Published on

Efficient Attack-Surface Exploration for Electromagnetic Fault Injection


As technology progresses, System-on-Chips (SoCs) are becoming increasingly prevalent in critical applications, such as secure payments and infrastructure management. However, their intricate nature can render them susceptible to attacks like fault injection. Fault injection is a technique utilized to disrupt the nominal operation of a circuit and expose its vulnerabilities. Although physical access is necessary for this method, electromagnetic pulse injection (EMFI) presents a potentially less expensive means of executing it, albeit with challenges in precision and equipment configuration. Together with one of my former students (now at STMicro) and Security Pattern researchers, we recently presented a paper at Cosade 2023 that explores the use of low-cost devices, namely a NewAE Chipshouter and a 3D printer, to execute such attacks.

The attack setup

Instead of relying on guesswork, we've developed a special bisection method to move the injection probe with the 3d printer. We've discovered that this new method allows us to find faults at a much faster rate than other methods. In fact, we were able to reduce the search space by five times in a specific use case (which we can't disclose) finding faults with an average probability of 26.7% in all susceptible coordinates, some reaching as high as 97.6%.

This approach has proven successful, uncovering three times more faults than a random search on selected coordinates. This supports our belief that fault points are best located at the equilibrium between positions that completely break the system and safe positions. While there is still work to be done in examining parameters such as probe angle, type, size, and winding, our results have been promising. We're excited to continue pushing forward with future work in pursuit of even more discoveries.

Reach out if you are interested in doing a thesis in applied cryptography!