Computer Laboratory

[What's New] [Research Proposal] [Scientific Interests] [My Skills] [Research and Plans] [Old Projects] [Contact Details] [Publications]

Dr Sergei Skorobogatov

I am a Senior Research Associate in the Security Group at the Computer Laboratory of the University of Cambridge in the UK.

I have a background in electronics, chemistry, computer science and physics. Before starting my research at the University of Cambridge in 2000, I was working in industry designing various electronic devices for eyesight diagnostics and correction.

My ongoing research projects are aimed at Hardware Security and Hardware Assurance. My first project here was the EU-funded G3Card project, aimed at designing a new generation of smartcard chips. This project was finished in January 2003 and since then I have had independent research grants from various industrial sponsors and collaborators.


Since 2008 I have been giving guest lectures on Tamper resistance and hardware security in the Part II Security course for undergraduate students.

Since 2013 I have been contributing to the Part III/MPhil ACS course Current Applications and Research in Computer Security as a guest convener with the topic "Tampering with hardware".

I am currently a second supervisor of a PhD student Omar Choudary.

I am invited from time to time to give lectures about my research achievements. The usual places are security-related workshops and other universities. Please refer to my publications section for the full list.

I now have a dedicated teaching course on Hardware Security aimed at industrial engineers and graduate students. It covers the following subjects: Introduction to Hardware Security; Common mistakes in the design of secure hardware; Data remanence effects in memory; Imaging techniques and Optical attacks; Side-channel attacks; Lessons, Countermeasures and Defence technologies. The course was well received by various people from industry and academia. I now have a contract with a large industrial chip manufacturing company for running a yearly teaching course for their design engineers during the next five years.

I gave a lecture course on Hardware Security of semiconductor chips at Nanyang Technological University in Singapore for undergraduates and PhD students of Temasek Laboratory department in May 2013.

As initial reading on the hardware security subject I recommend my PhD thesis and the book "Introduction to Hardware Security and Trust", to which I contributed the chapter on Physical Security (Chapter 7). For further reading please see my publications list. Also, the latest research results in that area are usually published at the following conferences: CHES, HOST, FDTC, COSADE and CARDIS.

If you are keen on Hardware Security, have some amazing projects in mind and want to do PhD research under my supervision, please first see the information about the PhD degree at the Computer Laboratory before contacting me.


I work in the Hardware Security field on attack technologies and tamper-resistant processors. My Hardware Security research is aimed at finding vulnerabilities, hidden functions and backdoors in silicon chips.

Here is the list of some of my recent research projects:

Usually new areas of research require an additional workforce. For that, collaborators from industry and academia are sought and new grant applications are submitted. Should a new postdoc position open, it will be announced on the University Job site.

I am a member of the following communities:

  • Hardware-Oriented Security and Trust (HOST), Program Committee (2008, 2009, 2010, 2011, 2012, 2013, 2014)
  • Cryptographic Hardware and Embedded Systems (CHES), Program Committee (2010, 2012)
  • Fault Diagnosis and Tolerance in Cryptography (FDTC), Program Committee (2010, 2011, 2012, 2013)
  • Smart Card Research and Advanced Application Conference (CARDIS), Program Committee (2011, 2012, 2013)
  • Constructive Side-Channel Analysis and Secure Design (COSADE), Program Committee (2012)
  • Digital System Design (DSD) Euromicro conference, Special Session Sub-Committee (2014)
  • European Research Council (ERC), Peer Reviewer (2010)
  • Technology Foundation STW, Dutch Research Funding Council, Peer Reviewer (2013)
  • Journal of Cryptographic Engineering (JCEN), Associate Editor (2011, 2012, 2013, 2014)
  • IEEE Transactions on Computers (TC), Peer Reviewer (2006, 2007, 2009, 2012, 2013)
  • IEEE Transactions on Reliability (TR), Peer Reviewer (2014)
  • Wiley Publisher, Reviewer (2010)
  • Journal of Information Security, Peer Reviewer (2011)
  • Journal of Microelectronics Reliability, Peer Reviewer (2012, 2013)
  • Journal of Information Science and Engineering, Peer Reviewer (2013)
  • The Computer Journal (COMPJ), Peer Reviewer (2013)
  • ACM Transactions on Reconfigurable Technology and Systems, Peer Reviewer (2008, 2013)
  • ACM Transactions on Information and System Security, Peer Reviewer (2013)

Here are some of my current project ideas for undergraduate students. Old project ideas are placed here and here.

What's New

I have been criticised a lot about the fact that most of the chips I analyse and publish successful attacks on are built with 0.7-micron or even 0.9-micron technology. This has now changed, meaning that the chips I use in my new research investigations are built with at least 0.5-micron technology (still popular in some secure chips), with some tests applied down to 90 nm chips and some interesting results recently published on 0.13-micron chips.

I was contacted many times in the past with questions about consulting projects I can perform here in the lab. This was mainly caused by rapidly growing concerns about the hardware security of semiconductor products (mostly microcontrollers, CPLDs and FPGAs) and growing intellectual property theft in Asian countries where most outsourcing is taking place. Some projects were aimed at finding security flaws in existing devices in order to improve their security or to select the most secure parts from a list. Other projects were dedicated to teaching and educating personnel, while others were about developing certain attack techniques. More information on the types of research projects and possible collaboration with industry.

Upcoming events (soonest first)

The cause of sporadic failures in embedded systems was found, and this could have very serious consequences. You might have come across situations when some microcontroller-based systems started behaving oddly or stopped working. This might be home appliances, cars, industrial equipment etc. It seems that a serious reliability issue was overlooked and we might see more systems and devices starting to behave unpredictably or going off. If it is a toaster or microwave oven you can cope, but what about old electronic equipment used in cars, avionics and industrial infrastructure? A draft report will be published soon.

We are presenting our paper "Chip and Skim: cloning EMV cards with the pre-play attack" at the IEEE Symposium on Security and Privacy (Oakland), 18-21 May, 2014, San Jose, USA.

Past events (latest first)

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2013-14.

I gave a lecture course on Hardware Security of semiconductor chips at Nanyang Technological University in Singapore for undergraduates and PhD students of Temasek Laboratory department in May 2013.

I gave invited talk "Silicon scanning technology for hidden backdoors in semiconductor chips" at National University of Singapore, Department of Engineering on 20 May 2013.

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2012-13.

Chip and Skim: cloning EMV cards with the pre-play attack. Co-authored paper on yet another EMV vulnerability. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit.

Breakthrough silicon scanning discovers backdoor in military chip (slides). Exposes some serious security issues in the devices which were supposed to be unbreakable. Appeared at Cryptographic Hardware and Embedded Systems Workshop (CHES-2012).

In the blink of an eye: There goes your AES key. IACR Cryptology ePrint Archive, Report 2012/296, 2012. Short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'.

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2011-12.

I created a new page: Up-to-date information on my hardware security research.

I wrote chapter Physical Attacks and Tamper Resistance in Introduction to Hardware Security and Trust, Eds: Mohammad Tehranipoor and Cliff Wang, Springer, September 2011, ISBN 978-1-4419-8079-3

I gave an invited talk "Hardware Security of Semiconductor Chips: Progress and Lessons" on 27 June 2011 at School of Computing Science, Newcastle University (abstract).

I gave two invited talks: Fault attacks on secure chips: from glitch to flash (slides); and Side-channel attacks: new directions and horizons (slides) at ECRYPT2 School on Design and Security of Cryptographic Algorithms and Devices, 29 May-03 June 2011, Albena near Varna, Bulgaria.

I gave an invited talk at the 2nd ARO Special Workshop on Hardware Assurance (abstract, slides and video).

Synchronization method for SCA and fault attacks. Journal of Cryptographic Engineering (JCEN), Springer, 2011. New application for frequency locking in side-channel and fault attacks on secure microcontrollers and secure FPGAs.

I gave a talk at the Security Group seminar on 7 December 2009 (slides: Bumping attacks: the affordable way of obtaining chip secrets). I presented my research into a new class of fault injection attacks called bumping attacks. These attacks are aimed at data extraction from secure embedded memory, which usually stores critical parts of algorithms, sensitive data and cryptographic keys. I evaluated memory verification and AES authentication schemes used in secure microcontrollers and a highly secure FPGA. Partial reverse engineering of the FPGA made bumping attacks possible via the use of non-invasive threshold voltage alteration combined with power glitching. How can the sensitive areas be found? How can the AES key be attacked? How long does it take to get the AES key? How can the super-secret factory backdoor be found? What was the biggest security mistake in Actel ProASIC3, Igloo, Fusion and SmartFusion FPGAs? How not to get screwed by an irresponsible corporate security strategy? These and other questions are answered.

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2010-11. Slides are substantially revised and new material is included compared to the last year lecture.

Optical Fault Masking Attacks (slides). I presented a new inexpensive semi-invasive optical fault technique which can disable Flash memory write and erase operations, at the 7th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2010).

Real world AES key extraction. Rump session at Cryptographic Hardware and Embedded Systems Workshop (CHES-2010).

Flash Memory 'Bumping' Attacks (slides). A new powerful attack method aimed at secure memory integrity checks, which allows contents and secret key extraction. Appeared at Cryptographic Hardware and Embedded Systems Workshop (CHES-2010).

I gave an invited talk at the PASTIS-2010 Workshop on PACA Security Trends in Embedded Systems (abstract and slides).

I gave an invited talk at the Lorentz Center Workshop on Provable Security against Physical Attacks (abstract and slides).

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2009-10. Slides are revised and new material is included compared to the last year lecture.

I gave a talk at the Security Group seminar on 13 October 2009 (slides: Optical surveillance on silicon chips: your crypto keys are visible). I presented my research into a new class of side-channel attacks: optical side-channel attacks on secure semiconductor chips. By using an inexpensive CCD camera to monitor the emission from an operating chip, information stored in SRAM, EEPROM and Flash was successfully recovered. In extreme cases, the AES key stored inside a secure FPGA chip and used for secure code updates could be extracted, thus seriously compromising the hardware security. Protection against these new side-channel attacks should become a new challenge to chip manufacturers.

Using Optical Emission Analysis for Estimating Contribution to Power Analysis (slides). I presented a new inexpensive semi-invasive side-channel attack method which marks a new direction in the hardware security arms race between developers and attackers, at the 6th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2009).

Local Heating Attacks on Flash Memory Devices (slides). I presented a new semi-invasive attack technique which is aimed at modifying Flash and EEPROM memory as well as at data extraction directly from the memory cell. Appeared at the 2nd IEEE International Workshop on Hardware-Oriented Security and Trust (HOST-2009).

I gave a talk at the Security Group seminar on 20 January 2009 (slides: Hardware security: trends and pitfalls of the past decade). I was talking about progress in the hardware security area during the past decade. Instead of looking at various attack technologies, as I did in my previous lectures, I paid more attention to the underlying problems of security failures caused by silicon hardware. I summarised achievements in attack and defence technologies and discussed some hardware security related issues of security economics and security psychology. After giving some examples of low-cost attacks on moderately secure silicon chips, I finally tried projecting the trend of the hardware security area into the near future, which is likely to bring news of more previously thought unbreakable devices actually being easy to attack.

I gave a guest lecture "Tamper resistance and hardware security" in the Part II Security course for undergraduate students 2008-09.

I prepared a short live hardware security demonstration course for students. Demonstrations involved a show of decapsulated samples, optical microscopy and rear-side infrared microscopy of various microcontrollers including deprocessed chips, the history of optical fault injection and a live attack on security in a microcontroller, and a power analysis attack on security in a custom design. A short version of the demonstrations was also given as part of the Show and Tell local event here in the Computer Lab on 29 September 2008.

I gave a talk as invited speaker at the IPAM Workshop on Special purpose hardware for cryptography: Attacks and Applications (abstract and slides).

I gave a talk at the Security Group seminar on 31 October 2006 (slides: Optically Enhanced Position-Locked Power Analysis). I introduced a refinement of the power analysis attack on integrated circuits. By using a laser to illuminate a specific area on the chip surface, the current through an individual transistor can be made visible in the circuit's power trace.

Optically Enhanced Position-Locked Power Analysis (slides). New fascinating results of applying semi-invasive attacks to on-chip SRAM arrays for recovering information about its internal functionality without interfering with the chip operation. Appeared at Cryptographic Hardware and Embedded Systems Workshop (CHES-2006).

I gave a four-hour talk as invited lecturer at the ECRYPT Summer School on Cryptography in Louvain-la-Neuve (Belgium) 12-15 June 2006. I gave an introduction to hardware security and presented my achievements in hardware security analysis in the last six years. The abstract of the talk and references are available here. Slides for Part 1, Part 2, Part 3 and Part 4 of my talk are now available.

Cryptographic Processors -- A Survey (Invited Paper). IEEE Proceedings, Special Issue on Cryptography and Security, February 2006, Vol.94, No.2, pp.357-369. Full version is available as a Technical Report UCAM-CL-TR-641.

Data Remanence in Flash Memory Devices. Cryptographic Hardware and Embedded Systems Workshop (CHES-2005), 30 August - 1 September 2005, LNCS 3659, Springer-Verlag, ISBN 3-540-28474-5, pp.339-353 (slides).

My Ph.D. thesis, which discusses the area of my research and achievements up until the end of 2003, has been out since April 2005 and exists in the form of a hardbound copy and an on-line Technical Report version. No part of my thesis or the corresponding Technical Report may be used to produce any other reports or publications. It can be viewed on a computer or printed out for reference and consultation purposes only. You must contact me and obtain my permission in writing if you want to reproduce or use any images or diagrams from my thesis. I do not provide or authorise any translation of my thesis into other languages.

I gave a talk at the Security Group seminar on 26 October 2004 (slides: Data remanence in non-volatile semiconductor memories. Part I: Introduction and non-invasive approach). I showed how the security protection in microcontrollers and smartcards with EEPROM/Flash memories can be compromised if the information in embedded memory does not disappear completely after erasing.

On a New Way to Read Data from Memory. First International IEEE Security in Storage Workshop, 11 December 2002, Greenbelt Marriott, Maryland, USA.

Optical Fault Induction Attacks. Cryptographic Hardware and Embedded Systems Workshop (CHES-2002), 13-15 August 2002, LNCS 2523, Springer-Verlag, ISBN 3-540-00409-2, pp.2-12 (slides, Russian version). We describe a new class of attacks on secure microcontrollers and smartcards. Illumination of a target transistor causes it to conduct, thereby inducing a transient fault. Such attacks are practical; they do not even require expensive laser equipment. As an illustration of the power of this attack, we developed techniques to set or reset any individual bit of SRAM in a microcontroller. Unless suitable countermeasures are taken, optical probing may also be used to induce errors in cryptographic computations or protocols, and to disrupt the processor's control flow. It thus provides a powerful extension of existing glitching and fault analysis techniques. This vulnerability posed a big problem for the industry, similar to those resulting from probing attacks in the mid-1990s and power analysis attacks in the late 1990s.
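
The fault model in the paper above (one illuminated transistor, one SRAM bit set or reset) is easiest to appreciate against a concrete readout-protection check. The following simulation is an added example, not code from the page or its author: it models an 8-bit microcontroller whose lock flag lives in SRAM, applies every possible single-bit fault to it, and compares a naive single-bit check with a fail-closed complementary-pair encoding. The memory layout, magic values and function names are assumptions made for this example, and the complementary-pair countermeasure is a generic technique rather than a scheme taken from the paper.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not code from the page or its author): a simulated
 * 8-bit microcontroller whose code-readout protection is held in SRAM,
 * attacked under the fault model described above, where one illuminated
 * transistor sets or resets a single SRAM bit. The memory layout, magic
 * values and function names are assumptions made for this example; the
 * complementary-pair countermeasure is a generic technique, not a scheme
 * taken from the page. */

#define RAM_SIZE        8
#define LOCK_ADDR       0   /* lock flag byte */
#define LOCK_COMPL_ADDR 1   /* its complement (hardened scheme only) */

#define LOCKED_MAGIC    0xA5
#define UNLOCKED_MAGIC  0x00

enum { READOUT_DENY = 0, READOUT_ALLOW = 1, READOUT_TAMPER = 2 };

typedef struct { uint8_t ram[RAM_SIZE]; } mcu_t;

/* Fault model: flip one SRAM cell at (addr, bit). */
void fault_flip_bit(mcu_t *m, int addr, int bit) {
    m->ram[addr] ^= (uint8_t)(1u << bit);
}

/* Constructed initial states for the two protection schemes. */
void init_naive_locked(mcu_t *m) {
    for (int i = 0; i < RAM_SIZE; i++) m->ram[i] = 0;
    m->ram[LOCK_ADDR] = 0x01;                            /* bit 0 set: locked */
}
void init_hardened_locked(mcu_t *m) {
    for (int i = 0; i < RAM_SIZE; i++) m->ram[i] = 0;
    m->ram[LOCK_ADDR] = LOCKED_MAGIC;
    m->ram[LOCK_COMPL_ADDR] = (uint8_t)~LOCKED_MAGIC;    /* 0x5A */
}
void init_hardened_unlocked(mcu_t *m) {
    for (int i = 0; i < RAM_SIZE; i++) m->ram[i] = 0;
    m->ram[LOCK_ADDR] = UNLOCKED_MAGIC;
    m->ram[LOCK_COMPL_ADDR] = (uint8_t)~UNLOCKED_MAGIC;  /* 0xFF */
}

/* Naive bootloader check: one bit decides, so one well-placed fault opens it. */
int naive_readout_state(const mcu_t *m) {
    return (m->ram[LOCK_ADDR] & 0x01) ? READOUT_DENY : READOUT_ALLOW;
}

/* Hardened check: the flag is stored as a complementary pair, locked as
 * 0xA5/0x5A and unlocked as 0x00/0xFF. Any single-bit change breaks the
 * pairing, so the device fails closed and reports tampering; reaching the
 * unlocked encoding from the locked one needs eight exactly placed faults. */
int hardened_readout_state(const mcu_t *m) {
    uint8_t a = m->ram[LOCK_ADDR];
    uint8_t b = m->ram[LOCK_COMPL_ADDR];
    if ((uint8_t)(a ^ b) != 0xFF) return READOUT_TAMPER;
    if (a == LOCKED_MAGIC)   return READOUT_DENY;
    if (a == UNLOCKED_MAGIC) return READOUT_ALLOW;
    return READOUT_TAMPER;   /* consistent pair, but not a known encoding */
}

/* Unfaulted sanity checks. */
int hardened_state_locked(void)   { mcu_t m; init_hardened_locked(&m);   return hardened_readout_state(&m); }
int hardened_state_unlocked(void) { mcu_t m; init_hardened_unlocked(&m); return hardened_readout_state(&m); }

/* Exhaustively apply every single-bit fault to the two lock bytes (16 faults)
 * and count how many leave the check in the state 'wanted'. */
static int count_single_faults(void (*init)(mcu_t *),
                               int (*check)(const mcu_t *), int wanted) {
    int hits = 0;
    for (int addr = LOCK_ADDR; addr <= LOCK_COMPL_ADDR; addr++) {
        for (int bit = 0; bit < 8; bit++) {
            mcu_t m;
            init(&m);
            fault_flip_bit(&m, addr, bit);
            if (check(&m) == wanted) hits++;
        }
    }
    return hits;
}

int naive_single_faults_unlocking(void) {
    return count_single_faults(init_naive_locked, naive_readout_state, READOUT_ALLOW);
}
int hardened_single_faults_unlocking(void) {
    return count_single_faults(init_hardened_locked, hardened_readout_state, READOUT_ALLOW);
}
int hardened_single_faults_detected(void) {
    return count_single_faults(init_hardened_locked, hardened_readout_state, READOUT_TAMPER);
}

int main(void) {
    printf("naive lock bit:     %d of 16 single-bit faults unlock readout\n",
           naive_single_faults_unlocking());
    printf("complementary pair: %d unlock readout, %d are flagged as tamper\n",
           hardened_single_faults_unlocking(), hardened_single_faults_detected());
    return 0;
}
```

The point the counts make is the one the paper draws: once an attacker can set or reset an individual SRAM bit, a protection decision that hinges on a single bit is one fault away from open, whereas an encoding that needs several simultaneous, precisely placed faults to move between valid states turns a random or single fault into a detected tamper event rather than a bypass.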

Low Temperature Data Remanence in Static RAM. Technical Report UCAM-CL-TR-536, University of Cambridge, Computer Laboratory, June 2002.

Copy Protection in Modern Microcontrollers is an overview of copy protection reliability in modern microcontrollers, 2000.

My research proposal for the ongoing 2013-2014 academic year (public abstract part only; the detailed proposal and other parts are confidential)

  • Using new methods of side-channel analysis for finding backdoors and trojans in secure chips

    Status: ongoing research project

  • Using side-channel analysis and fault attacks for partial reverse engineering of secure chips

    Status: ongoing research project

  • EEPROM and Flash memory analysis methods. This research project is aimed at developing new techniques for analysing EEPROM and Flash memory contents using semi-invasive methods.

    Status: proposed research project

  • Investigation of hardware security related problems in Flash and EEPROM memory structures. Evaluation against: fault injection, data remanence, external influence, side-channel leakage, memory extraction and new attacks.

    Status: ongoing research project

  • Practical use of fault-injection attacks. We introduced these attacks in 2002. Unfortunately they have still not been properly investigated. Research is needed to estimate the requirements on these attacks for each chip manufacturing technology and possible success rate. We are currently setting up the equipment necessary for this research. Some of the results are very likely to be published in 2011 once new special equipment has arrived.

    Status: ongoing research project

  • Investigation of hardware security related problems in encryption engines implemented in semiconductor devices. Evaluation against: side-channel attacks, fault injection, side-channel leakage and new attacks.

    Status: proposed research project

  • Practical reverse engineering of programmable logic chips. It is strongly believed that CPLDs and FPGAs offer superior IP protection by design as there is no sequential programming execution flow and the device functionality is obscured using proprietary encoding. The question is how far an attacker can go by observing the device configuration process and analysing the differences.

    Status: proposed research project

  • Optically controlled microcontroller chip. Despite the fact that I discovered the optical fault injection attacks in 2001 and introduced them to the public in 2002, very little has still been done in the direction of performing such attacks in a controllable and reliable way. This project is aimed at eliminating this disproportion by giving a good demonstration of how such attacks can be used to run arbitrary code on a standard 8-bit microcontroller with a fully disabled or damaged memory programming interface.

    Status: proposed research project

  • Data remanence in EEPROM and Flash memory devices under special conditions. Additional directions for my previous research on data remanence in semiconductor memory devices.

    Status: ongoing research projects

  • Advanced optical probing attacks. Research into practical methods of reading SRAM, EEPROM and Flash memory contents using semi-invasive approach.

    Status: proposed research project

  • Advanced EMA attacks. Research into combining EMA attacks with semi-invasive methods.

    Status: proposed research project

  • High-resolution power analysis. Research into improving effectiveness of power analysis attacks by using special data acquisition, measurement and post-processing techniques.

    Status: ongoing research project

  • Using nanotechnologies for hardware security analysis. Current trends in the miniaturisation of electronic devices demand the ability to understand the structure and properties on the deep submicron level (latest technology is 28nm and 20nm is already proposed). Recent achievements in scanning probe microscopy allow us to observe many characteristics of semiconductor chip surface such as landscape (with atomic force microscopy), doping concentration (with scanning capacitance microscopy), resistance (with scanning spreading resistance microscopy), magnetic field (with magnetic force microscopy), temperature (with scanning thermal microscopy), and many others. We need research to estimate how much information could be extracted from silicon chips by using such technologies. This research might involve designing and building some special microscopes. As such research requires large investments in equipment, it is difficult to predict when it will be started.

    Status: future research project

My scientific interests include:

Some of my special skills and fields of knowledge include:

  • Secure microcontrollers
  • Tamper resistance, smartcard systems, analysis of secure systems
  • Decapsulation and chemical (wet) etching
  • Semi-invasive attacks
  • FIB workstation (FEI Vectra 200)
  • Laser cutting systems
  • Probing stations and microprobing techniques
  • Submicron mechanical positioning (stage1, stage2, stage3, stage4).
  • Laser microscopy
  • Advanced imaging techniques
  • Assembler programming (8048, Z80, 8051, 6502, 80x86, 6805/08/11, PIC12/16/18/24, 68000, AVR, MIPS, ARM, MSP430, H8/300, PowerPC)
  • C/C++ programming for PC and embedded systems
  • Verilog HDL programming (Altera, Xilinx)
  • Designing of hardware devices using CPLDs and FPGAs (Altera, Xilinx)
  • Printed Circuit Boards (PCB) design
  • IBM PC hardware design and programming
  • Hardware design and programming for Sinclair ZX Spectrum, Nintendo (NES) game console, SEGA Megadrive game console

Some of my research and plans

Up-to-date information on my hardware security research.

My first security-related research project was an analysis of the copy protection mechanisms in modern microcontrollers. I still work in this area and I occasionally provide penetration testing and consulting services for old and new microcontroller designs. My work aims at understanding the detailed mechanism of how protection can be broken and how the security of new designs can be improved.

Using new methods of side-channel analysis for finding backdoors and trojans in secure chips.

Using side-channel analysis and fault attacks for partial reverse engineering of secure chips.

Developing new technology for effective side-channel analysis and secret key extraction from real-world devices.

My other research is more about a general evaluation of different memory structures against all kinds of attacks, rather than testing any particular samples. As I expected a long time ago (it was announced by me in 1999), Flash and EEPROM memories are not very good candidates for hardware security on their own, unless special attention is paid to data flow control and interface protocols. It was also suggested in my popular article on copy protection in microcontrollers, whose first edition appeared in 2000. Much more information about various problems in EPROM, EEPROM and Flash memories is in my Ph.D. thesis, which is publicly available. My further research will involve a detailed investigation of different Flash/EEPROM memory cells as well as of antifuse cells, which are believed to be highly secure; my personal opinion is that this was not properly proved and tested. The next step would be learning about and testing FRAM and MRAM memory structures, as they are considered to be a highly secure replacement for Flash and EEPROM memories.

Some of my old projects

How you can contact me

Dr Sergei P. Skorobogatov
University of Cambridge
Computer Laboratory
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom
Phone:  +44 (0)1223 763563
        +44 (0)1223 763744
Fax:    +44 (0)1223 334678
Email:  Sergei.Skorobogatov (at)
        sps32 (at)
        sps32 (at)
        Sergei.Skorobogatov (at)

Secure email: For confidential messages use HushMail and send email to my HushMail address Sergei.Skorobogatov (at) Alternatively, use my PGP key.

I always reply to personal emails. But sometimes due to server problems or spam filters mail could be lost. Therefore please resend your message if I have not replied within one week. In case of important messages I would prefer you to forward a copy of your letter to my HushMail address. Please avoid using HTML format in your emails (such messages are very likely to be filtered out) and ask my permission if you want to attach any files to your emails.


Please do not copy any of my publications onto your own Internet server for public access without explicit permission. If you want to refer to any of my texts, please use a hyperlink to my original and not a copy. I update these texts frequently and I want to prevent the confusion that arises if people read somewhere else obsolete versions that are not under my control.

Press releases September 2012

Press releases May 2012

Press releases 2002


English texts

Russian texts


Sergei Skorobogatov <Sergei.Skorobogatov (at)>
last modified 24-04-2014

Keywords: hardware security, hardware assurance, analysis, evaluation, computer testing, microcontroller, smartcard, embedded systems, tamper resistance, trojans, backdoors, smartcard systems, breaking copy protection, IP, data extraction, AES key, DES, TDES, RSA, SHA-1, electronic engineering, invasive, non-invasive, semi-invasive attacks, optical probing, side-channel, EMA, power analysis, cryptography, encryption, crypto, digital electronics, controllers, MCU, CPLD, FPGA, ASIC, IC, fuse, antifuse, flash, EPROM, EEPROM, lock bits, attacking, cracking, hacking, crack, hack, unlock, unprotect, break, reverse engineer, recover, recovery, Motorola, Atmel, Microchip, NEC, Texas Instruments, Hitachi, Renesas, Winbond, Freescale, Cypress, Maxim, Dallas, Zilog, STMicroelectronics, SGS Thomson, Ubicom, Scenix, Intel, Cygnal, Philips, Holtek, Mitsubishi, Siemens, Samsung, Toshiba, Actel, NXP, ARM, Elan, Altera, Infineon, Lattice, Xilinx, Fujitsu, Maxim, Temic, Macronix, National Semiconductor, PIC, AVR, MSP430, H8, ST62, Z86, MC68HC, HC908, HC12, PIC16, PIC18, PIC24, dsPIC30, dsPIC33, DS2432, AT89, AT90, ATMEGA, ATtiny, PA3, A3P, ProASIC, ProASIC3, Igloo, Fusion, SmartFusion, passkey, flashlock, ibutton, Nintendo, SEGA, SONY, WII, NES, Newport, PM500 card, motorized stage, motion control, Kensington