Fault injection (FI) involves introducing an error or modification minor enough to cause undefined behavior on a target, but not severe enough to stop the target from operating entirely. This typically involves injecting a high-voltage pulse or temporarily draining the voltage from a targeted power source or “rail” on the target system.
By causing momentary voltage modulations (either above or below the expected voltage), we can force our target system to enter a realm of undefined behavior. An adequately targeted fault can bypass various security checks or other features that may impede an attacker or reverse engineer.
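To show in software why one corrupted value is enough to pass a security check, and how firmware can be written to notice it, here is an added example (not code from this post or from any of the projects listed below). The fault model is constructed: `sense()` replaces one value in flight to stand in for a single glitched load or compare, and all function names and constants are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed fault model: the Nth value passed through sense() is
 * replaced, standing in for one glitched load or compare. */
static int fault_at = -1, step;
static uint32_t fault_val;
static uint32_t sense(uint32_t v) { return (step++ == fault_at) ? fault_val : v; }
void arm_fault(int at, uint32_t val) { fault_at = at; fault_val = val; step = 0; }

enum { DENY = 0, GRANT = 1, FAULT = 2 };

/* Naive check: any nonzero value in `ok` grants access, so a single
 * corrupted result is enough to pass. */
int check_naive(const uint8_t *pin, const uint8_t *ref, size_t n) {
    uint32_t ok = sense(memcmp(pin, ref, n) == 0);
    return ok ? GRANT : DENY;
}

/* Hardened check: results are encoded as two constants that differ in
 * every bit, the comparison is evaluated twice, and anything that is not
 * an exact, agreeing constant is reported as a detected fault. */
#define HARD_TRUE  0x3CA5965Au
#define HARD_FALSE 0xC35A69A5u   /* bitwise complement of HARD_TRUE */

static uint32_t compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0 ? HARD_TRUE : HARD_FALSE;
}

int check_hardened(const uint8_t *pin, const uint8_t *ref, size_t n) {
    /* volatile keeps the compiler from merging the two evaluations */
    volatile uint32_t r1 = sense(compare(pin, ref, n));
    volatile uint32_t r2 = sense(compare(pin, ref, n));
    if (r1 != r2) return FAULT;            /* the two runs disagree */
    if (r1 == HARD_TRUE) return GRANT;
    if (r1 == HARD_FALSE) return DENY;
    return FAULT;                          /* not a valid encoding */
}
```

The duplicated evaluation only covers the single-fault model simulated here; it does not address two faults landing on both evaluations.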
When it comes to FI, I think that Furrtek explained it best here:
Regarding FI, anything capable of pulling a voltage line low or injecting a clock pulse can work. However, depending on your target and attack, you might need advanced timing or protocol triggering, where tools such as the ChipWhisperer become very handy. When learning the fundamentals of fault injection, you cannot go wrong with an introductory ChipWhisperer kit. Their materials and example targets explain the principles behind fault injection and provide a tested, repeatable learning environment. I can’t recommend their materials highly enough.
If the ChipWhisperer tools are too expensive for your budget, however, there are other tools that folks have used in the past. I have included the tools in the table below and provided some example blog posts that utilize them to help get you started. We have also published a blog post here as an introduction to FI.
| Item | Price | Link | Projects / Blog Posts |
|---|---|---|---|
| RP2040 | $4.00 | Link | Pico Glitcher, PicoRHG - Xbox 360 Glitch, AirTag Voltage Glitching |
| ICEStick ICE40 FPGA | $49.00 | Link | Grazfather’s LPC Glitch, IceStick Glitcher |
| ChipShouter PicoEMP | $60.00 | Link | EMFI Made easy with PicoEMP |
| ChipWhisperer Lite | $315.00 | Link | Replicant: Reproducing a FI Attack on the Trezor One |
| ChipWhisperer Husky | $549.00 | Link | RL78 Glitching (done by Colin O’Flynn) |
| ChipShouter Kit | $4125.00 | Link | EMFI for Automotive Safety with ChipShouter |
There are also plenty of great talks that you can find online about fault injection; I’ve listed some of my favorites below: