Fault Injection
Power / VCC Glitch
Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.
-
Fiasco - Riscure Hardware CTF 2016 - solved using HydraBus + Custom Board with MOSFET
-
Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - solved using a custom code running on a Xilinx FPGA
- AVR Glitch: Modifying Code Execution Paths Using Only Voltage
Electromagnetic Fault
Electromagnetic Fault Injection is an advanced technique used in hardware security and testing, where electromagnetic pulses are used to induce faults in electronic devices
Tools
- Create a custom Electromagnetic fault injection tool: Dirt cheap Electromagnetic Fault Injection
Challenges
- Fiesta - Riscure Hardware CTF 2016 - pedro-javierf - solved using a custom EMFI
Clock Glitch
This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.
Challenges
- Fiesta - Riscure Hardware CTF 2016 - jcldf - solved using a clock glitch
Pin2pwn
In the case of an external SPI flash, it is possible for an attacker to short these pins :
The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell on the embedded Linux.
Here is a practical example, putting a cable between MOSI and Chip Select :
References
- rhme-2016 write-up Fault Injection - hydrabus
- Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11
- Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017
- pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24