Physical Fault Injection and Side-Channel Attacks on Mobile Devices:A Comprehensive Analysis

Today's mobile devices contain densely packaged system-on-chips (SoCs) with multi-core, high-frequency CPUs and complex pipelines. In parallel, sophisticated SoC-assisted security mechanisms have become commonplace for protecting device data, such as trusted execution environments, full-disk and file-based encryption. Both advancements have dramatically complicated the use of conventional physical attacks, requiring the development of specialised attacks. In this survey, we consolidate recent developments in physical fault injections and side-channel attacks on modern mobile devices. In total, we comprehensively survey over 50 fault injection and side-channel attack papers published between 2009-2021. We evaluate the prevailing methods, compare existing attacks using a common set of criteria, identify several challenges and shortcomings, and suggest future directions of research

A new model for forensic data extraction from encrypted mobile devices

In modern criminal investigations, mobile devices are seized at every type of crime scene, and the data on those devices often becomes critical evidence in the case. Various mobile forensic techniques have been established and evaluated through research in order to extract possible evidence data from devices over the decades. However, as mobile devices become essential tools for daily life, security and privacy concerns grow, and modern smartphone vendors have implemented multiple types of security protection measures - such as encryption - to guard against unauthorized access to the data on their products. This trend makes forensic acquisition harder than before, and data extraction from those devices for criminal investigation is becoming a more challenging task. Today, mobile forensic research focuses on identifying more invasive techniques, such as bypassing security features, and breaking into target smartphones by exploiting their vulnerabilities. In this paper, we explain the increased encryption and security protection measures in modern mobile devices and their impact on traditional forensic data extraction techniques for law enforcement purposes. We demonstrate that in order to overcome encryption challenges, new mobile forensic methods rely on bypassing the security features and exploiting system vulnerabilities. A new model for forensic acquisition is proposed. The model is supported by a legal framework focused on the usability of digital evidence obtained through vulnerability exploitation

Combined Fault Injection and Real-Time Side-Channel Analysis for Android Secure-Boot Bypassing

The Secure-Boot is a critical security feature in modern devices based on System-on-Chips (SoC). It ensures the authenticity and integrity of the code before its execution, avoiding the SoC to run malicious code. To the best of our knowledge, this paper presents the first bypass of an Android Secure-Boot by using an Electromagnetic Fault Injection (EMFI). Two hardware characterization methods are combined to conduct this experiment. A real-time Side-Channel Analysis (SCA) is used to synchronize an EMFI during the Linux Kernel authentication step of the Android Secure-Boot of a smartphone-grade SoC. This new synchronization method is called Synchronization by Frequency Detection (SFD). It is based on the detection of the activation of a characteristic frequency in the target electromagnetic emanations. In this work we present a proof-of-concept of this new triggering method. By triggering the attack upon the activation of this characteristic frequency, we successfully bypassed this security feature, effectively running Android OS with a compromised Linux Kernel with one success every 15 minutes

EM-Fault It Yourself: Building a Replicable EMFI Setup for Desktop and Server Hardware

EMFI has become a popular fault injection (FI) technique due to its ability to inject faults precisely considering timing and location. Recently, ARM, RISC-V, and even x86 processing units in different packages were shown to be vulnerable to electromagnetic fault injection (EMFI) attacks. However, past publications lack a detailed description of the entire attack setup, hindering researchers and companies from easily replicating the presented attacks on their devices. In this work, we first show how to build an automated EMFI setup with high scanning resolution and good repeatability that is large enough to attack modern desktop and server CPUs. We structurally lay out all details on mechanics, hardware, and software along with this paper. Second, we use our setup to attack a deeply embedded security co-processor in modern AMD systems on a chip (SoCs), the AMD Secure Processor (AMD-SP). Using a previously published code execution exploit, we run two custom payloads on the AMD-SP that utilize the SoC to different degrees. We then visualize these fault locations on SoC photographs allowing us to reason about the SoC's components under attack. Finally, we show that the signature verification process of one of the first executed firmware parts is susceptible to EMFI attacks, undermining the security architecture of the entire SoC. To the best of our knowledge, this is the first reported EMFI attack against an AMD desktop CPU.Comment: This is the authors' version of the article accepted for publication at IEEE International Conference on Physical Assurance and Inspection of Electronics (PAINE 2022

Experimental Analysis of the Laser-Induced Instruction Skip Fault Model

International audienceMicrocontrollers storing valuable data or using security functions are vulnerable to fault injection attacks. Among the various types of faults, instruction skips induced at runtime proved to be effective against identification routines or encryption algorithms. Several research works assessed a fault model that consists in a single instruction skip, i.e. the ability to prevent one chosen instruction in a program from being executed. This assessment is used to design countermeasures able to withstand a single instruction skip. We question this fault model on experimental basis and report the possibility to induce with a laser an arbitrary number of instruction skips. This ability to erase entire sections of a firmware has strong implications regarding the design of counter- measures

How Practical are Fault Injection Attacks, Really?

