zlacker

>>1317+(OP)
I like this. Upshot - electrostatic bit flip on memory read or write, which with solder can deterministically get a 'safe' pointer mutated into your own evil pointer.

Generally the historical perspective on physical access was: "once they have it, game over." TPM and trusted execution environments have shifted this security perspective to "we can trust certain operations inside the enclave even if the user has physical access."

His next steps are most interesting to me -- can you get something (semi-) reliable without soldering stuff? My guess is it's going to be a lot harder. Lots of thought already goes into dealing with electrical interference. On the other hand, maybe? if you flip one random bit of a 64 bit read every time you click your lighter, and your exploit can work with one of say 4 bit flips, then you don't need that many tries on average. At any rate, round 2 of experimentation should be interesting.

>>vessen+64
If you have physical access to a device that you can solder an antenna you can compromise a TPM or anything else by sticking a custom DIMM in there that you can program from the “back side” so you can replace any part of memory with anything you want anytime you want. You don’t have to randomly flip a bit and hope for the best. You just inject your entire program.

>>wang_l+aF1
A bit late in reply but dont forget that PUFs are a thing too.

Threat models vary of course. I personally believe my iPhone is safe against back side memory hardware swaps if I have turned it off. I could be wrong though!