
David Buchanan Opens a Shell on His Laptop the Hard Way: With a Controlled "Electromagnetic Pulse"

The piezoelectric igniter on a cheap lighter is enough to bit-flip a laptop's memory — if you add a suitable antenna to the data line.

Gareth Halfacree
19 days ago
Security / HW101

Security researcher David "retr0id" Buchanan has successfully exploited software running on a laptop computer to gain a command-prompt shell, by flipping bits in its memory with the piezoelectric igniter from a butane lighter.

"If you solder a ~10cm long 'antenna' wire to a laptop's DRAM data bus, it makes it extra sensitive to electromagnetic interference," Buchanan explains of his experiments, which — self-admittedly — require a somewhat-unsubtle hardware modification to the target device. "So much so that clicking a piezoelectric arc lighter nearby can induce bit-flips."

Opening a shell the hard way: by bit-flipping memory with a piezoelectric igniter. (📹: David Buchanan)

A bit-flip is when a bit of memory changes from 0 to 1, or vice versa, without any software having written to it. Flips can happen naturally, through interactions with cosmic rays, and error-correcting code (ECC) memory was built specifically to detect and correct such single-bit errors. In Buchanan's case, though, the bit-flips are forced by introducing unexpected interference: the burst of electromagnetic and radio-frequency noise you get when you fire a piezoelectric igniter.

The noise from the lighter wouldn't usually be strong enough to affect the laptop's memory, which is where the antenna wire comes in. Connected to the DQ7 data line, it picks up the noise and couples it directly onto the data bus between the memory controller and the RAM, forcing a bit-flip at a specific bit position (bit 7 of a 64-bit word) rather than at an attacker-chosen address; the software side of the attack has to arrange for the data it cares about to be sitting in those bits at the time of the pulse. If all that could do was crash the laptop, it'd be little more than a curiosity, but Buchanan has his lighter doing something more interesting: corrupting memory in such a way that it opens a command-prompt shell on the system.

"When I click the button on a regular piezoelectric cigarette lighter, a small EMP [Electromagnetic Pulse] is generated, which is picked up by the antenna," Buchanan explains. "Running memtest shows several bit-flips occur each time (depending on the distance) and the flip always affects bit 7 of each 64-bit word. I'm 'exploiting' cpython first as a [Proof of Concept] because I'm familiar with cpython's inner workings."
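The memtest observation above, that every flip lands on bit 7 of a 64-bit word, is the kind of signature you would want to check for yourself before building anything on top of the fault. The following is an added example, not Buchanan's code: a small memtest-style scanner that fills a buffer with a known pattern, finds every differing bit, and classifies it by 64-bit word index and bit position within that word (little-endian, so bit 7 of word n is bit 7 of byte 8n). The `inject_flip()` helper is a constructed stand-in for the physical pulse so the script runs on an unmodified machine; on a target with the antenna fitted you would instead call `watch()` and click the lighter.

```python
"""Classify memory bit-flips by 64-bit word and bit position.

Added example, not code from the article or its author. Helper names are
hypothetical; inject_flip() is a constructed stand-in for the EMP.
"""
import time
from collections import Counter

WORD_BITS = 64
WORD_BYTES = WORD_BITS // 8


def make_buffer(nbytes: int, pattern: int = 0x00) -> bytearray:
    """Allocate nbytes filled with one byte pattern. 0x00 makes 0->1 flips
    visible, 0xFF makes 1->0 flips visible; a real memtest runs both."""
    if nbytes % WORD_BYTES:
        raise ValueError("buffer size must be a multiple of 8 bytes")
    return bytearray([pattern & 0xFF]) * nbytes


def scan_for_flips(buf: bytearray, pattern: int, chunk: int = 4096) -> list[tuple[int, int, int]]:
    """Compare buf against its fill pattern.

    Returns (word_index, bit_in_word, direction) for every differing bit,
    with bit_in_word in 0..63 (little-endian word order) and direction +1
    for a 0->1 flip, -1 for 1->0. Clean chunks are skipped with a single
    bytes comparison so large buffers scan quickly.
    """
    expected = pattern & 0xFF
    clean = bytes([expected]) * chunk
    flips = []
    for start in range(0, len(buf), chunk):
        piece = buf[start:start + chunk]
        if piece == clean[:len(piece)]:
            continue
        for i, value in enumerate(piece):
            diff = value ^ expected
            if not diff:
                continue
            word_index, byte_in_word = divmod(start + i, WORD_BYTES)
            for bit in range(8):
                if diff & (1 << bit):
                    direction = 1 if value & (1 << bit) else -1
                    flips.append((word_index, byte_in_word * 8 + bit, direction))
    return flips


def bit_histogram(flips: list[tuple[int, int, int]]) -> Counter:
    """Count flips per bit position. One dominant bucket (e.g. {7: N}) is the
    signature of a single data line, DQ7 in the article, being disturbed."""
    return Counter(bit for _, bit, _ in flips)


def inject_flip(buf: bytearray, word_index: int, bit_in_word: int) -> None:
    """Constructed stand-in for the lighter: toggle one bit in place."""
    byte_in_word, bit = divmod(bit_in_word, 8)
    buf[word_index * WORD_BYTES + byte_in_word] ^= 1 << bit


def watch(buf: bytearray, pattern: int, rounds: int = 3, interval: float = 1.0) -> list[tuple[int, int, int]]:
    """Poll the buffer a few times, like a tiny memtest loop; returns all flips seen."""
    seen = []
    for _ in range(rounds):
        time.sleep(interval)
        seen.extend(scan_for_flips(buf, pattern))
    return seen


if __name__ == "__main__":
    PATTERN = 0x00
    buf = make_buffer(16 * 1024 * 1024, PATTERN)  # 16 MiB test region
    # Simulate the reported behaviour: several flips, all on bit 7 of some word.
    for w in (1000, 123456, 1_500_000):
        inject_flip(buf, w, 7)
    flips = scan_for_flips(buf, PATTERN)
    print(f"{len(flips)} flips; per-bit histogram: {dict(bit_histogram(flips))}")
```

Run it with a 0xFF pattern as well: a line that only ever drives 0->1 (or only 1->0) tells you something about how the interference is coupling, and it also decides which direction of corruption an exploit can rely on.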

That exploit, for which Buchanan has published source code, demonstrates that the bit-flips can be used to corrupt a running program in such a way that it opens a shell. While he admits that "it's a bit pointless because you can just os.system("/bin/sh")", since the proof of concept runs as Python code that could spawn a shell directly, he's working on expanding the project to real-world targets where that isn't an option: web browser JavaScript engines, operating system kernels, and even the Nintendo Switch operating system.

Buchanan's proof-of-concept source code is published as a GitHub gist under an unspecified license.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.