Keyless Entry: Breaking and Entering eMMC RPMB with EMFI
Aya Fukami, Richard Buurke

TL;DR
This paper demonstrates that electromagnetic fault injection can break the authentication of eMMC RPMB, allowing attackers to overwrite secure data without detection, revealing vulnerabilities in the hardware security mechanism.
Contribution
It presents a novel fault injection attack on eMMC RPMB authentication, showing how electromagnetic pulses can compromise data integrity in real devices.
Findings
Successful glitched authentication in three eMMC models
Ability to overwrite secure data without detection
Vulnerabilities in hardware-based security mechanisms
Abstract
The Replay Protected Memory Block (RPMB) in modern storage systems provides a secure area where data integrity is ensured by authentication. This block is used in digital devices to store pivotal information that must be safeguarded against modification by potential attackers. This paper targets the authentication scheme of the RPMB in three different eMMCs from a major manufacturer. A glitch was injected by sending an electromagnetic pulse to the target chip. RPMB authentication was successfully glitched and the information stored in two target eMMCs was overwritten with arbitrary data, without affecting the integrity of other data.
Taxonomy
Topics: Cryptographic Implementations and Security · Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing
