Fault Injection

Power / VCC - Voltage Glitch

Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.

Most of the time the goal is one of the following:

• Re-enable debugging features (e.g: Trezor One wallet)
• Bypass secure boot
• Gain code-execution by glitching memcpy

Tools

• Faultier FW
• PicoGlitcher v1.1
• HydraBus
• ChipWhisperer-Pro
• ChipWhisperer-Husky

Voltage Glitching with Crowbars

import faultier
import serial

ft = faultier.Faultier()
ser = serial.Serial(ft.get_serial_path(), baudrate=115200)
ser.timeout = 0.3

ft.configure_glitcher(
    trigger_source = faultier.TRIGGER_IN_EXT0,
    trigger_type = faultier.TRIGGER_PULSE_POSITIVE
    glitch_output = faultier.OUT_CROWBAR
)
ft.glitch(delay = 1000, pulse = 1)
print(ser.read(3))

Challenges

• Fiasco - Riscure Hardware CTF 2016 - solved using HydraBus + Custom Board with MOSFET

  gpio glitch trigger PB0 pin PC15 length 100 offsets 191200
  gpio glitch trigger PB0 pin PC15 length 100 offsets 191300
  

• Fiesta - Riscure Hardware CTF 2016
• Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - solved using a custom code running on a Xilinx FPGA
• AVR Glitch: Modifying Code Execution Paths Using Only Voltage
• Hextree Glitch Tag - The Hextree GlitchTag is a "totally not AirTag inspired" board for the nRF52832 microcontroller. It is intended as a target for the Hextree Faultier. It gives access to all pins that you need to learn basic fault-injection, including glitch characterization and so on. It also allows you to reproduce LimitedResult's APPROTECT bypass (that was also used to hack the AirTags) without needing to microsolder!

Electromagnetic Fault

Electromagnetic Fault Injection is an advanced technique used in hardware security and testing, where electromagnetic pulses are used to induce faults in electronic devices

Tools

• Create a custom Electromagnetic fault injection tool: Dirt cheap Electromagnetic Fault Injection

Challenges

• Fiesta - Riscure Hardware CTF 2016 - pedro-javierf - solved using a custom EMFI

Clock Glitch

This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.

Challenges

• Fiesta - Riscure Hardware CTF 2016 - jcldf - solved using a clock glitch

Pin2pwn

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24

In the case of an external SPI flash, it is possible for an attacker to short these pins :

The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell on the embedded Linux.

Here is a practical example, putting a cable between MOSI and Chip Select :

References

• rhme-2016 write-up Fault Injection - hydrabus
• Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11
• Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017
• pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24
• Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022
• Your first Glitch/Voltage Fault Injection - hextree.io
• PicoGlitcher PCB - A dirt chip fault-injection device
• Fault Injection using Crowbars on Embedded Systems - Colin O'Flynn

Share this content