MIN()imum Failure: EMFI Attacks against USB Stacks

Website Maintenance Alert

Due to scheduled maintenance, the USENIX website will not be available on Tuesday, December 17, from 10:00 am to 2:00 pm Pacific Daylight Time (UTC -7). We apologize for the inconvenience.

If you are trying to register for Enigma 2020, please complete your registration before or after this time period.

Authors: 

Colin O'Flynn, Dalhousie University

Abstract: 

Electromagnetic Fault Injection (EMFI) allows generation of faults in a target device without needing to physically modify the target. This paper uses EMFI to recover secret data from two devices without opening the enclosure of the devices, making the attack possible without leaving any physical evidence. This is demonstrated on two devices: a Trezor bitcoin wallet and a Solo Key open-source FIDO2 authentication key.

The specific vulnerable code attacked with EMFI is part of the USB stack. The attack allows a host-provided value of wLength to be used in reading back up to 64~Kbyte of memory from the target device. Examples of this vulnerability are given for three popular general-purpose RTOSes.

To assist with evaluation of this attack, the open-source PhyWhisperer-USB hardware is also introduced. This tool provides hardware USB decoding and pattern matching to allow cycle-accurate fault injection timing.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {238594,
author = {Colin O{\textquoteright}Flynn},
title = {MIN()imum Failure: {EMFI} Attacks against {USB} Stacks},
booktitle = {13th {USENIX} Workshop on Offensive Technologies ({WOOT} 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/woot19/presentation/oflynn},
publisher = {{USENIX} Association},
month = aug,
}