This fault injection attack on AMD CPUs Could be super relevant for a PS5 hack
Security researchers Robert Buhren and Jean Pierre Seifert have published a hardware attack against AMD’s Secure Processor, the coprocessor in charge of handling a secure boot on the AMD Zen series. The PS5 is using a Custom Zen 2 CPU, which could be impacted by the vulnerability.
The hack, they say, “allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3)“.
The white paper from the researchers was published about a month ago, with sample code provided on github 2 weeks ago, and a live presentation scheduled for November this year. (links below)
Glitching the AMD Secure Processor
The Security researchers provide the following summary of their attack:
The AMD Secure Processor (AMD-SP, formerly known as PSP) is susceptible to voltage fault injection attacks. Using our fault injection attack, we are able to execute custom code on secure processors embedded in Ryzen and Epyc CPUs of the AMD Zen series (Zen1, Zen2 and Zen3). In our paper we show how this affects the security guarantees of AMD’s Secure Encrypted Virtualization technology (SEV). Furthermore, we show how an attacker can mount attacks against SEV protected virtual machines without physical access to the target host by leveraging previously extracted endorsement keys (CEK/VCEK).
The document and data focus mostly on SEV (Secure Encrypted virtualization) to showcase that once hacked, the processor cannot be trusted to host a secure Virtual Machine (e.g. for usages in the cloud). However, since the attack directly targets the Secure Processor, there are non negligible chances that this glitch could be used on the PS5, whether it uses a VM or not.
The white paper and the code sample already provide a lot of information that should be enough for security researchers to look specifically into attacking the PS5. Additionally, the folks behind this attack will be presenting the glitch in November at the 28th ACM Conference on Computer and Communications Security (CCS’21) in Seoul.
Links and relevant Data for the AMD-SP glitch
What’s next for the PS5?
It’s of course unclear at this point if this attack could be used on the PS5. But there’s no doubt that someone, somewhere, is already looking into it to see if any kind of information could be extracted from the PS5’s AMD Zen 2 CPU. The white paper provides enough details that someone with the right set of skills could get started already.
Hardware vulnerabilities are the holy grail of the hacking scene, since they cannot easily be patched. Full control of the PS5 boot sequence could mean a lot of good things for the PS5 scene, but of course only time will tell us if this is useful.