

It introduces a cost-effective setup for TLS attacks, enabling successful cryptographic key extraction with equipment costing around 100k dollars, five times cheaper than traditional microscopes.

Findings

TLS attacks are feasible with a $100k setup.

Successful data and key extraction from FPGAs and microcontrollers.

Lower-cost TLS attack approach broadens potential threat landscape.

Abstract

Recent attacks using thermal laser stimulation (TLS) have shown that it is possible to extract cryptographic keys from the battery-backed memory on state-of-the-art field-programmable gate arrays (FPGAs). However, the professional failure analysis microscopes usually employed for these attacks cost in the order of 500k to 1M dollars. In this work, we evaluate the use of a cheaper commercial laser fault injection station retrofitted with a suitable amplifier and light source to enable TLS. We demonstrate that TLS attacks are possible at a hardware cost of around 100k dollars. This constitutes a reduction of the resources required by the attacker by a factor of at least five. We showcase two actual attacks: data extraction from the SRAM memory of a low-power microcontroller and decryption key extraction from a 20-nm technology FPGA device. The strengths and weaknesses of our low-cost approach are then discussed in comparison with the conventional failure analysis equipment approach. In general, this work demonstrates that TLS backside attacks are available at a much lower cost than previously expected.