Basilisk: Remote Code Execution by Laser Excitation of P–N Junctions Without Insider Assistance
Joe Loughry and Kasper Rasmussen
Abstract
Inadvertent photosensitivity of P–N junctions has been known for a long time, but most of the attacks that have been demonstrated are covert channels, requiring an adversarial presence on the device. We show not only how it is possible for an external attacker to bias a P–N junction with a low-power laser, without any kind of insider assistance, but also how this kind of attack can be used to perform logic-level attacks on the target device and thus interfere with the device's operation. The technique requires precision but is feasible in practice with off-the-shelf hardware, as long as the attacker has a line of sight to the target. It can result in attacks that include crashing a computer, changing memory contents, altering the instruction stream of a running program, altering messages on a shared communication bus, inserting new messages, or preventing communication. Most of these attacks have never been demonstrated before without insider assistance. We demonstrate that under the right circumstances the attack can lead to arbitrary code execution on the target device. We show a working proof of concept including remote code execution, and quantitative measurements leading to testable predictions. Mitigation of this vulnerability is challenging, and countermeasures will in most cases require hardware changes.