The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators


We have devised a frequency injection attack which is able to destroy the source of entropy in ring-oscillator-based true random number generators (TRNGs). A TRNG will lock to frequencies injected into the power supply, eliminating the source of random jitter on which it relies. We are able to reduce the keyspace of a secure microcontroller based on a TRNG from 264 to 3300, and successfully attack a 2004 EMV (‘Chip and PIN’) payment card. We outline a realistic covert attack on the EMV payment system that requires only 13 attempts at guessing a random number that should require 232. The theory, three implementations of the attack, and methods of optimisation are described.