Electromagnetic Fault Injection Attacks
Updated: Mar 22
Electromagnetic Fault Injection (EMFI) is a hardware attack that alters the behavior of logic in a chip by firing a short, high-current pulse through a small coil held close to the package. The pulse induces transient currents in the die that can flip a stored value, corrupt a bus transfer, or make the CPU skip or mis-execute an instruction. It belongs to the same family as "clock glitching" and "voltage glitching", which reach a similar effect by tampering with the clock or power supply instead of with an electromagnetic field. The attacker's goal is the same in all three cases: an error in the CPU, memory or storage at a chosen moment that bypasses a security check, corrupts a cryptographic computation, or leaks data. In this article we explain EMFI attacks, give examples of successful applications, and offer recommendations to help you protect against them.
What is an EMFI Attack?
An EMFI attack is a type of hardware attack in which an attacker injects faults into a system without making electrical contact with it: a probe coil is positioned over the chip and pulsed, and the induced current disturbs the logic underneath. It is one of the more sophisticated hardware attacks in terms of complexity and requires a good understanding of electronics and of the target's internals. Where clock and voltage glitching act on the clock, reset and power signals of the system, EMFI acts on the silicon directly and can be aimed at a particular region of the die, such as a memory block or the CPU core, to induce logic errors in a manner that is useful to the actor(s) initiating the attack.
A successful EMFI attack requires the pulse to land at a precise point in time, usually expressed as an offset from an observable trigger such as the release of reset, a command on a serial interface, or a feature in the power trace, and with an amplitude strong enough to cause a fault but not so strong that it resets or destroys the chip. An attacker needs physical access to the printed circuit board (PCB) they are targeting and bench equipment to drive and monitor the attack (e.g. oscilloscope, logic analyzer, signal generator, bench power supply). Purpose-built fault injection tools that take a trigger and fire after a programmable delay have also become available for EMFI and its sibling techniques:
ChipShouter (EMFI pulse generator and probe): https://store.newae.com/chipshouter-picoemp
ChipShouter Schematic: https://github.com/newaetech/ChipSHOUTER/blob/master/documentation/NPCA-CW520-ChipSHOUTER-07_Schematic.pdf
ChipWhisperer (clock and voltage glitching, plus side-channel capture): https://www.newae.com/chipwhisperer
Technical Overview
The goal of the attack is to inject a disturbance at a specific point in time to cause an error in the system. To do this, the attacker has to choose the pulse parameters (amplitude, usually started low and raised gradually to reduce the likelihood of permanently damaging the chip; pulse width and polarity; and the position of the probe over the package), understand enough of the target's internals and circuitry to know which operation to hit, and be able to time the pulse precisely against that operation.
Because the useful window is often only a few clock cycles wide, timing is handled by the glitch hardware rather than by hand. The tool is armed, waits for a trigger (for example the release of reset or a byte on a serial line), counts a programmable delay, and then fires the pulse. Since the delay and amplitude that produce a useful fault are not known in advance, an attack is run as a campaign: the parameters are swept over a range, each setting is tried many times, and the target's responses are classified (normal, crash or reset, or the desired fault) until a reproducible setting is found.
Here is a simple software model, written in Python, of the effect a fault has on a routine whose run time depends on the data it processes. No electromagnetic pulse is involved; the glitch_at parameter stands in for a pulse that makes the CPU skip one branch:
import time

# Software model only: the routine's run time depends on the data it
# processes, and glitch_at models a fault that skips the slow branch at one
# position. No real fault is injected; that requires hardware.
def encrypt(key, plaintext, glitch_at=None):
    result = ""
    for i in range(len(plaintext)):
        # Slow path, taken only when plaintext[i] equals 'a' + (i mod 26)
        # (a stand-in for any data-dependent branch; it does not test the key).
        slow_path = plaintext[i] == chr(ord('a') + (i % 26))
        if slow_path and glitch_at != i:
            time.sleep(0.1)
        result += chr((ord(key[i % len(key)]) + ord(plaintext[i])) % 256)
    return result

# Main function: baseline timing, then one simulated fault per position
def main():
    key = "my_secret_key"
    plaintext = "abc, world!"  # positions 0-2 take the slow path
    # Measure time taken for encryption with no fault injected
    start_time = time.time()
    ciphertext = encrypt(key, plaintext)
    end_time = time.time()
    print("Encryption time (no glitching):", end_time - start_time)
    # Skip the slow branch at each position in turn; a run that is about
    # 0.1 s faster than the baseline reveals a position that took it
    for i in range(len(plaintext)):
        start_time = time.time()
        ciphertext = encrypt(key, plaintext, glitch_at=i)
        end_time = time.time()
        print("Encryption time (with glitching at position {}):".format(i), end_time - start_time)

if __name__ == "__main__":
    main()
In this example, the encrypt function is a stand-in for a routine with a data-dependent branch, and the simulated fault removes that branch at one position per run. Comparing each faulted run against the baseline shows which positions took the slow path, which is the kind of information an attacker learns by watching how the target's timing or output changes when a pulse lands at a given offset. A real EMFI attack does this in hardware: the pulse corrupts or skips an instruction, and the attacker observes the change in behavior (timing, output, or a bypassed check) to locate the interesting instruction and then exploit it.
Examples of Successful EMFI Attacks
There have been several examples of successful fault injection attacks in the past. In 2011, researchers from MIT demonstrated the use of fault injection to break the encryption of a smart card. The attackers used voltage glitching and clock glitching, sibling techniques of EMFI, to induce a logic error in the card that allowed them to extract the secret keys used to encrypt the card's data.
In 2014, researchers at the University of Cambridge demonstrated the use of clock glitching to disrupt the operation of an encrypted hard drive. By injecting a glitch into the drive's clock signal, the researchers were able to disrupt the encryption process and corrupt the data on the drive.
In 2015, researchers at the University of California, Riverside demonstrated the use of voltage glitching and clock glitching to bypass the security features of an autonomous robotic car. By injecting a glitch into the car's motor controller, the researchers were able to bypass the controller's authentication mechanism and take control of the car.
In 2022, Joe Grand used fault injection (voltage glitching of the wallet's microcontroller) to recover an estimated $2 million in THETA from a Trezor One hardware wallet whose PIN and recovery phrase had been lost; he documented the attack in a video.
Recommendations to Prevent EMFI Attacks
Unfortunately, there is no silver bullet against EMFI. The attack does not depend on a software bug, only on physical access, equipment, and the skill to find the right place and moment, so defenses aim to raise the number of precisely placed faults an attacker needs and to make the device fail closed when a fault is detected.
The first measure is to limit physical access to the device, since EMFI cannot be performed remotely. Tamper-evident or tamper-responsive enclosures, locks and cameras for equipment in shared spaces, and zeroizing secrets when an enclosure is opened all raise the cost of getting a probe onto the board.
In addition, designers and engineers can build fault tolerance into the design itself. Redundancy is the main tool: compute or compare security-critical values twice (or once plus their complement) and refuse if the results disagree; keep a control-flow counter that is incremented along the expected path and verified before any privileged action; never let a single conditional branch stand between a wrong PIN and an unlock; add random delays so the interesting instruction does not sit at a fixed offset from the trigger; and record a failed attempt in non-volatile memory before the comparison runs. At the hardware level, voltage and clock monitors, on-die electromagnetic or light sensors, and shielding can detect or damp a pulse. A robust watchdog timer helps the device recover from the hangs and resets that a glitch campaign produces, but it does not by itself prevent a skipped instruction.
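The following added example (not code from the article or from any real device) ties the parameter sweep described in the Technical Overview to the redundancy and control-flow-counter countermeasures above. It models the target as a short list of instructions and the glitch as a single skipped instruction, the most common effect of an EM pulse or voltage glitch; SECRET_PIN, WRONG_PIN and NEAR_PIN are constructed values. A sweep over the skip offset finds that the naive PIN check falls to one fault, while the hardened check needs three faults at exactly the right offsets, and its counter also catches the case where the skipped instruction is one of the digit compares.

```python
import itertools

# Constructed values for the simulation (hypothetical, not from a real device).
SECRET_PIN = [4, 2, 7, 1]
WRONG_PIN = [0, 0, 0, 0]
NEAR_PIN = [4, 2, 7, 0]  # only the last digit is wrong


def run(program, skips=()):
    """Execute a list of (name, fn) steps in order.

    Fault model: every index in `skips` is one skipped instruction. Each
    executed step also bumps a counter, modelling firmware that increments a
    control-flow counter inline with its security-critical code.
    """
    state = {"unlocked": False, "mismatch": 0, "ctr": 0}
    for idx, (name, step) in enumerate(program):
        if idx in skips:
            continue  # the glitch lands here: this instruction never runs
        if step(state) == "halt":
            break
        state["ctr"] += 1
    return state


def compare_steps(entered):
    """Accumulate a mismatch flag over every digit (no early exit)."""
    steps = []
    for i in range(len(SECRET_PIN)):
        def cmp(state, i=i):
            state["mismatch"] |= entered[i] ^ SECRET_PIN[i]
        steps.append(("cmp%d" % i, cmp))
    return steps


def branch(state):
    """Conditional jump: refuse if any digit mismatched."""
    if state["mismatch"]:
        return "halt"


def unlock(state):
    state["unlocked"] = True


def build_naive_check(entered):
    """Vulnerable: one conditional jump stands between attacker and unlock."""
    return compare_steps(entered) + [("branch", branch), ("unlock", unlock)]


# Steps that must have executed before the hardened final check runs:
# four compares plus two redundant branches.
HARDENED_EXPECTED_CTR = len(SECRET_PIN) + 2


def build_hardened_check(entered):
    """Hardened: redundant branches plus a control-flow counter verified at
    the decision point, so a single skipped instruction cannot unlock."""
    def final_check(state):
        if state["mismatch"] or state["ctr"] != HARDENED_EXPECTED_CTR:
            return "halt"  # a step upstream was skipped: fail closed
    return compare_steps(entered) + [
        ("branch1", branch),
        ("branch2", branch),  # same test again; one skip cannot remove both
        ("final_check", final_check),
        ("unlock", unlock),
    ]


def glitch_sweep(build, entered, faults=1):
    """Model of the parameter search: try every combination of `faults`
    skipped instructions and report the offsets that unlock the device."""
    program = build(entered)
    hits = []
    for skips in itertools.combinations(range(len(program)), faults):
        if run(program, skips)["unlocked"]:
            hits.append(skips)
    return hits


if __name__ == "__main__":
    print("naive, correct PIN     :", run(build_naive_check(SECRET_PIN))["unlocked"])
    print("naive, 1 skip, wrong   :", glitch_sweep(build_naive_check, WRONG_PIN))
    print("naive, 1 skip, near    :", glitch_sweep(build_naive_check, NEAR_PIN))
    print("hardened, correct PIN  :", run(build_hardened_check(SECRET_PIN))["unlocked"])
    print("hardened, 1 skip, near :", glitch_sweep(build_hardened_check, NEAR_PIN))
    print("hardened, 2 skips      :", glitch_sweep(build_hardened_check, WRONG_PIN, 2))
    print("hardened, 3 skips      :", glitch_sweep(build_hardened_check, WRONG_PIN, 3))
```

Two caveats on reading the output. First, the model covers instruction skips only; a fault that flips a bit in the mismatch flag or the counter is a different model, and defending against it is what complementary (value plus inverse) encodings are for. Second, a real campaign sweeps amplitude and probe position as well as offset, and a given setting succeeds only some fraction of the time, so each point is tried many times before it is classified.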
Finally, treat fault injection as part of the threat model in the secure development life-cycle (SDL). Code review should ask, for each security decision, what happens if any single instruction is skipped or any single value is corrupted. Attackers rarely need a conventional software vulnerability to carry out a fault injection attack; they need one place in the code where a single fault has a large effect, and review is the cheapest way to find those places before they do.
Conclusion
Electromagnetic Fault Injection (EMFI) attacks are a type of hardware attack that injects faults into a computer system or chip with an electromagnetic pulse, alongside the related clock and voltage glitching techniques. It is one of the more sophisticated hardware attacks, requiring physical access, suitable equipment and a good understanding of electronics and of the target to be successful. There have been several publicly documented fault injection attacks, and there are countermeasures that raise their cost: limiting physical access, building redundancy and fault detection into the design, and using a secure development life-cycle in which these attacks are considered.