0xRoM / 12Sec_CTF_v1
Transfer to URL with SHA Find file
Newer
Older
12Sec_CTF_v1 / 09.md
root 12 days ago 2 KB minor fixes
Raw Blame History

Challenge 9: "Clock Spy"

You’ve uncovered a high-security vault guarded by a keypad that requires a 5-digit PIN. When the PIN is entered and the OK button pressed, the system checks the password internally.

Your task is to perform a timing side-channel attack to recover the PIN as quickly and efficiently as possible. But beware — the PIN changes every time the device reboots, adding an extra layer of complexity to your attack.

Disclaimer:
Normally, side-channel attacks require expensive equipment such as oscilloscopes and specialized tooling like a ChipWhisperer. However, we have intentionally added specific delays so these attacks can be performed using a very affordable logic analyzer.

Your mission is clear:

  1. Observe and measure timing variations during the PIN verification process.
  2. Use side-channel analysis techniques to deduce each digit of the PIN.
  3. Recover the correct 5-digit PIN before the device resets.
  4. Retrieve the flag via UART at 9600 baud rate.

Setup

Challenge Setup

Notes

I decided to add some header pins from the resistors (LEDs and buttons) for easier debugging:

header pins added

The LED flashed once the first incorrect pin was found, there was a small delay between each pin check, thereby we could dissern each pin one after the other. e.g.:

pin attempt time notes
1xxx 005ms
2xxx 010ms "2" must be correct as took longest
3xxx 050ms
21xx 015ms "21" took longest of 2nd digit choices
22xx 010ms
23xx 010ms

... and so on until the code is worked out.

I hooked up the logic analyser to the ok button and the LED. The LED on the lower trace:

logic analyzer setup

So I didnt have to push the buttons manually (because that would have been a disaster) I wired up the arduino to the buttons and LED and created an arduino sketch to ineract with input and output pins and time when pins go high/low: 09_arduino.ino

I also created a python class to talk to the arduino: arduinIO.py

This was all tied together with of course, a glitch-o-bolt config: 09_GoB_config.py

With the logic analyzer still hooked up it was possible to see the delay buy usign the timing markers on the start of the button press and the start of the LED turning off:

logic analyzer test 1

This demonstrates the time between ".", "-" and " " (symbolized as "*") for identifying the first character

logic analyzer test 2

The second char

small result

And of course the glitch-o-bolt solution:

small result