Raspberry Pi hands out prizes to all in the RP2350 Hacking Challenge

Raspberry Pi has given out prizes for extracting a secret value from the one-time-programmable (OTP) memory of the Raspberry Pi RP2350 microcontroller – awarding a pile of cash to all four entrants.

The RP2350 went on sale to the public on August 8, 2024, a substantial improvement over its predecessor, the RP2040. One notable area of change was around security; a weakness of the RP2040 had been a factor for some potential customers who regarded it as a non-starter.

Keen to change that perception, Raspberry Pi offered a $10,000 prize to the first person to retrieve a secret value from the OTP memory on the device. According to Pi supremo Eben Upton, "Our aim was to smoke out weaknesses early, so that we could fix them before RP2350 became widely deployed in secure applications."

Hackers were given just one month to make their submissions. Nobody claimed the prize. In September, the prize was doubled to $20,000, and the deadline was extended to the end of 2024. This time, the company received four valid submissions.

All of the hacks required some form of physical access to the chip to retrieve the data. Some tinkered with the power to induce faults, and another ground away part of the chip package and fired a laser at the internals to cause a glitch that could be taken advantage of. A fourth used techniques, including a focused ion beam, to extract the data.

Raspberry Pi also commissioned cybersecurity outfit Hextree to evaluate the chip's secure boot process. By using electromagnetic fault injection (EMFI) – delivering a high-voltage pulse to a small coil on top of the chip – the team was able to inject faults that weren't spotted by the glitch detectors.

While having your hardware hacked is less than ideal (although Upton told us at the time that he realized the company was "painting a target on our backs"), the computer maker was very impressed by the attacks and opted to award $20,000 to each of the winners rather than pick the "best."

We imagine the award money was a bargain compared to the reputational damage that an attack in the field could cause.

Upton described the approach taken by Raspberry Pi as "security through transparency," which contrasts with the "security through obscurity" philosophy in some other part of in the industry, he said.

• Post-IPO Raspberry Pi results in: So you can make money in tech without added AI
• Raspberry Pi 4 bugs throw wrench in the works for Fedora 41
• DEF CON badge disagreement gets physical as firmware dev removed from event stage
• Raspberry Pi Pico 2 lands with (drum roll) RISC-V cores

There is a saying that security by obscurity is no security at all, but the approach taken by Raspberry Pi of publishing the hackers' exploits before mitigations have been implemented might raise an eyebrow or two. At least two will require changes to the hardware. However, as we've noted, all of the exploits require physical access to the microcontroller.

Another challenge is due to start in a few weeks. In the meantime, Upton acknowledged the pros and cons of the transparent approach and said, "The optimum strategy may vary over time, as the installed base of devices with critical exploits increases.

"What doesn't work is a strategy where exploits exist, and are widely known to bad actors, but you put on a brave face and pretend to your customers that everything is fine." ®