Fault Injection II: Does glitch width really matter?

When performing fault injection attacks, we are used to seeing the glitch width sweep across a set of values, in the hope that this helps hit the right combination. This holds while blindly searching for a new vulnerability. But when it comes to repeatability, does it really matter?

Building upon our previous post on fault injection techniques for the nRF52 family, I decided to investigate the impact of glitch width on reproducibility.

My initial approach involved modifying the glitcher firmware to expose the glitch width as a configurable parameter. This allowed me to set specific values or ranges for the glitch width, providing greater control over the experiment.

The modifications I made to the glitcher firmware can be found in my GitHub repo at: https://github.com/ggonzalez/ESP32_GLITCHER. Now I can set the glitch width to a specific value (by making both ends of the range equal) or to a range different from the default one.

Surprisingly, the specific glitch width itself doesn’t significantly impact reproducibility in this case. The target device could be successfully unlocked with a range of glitch widths from 1 to 30.

As expected, focusing on the precise location of the glitch may be more important than fine-tuning the glitch width itself. By narrowing down the timing window we can accelerate the process of unlocking compared to iterating over a broader range of widths. This could be, for example, setting a specific glitch width and targeting a trigger range of 5 steps like 3735 to 3740.

As can be seen above, the three successful glitches (1, 5, and 30 microseconds) all unlocked the device within approximately the same time-frame after starting each campaign. As mentioned previously, the right settings for this specific chip would be:

  1. Set a glitch width of your choice; I particularly recommend using a shorter width.
  2. Narrow down the delay range to 5 steps that fall on the area highlighted below.
