2024-02-24, Track 1, Auditorium 1.110
Advances in embedded device security features have led more and more researchers to use fault injection techniques to bypass those features and gain increased access to systems. While some open-source tools exist to perform these types of attacks, researchers still face many hurdles when conducting power analysis of a device on which they wish to perform a fault injection attack.
While many devices are vulnerable to voltage glitching attacks, the sudden voltage drops these attacks rely on, delivered at specific timings, can cause permanent damage to the target. We will begin this talk by describing the power analysis research that led us to an RDP bypass on the STM32F4 via voltage glitching. Although we could bypass RDP protections with a traditional voltage glitch, the attack would occasionally permanently damage the device. As a result, we developed a more reliable EMFI attack.
This talk describes using open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing a full RDP (read-out protection) bypass via a targeted EMP. Alongside this research we will release the open-source tooling used to instrument a generic 3D printer, together with examples of how we integrated it into a workflow built around the ChipWhisperer Husky and PicoEMP.
This work describes the process of developing a new fault injection attack. We begin with the test firmware we used to dial in the physical glitch parameters (probe location and placement, among others). After tuning these parameters for maximum consistency, we target the boot ROM of the STM32F4. To determine where to place the glitch in time, we review the power trace of the boot ROM alongside an extracted boot ROM in Ghidra. The first section of the talk focuses on traditional voltage glitching and power trace analysis.
After demonstrating that a readout protection bypass is possible via voltage glitching, we will discuss the risk these attacks carry and how they can permanently damage devices. Given this risk, we attempted to trigger the same glitch with an EMP instead of a traditional voltage glitch. Performing an EMFI attack introduces new variables: probe shape, probe placement, and pulse shape, to name a few.
While some tools exist to help instrument and perform EMFI attacks, they are prohibitively expensive and require bespoke training and extensive experience. We wanted to complete one of these attacks as cheaply as possible and utilize open-source hardware for the instrumentation of the EMP probe, leading us to use the PicoEMP to generate the EMP and a 3D printer to automate the positioning and placement of the probe.
After 3D printing a custom bracket for the EMP probe and developing software to control the printer, we could automate glitch data collection while recording the X/Y/Z coordinates of the probe for every pulse. Using the resulting data, we determined the optimal probe placement for performing our previously discovered RDP bypass. A portion of this talk reviews that data and some of the tools we developed to visualize the collection results and pick the optimal probe placement.
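The data-reduction step described above, summarizing a positional sweep into a per-coordinate susceptibility map, is illustrated here with an added example. It is not the talk's released tooling and assumes nothing about its file formats: the `Shot` record, the outcome labels (`normal`, `reset`, `success`) and the sample grid are all constructed for the example. A product security team evaluating its own device would use the same summary to see where a package is most susceptible and where pulses mostly cause resets, which is the damage-risk signal the talk warns about.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Shot:
    """One EM pulse at a probe position and its observed outcome (assumed schema)."""
    x: float
    y: float
    z: float
    outcome: str  # "normal", "reset" or "success" (labels are assumptions)


# Constructed sample data (not measurements from the talk): a 3x2 grid at one Z height,
# several pulses per position, with varying outcome mixes.
SAMPLE_SHOTS = [
    Shot(0.0, 0.0, 1.0, "normal"), Shot(0.0, 0.0, 1.0, "normal"), Shot(0.0, 0.0, 1.0, "reset"),
    Shot(0.5, 0.0, 1.0, "success"), Shot(0.5, 0.0, 1.0, "reset"),
    Shot(0.5, 0.0, 1.0, "success"), Shot(0.5, 0.0, 1.0, "normal"),
    Shot(1.0, 0.0, 1.0, "reset"), Shot(1.0, 0.0, 1.0, "reset"), Shot(1.0, 0.0, 1.0, "normal"),
    Shot(0.0, 0.5, 1.0, "normal"), Shot(0.0, 0.5, 1.0, "normal"),
    Shot(0.5, 0.5, 1.0, "success"), Shot(0.5, 0.5, 1.0, "normal"),
    Shot(0.5, 0.5, 1.0, "normal"), Shot(0.5, 0.5, 1.0, "normal"),
    Shot(1.0, 0.5, 1.0, "reset"), Shot(1.0, 0.5, 1.0, "normal"),
]


def summarize(shots, min_shots=3):
    """Group shots by (x, y, z) and compute success and reset rates per position.

    Positions with fewer than `min_shots` pulses are dropped: a single lucky
    pulse would otherwise dominate the map.
    """
    counts = defaultdict(lambda: {"n": 0, "success": 0, "reset": 0})
    for s in shots:
        c = counts[(s.x, s.y, s.z)]
        c["n"] += 1
        if s.outcome in ("success", "reset"):
            c[s.outcome] += 1
    summary = {}
    for pos, c in counts.items():
        if c["n"] < min_shots:
            continue
        summary[pos] = {
            "n": c["n"],
            "success": c["success"] / c["n"],
            "reset": c["reset"] / c["n"],
        }
    return summary


def best_position(summary):
    """Position with the highest success rate; ties go to the lowest reset rate."""
    return max(summary, key=lambda p: (summary[p]["success"], -summary[p]["reset"]))


def heatmap(summary, z):
    """Render success rate (percent) for one Z height as an ASCII grid.

    Positions that were swept but filtered out for too few samples show as '.'.
    """
    xs = sorted({p[0] for p in summary if p[2] == z})
    ys = sorted({p[1] for p in summary if p[2] == z})
    lines = []
    for y in ys:
        cells = []
        for x in xs:
            s = summary.get((x, y, z))
            cells.append("   ." if s is None else f"{s['success'] * 100:4.0f}")
        lines.append(f"y={y:4.1f} |" + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    result = summarize(SAMPLE_SHOTS)
    print(heatmap(result, z=1.0))
    print("best position:", best_position(result), result[best_position(result)])
```

The reset rate is kept alongside the success rate deliberately: two positions with the same success rate are not equivalent if one of them resets the target most of the time, since repeated brown-outs and resets are exactly the regime in which the talk saw devices permanently damaged.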
Using the probe placement data generated from our testing, combined with the power trace analysis from our first glitch, we developed a consistent RDP bypass for the STM32F4 via a targeted EMP. This attack allowed flash readout on locked STM32F4 processors. We will also discuss how we have used these tools and the resulting workflow to target other microcontrollers, such as the Nuvoton M032 series.
After this talk, we will release the Jupyter notebooks, libraries, and tools used to instrument the 3D printer, the ChipWhisperer Husky and the PicoEMP. We will also publish a long-form write-up (blog post) describing the process.
Matthew began his reverse engineering career in the aftermarket automotive industry, searching for vulnerabilities in engine control units' diagnostic protocol implementations. Next, he worked at MIT Lincoln Laboratory, where he led a team focused on embedded systems analysis. While at MIT, Matthew was awarded the Outstanding Contributor Award for his technical contributions. You can find other examples of his work and teaching style on his personal blog, the VSS research blog and through the free Ghidra course he authored at Hackaday.