What is Fault Injection?

Fault injection is a technique used in device security testing, wherein flaws or faults are deliberately introduced into a system in order to measure how it responds. Fault injection enables testers to identify issues that would not be discovered using traditional test methods and helps them assess whether the system can handle errors and recover effectively without crashing.

Fault injection testing

Fault injection testing is widely used in high-profile sectors such as payment and content protection, where strict security requirements are in place. A typical Fault Injection attack forces a device to bypass its security mechanism. We call that ‘introducing a glitch’. Fault injection is an attack on hardware that exploits insecure practices in software. Fault Injection testing can therefore help developers understand how their code will respond when it encounters a glitch, ideally allowing them to make design changes before deploying their application into production.

Fault injection can be performed manually or automated through specialized tools and software, such as Inspector Fault Injection.

The story of fault injection attacks

Fault injection was originally developed in the 1970s as a means of testing the robustness of hardware. The technique quickly became an indispensable tool for engineers, allowing them to identify potential weaknesses in their systems and verify the correctness of their designs. Fault injection has been used to test individual chips and whole systems, embedded and IoT devices, as well as payment card circuitry.

Fault injection techniques have evolved considerably over the years thanks to advances in technology and increased understanding of how different types of systems respond under fault conditions. The improved accuracy and speed of modern fault injection testing hardware allow developers to quickly pinpoint the underlying cause of any given vulnerability before they take corrective action.

Examples of attacks that utilize Fault Injection

Why do we consider Fault Injection to be the next-generation security threat?

It takes one fault to dump your firmware, bypass secure boot or derive a key.

Logical attacks are the number one threat for any secure embedded system. If you are developing hardware or software for an IoT appliance, router or mobile phone, you have to develop secure code and rely on universally accepted secure coding standards. However, ensuring that your development is resistant to pure software attacks is just part of the problem.

With the improvement of software security, adversaries have started to look for new ways to attack devices in their pursuit to steal private data and intellectual property and to compromise target infrastructure in general. Fault Injection is a physical attack on the data and behavior of an Integrated Circuit (IC). This means Fault Injection is a physical attack on the logic, with the goal of bypassing secure boot mechanisms, extracting a secret key, disrupting a program counter, extracting firmware or manipulating any other secure asset inside an IC. Such an attack is harder to implement, but it often allows an adversary to bypass protection methods entirely, with a severe impact on vendors and consumers. We believe that Fault Injection is the next logical step in the evolution of attacks, especially relevant for any embedded system developer.

Optical & Laser Fault Injection

Optical & laser fault injection is a form of fault injection that uses light pulses to physically manipulate and distort data. This manipulation can be done in real-time or in an offline environment on previously recorded data, such as signal traces. Using this method, the signal paths within the device can be manipulated, causing malfunction and unexpected behavior when using certain components of the system.

The primary benefit of using optical & laser fault injection is its precision, as it allows testers to identify specific areas where an attack can be implemented. This makes optical & laser fault injection a great tool for improving the resilience of a device.

Why Fault Injection testing should have priority

It would be very hard to ‘glitch’ a computer browser or in general any ‘rich’ environment. This is why Fault Injection research and testing is mostly focused on embedded systems: where the code base is small, the hardware to be attacked is relatively simple, hence the potential for a successful attack is higher. But any complex device, like a laptop or a smartphone, relies on a ‘simple routine’ when booting, and this is when the core security mechanisms are being established. A successful attack on a Secure Boot implementation could then be utilized to alter the firmware, circumvent the root of trust, with obvious consequences – a compromise of secure payment on a smartphone or stealing an encryption key.

For many applications it is much easier to attack via a software vulnerability in a rich environment. That is the reason why hardware attacks are often perceived as low priority. We believe this needs to be changed. Software becomes more resilient and at some point adversaries will switch to more complex attacks on hardware, including Fault Injection. Compromising Secure Boot and other critical components of a system may lead to disastrous consequences, i.e. loss of sensitive customer data and corporate intellectual property. Fault Injection can also be a stepping stone to access firmware and analyze it to find additional vulnerabilities. By combining various vulnerabilities, an attacker is then capable of scaling the attack, affecting not only a single device, but rather the entire fleet or even the backend network infrastructure of a vendor.

“A Fault Injection attack is easier to perform than Side Channel Analysis”

Fault Injection is not something that only a sophisticated research laboratory or some government agency can perform. Fault Injection is increasingly accessible to adversaries with some basic electronics knowledge and time. Since many devices are not protected at all against Fault Injection, finding the needle in the haystack is not that hard. Furthermore, if a weakness has been found then it’s usually easy to reproduce.

The threat of Fault Injection in a nutshell:

  • Inexpensive and can be carried out with basic tools.
  • Becomes even easier with the development of open source tools.
  • Easy to reproduce when you find a fault.
  • Large attack surface.
  • Often it takes anywhere from minutes to hours to compromise a device.

Riscure & Fault Injection

Riscure has more than 20 years of experience in Fault Injection and is considered the expert in Fault Injection. Fault Injection can be mitigated with the proper knowledge and testing. At Riscure we offer 4 pillars of Fault Injection knowledge and testing:

  • Security Training
  • True Code – Code Testing
  • Inspector – Hardware Analysis
  • Services – Testing and Certification

If you are interested in embedding the latest hardware security expertise in your development, feel free to get in touch with us via inforequest@riscure.com or by completing the form below.

Inspector Fault Injection

Our cutting-edge hardware and advanced software feature the most accurate and reliable fault injection tools available on the market.

Fundamental Secure Coding

Are you a seasoned C/C++ programmer who wants to take their skills to the next level? Then this learning program is for you! Learn how to eliminate logical errors, protect crypto algorithms against Side Channel Analysis attacks, and harden critical code areas against Fault Injection attacks.

Riscure True Code

Automate vulnerability identification and help security evaluators collaborate efficiently with the development team to deliver secure code.

Security training: Fault Injection Crash Course

The easiest example of a Fault Injection attack is a voltage drop. If a device, or a specific chip, normally needs 3.3 volts from a power supply, what could happen if during a sensitive operation (e.g. checking your PIN) we drop it to 2.2 V, more or less? A few things can happen: either the device continues working, or it goes mute and needs to be reset, or even worse, it breaks. But with the right timing it skips the verification and gives access to something normally not allowed, for example your bitcoin wallet data. This is what we would describe as a successful glitch. In general we say at Riscure: Every unprotected IC is vulnerable to Fault Injection Attacks.
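The skipped PIN verification described above can be modelled in software to show why a single-boolean check fails open and how a redundant, default-deny check contains one fault. This is an added example, not Riscure's code; the fault model (one comparison per attempt is "skipped" and reports a match), the function names, the sample PINs and the result constants are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4
/* Bitwise-complementary result codes: no single flipped bit turns DENY into GRANT. */
#define GRANT 0x3CA5965Au
#define DENY  0xC35A69A5u

/* Constructed sample data. */
static const uint8_t REF_PIN[PIN_LEN]   = {1, 2, 3, 4};
static const uint8_t WRONG_PIN[PIN_LEN] = {9, 9, 9, 9};

/* Simplified fault model (assumption): the glitch_at-th comparison is
   "skipped" and reports a match. glitch_at == 0 means no fault. */
static int cmp_step, glitch_at;

static int pin_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    if (++cmp_step == glitch_at) return 1;       /* simulated glitch */
    for (int i = 0; i < PIN_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Weak: a single boolean decides, so one fault grants access. */
uint32_t check_weak(const uint8_t *in, int glitch) {
    cmp_step = 0; glitch_at = glitch;
    return pin_equal(in, REF_PIN) ? GRANT : DENY;
}

/* Hardened: default deny, compare twice, treat disagreement as a fault. */
uint32_t check_hardened(const uint8_t *in, int glitch) {
    volatile uint32_t result = DENY;
    cmp_step = 0; glitch_at = glitch;
    volatile int first  = pin_equal(in, REF_PIN);
    volatile int second = pin_equal(in, REF_PIN);
    if (first && second) result = GRANT;
    if (first != second) result = DENY;          /* fault detected */
    return result;
}

int main(void) {
    printf("weak,     wrong PIN, glitch: %s\n",
           check_weak(WRONG_PIN, 1) == GRANT ? "GRANT" : "DENY");
    printf("hardened, wrong PIN, glitch: %s\n",
           check_hardened(WRONG_PIN, 1) == GRANT ? "GRANT" : "DENY");
    return 0;
}
```

The hardened variant only holds under the stated one-fault-per-attempt assumption; it illustrates the redundancy idea rather than a complete countermeasure.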

In its most basic form, using general-purpose hardware, a fault injection attack is described in this video presentation by Riscure’s expert Rafael Boix Carpi:

Free on demand webinars on fault injection attacks

We invite you to take a sneak peek at one of our on demand webinars regarding Fault Injection. Click here to register.

The Price We Pay for Faults: Video Webinar

Tune into our recent webinar presented by Riscure's CEO Marc Witteman, as he breaks down the dollars and cents of Fault Injection.

New webinar: Fault Injection for Software Developers in a Nutshell

Join the Riscure webinar Fault Injection for Software Developers in a Nutshell.

Join us online for the Riscure Fault Injection Crash Course

This online event aims to provide you with essential knowledge on hardware attacks and remediations.

Publications on fault injection by Riscure:

Forgotten Essence Of The Backend Penetration Testing

At Riscure we have observed many severe security issues exploited by hackers even in previously certified solutions. In recent years, certification, which aims to minimize security risks, has ...

The Price We Pay for Fault Injection

This new paper describes the background and risks of Fault Injection.

Fault Mitigation Patterns

To make it easier for developers to protect their security-critical devices, Riscure created this paper discussing patterns that can cost-effectively mitigate the code.

PEW PEW PEW: Designing Secure Boot Securely

We present our vision on secure boot design for embedded devices by means of clear, concrete, practical and easy-to-follow recommendations.

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses

This talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware.

Bypassing Secure Boot Using Fault Injection

This research is also available in the form of slides and video from BlackHat Europe 2016.

Fault injection on automotive diagnostic protocols

From the beginning of the electronics era in vehicles, car manufacturers have been trying to simplify how to troubleshoot problems in their vehicles.

Bypassing Secure Boot using Fault Injection

Watch the video of this research presented at SHA2017

Escalating Privileges in Linux using Fault Injection

Today’s standard embedded device technology is not robust against Fault Injection (FI) attacks such as Voltage Fault Injection (V-FI)

Controlling PC on ARM using Fault Injection

Fault injection attacks are a powerful technique to influence the intended behavior of embedded systems.

Practical Differential Fault Attack on AES

Practical Differential Fault Attack on AES from Riscure

Optical fault injection on secure Microcontrollers

In this paper we detail the latest developments regarding optical fault injection on secure microcontrollers.

Get in touch with us

Contact our sales team to discuss how Riscure can help you protect your solution from Fault Injection attacks with tools, security evaluation service or training. Our team responds within a working day.
