edfas.org ELECTRONIC DEVICE FAILURE ANALYSIS | VOLUME 23 NO. 3 | 20

or even to issue malicious commands. I²C was chosen for the proof-of-concept because it only uses two signals and has no native security. To be as small as possible, an NXP LPC802 processor was selected. This processor is commercially available in a WLCSP-16 footprint containing 16 pins and measuring 1.8 mm square.

On the original circuit board, the I²C bus connects the board's processor to a lithium-ion battery over an off-board stacking connector. In other words, the presumable reason for the attack would be to monitor or interfere with this interface. The placement of the extra component was driven by the availability of the signals that run from the microcontroller to the stacking connector. It is important to note that a more patient hacker could hide the extra component almost anywhere, possibly burying it more skillfully in the middle of other components.

A series of pictures highlights the steps. First, the original board is shown with the processor, stacking connector, and pullup resistors highlighted (Fig. 3). The pullup resistors are significant; they are required by the I²C standard and are one way that an attacker could find this bus.

Second, the board's Gerber files were accessed in a commercially sold Gerber editor (that was legally purchased). A footprint was added just to the left of the pullup resistors (Fig. 4). To finish the design, the pins on the left side of the added component were wired to +3.3V (which is the trace shown in Fig. 4) and to ground (using a top-side trace, shown in Fig. 4, and a via to the ground plane). The two I²C connections were made on the right side of the component. One signal, SCL, was connected using a top-side trace. The other signal, SDA, was wired to a via. The ground plane needed an added hole so that the via carrying SDA to a lower signal layer was not shorted to ground. The ground-plane cut is shown in Fig. 5.
Figure 5 shows two existing vias on the left and the new via on the right. The drill hole is shown as a circle inside the cut. The odd shape is due to the fact that the hole was added by editing the traces used to construct the ground plane. Because of the Gerber format, a plane (such as a ground plane) is represented as a stacked set of wide traces. As noted in Greenberg, [3] this creates an odd shape when viewed afterwards. With more patience, a rounder hole could be constructed.

Once the vias and top-level traces were in place, the

Fig. 2 Photo mockup of an altered-component mode of attack, with the original two-pin footprint (left) and altered eight-pin footprint (right).

Fig. 3 Original board showing processor (purple), pullup resistors (yellow), and stacking connector (red). R504 is an 0805 component (0.08 in. by 0.05 in.) for scale.

Fig. 4 Top-layer Gerber file shown in the Gerber editor. The footprint (a square array of 16 solder pads) has been added to the left of the two resistors. The processor and stacking connector are also shown for reference.

Fig. 5 Added hole in ground plane for the SDA via.
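The added footprint described above shows up in the top-layer Gerber file as extra pad flashes, so a design owner can check it by diffing the file a fabricator received against a trusted golden copy. The sketch below is an added example, not code from the article: the function names, the sample layers and the 0.4 mm pad pitch are constructed for illustration. It assumes pads are drawn as D03 flashes with leading-zero-omitted coordinates in the same units in both files, and it does not cover the drill file or the ground-plane edit.

```python
import re
from decimal import Decimal

FS_RE = re.compile(r"%FSLAX\d(\d)Y\d\d\*%")    # format spec: number of decimal digits
SEL_RE = re.compile(r"^(?:G54)?D(\d{2,})\*$")   # aperture select (D10 and above)
OP_RE = re.compile(r"^(?:G0?[123])?(?:X([+-]?\d+))?(?:Y([+-]?\d+))?"
                   r"(?:I[+-]?\d+)?(?:J[+-]?\d+)?D0?([123])\*$")

def flashes(layer_text):
    """Return {(aperture, x, y)} for every D03 flash (pad or via land) in one layer."""
    decimals, x, y, aperture, found = 4, 0, 0, None, set()
    for line in map(str.strip, layer_text.splitlines()):
        if (m := FS_RE.match(line)):
            decimals = int(m.group(1))
        elif (m := SEL_RE.match(line)) and int(m.group(1)) >= 10:
            aperture = int(m.group(1))
        elif (m := OP_RE.match(line)):
            # Coordinates are modal: an omitted X or Y keeps its previous value.
            x = int(m.group(1)) if m.group(1) else x
            y = int(m.group(2)) if m.group(2) else y
            if m.group(3) == "3":   # D03 = flash; D01/D02 only move the current point
                found.add((aperture, Decimal(x).scaleb(-decimals),
                           Decimal(y).scaleb(-decimals)))
    return found

def added_flashes(golden_text, received_text):
    """Flashes present in the received layer but absent from the golden one."""
    extra = flashes(received_text) - flashes(golden_text)
    return sorted(extra, key=lambda f: (f[0] or 0, f[1], f[2]))

# Constructed sample layers (mm): four resistor pads, then the same layer with a
# 4 x 4 pad array appended, standing in for the added 16-pad footprint.
HEADER = "%FSLAX24Y24*%\n%MOMM*%\n%ADD10R,1.0X1.3*%\n%ADD11C,0.25*%\n"
GOLDEN = (HEADER + "D10*\nX100000Y50000D03*\nY70000D03*\n"
          "X120000Y50000D03*\nY70000D03*\nM02*\n")
GRID = "".join(f"X{70000 + 4000 * c}Y{52000 + 4000 * r}D03*\n"
               for r in range(4) for c in range(4))
RECEIVED = GOLDEN.replace("M02*\n", "D11*\n" + GRID + "M02*\n")

if __name__ == "__main__":
    for aperture, px, py in added_flashes(GOLDEN, RECEIVED):
        print(f"unexpected flash: aperture D{aperture} at ({px}, {py}) mm")
```

Any non-empty result is a reason to stop and compare the layers visually before fabrication; an empty result only says the flash set matches.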