smartnuts … the world on the cabaret-style dissecting table

How to poke holes in reality (one voltage spike at a time)


G’day, mates. Grab your soldering iron, chuck on a fresh brew, and settle in. Today we’re diving headfirst into the wonderfully chaotic world of glitching attacks – those cheeky little hardware hacks that make secure systems question their life choices.

Whether you’re a budding hacker, an automotive security nerd, or just someone who gets a thrill from poking electrons where they shouldn’t be, this yarn’s for you. We’re going from the basics of glitching to the nitty-gritty of pwning Hardware Security Modules (HSMs) in modern cars – and how manufacturers can wise up and defend against us cheeky sods.


What the Bloody Hell is a Glitching Attack?

At its core, a glitching attack is a carefully timed “oopsie” for electronics. Instead of smashing through software like a brute-forcer, you politely nudge hardware at just the right time to make it forget its manners. You don’t need to pick the lock – you convince the door it’s already open.

These attacks work by introducing faults in the physical world – voltage, timing, electromagnetic pulses – that mess with a system’s internal state, making it behave in unexpected (and often insecure) ways.

Let’s walk through the main flavours of glitching.


Flavours of Glitch: How to Zap a Chip

1. Voltage Glitching (a.k.a. Power Bashing)

You momentarily drop or spike the supply voltage (Vcc) to knock a processor off its rocker. If timed just right, this can cause it to skip instructions or execute corrupted ones. It’s the Vegemite of glitching: basic, salty, and effective.

Tools:

Further reading: Synacktiv’s Voltage Glitching Guide


2. Clock Glitching

Mess with the clock signal by injecting spikes or skips. The CPU’s like “Wait, what?” and trips over its own execution flow. Trickier than voltage, but less likely to trip brownout detectors.

Tools:

Further reading: ChipWhisperer Clock Glitch Tutorial


3. Electromagnetic Fault Injection (EMFI)

You use focused EM pulses to zap specific regions of silicon. You can literally beam faults into the brain of a chip without even touching it. James Bond vibes, anyone?

Tools:

  • EM pulse coils
  • Pulse generators
  • ChipSHOUTER

Further reading: Learn EMFI at GitHub – ChipSHOUTER


4. Optical / Laser Fault Injection

Strip the chip naked (decap it), shine a modulated laser, and interrupt logic execution directly. This one’s more “CSI Silicon Valley”, but hey, it works.

Tools:

  • RayV Laser Station
  • DIY setups using Blu-ray lasers

Further reading: Wired: DIY Laser Attacks


5. Temperature, Radiation & Exotic Stuff

Not as sexy, but useful: cooling chips with freeze spray or heating them up can subtly alter timing paths. Radiation can flip bits, but it’s not exactly backyard friendly.


Target Locked: Hacking Automotive HSMs

Alright, enough warm-up. Let’s get to the juicy bit: pwning HSMs in automotive Electronic/Electrical (E/E) systems.

These little silicon vaults sit inside your car’s ECUs (Engine Control Units), guarding crypto keys, secure boot routines, and OTA update systems. In modern vehicles, an HSM isn’t just nice-to-have – it’s mission-critical.

Why target HSMs in cars?

  • Unlock tuning access
  • Bypass immobilisers
  • Inject custom firmware
  • Extract OEM private keys (!)

Tools of the Trade: What’s in a Glitcher’s Toolbox?

To hack an HSM in a vehicle, you should usually bring:

Needle Probes (Pogo Pins)

Essential for tapping tiny test pads or chip pins without desoldering. Think of them as the hacker’s acupuncture needles.

Logic Analyser

Lets you watch signals like RESET, CLK, and Vcc to find juicy glitch points.

ChipWhisperer or PicoGlitcher

For precision glitching: voltage or clock. ChipWhisperer Lite is great for most jobs; PicoGlitcher is the go-to for stealthy field work.

Microscope & Hot Air Station

To solder onto 0.5 mm pitch test pads or to safely remove shielding from automotive PCBs.

Faraday Tent

For EMFI jobs, you want to block outside interference. Plus, it looks very cool at conferences.


Real-World Workflow: Popping an HSM in a Vehicle ECU

Let’s say you’ve got an automotive ECU from a late-model ute that uses a TriCore-based microcontroller with an HSM.

Step 1: Reconnaissance

Pull the datasheet. Look for power domains, secure boot pinouts, test pads, UARTs.

Step 2: Tap the Right Pins

Use pogo pins or wire-wrap to tap:

  • Vcc
  • RESET
  • CLK
  • BOOT_CFG (if present)
  • UART TX/RX

Watch the boot process. Use a logic analyser or oscilloscope to find where the secure boot check happens.

Step 3: Glitch Setup

Inject a voltage glitch 300 μs after RESET when the CPU checks the signature of the bootloader.

This might cause:

  • The secure boot to fail silently
  • A protected debug interface to unlock
  • Firmware code to be dumped via UART

Step 4: Iterate & Optimise

Glitching isn’t one-size-fits-all. You’ll sweep delay offsets, pulse widths, and voltages. Automate this with a script and have it retry until bingo.

Step 5: Extract the Goods

If successful, dump flash. Look for:

  • Hardcoded keys
  • Firmware routines
  • Debug flags

Use binwalk and Ghidra to reverse engineer.

Step 6: Cover Your Tracks

Always remember: don’t do this on someone else’s hardware without permission. Ethics matter, mate.


Defensive Driving: How to Harden Against Glitching

Manufacturers, take note. If you don’t want someone like me dancing on your silicon, here’s how to tighten your bolts:

1. Voltage and Clock Monitors

Detect and abort when anomalies occur.

2. Randomised Timing

Add jitter to boot sequences or critical crypto ops to make timing glitches harder.

3. Dual-Core Lockstep

Two CPUs run the same code and compare results. If one glitches, the mismatch triggers a fail.

4. Physical Shielding

  • Shielding against EMFI
  • Light sensors for laser detection
  • Tamper mesh

5. Secure Boot Watchdogs

Include integrity checks at multiple stages and verify not just once but periodically.

6. DFA/Glitch-Resistant Crypto

Implement fault-resistant ECC, RSA, and AES. Techniques include:

  • Redundant computation
  • Random blinding
  • CRT verification

Further reading: NIST Fault Injection Countermeasure Guide
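As an added example (not code from this post, and not any vendor’s HSM firmware), here is one way to express the redundant-computation idea behind items 3 and 6 in plain C: a boot-stage digest comparison evaluated twice by independent code paths, returning complementary constants instead of a plain 0/1 boolean, and aborting whenever the two results disagree. The `fault_mask` argument is a hypothetical test hook, not a real API; it only exists so the consistency check can be shown catching a simulated corruption of one result.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Complementary constants: OK and FAIL differ in every bit, so a single
   flipped bit or a zeroed register yields neither and is treated as a fault. */
#define VERIFY_OK    0xA5C3u
#define VERIFY_FAIL  0x5A3Cu
#define VERIFY_ERROR 0xDEADu   /* redundant checks disagree: fault suspected */

/* Forward walk over both digests; result does not depend on where they differ. */
static uint32_t cmp_forward(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0 ? VERIFY_OK : VERIFY_FAIL;
}

/* Same comparison walking backward: one well-timed skipped instruction would
   have to corrupt both loops identically to slip past the consistency check. */
static uint32_t cmp_backward(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = n; i > 0; i--) diff |= a[i - 1] ^ b[i - 1];
    return diff == 0 ? VERIFY_OK : VERIFY_FAIL;
}

/* Redundant digest check for a boot stage. fault_mask is a hypothetical test
   hook: it XORs the second result to simulate a transient corruption (0 = none). */
uint32_t verify_digest(const uint8_t *computed, const uint8_t *expected,
                       size_t n, uint32_t fault_mask) {
    volatile uint32_t r1 = cmp_forward(computed, expected, n);
    volatile uint32_t r2 = cmp_backward(computed, expected, n) ^ fault_mask;
    if (r1 != r2) return VERIFY_ERROR;                              /* redundancy disagrees */
    if (r1 != VERIFY_OK && r1 != VERIFY_FAIL) return VERIFY_ERROR;  /* neither valid constant */
    if ((r1 ^ r2) != 0) return VERIFY_ERROR;                        /* re-check the decision */
    return r1;                              /* caller must compare against VERIFY_OK, not != 0 */
}

/* Constructed sample digests for the demo (not real firmware hashes). */
const uint8_t SAMPLE_DIGEST[8]     = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
const uint8_t SAMPLE_DIGEST_BAD[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x89};

int main(void) {
    printf("match:    0x%04X\n", (unsigned)verify_digest(SAMPLE_DIGEST, SAMPLE_DIGEST, 8, 0));
    printf("mismatch: 0x%04X\n", (unsigned)verify_digest(SAMPLE_DIGEST, SAMPLE_DIGEST_BAD, 8, 0));
    printf("faulted:  0x%04X\n", (unsigned)verify_digest(SAMPLE_DIGEST, SAMPLE_DIGEST, 8, 1));
    return 0;
}
```

The `volatile` qualifiers stop the compiler from folding the two checks into one, which would quietly undo the redundancy; the same pattern applies to any other security decision in the boot path, and repeating it at later boot stages is what item 5 asks for.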


Final Thoughts …

Glitching is both an art and a science. It’s not about destruction – it’s about precision. About timing. A gentle nudge here, a skipped instruction there, and boom – you’re past the silicon sentry.

In the world of automotive security, HSMs are getting stronger – but so are the hackers. And in true hacker spirit, we never back down from a challenge. The goal? Make security better, not worse.

So whether you’re a defender trying to build a better HSM or a researcher probing the limits of embedded systems – stay curious, stay safe, and never stop learning.

Cheers, legends.



About the author

Michael Bunzel

Michael Bunzel (aka maschasan) is a lawyer and engineer currently living in Germany. He has been working in the field of Cybersecurity and related laws and regulations for over 25 years now.

Mike took on various roles and functions in the context of Information Security, Cybersecurity, and SCADA/Shopfloor Security at a German car manufacturer in southern Germany for more than fifteen years, currently in the R&D department, with a focus on E/E systems in the context of automotive cybersecurity and related regulations in different markets (e.g. UN, EU, China, Korea, India, US, and others).

Mike has worked with global organizations across dozens of countries, cultures and languages, and is well-travelled in EMEIA, APAC and the Americas.

All articles in this blog do NOT reflect the opinion of his employer, but are all an expression of his personal view of things.
