As they built the RayV Lite, Beaumont and Trowell focused on two distinct laser hacking methods. One is laser fault injection, or LFI, which uses a brief blast of light to mess with the charges of a processor’s transistors, “flipping bits” from 1 to 0 or vice versa. In some cases, carefully triggering those bit flips can cause far larger effects. For one automotive chip that Beaumont tested, for instance, glitching the chip with a laser at a certain moment can prevent a security check that puts the chip’s firmware in a protected state, thus leaving it unprotected and letting her scan through its otherwise obfuscated code to find vulnerabilities.
Many cryptocurrency wallets, too, are vulnerable to forms of LFI, Beaumont and Trowell say, such as glitching the chip at the moment it’s asking for a PIN to unlock the cryptographic key to access the owner’s funds. “You take the chip off the crypto wallet, hit it with a laser at the right time, and it will just assume you have the PIN,” says Trowell. “It just jumps through the instructions and gives the key back.”
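To make concrete why a single glitched bit at the moment of a PIN or security check is so dangerous, and what firmware designers do about it, here is an added C simulation; it is not code from the RayV Lite project or from Beaumont and Trowell, and the PIN values, the verdict constants and the simplified fault model (one bit of the check's result flipped in transit) are all constructed for this example. It contrasts a check whose verdict is a plain 0/1 boolean, where every one of the 32 possible single-bit faults turns "wrong PIN" into "unlocked", with a check whose verdict uses two wide complementary constants, where the same faults all land on a value the consumer recognises as impossible and refuses.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of acting on a PIN-check verdict. */
enum outcome { LOCKED = 0, UNLOCKED = 1, FAULT_DETECTED = 2 };

/* Hardened verdict encodings (constructed constants): PIN_BAD is the bitwise
   complement of PIN_OK, so the two differ in all 32 bits and no single
   flipped bit turns one into the other, or into 0 or 0xFFFFFFFF. */
#define PIN_OK  0x5A5AA5A5u
#define PIN_BAD 0xA5A55A5Au   /* == ~PIN_OK */

/* --- Naive design: the verdict is a plain boolean ------------------------ */

/* Returns 1 if the PIN matches, 0 otherwise. */
uint32_t naive_verdict(uint32_t entered, uint32_t expected)
{
    return (entered == expected) ? 1u : 0u;
}

/* The caller unlocks on "anything non-zero", exactly as a compiled
   `if (ok)` branch does: one flipped bit of a 0 is enough. */
enum outcome naive_consume(uint32_t verdict)
{
    return verdict ? UNLOCKED : LOCKED;
}

/* --- Hardened design: verdict carries a wide, fault-resistant encoding ---- */

uint32_t hardened_verdict(uint32_t entered, uint32_t expected)
{
    return (entered == expected) ? PIN_OK : PIN_BAD;
}

enum outcome hardened_consume(uint32_t verdict)
{
    if (verdict == PIN_OK)  return UNLOCKED;
    if (verdict == PIN_BAD) return LOCKED;
    /* Any other value cannot arise from normal execution: treat it as a
       fault and refuse to unlock (real firmware would also log and reset). */
    return FAULT_DETECTED;
}

/* --- Simulated fault model: flip one bit of the verdict in transit ------- */

uint32_t flip_bit(uint32_t value, unsigned bit)
{
    return value ^ (1u << (bit & 31u));
}

/* How many of the 32 single-bit faults turn a WRONG pin into UNLOCKED? */
int naive_bypass_count(uint32_t wrong_pin, uint32_t expected)
{
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        if (naive_consume(flip_bit(naive_verdict(wrong_pin, expected), b)) == UNLOCKED)
            n++;
    return n;
}

int hardened_bypass_count(uint32_t wrong_pin, uint32_t expected)
{
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        if (hardened_consume(flip_bit(hardened_verdict(wrong_pin, expected), b)) == UNLOCKED)
            n++;
    return n;
}

/* How many of those faults does the hardened consumer flag as a fault? */
int hardened_detect_count(uint32_t wrong_pin, uint32_t expected)
{
    int n = 0;
    for (unsigned b = 0; b < 32; b++)
        if (hardened_consume(flip_bit(hardened_verdict(wrong_pin, expected), b)) == FAULT_DETECTED)
            n++;
    return n;
}

int main(void)
{
    const uint32_t expected = 1234u, wrong = 4321u;  /* constructed sample PINs */
    printf("naive:    %d of 32 single-bit faults unlock with a wrong PIN\n",
           naive_bypass_count(wrong, expected));
    printf("hardened: %d of 32 unlock, %d of 32 are detected as faults\n",
           hardened_bypass_count(wrong, expected),
           hardened_detect_count(wrong, expected));
    return 0;
}
```

The model deliberately faults only the verdict value; the automotive case described above is closer to skipping an instruction, but the effect on a boolean check is the same, since a skipped compare or branch leaves a default register value that the consumer happily treats as "true". Wide complementary constants are one layer of the usual defence; production firmware pairs them with redundant evaluation of the check, randomised timing and on-die light or glitch sensors.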
A second laser-hacking technique, known as laser logic state imaging, focuses instead on surveilling a chip’s architecture and activity in real time, bouncing laser light off of it, and capturing the results (much like a camera or microscope), and then analyzing them—in Beaumont and Trowell’s work, this was often done with the help of machine learning tools. Because a laser’s light bounces off silicon differently based on its electrical charge, that trick allows hackers to map out not only the physical layout of a processor but also the data its transistors store, essentially vivisecting the chip to pull out hints about the data and code it’s handling, which could include sensitive secrets.
In the first iteration of RayV Lite, Beaumont and Trowell are building designs for the tool in two different versions, one for each of those two laser hacking techniques. They’re releasing only the laser fault injection model for now, and hope to debut the laser logic state imaging version in a matter of months.
Both will use the same fundamental components and the same DIY cost-cutting tricks. The body of the tool, for instance, is based on an open source 3D-printable microscope model called OpenFlexure, which uses the flexibility of 3D-printable PLA plastic to achieve precise aiming of the laser. The target chip is mounted on a chassis fixed to printed plastic levers that are bent to small degrees by stepper motors, allowing tiny, precise movements in three dimensions. With that plastic bending trick and a laser focused through a lens, Beaumont and Trowell say, the RayV can target transistors—or rather, groups of them—down to the nanometer scale. (PLA plastic does wear out, Beaumont admits. But she also notes that the entire body of the RayV Lite can simply be printed again for a few dollars.)
Another innovation that allowed Beaumont and Trowell to vastly reduce the RayV Lite’s cost, first implemented by a group of academic researchers at Royal Holloway University of London who built their own low-cost laser fault injection tool, was the discovery that laser-based chip hacking can be performed with far cheaper lasers than previously believed. That’s in part because a lower-powered laser fired at a chip for a longer time interval—still so quick as to be measured in milliseconds—can have an equivalent effect to a higher-powered laser fired for a shorter time, just as a traditional camera can expose film to less light for a longer time to achieve the same exposure.