Click here to register.


Colin O'Flynn


15-18 June 2020, Hilton Hotel


24 Seats


4600$ CAD before May 1,
5400$ CAD after.

This 4-day course takes you through side-channel power analysis & fault injection attacks on embedded systems (32-bit Arm Cortex M3/M4 as well as 8-bit XMEGA). This course concentrates on low-level embedded systems such as found in many IoT devices, as well as boot ROM and similar code. Students should have a good background in embedded design or hardware hacking, and the course assumes good familiarity with C & Python. Using many hands-on labs, students will use the ChipWhisperer hardware to walk through attacks on software AES, hardware AES, password checks, RSA, and more. Results of the attack include recovering encryption keys with DPA, bypassing JTAG security checks, bypassing password checks, and more. Students leave the course with a ChipWhisperer setup they keep, meaning they can continue to experiment with the provided material, and then apply it to their own targets after the course is complete.


Side-Channel Analysis and Fault Injection Attacks have never been more accessible, and testing your products has never been this inexpensive or easy. Register for this class to get four full days of intense training on embedded security threats. The course uses the open-source ChipWhisperer project ( for both hardware & software tools, meaning attendees can immediately take the knowledge learned in this course and apply it in real life. The course includes a ChipWhisperer-Lite along with a UFO target board, so students walk away with the hands-on hardware used during the lab.

SIDE-CHANNEL POWER ANALYSIS - that freaky method of extracting secret keys from embedded systems that doesn’t rely on exploits or coding errors. It can be used to read out an AES-128 key in less than 60 seconds from a standard implementation on a small microcontroller. Are your products vulnerable to such an attack? This course is loaded with hands-on examples to teach you not only about the attacks and theories, but how to apply them.

FAULT INJECTION ATTACKS - can you even trust your hardware? This 4-day training will cover fault injection attacks (also known as glitch attacks) on embedded systems. These attacks allow you to entirely bypass security mechanisms, dump memory over communication interfaces, and wreck havoc for fun and profit.

This course is an updated and improved version of the previous 2-day course, and now goes into more depth with more pracitcal examples of both Side-Channel Analysis and Fault Injection Attacks. It also includes updated hardware so we can target ARM devices, alongside hardware AES peripherals. Fault injection topics include demonstrations of bootloader and lock bit attacks.


Class outline

Day 1:
* What is advanced hardware hacking, what can we attack?
* LAB Simple Power Analysis: Instruction Diffs, Password Bypass
* LAB Simple Power Analysis: RSA on XMEGA
* Leakage Detection
* LAB Leakage Detection: Large HW swings, TVLA

Day 2:
* Introduction to DPA
* CPA Attack Theory
* AES Implementation with T-Tables
* LAB: AES CPA on STM32F3 / MBED-TLS Implementation
* AES Hardware Implementation
* LAB: AES HW Implementation
* H-Field Probes (EM Attacks)


Day 3:
* Introduction to Fault/Glitch Attacks
* LAB: Clock glitching for breaking loops, finding parameters (STM32F3)
* LAB: Clock glitching for password bypass
* LAB: Clock glitching for bootloader dumping
* EM Fault Injection


Day 4:
* Triggering demos (USB, analog waveform, SPI, etc)
* VCC Glitching intro
* LAB: VCC Glitching on STM32F0
* Microcontroller boot functions
* LAB: VCC glitching for JTAG/lock byte bypass on LPC1114
* Differential Fault Attacks (DFA) on AES
* LAB: AES DFA Attack
* Differential Fault Attacks on RSA
* LAB: RSA DFA Attack
* Further interfacing, next steps, open time



Students should have used C & Python before.



Laptop with 32 GB free space & VirtualBox installed.



Colin O'Flynn developed the open-source ChipWhipserer project, and since started a company (NewAE Technology) which offers pre-assembled versions along with additional tools for advanced hardware security analysis. He lives in Halifax, NS, Canada.


Click here to register.