SiliconToaster: A Cheap and Programmable EM Injector for Extracting Secrets

Abdellatif, Karim M.; Heriveaux, Olivier

doi:10.1109/fdtc51366.2020.00012

Cited by 11 publications

(10 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Examples of the architectures and variations can be seen in published and available injection platforms. This includes platforms described in previous work such as [8], [9], [15], [16], [17].…”

Section: Drive Architecturesmentioning

confidence: 99%

“…The exploitation of the fault is not specific to EM faults, and many comprehensive backgrounds on this topic have been given [7], [28]. The objective of an attacker will vary widely, but realworld demonstrations have shown usage of EMFI to dump secrets from memory [22], bypass password checks in bootloaders [10], bypass code protection mechanisms in microcontrollers [15], and perform differential fault analysis [9], [17], [29]. The insertion of faults with EMFI can even be used to validate safety-critical systems [27].…”

Section: From Interference To Exploitationmentioning

confidence: 99%

See 1 more Smart Citation

(Adversarial) Electromagnetic Disturbance in the Industry

Beckers

Guilley

Maurine

et al. 2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

Faults occur naturally and are responsible for reliability concerns. Faults are also an interesting tool for attackers to extract sensitive information from secure chips. In particular, non-invasive fault attacks have received a fair amount of attention. One easy way to perturb a chip without altering it is the so-called Electromagnetic Fault Injection (EMFI). Such attack has been studied in great depth, and nowadays, it is part and parcel of the state-of-the-art. Indeed, new capabilities have emerged where EM experimental benches are used to cryptanalyze chips. The progress of this "field" is fast, in terms of reproducibility, accuracy, and number of use-cases. However, there is too little awareness about such advances. In this paper, we aim to expose the true harmfulness of EMFI (including reproducibility) to enable reasonable security quotations. We also analyze protections (at hardware/firmware/system levels) in light of their efficiency. We characterize the specificity of EM fault injection compared to other injection means (laser, glitch, probing).

show abstract

Section: Drive Architecturesmentioning

confidence: 99%

Section: From Interference To Exploitationmentioning

confidence: 99%

(Adversarial) Electromagnetic Disturbance in the Industry

Beckers

Guilley

Maurine

et al. 2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

show abstract

“…Recently, there have been published several custom-made low-cost EMFI device prototypes which can be easily reproduced by using inexpensive off-the-shelf components and a moderate knowledge in electronics. BADFET [10] was shown to be capable of overcoming a secure boot, Silicon-Toaster [55] was used to defeat a firmware security protection of an IoT device, and another low-cost device was shown to be effective in privilege escalation [56].…”

Section: Electromagnetic Fault Injectionmentioning

confidence: 99%

How Practical Are Fault Injection Attacks, Really?

Breier

Hou

2022

IEEE Access

View full text Add to dashboard Cite

Fault injection attacks (FIA) are a class of active physical attacks, mostly used for malicious purposes such as extraction of cryptographic keys, privilege escalation, attacks on neural network implementations. There are many techniques that can be used to cause the faults in integrated circuits, many of them coming from the area of failure analysis. In this paper we tackle the topic of practicality of FIA. We analyze the most commonly used techniques that can be found in the literature, such as voltage/clock glitching, electromagnetic pulses, lasers, and Rowhammer attacks. To summarize, FIA can be mounted on most commonly used architectures from ARM, Intel, AMD, by utilizing injection devices that are often below the thousand dollar mark. Therefore, we believe these attacks can be considered practical in many scenarios, especially when the attacker can physically access the target device.INDEX TERMS Hardware security, fault injection attacks, fault analysis, cryptography.

show abstract

“…Next to the intended corruption of data values, faults can be used to skip security checks, enter protected code paths, or gain code execution [4], [5]. During the past years, attacks against microcontrollers and SoCs using laser-based [6] and electromagnetic [7], [8] FI have been presented. While these techniques offer high accuracy in targeting a specific part of the chip, they also require comparatively sophisticated setups.…”

Section: Introductionmentioning

confidence: 99%

The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs

Bittner¹,

Krachenfels²,

Galauner³

et al. 2021

Preprint

View full text Add to dashboard Cite

Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as selfdriving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI is known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation.

show abstract

SiliconToaster: A Cheap and Programmable EM Injector for Extracting Secrets

Cited by 11 publications

References 6 publications

(Adversarial) Electromagnetic Disturbance in the Industry

(Adversarial) Electromagnetic Disturbance in the Industry

How Practical Are Fault Injection Attacks, Really?

The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs

Contact Info

Product

Resources

About