Dirt cheap Electromagnetic Fault Injection

Abstract

Today’s post will cover the theory and crafting of an Electromagnetic Fault Injection device for as little as $5.

¿What is Fault Injection?

Fault injection is a term widely used in the hardware and systems security scene. It is the act of introducing logic errors (software errors) into CPUs by altering the underlying hardware. This allows an attacker to exploit a processor even if it were running a 100% safe code. We can cause our own problems, thus being able to obtain code execution, dump memory or secrets, etc.

Types of attacks

The three most common and accessible methodologies to alter the hardware are the following:

  1. Power glitch injection: we modify the power/voltage supply of the target.
  2. Clock glitch injection: we modify the clock signal of a synchronous device (CPU, SRAM, etc)
  3. Electromagnetic Fault Injection: we employ magnetic fields to induce voltage or current variations on the target.

Often these attacks are classified in two groups: invasive attacks (if the chip ends up destroyed or permanently modified after the attack) and non-invaside, like it’s going to be the case.

I must remark these attacks not only affect CPUs, but also other components like memories and such.

Oh physics

I am sorry. But it’s time for a little physics and electronics. Won’t be dull!. We must ask ourselves; how’s that a magnetic field can induce changes in an electronic device?

Electromagnetism: The study of the interaction between electric charges, which is observed on electric fields and magnetic fields, and the relation between them. It’s a long range force (infinite, in theory), much more intense than gravity.

There are a couple of laws that are of special interest. Faraday’s law and Lentz’s law. While I’m not going to explain them in detail, I must reference them, and you can learn more about them. Specially interesting is the result/corollary of these laws: the relation between magnetic field and electric currents. For the purpose of this post it can be summarized to two ideas:

An electric current flowing through a conductor produces a magnetic field.

and at the same time:

A magnetic field in movement, produces an electric current in a conductor if it is within the range of the field (induction).


A magnet (magnetic field) produces a voltage in the spire

The last phenomenon is the one we are going to exploit. We’ll generate an (electro)magnetic field really close to our CPU (we won’t use a magnet, though). This field will induce a voltage in the conductors inside the processor. These voltages can be confused and treated as logic states, by the logic gates. To ilustrate, if the CPU worked at 3.3 volts, a logic ‘1’ would be any line/wire where we had 3.3v. Lines with 0 volts would be treated as a logic ‘0’. Should we induct a voltage on a surface where there wasn’t voltage before, we could be turning a logic ‘0’ (no voltage) into a logic ‘1’ (voltage). And that’s the trick in place.

As a friend says, fault injection is magicbut easy magic.

Basic circuit for EM bursts and EM Injection

To obtain a magnetic field we only need two requeriments. An inductor (which is just a coil made of a conductor element) and a current to go though the coil.

Magnetic field’s flow’s strength is given by the following formula:

$$ \Phi = L * I $$

Where L is the inductance(Henry) and I is the current’s intensity (Ampers). With either a greater inductance, or a greater intensity, a greater magnetic flow is obtained.

The formula to compute the inductance is the following:

$$ L = \frac{N^2 * \mu * S}{l} $$

Where:

  • N: number of spires in the coil (no units)
  • u: permeability of the core (Wb/A*m)
  • S: core section (square meters)
  • l: longitude of the flow lines (meters)

To be able to cause glitches in the circuit we requiere a powerful enough magnetic flow. And there are two choices: increase the inductance or increase the intensity. Increasing intensity is easier and trivial, thanks to Ohm’s law:

$$ I = \frac{V}{R} $$

An increase of the voltage will produce a greater current intensity. This way we have no need to worry about inductance, which involves more parameters.

Finally, let’s see how to obtain an already made, cheap, high voltage conversion circuit. With this, we’ll generate a substantial magnetic field.

Build

At this point do not worry if you are lost. Let’s get down to business and craft our injector. The materials we need are:

  1. Electric mosquito killer racket ($4 aprox)
  2. Soldadering iron and tin
  3. Wires to solder, and silicon gun (or similar)

For less than $5 you can find electric rackets to kill mosquitos, which have almost all the components we need, and already assembled. Just needing minor modifications.
Teardown

Sneak peak of the insides:
from left to right: big capacitor, diodes(not important), transformer.

The transformer’s role is to convert the 3 volts of input into high-voltaje. Warning: high-voltage is dangerous and circuits must be handled with protection and care. I am not responsible of any misuse of this information.