Fault injection attacks (FIA) are a class of active physical attacks, mostly used for malicious purposes such as extraction of cryptographic keys, privilege escalation, attacks on neural network implementations. There are many techniques that can be used to cause the faults in integrated circuits, many of them coming from the area of failure analysis. In this paper we tackle the topic of practicality of FIA. We analyze the most commonly used techniques that can be found in the literature, such as voltage/clock glitching, electromagnetic pulses, lasers, and Rowhammer attacks. To summarize, FIA can be mounted on most commonly used architectures from ARM, Intel, AMD, by utilizing injection devices that are often below the thousand dollar mark. Therefore, we believe these attacks can be considered practical in many scenarios, especially when the attacker can physically access the target device

Electromagnetic Fault Injection On Two Microcontrollers: Methodology, Fault Model, Attack and Countermeasures

Cryptographic algorithms are being applied to various kinds of embedded devices such as credit card, smart phone, etc. Those cryptographic algorithms are designed to be resistant to mathematical analysis, however, passive Side Channel Attack (SCA) was demonstrated to be a serious security concern for embedded systems. These attacks analyzed the relationship between the side channel leakages (such as the execution time or power consumption) and the cryptographic operations in order to retrieve the secret information. Various countermeasures were proposed to thwart passive SCA by hiding this relationship. Another different type of SCA, known as the active SCA is Fault Injection Attack (FIA). FIA can be divided into two phases. The first one is the fault injection phase where the attacker aims at injecting a fault to a target circuit with a specific timing and spatial accuracy. The second phase is the fault exploitation phase where the attacker exploits the induced fault and forms an attack. The major targets for the fault exploitation phase are the cryptographic algorithms and the application-sensitive processes. Over the last one and a half decades, FIA has attracted expanding research attention. There are various techniques which could be used to conduct an FIA such as laser, Electromagnetic (EM) pulse, voltage/clock glitch, etc. EM FIA achieves a moderate spatial resolution and a high timing resolution. Moreover, since the EM pulse can pass through the package of the chip, the chip does not need to be fully decapsulated to run the attack. However, there remains a lack of understanding of the fault injected to the cryptographic devices and the countermeasures to protect them. Therefore, it is important to conduct in-depth research on EM FIA. This dissertation concentrates on the study of EM FIA by analyzing the experimental results on two different devices, PIC16F687 and LPC1114. The PIC16F687 applies a two-stage pipeline with a Harvard structure. Faults injected to the PIC16F687 resulted in instruction replacement faults. After analysis of detailed experiments, two new Advanced Encryption Standard (AES)-128 attacks were proposed and empirically verified using a two-step attack approach. These new AES attacks were proposed with lower computational complexity unlike previous Differential Fault Analysis (DFA) algorithms. Instruction specific countermeasures were designed and verified empirically for AES to prevent known attacks and provide fault tolerant protection. The second target chip was the LPC1114, which utilizes an ARM Cortex-M0 core with a three-stage pipeline and a Von Neumann structure. Fault injection on multiple LDR instructions were analyzed indicating both address faults and data faults were found. Moreover, the induced faults were investigated with detailed timing analysis taking the pipeline stall stage into consideration. Fault tolerant countermeasures were also proposed and verified empirically unlike previous fault tolerant countermeasures which were designed only for the instruction skip fault. Based on empirical results, the charge-based fault model was proposed as a new fault model. It utilizes the critical charge concept from single event upset and takes the supply voltage and the clock frequency of the target microcontroller into consideration. Unlike previous research where researchers suggested that the EM pulse induced delay or perturbation to the chip, the new fault model has been empirically verified on both PIC16F687 and LPC1114 over several frequencies and supply voltages. This research contributes to state of the art in EM FIA research field by providing further advances in how to inject the fault, how to analyze the fault, how to build an attack with the fault, and how to mitigate the fault. This research is important for improving resilience and countermeasures for fault injection attacks for secure embedded microcontrollers