EEUM researchers present cybersecurity attack considered to be improbable

Last May 15, The Register, a global online news publication covering the worlds of technology and enterprise software that reaches about 40 million readers worldwide, published a story mentioning a paper presented by Sandro Pinto and Cristiano Rodrigues, researchers from the ALGORITMI Center, at the Black Hat Asia conference, the most prestigious conference in the world of hackers. In it, the researchers presented, for the first time publicly, a cybersecurity attack of the “side-channel” class, something that was thought to be impossible.

Explaining the high media and business interest in this work and its repercussions, Sandro Pinto reveals that “in 2018, the security of most computers was called into question with the discovery of an attack called “Spectre”. This attack takes advantage of a computer’s microarchitecture to basically gather information and steal confidential data (e.g., passwords, cryptographic keys) by observing certain properties. This attack had a huge impact, and was considered the breakthrough of the decade in the computer security world. However, this class of attacks mostly affected processors that are used in servers, computers and phones.”

The researcher goes on to say that, “nevertheless, in the computing spectrum, there are a few computing units, called microcontrollers, which are manufactured in the order of billions every year, and are used in virtually every device we use in everyday life, including Internet of Things (IoT) devices.

“These microcontrollers are very small and simple compared to the processors used in our computers and phones. So there was a widespread assumption that it would not be possible to implement attacks with Spectre-like characteristics on microcontrollers.”

Defying all odds, Sandro Pinto and Cristiano Rodrigues proved otherwise: “We developed an attack called ‘BUSted’, where we show that it is possible to extract information and steal confidential data from these microcontrollers. And we proved this using the most modern microcontrollers, with their own security technologies (Arm TrustZone-M), in the context of a ‘Smart Lock’ use case. Basically, we were able to ‘catch’ the users’ PIN when they enter it, supposedly in a secure way.”

The article published in The Register then contrasts this work with the position of some manufacturers of these devices, who had defended a view that the researchers proved to be unsafe. Following this work, Sandro Pinto and Cristiano Rodrigues have already had several interactions with key players in this domain (such as Arm, the main seller of CPUs and IP for microcontrollers, mentioned in the article in question).

The researchers are currently waiting for a scientific paper on this work to be submitted to the world’s leading academic security conference, the IEEE Symposium on Security and Privacy, and are very confident about its acceptance and impact.

The School of Engineering congratulates the researchers for keeping our institution at the forefront of Cybersecurity!