The capacitor’s output (left side) is the one going to the racket, while the batteries input is on the right side of the image.
Modifications

We must disconnect this racket, and whatever goes after the capacitor. We’ll replace it with a spark gap and an inductor.

Craft Inductor

To craft the inductor, all we need to do is bend some wires to form a coil. The cables must have insulation, so you can either use wires with plastic covering, or enamel wire. You can try different thicknesses and number of spires.
First test coil with 8 spires and some separation between them

Second inductor, 6 spires in parallel. Placed in the final injector.

Build Spark Gap

Spark gap is nothing more than a space among two wires. When the capacitor stores enough charge, that charge will be able to break the potential barrier of the air, and go through it. It’s then when we watch the spark’s effect.

All we need is a couple of wires, to be placed in a fixed manner, one close to the other but not touching. I used jumper cables for this.


In the centre of the image, you can see the spark gap, with green cables

With all done, just re-assembly and testing is needed.

Observation: the greater the distance of the wires in the spark gap, the greater voltage will be needed to break the potential barrier. Our injector would take more time to charge each burst, nevertheless, the magnetic field would be greater.

Results

The following piece of code is used on every platform to perform tests:

#include <stdio.h>


int main(void){
    int i,j,k,cnt;
    k = 0;
    while(1){
     cnt = 0;
     for(i=0; i<5000; i++){
       for(j=0; j<5000; j++){
          cnt++;
       }
     }
     printf("%d %d %d %d\n", cnt, i, j,k++);
    }
}

We’ll observe if it’s able to induce glitches on the program’s execution.

Arduino UNO

A perfect target for the first tests, Arduino UNO has a microcontroller (ATMEGA 328P) which is very big and exposed in the board.
ATMEGA to the right. The target.

Build the code and upload it from the Arduino IDE (for example). Then, open a serial terminal and start glitching:
As soon as sending some bursts, we obtain arithmetic glitches. Injector at a 5-6 cm distance

After a couple of tries, it can be easy to deduct on which areas or sides of the chip we must attack. Left half of the ATMEGA produces useful glitches (arithmetic, variable changes, speed changes, freezes) while provoking glitches on the right half most often crashes or reboots the device. We might suppose that the microcontroller’s SRAM is located under the left section.
More messing with bits, this time, the counter’s value has turned negative.

One of the most interesting glitches I introduced was back with the precursory version of the device, and I was not aware enough of it’s greatnes to take screenshots (so, you can only believe me!). Im pretty sure this glitch attacked the sprintf() function or its argument number two, which is a formated string. Probably, inducing some changes on it. The arduino started dumping its memory contents over the serial connection sending it to the PC. Was able to read some strings like “Arduino Co.” or the serial printable charset abcd…ABCD..1234567890 etc.

I have since tried to reproduce the glitch with the final version, but I’ve only achieved this:
Memory dump? Not likely

Arduino MEGA

Arduino MEGA is the steroids version when it comes to Arduino, packing an ATmega2560 with more I/O and more memory.
Arduino MEGA

With its more compact microcontroller design, it seemed sightly more resilient, but not that much. Achieving arithmetic errors was easy and done quickly so I’ll skip that as you’ve already seen them with the UNO.

I managed though, to dump some unknown data over the serial by confusing the sprintf(), perhaps some close stack variables and pointer. But I cannot know for sure:



Raspberry Pi B+

Raspberry Pi B+ packs a Broadcom BCM2835 SoC, with and ARM7 CPU. I’ll be running armbian (a debian ARM fork) for the tests.
SoC Raspberry Pi B+

Again depending on the part of the surface of the chip that we place closer to the injector’s coil, we’ll obtain diverse results.
Glitch in the arithmetic of the program. It keeps executing.

Often, some areas of the SoC would cause a reset. Other would blackout the HDMI output for some seconds.
We have introduced a glitch which may have caused a wrong memory access, causing an exception

This last case is extremely important, as we can observe a glitch that has caused a segmentation fault, likely caused by an invalid memory access (reading/writing or jumping somewhere invalid, doesn’t matter). This proves that we can cause exceptions, which can allow for far more complex attacks, to components like the bootloader or the kernel, which we can take over by poisoning the exception vector table and then forcing an exception, with our hardware attack.

Thanks and Acknowledgements

Thanks to @MatyFM and @marunmagesh for the help with electronics

Leave a Reply