HardwareAllTheThings/docs/side-channel/fault-injection.md

5.4 KiB

Fault Injection

Power / VCC - Voltage Glitch

Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.

Most of the time the goal is one of the following:

  • Re-enable debugging features (e.g: Trezor One wallet)
  • Bypass secure boot
  • Gain code-execution by glitching memcpy

Tools

Voltage Glitching with Crowbars

import faultier
import serial

ft = faultier.Faultier()
ser = serial.Serial(ft.get_serial_path(), baudrate=115200)
ser.timeout = 0.3

ft.configure_glitcher(
    trigger_source = faultier.TRIGGER_IN_EXT0,
    trigger_type = faultier.TRIGGER_PULSE_POSITIVE
    glitch_output = faultier.OUT_CROWBAR
)
ft.glitch(delay = 1000, pulse = 1)
print(ser.read(3))

Challenges

Electromagnetic Fault

Electromagnetic Fault Injection is an advanced technique used in hardware security and testing, where electromagnetic pulses are used to induce faults in electronic devices

Tools

Challenges

Clock Glitch

This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.

Challenges

Pin2pwn

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24

In the case of an external SPI flash, it is possible for an attacker to short these pins :

SPI flash example

The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell on the embedded Linux.

Here is a practical example, putting a cable between MOSI and Chip Select :

SPI flash example

References