Glitching in 3D: Low Cost EMFI Attacks

Advances in embedded device security features have led more and more researchers to use fault injection techniques to bypass those features and gain increased access to systems. While some open-source tools exist to perform these types of attacks, researchers must still overcome many hurdles when conducting power analysis of a device on which they wish to perform a fault injection attack. Even when a device is vulnerable to voltage glitching attacks, sudden voltage drops at specific timings can cause permanent damage to it. We will begin this talk by describing our power analysis research that led us to an RDP bypass on the STM32F4 via voltage glitching. Although we were able to bypass RDP protections with a traditional voltage glitch, the attack would occasionally permanently damage the device. As a result, we developed a more reliable EMFI attack. This talk describes using open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing for a full RDP (read-out protection) bypass via a targeted EMP. This research will release the open-source tooling used to instrument a generic 3D printer, along with examples of how we integrated it into the workflow using the ChipWhisperer Husky and PicoEMP. This presentation will also add an additional target that will not be presented at Ringzer0 Austin.

 

About the Presenter: Matthew Alt

Matthew Alt is a hardware security researcher and founder of VoidStar Security LLC, which provides low-level assessments of embedded systems, power analysis, fault injection research, and practical hardware security training.

Examples of his work can be found on the VoidStar Security research blog, Wrongbaud's blog, and the numerous articles and courses published at Hackaday. 
