Fault Injection: Breaking Hardware Encryption via Voltage Manipulation
Explore the advanced hardware hacking technique of Fault Injection, where attackers manipulate voltage and electromagnetic fields to bypass security and break encryption.
In the digital age, we place immense trust in cryptographic algorithms to secure everything from our mobile phone communications and banking transactions to the firmware running inside critical infrastructure. From a mathematical perspective, modern algorithms like AES and RSA are virtually impenetrable; a brute-force attack against them would take longer than the age of the universe. However, cryptography does not operate in a theoretical void—it executes on physical hardware. This hardware, composed of silicon and transistors, operates in the physical world and is subject to the laws of physics.
This realization is the foundation of hardware security analysis and Side-Channel Attacks. While software hackers look for buffer overflows, hardware hackers look for physical weaknesses. One of the most devastating and advanced hardware exploitation techniques is Fault Injection (FI). Also known as glitching, Fault Injection involves intentionally introducing brief, calculated environmental stressors—such as rapid voltage drops, electromagnetic pulses, or extreme temperature variations—into a microchip while it is executing operations. By doing so, an attacker can force the hardware to make a computational error, skip an instruction, or corrupt a variable, allowing them to bypass secure boot mechanisms, dump protected memory, or extract the deeply embedded cryptographic keys that the math alone could never surrender. This article delves into the sophisticated mechanics of Fault Injection, demonstrating how attackers manipulate the physical world to shatter digital security.
Core Concepts of Fault Injection
To comprehend Fault Injection, one must understand how a microchip executes instructions. A microcontroller operates in sync with a clock signal, a continuous pulse that dictates the timing of operations. During each clock cycle, the CPU fetches an instruction from memory, decodes it, executes it, and writes the results. This flawless execution relies entirely on the chip receiving a stable supply of power (voltage) and operating within specific environmental parameters.
Fault Injection seeks to disrupt this delicate balance precisely at the moment a critical instruction is being processed. The primary methodologies include:
1. Voltage Glitching
Voltage glitching is the most common and accessible form of Fault Injection. An attacker physically connects to the power supply pins of the target microcontroller. During a critical operation—such as verifying a cryptographic signature or checking a password—the attacker uses specialized hardware (like a ChipWhisperer or a custom FPGA setup) to rapidly drop the power supply voltage to zero (or a near-zero level) for an incredibly brief duration, often measured in nanoseconds, before restoring it.
This sudden starvation of power causes the transistors inside the chip to behave unpredictably. If timed perfectly, the CPU might fetch an instruction but fail to execute it, effectively skipping a critical security check (e.g., bypassing an if (password == correct) statement). Alternatively, it might cause the CPU to misread data from memory, turning a secure state variable from '0' to '1'.
2. Clock Glitching
Clock glitching involves manipulating the external clock signal provided to the microcontroller. The attacker introduces an artificially shortened clock cycle (a clock glitch). Because the cycle is shorter than expected, the CPU does not have enough time to allow electrical signals to propagate fully through its logic gates. This timing violation causes the CPU to latch incorrect data or skip instructions, leading to exploitable errors in execution flow or data corruption, similar to voltage glitching.
3. Electromagnetic Fault Injection (EMFI)
EMFI is a highly advanced, non-invasive technique that does not require direct electrical connection to the chip's pins. Instead, the attacker uses a high-voltage pulse generator connected to a tiny, specialized magnetic coil. The coil is positioned meticulously over the surface of the decapped chip. When the pulse is fired, it generates an intense, highly localized electromagnetic field. This field induces temporary currents directly within the silicon die of the chip, corrupting data in memory registers or altering the execution of instructions. EMFI allows attackers to target specific regions of a chip (such as the cryptographic coprocessor) with incredible precision.
4. Optical Fault Injection
Optical Fault Injection involves using high-powered lasers to target specific transistors on a decapped silicon die. The photon energy from the laser creates electron-hole pairs within the semiconductor material, temporarily altering the state of a targeted transistor. This is the most precise and expensive form of fault injection, allowing attackers to flip individual bits in memory or logic circuits with pinpoint accuracy.
Real-world Examples: Breaking Encryption
The true power of Fault Injection becomes apparent when it is applied to break cryptographic implementations through a technique known as Differential Fault Analysis (DFA).
Consider a smartcard or a secure microcontroller performing an AES encryption operation. AES consists of multiple rounds of substitution and permutation. In a DFA attack, the attacker first requests the chip to encrypt a known piece of data and records the correct, final ciphertext.
Next, the attacker requests the chip to encrypt the exact same data again, but this time, they introduce a precise Voltage or EM glitch during one of the final rounds of the AES algorithm (typically round 8 or 9). The glitch causes a single byte of data to become corrupted. The chip continues the encryption process using this corrupted data and outputs a faulty ciphertext.
By mathematically comparing the correct ciphertext with the faulty ciphertext, the attacker can deduce the internal state of the algorithm at the moment the fault occurred. With a small number of faulty ciphertexts (sometimes as few as two or three), the attacker can calculate the entire secret AES key. The impenetrable math of AES is completely bypassed because the physical hardware was forced to make a mistake.
Another devastating real-world application of Fault Injection is bypassing Secure Boot. Modern devices use Secure Boot to ensure that only cryptographically signed, authorized firmware can execute. During the boot process, the hardware verifies the digital signature of the firmware. An attacker can use voltage glitching to precisely time a power drop at the exact moment the CPU executes the Branch if Not Equal (BNE) instruction that handles the signature verification failure. The glitch causes the CPU to skip the instruction, tricking the hardware into believing the signature was valid and allowing the attacker to boot malicious, custom firmware on a locked device.
Best Practices & Mitigation
Defending against Fault Injection is incredibly challenging because it requires addressing physical vulnerabilities at the hardware level. However, robust hardware design and careful software engineering can significantly raise the bar for attackers.
1. Hardware Countermeasures
The most effective defenses must be built directly into the silicon. Secure microcontrollers designed for high-security applications (like banking smartcards) incorporate dedicated hardware countermeasures:
- Voltage and Clock Monitors: Specialized circuits that constantly monitor the power supply and clock signal. If a sudden drop or spike is detected, the monitor immediately resets the chip or locks down the memory, preventing the glitch from being exploited.
- Internal Oscillators: Using internal clock generation instead of relying on external clock signals prevents attackers from injecting clock glitches.
- Physical Shielding: Covering the silicon die with active mesh layers. If an attacker attempts to decap the chip to perform EMFI or Optical FI, the mesh is broken, triggering a tamper response that permanently erases cryptographic keys.
2. Software Countermeasures and Redundancy
Software developers writing code for secure embedded systems must assume the hardware can be glitched. They must implement software countermeasures to detect and resist faults:
- Redundant Execution: Critical security checks (like password verification or secure boot signature validation) should be executed multiple times. If an attacker successfully glitches the first check, the subsequent redundant checks will still reject the input, preventing the bypass.
- Variable Duplication: Store critical state variables (e.g., isAuthenticated) in multiple locations and verify they match before proceeding.
- Randomized Execution (Jitter): Attackers rely on precise timing to inject faults. By introducing random delays (jitter) into the execution of critical code, it becomes significantly more difficult for an attacker to synchronize their glitching equipment with the target instruction.
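The following is an added example, not code from the original article or from any product, that puts the three software countermeasures above into one C authentication routine and contrasts it with the single skippable `if (password == correct)` check mentioned in the voltage-glitching section. It runs on a host rather than a microcontroller, so a few things are stand-ins: the sentinel values `STATE_AUTH_OK` / `STATE_AUTH_FAIL`, the secret `EXPECTED`, and the xorshift generator behind `hw_random()` (a real device would use its TRNG) are constructed, and the `fault_mask` parameter is a test hook that corrupts one copy of the state after the decision is made, modelling a glitch that flips bits in a variable. The second copy is stored bit-inverted, a common refinement of the "multiple locations" idea, so that a fault which zeroes or sets both copies together is still caught.

```c
/* Added example: fault-tolerant password check modelled on the article's
 * software countermeasures. Host-runnable model, not firmware from any product. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Critical state is never a plain 0/1. The two encodings differ in every
 * bit (16-bit complements), so a single flipped bit, an all-zero register
 * or an all-ones register never lands on a valid "authenticated" value. */
#define STATE_AUTH_OK    0x5AC3u   /* constructed sentinel            */
#define STATE_AUTH_FAIL  0xA53Cu   /* 16-bit complement of AUTH_OK    */

enum access_result { ACCESS_GRANTED = 1, ACCESS_DENIED = 0, ACCESS_TAMPER = -1 };

/* Constructed reference secret; a real device would compare a hash. */
static const char EXPECTED[] = "correct-horse";

/* Tiny xorshift PRNG standing in for the hardware TRNG (assumption). */
static uint32_t prng_state = 0x1234567u;
static uint32_t hw_random(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Randomised delay so the distance from a trigger (e.g. the last UART byte
 * arriving) to the compare instruction varies from run to run. */
static void jitter(void) {
    volatile uint32_t n = hw_random() & 0xFFu;
    while (n--) { /* burn cycles */ }
}

/* Constant-time comparison: 0 on match, nonzero otherwise, never exits
 * early, so the compare itself gives the attacker no timing trigger. */
static int ct_compare(const char *a, const char *b, size_t n) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff;
}

/* Duplicated state: the second copy always holds the complement of the first. */
struct auth_state { volatile uint16_t ok; volatile uint16_t ok_inv; };

/* fault_mask is a test hook (not part of a real API): XORed into the first
 * copy after the decision, modelling a glitch that corrupts one variable. */
enum access_result check_password(const char *input, uint16_t fault_mask) {
    struct auth_state st = { STATE_AUTH_FAIL, (uint16_t)~STATE_AUTH_FAIL };
    size_t n = strlen(EXPECTED);
    if (strlen(input) != n) return ACCESS_DENIED;

    /* Redundant execution: the decision is taken three times with jitter
     * between runs; all three must agree, otherwise the disagreement is
     * treated as a fault rather than as "probably fine". */
    int votes = 0;
    for (int i = 0; i < 3; i++) {
        jitter();
        if (ct_compare(input, EXPECTED, n) == 0) votes++;
    }
    if (votes == 3) {
        st.ok     = STATE_AUTH_OK;
        st.ok_inv = (uint16_t)~STATE_AUTH_OK;
    } else if (votes != 0) {
        return ACCESS_TAMPER;            /* checks disagreed: fault suspected */
    }

    st.ok ^= fault_mask;                 /* simulated glitch (test hook only) */

    /* Variable duplication: both copies must be mutually consistent AND
     * equal a valid encoding before any privileged path is taken. */
    jitter();
    if ((uint16_t)(st.ok ^ st.ok_inv) != 0xFFFFu) return ACCESS_TAMPER;
    if (st.ok == STATE_AUTH_OK)   return ACCESS_GRANTED;
    if (st.ok == STATE_AUTH_FAIL) return ACCESS_DENIED;
    return ACCESS_TAMPER;                /* neither encoding: corrupted state */
}

int main(void) {
    printf("correct password, no fault : %d\n", check_password("correct-horse", 0));
    printf("wrong password,   no fault : %d\n", check_password("wrong-horse!!", 0));
    printf("correct password, glitched : %d\n", check_password("correct-horse", 0x0100));
    return 0;
}
```

The point of `ACCESS_TAMPER` as a distinct outcome is that a detected inconsistency should feed a tamper response (lockout, counter, reset) rather than be quietly folded into "denied"; a single flipped bit in `ok` now produces a mismatch with `ok_inv` instead of an accepted login.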
3. Cryptographic Hardening
To defend against Differential Fault Analysis (DFA), cryptographic implementations must be hardened. When a device performs a cryptographic operation (like generating a signature or encrypting data), it should apply the inverse operation internally (decrypt the ciphertext, or verify the signature) and confirm that the result matches the original input before releasing the final output. If a fault was injected during the process, this verification step fails, and the device should return an error instead of the faulty ciphertext, denying the attacker the data needed to extract the key.
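As an added example of the encrypt-then-verify countermeasure (not the article's code and not from any real product), the C below wraps a block cipher so that a ciphertext is released only if decrypting it reproduces the plaintext. The reference XTEA algorithm stands in for AES purely because it fits in a few lines; the countermeasure is cipher-independent. `DEMO_KEY` and `DEMO_PT` are constructed values, and the `fault_round` / `fault_mask` parameters are a hypothetical test hook that corrupts one intermediate value during a chosen round, the kind of single corrupted byte DFA relies on.

```c
/* Added example: "compute, invert, compare" fault detection around XTEA.
 * Host-runnable model; XTEA is the public reference algorithm, the fault
 * hook and demo values are constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>

#define XTEA_ROUNDS 32u
#define NO_FAULT    0xFFFFFFFFu   /* fault_round value meaning "inject nothing" */

static const uint32_t DEMO_KEY[4] = { 0x0123ABCDu, 0x4567EF01u, 0x89AB2345u, 0xCDEF6789u };
static const uint32_t DEMO_PT[2]  = { 0xDEADBEEFu, 0x0BADF00Du };

/* Reference XTEA encryption plus a test hook: at round `fault_round` the mask
 * is XORed into half of the state, modelling a glitch that corrupts one
 * intermediate value. Every later round is a bijection, so the final
 * ciphertext is guaranteed to differ from the correct one. */
static void xtea_encrypt(uint32_t v[2], const uint32_t key[4],
                         uint32_t fault_round, uint32_t fault_mask) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0, delta = 0x9E3779B9u;
    for (uint32_t i = 0; i < XTEA_ROUNDS; i++) {
        if (i == fault_round) v0 ^= fault_mask;          /* simulated fault */
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Reference XTEA decryption (the inverse operation used for verification). */
static void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], delta = 0x9E3779B9u, sum = delta * XTEA_ROUNDS;
    for (uint32_t i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Hardened wrapper: the ciphertext leaves this function only if decrypting it
 * reproduces the plaintext. Returns 0 on success; on a detected fault it
 * returns -1 and leaves `out` zeroed, so the faulty ciphertext (the input
 * DFA needs) is never handed to the caller. */
int protected_encrypt(uint32_t out[2], const uint32_t pt[2], const uint32_t key[4],
                      uint32_t fault_round, uint32_t fault_mask) {
    uint32_t ct[2]  = { pt[0], pt[1] };
    uint32_t chk[2];
    xtea_encrypt(ct, key, fault_round, fault_mask);
    chk[0] = ct[0]; chk[1] = ct[1];
    xtea_decrypt(chk, key);
    /* Both halves must round-trip; any mismatch suppresses the output. */
    uint32_t diff = (chk[0] ^ pt[0]) | (chk[1] ^ pt[1]);
    if (diff != 0) {
        out[0] = 0; out[1] = 0;
        return -1;
    }
    out[0] = ct[0]; out[1] = ct[1];
    return 0;
}

int main(void) {
    uint32_t out[2];
    int rc = protected_encrypt(out, DEMO_PT, DEMO_KEY, NO_FAULT, 0);
    printf("no fault : rc=%d ct=%08X%08X\n", rc, out[0], out[1]);
    rc = protected_encrypt(out, DEMO_PT, DEMO_KEY, 28, 0x00000080u);
    printf("fault r28: rc=%d ct=%08X%08X (suppressed)\n", rc, out[0], out[1]);
    return 0;
}
```

The price is a second cipher operation per block, which is why this is usually reserved for key-bearing operations rather than bulk data. The `if (diff != 0)` verdict is itself a single compare, so in real firmware it would be given the same redundancy and duplicated-state treatment as any other security check; otherwise an attacker who can place one glitch in the cipher could aim a second at the verification.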
4. Attack Surface Reduction
Minimize the physical exposure of the device. Disable debug interfaces (like JTAG or SWD) permanently in production devices by blowing hardware fuses. Ensure that accessible communication ports (like UART or USB) are robustly authenticated and do not provide direct access to memory or sensitive execution paths.
Fault Injection represents a paradigm shift in cybersecurity, proving that software security is only as strong as the physical hardware it runs on. By leveraging voltage drops, clock manipulations, and electromagnetic pulses, attackers step outside the boundaries of logical programming, using the laws of physics to bend microprocessors to their will. The ability to bypass secure boot mechanisms and extract deeply embedded cryptographic keys makes Fault Injection one of the most formidable threats to IoT devices, automotive systems, and critical infrastructure.
Securing the modern digital landscape requires a holistic approach that bridges the gap between software engineering and hardware design. Defending against these physical attacks demands the implementation of robust hardware monitors, redundant software logic, and hardened cryptographic implementations. As our reliance on embedded systems grows, understanding and mitigating the physical vulnerabilities exploited by Fault Injection is essential for maintaining the integrity and confidentiality of the devices that power our world.