A team of scientists from Columbia University (USA) has developed a method of attacking the hardware and software of most modern electronic devices, allowing you to gain control over the system being attacked. The attack, called CLKSCREW, is based on the use of power management solutions.

Currently, almost all chipset manufacturers equip their products with energy control systems. The object for their study, scientists at Columbia University have chosen the Dynamic Voltage and Frequency Scaling (DVFS) system, which allows device manufacturers to monitor the voltage and frequency of the current consumed by the processors. Presented in 1994, the system is used today almost everywhere. It is DVFS used to cool the processors and prevent their heating.

CLKSCREW is a classic differential attack based on the introduction of hardware errors (Differential Fault Attack, DFA). This class of attacks involves the use of hardware at the limit to compare the results with the results during normal operation. To bypass security systems, it is sufficient to modify only one byte of data collected by DFA.

Previously, for the implementation of DFA, physical access to the device and the availability of special equipment for its transfer from a normal mode of operation to a stress. Nevertheless, with the advent of power management systems, in particular DVFS, it became much easier to make such an attack.

The software used in such systems allows a remote attacker to attack the device, forcing him to read malicious content from the Internet. The program is able to interact with device drivers and modify the voltage and frequency settings, thereby providing the necessary stress conditions for the DFA.

In their study, scientists attacked the TrustZone chip, used in the central processors of Android-devices to perform cryptographic operations on behalf of the main OS. During the attack CLKSCREW with the help of malicious code, the scientists as much as possible broke the processor. Since TrustZone and the central processor use the same power management system, the chipset also switched to overload mode.

Using architectural flaws, researchers documented how TrustZone works in both normal and stressful modes. Due to this scientists managed to call and detect single-byte errors with the help of which they received the private key of encryption TrustZone - the main key used to encrypt and protect all the calculations performed by the chipset. Using it, researchers were able to download the self-signed code into the TrustZone component of the Nexus 6 smartphone.

DFA - a class of attacks based on the generation of random hardware errors during the execution of the cryptalgorithm and their subsequent analysis.