EM Fault Injection on a Budget (Part 2)

During my last post on this topic, I had explored the possibility of building an EM fault injection rig for home experimentation. In this post, I will discuss my progress, as well as initial exploration of the attack surface of two live targets, as well as next steps.

Remember – fooling around with high-voltage capacitors can injure or kill you – but nothing wagered, nothing gained.

Device Improvements

The first step of my exploration was to modify the glitching platform to a more portable form, resulting in the following:

This is a somewhat safe and simple circuit, utilising a thyristor to “dump power” from the coil, and optocouplers / MOSFET’s to control charge and discharge. Unfortunately, the above device looks is a dirty hack job, due to two mistakes I had made:

  • Firstly, the thyristor was placed on the wrong end of the load. I didn’t realize this would become a problem, until I noticed a significant reduction in the strength of the magnetic field generated (read: the distance it was able to shoot a nail). The thyristor *must* be between the negative end of the capacitor and your coil, or you will lose power.
  • Secondly, I had used a gate resistor on the MOSFET, instead of a gate-source resistor. You *must* have a gate-source resistor, if you are using a MOSFET to enable charging: otherwise, your capacitor will be charge to not-0V when you are expecting 0V, leading to an exceptionally painful shock.

This circuit also includes a simple plug-and-play interface for the installation of a capacitor bank, allowing adjustment of the voltage to suit your target.

With this step complete and tested (using an Arduino to fire a small piece of metal programmatically as the test case), I moved onto the next part of this adventure.

Coil Design

The next stage was to improve the coil. Our goal was to create a targetted, yet strong magnetic field, which would impact the function of transistors inside an IC, without greatly impacting the rest of the device.

Some theory (Biot-Savart’s law) exists about this, a simplified form of which is as follows:

(On a side note – the red ink above is actually Iroshizuku Momiji, the shitty lighting really doesn’t do it justice).

In practice, this is a black art, with different sources claiming different effectiveness of different coil designs. I followed in the footsteps of the folks at Red Balloon Security, in their recent presentation at RECon. By attempting to induce a second order glitch, I could be happy with an entire component failing temporarily and still get the result I want, making the constraints on the coil *much* more relaxed.

I initially attempted to work with the coil I initially used, though to limited success – I was unable to make this reliably and repeatably glitch a production device. This coil was an “air core” coil – going back to the above, it should be noted that the permeability of a ferromagnetic core in a coil would be many, many times that of air.

I had most success with a hand-wound coil like this, utilizing approximately 25 turns of high-guage wire across a 8mm core:

Initial Success and Failure

Using this coil, I am able to repeatedly and reliably generate a second-order glitch, by impeding the functionality of components on two D-Link routers (DSL2880AL and DSL2750U). In the DSL2880AL, I am able to repeatedly crash the Ethernet controller by hand at a capacitor charge level of approximately 160-180V:

I was also able to crash a DSL2750U device by targetting the main MCU. This is displayed in the screenshot above: using this positioning, we can reliably generate a system halt (but no fancy screencap). I believe I may be able to induce a similar fault against the Flash memory chip to a more refined effect, but have not yet instrumented this process.

Next Steps

At this point, I should mention that the implications of this type of thing are tremendous: this allows us both an exploratory tool, as well as a way to intentionally fail a discrete operation at a time of our choosing. Attacks which blur the line between hardware and software have always held a special place in my heart, and my vast abyss that is my life is somewhat brightened by the opportunity to play in this space.

Several improvements are still needed to this device. The ones I can think of are:

  • The device needs a faster charge cycle, and the ability to cycle multiple capacitors. I’m not sure whether the switching time of something like an IGBT is enough to “switch off” a magnetic field (or if it would make sense in terms of the effect it would have on a transistor… or in the mechanism of discharging the capacitor).
  • The device needs is currently driven by an Arduino, but the timing is not sufficiently controlled – an FPGA should be used (triggered by the Arduino to wait, then trigger the optocoupler to fire the device) in addition to the existing controller mechanism. To this end, I am learning Verilog (hardware constraint files can go fuck themselves – spent an hour messing around today until I realized I forgot to define the clock).
  • The device needs some kind of voltage level sensor, that’s more accurate than a single red status LED. This should feed back to the control mechanism, so I can measure voltage using something more accurate than guesswork and a hard-coded set of data points.
  • Once a voltage sensor is in place, the entire rig should be encased in something so that I can’t accidentally shock myself any more.

Recently, I have spent a significant amount of time learning various attacks and discovery methods against hardware – learning to “ride the bus”, as it were. From here, this project becomes lesser priority: I will spend time learning general hardware security / tampering, and then come back to better utilize EM glitching as a tool.

See you all in this weekend’s CTF’s.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s