It would be very hard to ‘glitch’ a computer browser or, in general, any ‘rich’ environment. This is why Fault Injection research mostly focuses on embedded systems, where the code base is small and the hardware under attack is relatively simple, so the potential for a successful attack is higher. But any complex device, such as a laptop or a smartphone, relies on a ‘simple routine’ when booting, and this is when the core security mechanisms are being established. A successful attack on a Secure Boot implementation could then be used to alter the firmware and circumvent the root of trust, with obvious consequences – a compromise of secure payment on a smartphone or a permanent backdoor on a laptop.
For many applications it is much easier to attack via a software vulnerability in a rich environment. That is the reason why hardware attacks are often perceived as low priority. We believe this needs to change. Software is becoming more resilient, and at some point adversaries will switch to more complex attacks on hardware, including Fault Injection. Compromising Secure Boot and other critical components of a system may lead to disastrous consequences, i.e. complete security compromise. Fault Injection can also be used to analyze firmware in order to find additional vulnerabilities. Combined, an attacker is then capable of scaling the attack, affecting not only a single device but the entire fleet, or even the backend network infrastructure of a vendor.

The threat is real
Fault Injection is not something that only a sophisticated research laboratory or a government agency can perform. It is increasingly accessible to adversaries with some basic electronics knowledge and time. Since many devices are not protected at all against Fault Injection, finding the needle in the haystack is not that hard. Furthermore, once a weakness has been found, it is usually easy to reproduce.
The threat of Fault Injection in a nutshell:
- Inexpensive and can be carried out with basic tools.
- Becomes even easier with the development of open source tools.
- Easy to reproduce when you find a fault.
- Large attack surface.
- Often it takes anywhere from minutes to hours to compromise a commercial device.