Fault Injection
Power / VCC - Voltage Glitch
Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. A VCC glitch, also known as a supply voltage glitch, is a power glitch that targets the supply voltage (VCC) of a microcontroller or integrated circuit (IC): VCC is pulled down (or spiked) for a few nanoseconds to microseconds, long enough that a logic stage misses its timing and an instruction fetch, a register write or a comparison result is corrupted, but short enough that the chip does not reset. The glitch is timed relative to a trigger (reset release, a UART byte, an I/O edge), and the delay after that trigger decides which instruction is hit.
Most of the time the goal is one of the following:
- Re-enable debugging features (e.g. the APPROTECT bypass on the nRF52 inside the Trezor One wallet)
- Bypass secure boot (skip or corrupt the signature check)
- Gain code execution by glitching a memcpy (corrupting the length or loop counter so the copy overflows)
Tools:
Voltage Glitching with Crowbars:
```python
import faultier
import serial

# Connect to the Faultier and open its serial passthrough to the target
ft = faultier.Faultier()
ser = serial.Serial(ft.get_serial_path(), baudrate=115200)
ser.timeout = 0.3

# Arm the crowbar output: a positive pulse on EXT0 starts the delay timer
ft.configure_glitcher(
    trigger_source = faultier.TRIGGER_IN_EXT0,
    trigger_type = faultier.TRIGGER_PULSE_POSITIVE,
    glitch_output = faultier.OUT_CROWBAR
)

# Wait `delay` after the trigger, then short VCC to ground for `pulse`
ft.glitch(delay = 1000, pulse = 1)
print(ser.read(3))   # what the target answered (empty if it reset)
```
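A single `ft.glitch()` call only tells you what one delay/pulse pair does. Most of the work is the characterization sweep: scanning delay and pulse width, classifying every reply from the target and narrowing in on the parameters that make it misbehave. The following is an added example, not code from this page or from the Faultier project. It keeps the glitcher behind a `fire(delay, pulse)` callable so the sweep runs offline against a constructed simulated target; `faultier_fire()` shows how the page's Faultier calls would plug in and is an assumption about that API. Only the backend changes for EM or clock glitching, the sweep and classification are the same.

```python
"""Glitch characterization sweep (added example, not from the page or Faultier).

The glitcher is hidden behind fire(delay, pulse) -> bytes so that the sweep and
outcome classification run with no hardware attached; simulated_target() below
is a constructed stand-in. faultier_fire() is an assumption about the Faultier
API as used on the page and is only imported when real hardware is present.
"""
import itertools
from collections import Counter

# Outcome classes. Every campaign, whatever the injection method, sorts each
# attempt into one of these before deciding where to search next.
NORMAL = "normal"      # protected code ran as designed (e.g. "access denied")
RESET = "reset"        # glitch too strong: brown-out / watchdog, empty reply
CORRUPT = "corrupt"    # something broke, but not usefully: garbage reply
SUCCESS = "success"    # the check under attack was skipped


def classify(reply, expected, is_success):
    """Map one target reply to an outcome class."""
    if reply == expected:
        return NORMAL
    if is_success(reply):
        return SUCCESS
    if not reply:          # read timed out: target is resetting or hung
        return RESET
    return CORRUPT


def sweep(fire, delays, pulses, expected, is_success, repeats=3, reset_target=None):
    """Try every (delay, pulse) pair `repeats` times and tally the outcomes.

    Glitching is stochastic on real silicon, so one attempt per point says
    little; `repeats` gives a hit rate per point. `reset_target`, if given,
    is called before each attempt (power cycle, reset pin, ...).
    """
    results = {}   # (delay, pulse) -> Counter of outcomes
    hits = []      # every (delay, pulse) that produced SUCCESS, once per hit
    for delay, pulse in itertools.product(delays, pulses):
        tally = Counter()
        for _ in range(repeats):
            if reset_target:
                reset_target()
            outcome = classify(fire(delay, pulse), expected, is_success)
            tally[outcome] += 1
            if outcome == SUCCESS:
                hits.append((delay, pulse))
        results[(delay, pulse)] = tally
    return results, hits


def sweet_spot(hits):
    """Bounding box (delay_min, delay_max, pulse_min, pulse_max) of the hits:
    the region to refine with a finer grid on the next run. None if no hit."""
    if not hits:
        return None
    delays = [d for d, _ in hits]
    pulses = [p for _, p in hits]
    return (min(delays), max(delays), min(pulses), max(pulses))


def simulated_target(delay, pulse):
    """Constructed stand-in for a real target so the sweep runs offline.

    Answers b"OK\\n" when its check holds, enters a debug mode (b"DBG") only
    when the glitch lands in a narrow timing/width window, returns garbage
    for wide pulses and nothing at all once the pulse browns the core out.
    """
    if pulse > 40:
        return b""
    if 980 <= delay <= 1020 and 8 <= pulse <= 20:
        return b"DBG"
    if pulse > 25:
        return b"\xff\x00"
    return b"OK\n"


def faultier_fire(read_len=16):
    """Build fire() from the Faultier API as used on the page (assumption)."""
    import faultier   # imported here so the rest of the file runs without hardware
    import serial
    ft = faultier.Faultier()
    ser = serial.Serial(ft.get_serial_path(), baudrate=115200, timeout=0.3)
    ft.configure_glitcher(
        trigger_source=faultier.TRIGGER_IN_EXT0,
        trigger_type=faultier.TRIGGER_PULSE_POSITIVE,
        glitch_output=faultier.OUT_CROWBAR,
    )

    def fire(delay, pulse):
        ft.glitch(delay=delay, pulse=pulse)
        return ser.read(read_len)

    return fire


def characterize(fire=simulated_target, repeats=2):
    """Coarse sweep followed by the sweet-spot report."""
    results, hits = sweep(
        fire,
        delays=range(900, 1101, 20),
        pulses=(5, 10, 20, 30, 50),
        expected=b"OK\n",
        is_success=lambda r: r.startswith(b"DBG"),
        repeats=repeats,
    )
    return results, hits, sweet_spot(hits)


if __name__ == "__main__":
    results, hits, box = characterize()
    for params, tally in sorted(results.items()):
        print(params, dict(tally))
    print("sweet spot (delay_min, delay_max, pulse_min, pulse_max):", box)
```

Swap `simulated_target` for `faultier_fire()` (or any other backend) to run it on hardware; the reset-vs-corrupt split is what tells you whether to shorten the pulse or to move the delay, which is the whole point of logging all four classes rather than just hits.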
Challenges:
- Fiesta - Riscure Hardware CTF 2016 - solved using HydraBus + Custom Board with MOSFET
- Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - solved using a custom code running on a Xilinx FPGA
- AVR Glitch: Modifying Code Execution Paths Using Only Voltage
- Hextree GlitchTag - The Hextree GlitchTag is a "totally not AirTag inspired" board for the nRF52832 microcontroller. It is intended as a target for the Hextree Faultier. It gives access to all the pins you need to learn basic fault injection, including glitch characterization. It also allows you to reproduce LimitedResults' APPROTECT bypass (the same one used to hack the AirTags) without any microsoldering.
Electromagnetic Fault
Electromagnetic Fault Injection (EMFI) is an advanced hardware security testing technique in which electromagnetic pulses are used to induce faults in electronic devices. A small coil driven by a high-current pulse is held over the package, and the transient field couples into the chip's internal wiring. Unlike a VCC glitch it needs no electrical contact with the board and can be localized to part of the die, but probe position (X/Y and height) becomes an additional search parameter on top of delay and pulse width.
Tools:
- findus - Library to perform fault injection attacks with the PicoGlitcher, ChipWhisperer Husky or ChipWhisperer Pro
- emfindus - Add-on library to findus to perform electromagnetic fault injection (EMFI) attacks with the ChipSHOUTER
- Dirt cheap Electromagnetic Fault Injection
Challenges:
- Fiesta - Riscure Hardware CTF 2016 - pedro-javierf - solved using a custom EMFI
Clock Glitch
This technique involves momentarily disrupting or altering the clock signal of a device, typically by inserting an extra, much shorter clock edge, so that a pipeline stage violates its setup time and an instruction is skipped or its result corrupted. It only applies when the target is clocked from a source the attacker controls (an external oscillator input, or a crystal that can be removed and driven).
Challenges:
- Fiesta - Riscure Hardware CTF 2016 - jcldf - solved using a clock glitch
Pin2pwn
When the firmware lives in an external SPI flash, an attacker can briefly short the flash's pins while the device boots:
The MCU then fails to read valid data from the flash. Depending on how the firmware handles that failure, it may print a stack trace, drop into a bootloader shell or, worst of all, into a root shell on the embedded Linux system. Timing matters: the short has to land while the stage being attacked (bootloader or kernel) is actually reading from the flash, otherwise the device simply does not boot.
A practical example is bridging MOSI and Chip Select with a wire (or a sewing needle, as in the DEF CON 24 talk referenced below):
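Whatever the short produces is only visible on the serial console, so when the short is being timed with a relay or FET across many boot attempts it helps to triage the captured boot output automatically. The following is an added example, not code from this page or from the pin2pwn talk. The prompt and error strings it looks for are common U-Boot, Linux and BusyBox messages and are assumptions about the target; the three console captures are constructed.

```python
"""Triage of boot-console captures after a pin2pwn flash-pin short.

Added example, not from the original page or the pin2pwn talk. The prompt
and error patterns are common U-Boot / Linux / BusyBox strings and are
assumptions about the target; the sample captures below are constructed.
"""
import re

# Outcomes, most valuable first: the first pattern that matches decides.
SHELL_SIGNATURES = [
    ("root shell",       re.compile(r"^[/~]\S* ?#\s*$", re.M)),           # BusyBox "/ # "
    ("bootloader shell", re.compile(r"^(=>|U-Boot>|uboot>)\s*$", re.M)),   # U-Boot prompt
    ("stack trace",      re.compile(r"Kernel panic|Call Trace:|Oops:|Unhandled exception", re.I)),
]

# Evidence that the flash read really failed, i.e. the short landed in time.
FLASH_FAIL = re.compile(
    r"bad magic|bad crc|image not found|no valid image"
    r"|spi.*?(error|timed out|timeout|fail)"
    r"|jffs2.*?error|squashfs.*?error|flash.*?(error|fail)",
    re.I,
)

PRIORITY = {"root shell": 3, "bootloader shell": 2, "stack trace": 1, "none": 0}


def triage(console):
    """Classify one boot-console capture (text as read from the UART)."""
    flash_failed = FLASH_FAIL.search(console) is not None
    for outcome, pattern in SHELL_SIGNATURES:
        m = pattern.search(console)
        if m:
            return {"flash_read_failed": flash_failed,
                    "outcome": outcome,
                    "evidence": m.group(0).strip()}
    return {"flash_read_failed": flash_failed, "outcome": "none", "evidence": ""}


def rank_attempts(captures):
    """captures: {label: console_text} for several differently timed shorts.
    Returns (label, outcome) pairs, most useful outcome first."""
    verdicts = [(label, triage(text)["outcome"]) for label, text in captures.items()]
    return sorted(verdicts, key=lambda lv: -PRIORITY[lv[1]])


# Constructed captures, not taken from any real device.
SAMPLE_BOOTLOADER = """
U-Boot 2013.10 (Jan 01 2016 - 00:00:00)

DRAM:  64 MiB
SF: Detected W25Q64 with page size 256 Bytes, total 8 MiB
Hit any key to stop autoboot:  0
## Booting kernel from Legacy Image at 81000000 ...
Bad Magic Number
=> 
"""

SAMPLE_ROOT = """
[    2.101000] spi-nor spi0.0: SPI transfer timed out
[    2.110000] jffs2: error: (1) jffs2_build_filesystem(): Unable to build filesystem
[    2.120000] init: can't run '/etc/init.d/rcS': Input/output error

BusyBox v1.24.1 built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # 
"""

SAMPLE_CLEAN = """
[    1.500000] spi-nor spi0.0: w25q64 (8192 Kbytes)
[    1.600000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[    2.000000] Starting services...

buildroot login: 
"""

if __name__ == "__main__":
    attempts = {"no short": SAMPLE_CLEAN,
                "short at 0.5 s": SAMPLE_BOOTLOADER,
                "short at 2.1 s": SAMPLE_ROOT}
    for label, text in attempts.items():
        print(label, triage(text))
    print("best:", rank_attempts(attempts)[0])
```

The `flash_read_failed` flag is the useful diagnostic when nothing interesting happens: if it is false the short landed too early or too late for the stage you were aiming at, if it is true but the outcome is "none" the firmware handled the read error cleanly and a different stage (or a different pin) is worth trying.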
References
- Attacking the STM32F4 with the PicoGlitcher - Matthias Kesenheimer - December 15, 2024
- Fault Injection using Crowbars on Embedded Systems - Colin O'Flynn
- Glitching the Raspberry Pico with a Raspberry Pico - Matthias Kesenheimer - February 9, 2025
- Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - June 16, 2017
- PicoGlitcher PCB - A dirt cheap fault-injection device - Matthias Kesenheimer - September 3, 2024
- pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24
- Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - August 2022
- rhme-2016 write-up Fault Injection - hydrabus
- Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - October 11, 2020
- Your first Glitch/Voltage Fault Injection - hextree.io
- nRF54L15 Electromagnetic Fault Injection - Matthias Kesenheimer - June 17, 2025
- STM32L05 Voltage Glitching - Matthias Kesenheimer - June 6, 2025