We can distinguish five major categories of attack on microcontrollers (MCUs):
Microprobing techniques can be used to access the chip surface directly, so the attacker can observe, manipulate, and interfere with the integrated circuit.
Reverse engineering is used to understand the inner structure of a semiconductor chip and to learn or emulate its functionality. It requires the same technology available to semiconductor manufacturers and gives the attacker similar capabilities.
Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, the cryptographic algorithms, or their implementation.
Eavesdropping techniques allow the attacker to monitor, with high time resolution, the analog characteristics of supply and interface connections and any electromagnetic radiation emitted by the processor during normal operation.
Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access.
All microprobing and reverse engineering techniques are invasive attacks. They require hours or weeks in a specialised laboratory, and in the process they destroy the packaging. The other three are non-invasive attacks: the attacked device is not physically harmed. The last category, fault generation, can also be semi-invasive. This means that access to the chip's die is required, but the attack is not penetrative and the fault is generated with an intense light pulse, radiation, local heating or other means.
Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the device might not notice that the secret keys or data have been stolen, so it is unlikely that the compromised keys will be revoked before they are abused.
Secondly, non-invasive attacks often scale well, as the necessary equipment can usually be reproduced and updated at low cost.
Designing most non-invasive attacks requires detailed knowledge of both the processor and its software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then help to develop cheaper and faster non-invasive attacks. Semi-invasive attacks can be used to learn the device functionality and test its security circuits. As these attacks do not require establishing physical contact with the internal chip layers, expensive equipment such as laser cutters and FIB machines is not required. The attacker could succeed using a simple off-the-shelf microscope with a photoflash or laser pointer attached to it.
Attacks can be reversible, when the device can be put back into its initial state, or irreversible, with permanent changes made to the device. For example, power analysis and microprobing could give the attacker a result without harming the device itself. Microprobing will certainly leave tamper evidence, but usually that does not affect further device operation. On the contrary, fault injection and UV light attacks could very likely put the device into a state where the internal registers or memory contents are changed and cannot be restored. In addition, UV attacks leave tamper evidence, as they require direct access to the chip surface.