# Hardware Attack: Voltage Fault Injection
In this document, we reproduce a fault injection experiment from "The Hardware Hacking Handbook: Breaking Embedded Security"<span style="color: yellow;">[1]</span>. The experiment is described on page 221, in the "A BBQ Lighter of Pain" section.
<br>
## Preface
<b>Fault Injection (FI)</b> is a technique in which we use some physical means to disturb the target device and push it into a faulty state. Common variants include voltage FI, laser FI, electromagnetic FI, and so on. The goal is to force the device to behave abnormally, in the hope that the abnormal behaviour bypasses a security feature, for example by flipping the bit that holds the result of a password check.
This experiment targets an <span style="color: red;">ATmega328</span> chip, which can be faulted by applying a high voltage from outside the chip. This is convenient because we don't need to decap it. To test the fault injection, we apply the high voltage while the chip runs a loop test, as shown in the book.
<br>
## Preparation
To make this fault injection experiment, we need the following elements:
#### Arduino Nano board
<div style="display: flex; margin:0;">
<img style="width: 30%;" src="https://hackmd.io/_uploads/r1PYJQrC0.jpg" />
<p style="margin-left: 30px;">The original board in the book is the Adafruit Metro Mini, but it is much harder to get one, so we use the Arduino Nano, which carries the same chip and lets us do the same thing.
Download the Arduino IDE; we will be using its Serial Monitor to view the result. To connect to the Arduino Nano we need to set the IDE processor to <span style="color: red;">ATmega328P (Old Bootloader)</span>.</p>
</div>
<br>
#### USB isolator
<div style="display: flex; margin:0;">
<img style="width: 30%;" src="https://hackmd.io/_uploads/rJ6IJQSR0.jpg" />
<p style="margin-left: 30px;">Since we're going to inject high voltage, we need to protect our computer from the damage that voltage could cause. It doesn't matter which USB isolator you choose as long as it isolates the computer from the board.</p>
</div>
<br>
#### Piezoelectric igniter
<div style="display: flex; margin:0;">
<img style="width: 30%;" src="https://hackmd.io/_uploads/HJ_DyQHCA.jpg" />
<p style="margin-left: 30px;">We need a piezoelectric igniter to generate the high voltage. We can get one by tearing down a BBQ lighter (as mentioned in the book), or simply buy one on the internet. If you hold the two electrode wires close to each other (making sure they don't touch) and press the button, you should see sparks jump between them.</p>
</div>
<br>
#### Polyimide tape
<div style="display: flex; margin:0;">
<img style="width: 30%;" src="https://hackmd.io/_uploads/B115kXSRR.jpg" />
<p style="margin-left: 30px;">To prevent the piezoelectric igniter from damaging other components on the Arduino Nano board, we need to wrap the board with polyimide tape. You can find it at shops that sell electronic parts or on the internet. We don't need much of it for this experiment: only enough to cover the board and wrap the electrode wires.</p>
</div>
<br>
## Experiment steps
### <span style="color: orange;">Step 1. Wrapping the polyimide tape</span>
Let's start by assembling our materials. First we wrap the Arduino Nano board with polyimide tape; two layers are sufficient. Then wrap the two electrode wires of the piezoelectric igniter with polyimide tape so that they sit close to each other but cannot touch. Make sure not to cover the bare tips of the wires, since the spark has to jump from them.
Once done, you should get the following result:
<div style="display: flex;">
<img style="width: 30%; margin: 10px;" src="https://hackmd.io/_uploads/HJPdhrBAA.jpg" />
<img style="width: 30%; margin: 10px;" src="https://hackmd.io/_uploads/B1PRhHB0C.jpg" />
</div>
### <span style="color: orange;">Step 2. Connect to Arduino IDE</span>
Connect the Arduino Nano to the USB isolator, and the USB isolator to the computer; remember to check the processor setting in the Arduino IDE. It should look something like this:
<img style="width: 30%; margin: 10px;" src="https://hackmd.io/_uploads/HynFprHRA.jpg" />
### <span style="color: orange;">Step 3. Start the loop test</span>
Compile the following sketch and upload it to the Arduino Nano.
```c
void setup() {
  Serial.begin(115200);
}

unsigned long cnt = 0;      // number of inner-loop increments per pass; 500 * 500 = 250000 when nothing goes wrong
unsigned int loopcnt = 0;   // how many passes of loop() have been reported so far

void loop() {
  cnt = 0;
  loopcnt = 0;
  for (unsigned int i = 0; i < 500; i++) {
    // 'volatile' stops the compiler from collapsing the inner loop into a
    // single addition, so there are real instructions for a glitch to hit.
    for (volatile unsigned int j = 0; j < 500; j++) {
      cnt++;
    }
  }
  Serial.print(cnt);
  Serial.print(" ");
  Serial.print(loopcnt++);
  // Any count other than 250000 means at least one iteration was skipped or
  // corrupted, i.e. a glitch landed somewhere in the loops.
  if (cnt != 250000) {
    Serial.print(" <--GLITCH\n");
  } else {
    Serial.print("\n");
  }
}
```
Open the Serial Monitor (at 115200 baud) and you should see it keep printing `250000` followed by the pass counter, starting at `250000 0`. This means the loop test is currently behaving normally: both for loops run and count correctly.
<img style="width: 50%; margin: 10px;" src="https://hackmd.io/_uploads/Bk5nwIBCC.jpg" />
### <span style="color: orange;">Step 4. Start faulting the device</span>
Let the loop test keep running, and start injecting faults with the piezoelectric igniter. Hold the electrode wires as close as possible to the ATmega328 chip and press the button intermittently. You should see the loop test occasionally behave abnormally and print a line ending in "<--GLITCH".
<img style="width: 50%; margin: 10px;" src="https://hackmd.io/_uploads/HJjAvIrC0.jpg" />
## Wrap Up
We can now fault an Arduino Nano board with basic voltage fault injection. It is not common for a processor to be affected simply by a voltage injected from outside the package, but this is still good practice for a first attempt at fault injection.
Since the experiment requires neither decapping nor signal analysis, it is easy to carry out and gives a basic idea of how bits get flipped in IoT products. In this experiment we try to escape the `i` loop or the `j` loop, but the sketch does not tell us directly which one was escaped. Finding out which loop was escaped, and how to prevent that from happening, is another valuable topic.
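To make the open question above concrete, here is an added example that is not part of the page or the book: a host-side C model of an instrumented version of the loop test. Instead of printing only `cnt`, the instrumented loop keeps the final values of `i` and `j` and records the first outer pass whose inner loop ended early; from those three facts, `diagnose()` tells an outer-loop escape, an inner-loop escape and a single skipped increment apart. The fault model (`struct fault`, injected at a chosen `i`/`j`) is a constructed simplification so the code runs offline; real glitches are far less tidy, and the same extra checks on `i` and `j` double as the countermeasure, because a glitch that only corrupts the `cnt != 250000` comparison still has to get past them.

```c
#include <stdio.h>
#include <string.h>

/* Loop geometry from the Step 3 sketch: 500 x 500 iterations, 250000 increments. */
#define OUTER 500u
#define INNER 500u
#define EXPECTED ((unsigned long)OUTER * INNER)

/* Constructed fault model for this simulation: at most one event per run. */
enum fault_kind { FAULT_NONE, FAULT_ESCAPE_OUTER, FAULT_ESCAPE_INNER, FAULT_SKIP_INCREMENT };
struct fault { enum fault_kind kind; unsigned i; unsigned j; };

/* What an instrumented sketch would report over Serial instead of just cnt. */
struct run {
    unsigned long cnt;   /* the original counter */
    unsigned i_final;    /* value of i when the outer loop stopped */
    unsigned j_final;    /* value of j when the inner loop last stopped */
    unsigned short_pass; /* first outer pass whose inner loop ended early, or OUTER if none */
};

enum verdict { V_OK, V_OUTER_ESCAPED, V_INNER_ESCAPED, V_INCREMENT_SKIPPED };

/* Runs the loop test with the given simulated fault and returns the evidence. */
struct run run_loop_test(struct fault f) {
    struct run r = { 0, 0, 0, OUTER };
    unsigned i, j = 0;
    for (i = 0; i < OUTER; i++) {
        if (f.kind == FAULT_ESCAPE_OUTER && i == f.i)
            break;                                   /* outer loop exits early */
        for (j = 0; j < INNER; j++) {
            if (f.kind == FAULT_ESCAPE_INNER && i == f.i && j == f.j)
                break;                               /* inner loop exits early */
            if (f.kind == FAULT_SKIP_INCREMENT && i == f.i && j == f.j)
                continue;                            /* one cnt++ is skipped */
            r.cnt++;
        }
        if (j != INNER && r.short_pass == OUTER)
            r.short_pass = i;                        /* remember which pass came up short */
    }
    r.i_final = i;
    r.j_final = j;
    return r;
}

/* Checks the loop indices as well as cnt, so a glitch has to defeat all three. */
enum verdict diagnose(const struct run *r) {
    if (r->i_final != OUTER) return V_OUTER_ESCAPED;        /* outer loop never reached 500 */
    if (r->short_pass != OUTER) return V_INNER_ESCAPED;     /* some pass had j < 500 */
    if (r->cnt != EXPECTED) return V_INCREMENT_SKIPPED;     /* loops completed, count still off */
    return V_OK;
}

const char *verdict_name(enum verdict v) {
    static const char *names[] = { "ok", "outer loop escaped", "inner loop escaped", "increment skipped" };
    return names[v];
}

/* Formats one line the way the sketch does, plus the diagnosis. */
void print_line(struct run r, unsigned pass) {
    enum verdict v = diagnose(&r);
    printf("%lu %u", r.cnt, pass);
    if (v != V_OK)
        printf(" <--GLITCH (%s; i=%u j=%u first short pass=%u)",
               verdict_name(v), r.i_final, r.j_final, r.short_pass);
    printf("\n");
}

int main(void) {
    struct fault cases[] = {
        { FAULT_NONE, 0, 0 },
        { FAULT_ESCAPE_OUTER, 120, 0 },     /* outer loop exits after 120 passes */
        { FAULT_ESCAPE_INNER, 7, 300 },     /* pass 7 stops after 300 increments */
        { FAULT_SKIP_INCREMENT, 3, 4 },     /* one increment lost in pass 3 */
    };
    for (unsigned p = 0; p < sizeof cases / sizeof cases[0]; p++)
        print_line(run_loop_test(cases[p]), p);
    return 0;
}
```

On the real board the same idea is applied by declaring `i` and `j` outside the loops and printing them after the outer loop ends; in the host model above the verdicts for the four constructed cases are `ok`, `outer loop escaped` (cnt 60000), `inner loop escaped` (cnt 249800, short pass 7) and `increment skipped` (cnt 249999).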
## Reference
<span style="color: yellow;">[1]</span> Radcliffe, C., & Ketabchi, A. (2021). The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks. No Starch Press.