Fault injection testing
Fault injection testing is widely used in high-profile sectors such as payment and content protection, where strict security requirements are in place. A typical Fault injection attack forces a device to bypass the security mechanism. We call that ‘introducing a glitch’. Fault injection is a an attack on hardware that utilizes insecure practices in software. Fault Injection testing can therefore help developers understand how their code will respond when it encounters a glitch, ideally allowing them to make design changes before deploying their application into production.
Fault injection can be performed manually or automated through specialized tools and software, such as Inspector Fault Injection.
The story of fault injection attacks
Fault injection was originally developed in the 1970s as a means of testing the robustness of hardware. The technique quickly became an indispensable tool for engineers, allowing them to identify potential weaknesses in their systems and verify the correctness of their designs. Fault injection has been used to test individual chips and whole systems, embedded and IoT devices, as well as payment card circuitry.
Fault injection techniques have evolved considerably over the years thanks to advances in technology and increased understanding of how different types of systems respond under fault conditions. The improved accuracy and speed of modern fault injection testing hardware allow developers to quickly pinpoint the underlying cause of any given vulnerability before they take corrective action.
Examples of attacks that utilize Fault Injection
- In 2016, researcher Yifan Lu was able to successfully bypass the Playstation Vita’s DRM protections by using fault injection techniques.
- Using fault injection attack to bypass the security of a crypto wallet – a research by Riscure’s expert Sergei Volokitin.
- Fault Injection vulnerability in ESP32 IoT System-On-Chip that leads to arbitrary code execution – discovered by Riscure
Optical & Laser Fault Injection
Optical & laser fault injection is a form of fault injection that uses light pulses to physically manipulate and distort data. This manipulation can be done in real-time or in an offline environment on previously recorded data, such as signal traces. Using this method, the signal paths within the device can be manipulated causing misfunctioning and unexpected behavior when using certain components of the system.
The primary benefit of using optical & laser fault injection is its precision, as it allows to identify specific areas where an attack can be implemented. This makes optical & laser fault injection a great tool for improving resilience of a device.
Why Fault Injection testing should have priority
It would be very hard to ‘glitch’ a computer browser or in general any ‘rich’ environment. This is why Fault Injection research and testing is mostly focused on embedded systems: where the code base is small, the hardware to be attacked is relatively simple, hence the potential for a successful attack is higher. But any complex device, like a laptop or a smartphone, relies on a ‘simple routine’ when booting, and this is when the core security mechanisms are being established. A successful attack on a Secure Boot implementation could then be utilized to alter the firmware, circumvent the root of trust, with obvious consequences – a compromise of secure payment on a smartphone or stealing an encryption key.
For many applications it is much easier to attack via a software vulnerability in a rich environment. That is the reason why hardware attacks are often perceived as low priority. We believe this needs to be changed. Software becomes more resilient and at some point adversaries will switch to more complex attacks on hardware, including Fault Injection. Compromising Secure Boot and other critical components of a system may lead to disastrous consequences, i.e. loss of sensitive customer data and corporate intellectual property. Fault Injection can also be a stepping stone to access firmware and analyze it to find additional vulnerabilities. By combining various vulnerabilities, an attacker is then capable of scaling the attack, affecting not only a single device, but rather the entire fleet or even the backend network infrastructure of a vendor.
“A Fault Injection attack is easier to perform
than Side Channel Analysis”
Fault Injection is not something only a sophisticated research laboratory or some government agency can only perform. Fault Injection is increasingly accessible to adversaries with some basic electronics knowledge and time. Since many devices are not protected at all against Fault Injection, finding the needle in the haystack is not that hard. Furthermore, if a weakness has been found then it’s usually easy to reproduce.
The threat of Fault Injection in a nutshell:
- Inexpensive and can be carried out with basic tools.
- Becomes even easier with the development of open source tools.
- Easy to reproduce when you find a fault.
- Large attack surface.
- Often it takes anywhere from minutes to hours to compromise a device.
Security training: Fault Injection Crash Course
The easiest example of a Fault Injection is an attack is a voltage drop. If a device, or a specific chip normally needs 3.3 volts from a power supply, what could happen if during a sensitive operation (e.g. checking your PIN) we drop it to 2.2v more, or less? A few things can happen, either the devices continues working, or it mutes and needs to be reset, or even worse it breaks. But with the right timing it skips the verification and gives access to something normally not allowed, for example your bitcoin wallet data. This is what we would describe as a successful glitch. In general we say at Riscure: Every unprotected IC is vulnerable to Fault Injection Attacks.
In the most basic way, using general-purpose hardware a fault injection attack is described in this video presentation by Riscure’s expert Rafael Boix Carpi:
Get in touch with us
Contact our sales team to discuss how Riscure can help you protect your solution from Fault Injection attacks with tools, security evaluation service or training. Our team responds within a working day.