MIN()imum Failure: EMFI Attacks against USB Stacks


Colin O'Flynn, Dalhousie University


Electromagnetic Fault Injection (EMFI) allows generation of faults in a target device without needing to physically modify the target. This paper uses EMFI to recover secret data from two devices without opening the enclosure of the devices, making the attack possible without leaving any physical evidence. This is demonstrated on two devices: a Trezor bitcoin wallet and a Solo Key open-source FIDO2 authentication key.

The specific vulnerable code attacked with EMFI is part of the USB stack. The attack allows a host-provided value of wLength to be used in reading back up to 64 Kbyte of memory from the target device. Examples of this vulnerability are given for three popular general-purpose RTOSes.

To assist with evaluation of this attack, the open-source PhyWhisperer-USB hardware is also introduced. This tool provides hardware USB decoding and pattern matching to allow cycle-accurate fault injection timing.
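The length check at issue can be modelled in a few lines of C. This is an added example, not code from the paper or from any of the devices or RTOSes it covers: it assumes the reply length is clamped with a MIN()-style comparison against wLength, as the title suggests, and it shows a single-check clamp beside a redundant, fail-closed one. The function names and the fault model (one comparison evaluating to false) are hypothetical simplifications.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified fault model (an assumption of this example): the fault_at-th
 * length comparison evaluates to false, as if its branch was never taken. */
static int fault_at = 0, cmp_count = 0;

static int lt(uint16_t a, uint16_t b) {
    if (++cmp_count == fault_at) return 0;  /* faulted comparison */
    return a < b;
}

/* Single check: len = MIN(wLength, avail). One skipped comparison leaves
 * the host-supplied wLength in control of how many bytes are sent. */
uint16_t reply_len_single(uint16_t wLength, uint16_t avail) {
    uint16_t len = wLength;
    if (lt(avail, len)) len = avail;
    return len;
}

/* Hardened: start from the safe bound, only ever shrink it, then re-check
 * and fail closed. No single skipped comparison yields len > avail. */
uint16_t reply_len_hardened(uint16_t wLength, uint16_t avail) {
    uint16_t len = avail;
    if (lt(wLength, avail)) len = wLength;
    if (lt(avail, len)) return 0;
    return len;
}

/* Run one clamp with the n-th comparison faulted (0 = no fault). */
uint16_t run(uint16_t (*clamp)(uint16_t, uint16_t),
             uint16_t wLength, uint16_t avail, int n) {
    fault_at = n;
    cmp_count = 0;
    return clamp(wLength, avail);
}

int main(void) {
    const uint16_t avail = 18;  /* constructed: size of an 18-byte descriptor */
    printf("single,   no fault: %u\n", (unsigned)run(reply_len_single, 0xFFFF, avail, 0));
    printf("single,   fault #1: %u\n", (unsigned)run(reply_len_single, 0xFFFF, avail, 1));
    printf("hardened, fault #1: %u\n", (unsigned)run(reply_len_hardened, 0xFFFF, avail, 1));
    printf("hardened, fault #2: %u\n", (unsigned)run(reply_len_hardened, 0xFFFF, avail, 2));
    return 0;
}
```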

@inproceedings {238594,
author = {Colin O{\textquoteright}Flynn},
title = {{MIN()imum} Failure: {EMFI} Attacks against {USB} Stacks},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/woot19/presentation/oflynn},
publisher = {USENIX Association},
month = aug
}