All chips have vulnerabilities, and most vendors’ strategy is not to talk about them. Raspberry Pi consider this to be suboptimal, so they entered into the DEF CON hacking spirit by offering a one-month, $10,000 prize to the first person to retrieve a secret value from the one-time-programmable (OTP) memory on the RP2350.
Their aim was to smoke out weaknesses early, so that they could be fixed before RP2350 became widely deployed in secure applications. This open approach to security engineering has been generally well received: call it “security through transparency”, in contrast with the “security through obscurity” philosophy of other vendors.
Nobody claimed the prize by the deadline, so in September, Raspberry Pi extended the deadline to the end of 2024 and doubled the prize to $20,000.
On January 14, 2025, Raspberry Pi announced that they had received not one but four valid submissions, all of which require physical access to the chip, with varying degrees of intrusiveness. The winners:
- “Hazardous threes” – Aedan Cullen
- USB bootloader single-instruction fault with supply-voltage injection – Marius Muench
- Signature check single-instruction fault with laser injection – Kévin Courdesses
- Extracting antifuse secrets from RP2350 by FIB/PVC – IOActive
Outside of the contest, Thomas “stacksmashing” Roth and the team at Hextree also discovered a vulnerability: Glitch detector evaluation, and OTP read double-instruction fault with EM injection.
Read all the details in the Raspberry Pi News post.
10k or 20k reward does not bring real players to the game.