Fraktal Unveils a Low-Cost Open Source Raspberry Pi Pico-Powered Laser Fault Injection Rig

Blast your target chip with a high-powered laser and see if you can't bypass its security systems, in $550 or less.

Finnish cybersecurity firm Fraktal has released a design for a laser fault injection (LFI) system for investigating the security systems in modern integrated circuits, buildable for under $500 — and powered by a Raspberry Pi Pico.

"Laser fault injection (LFI) has long been a domain only accessible to labs and research institutions with equipment worth hundreds of thousands of Euros," claims Fraktal's Janne Taponen. "Today we are breaking down those barriers by open-sourcing all of our laser fault injection research and releasing a laser fault injection rig that anyone can build for less than €500 [around $550]. Along with our methods, we will demonstrate how to successfully perform laser fault injection attacks to bypass firmware protections, authentication, and other feats previously achievable only in specialist labs."

A clever approach to laser fault injection (LFI) makes it accessible to hackers on a sub-$550 budget. (📹: Fraktal)

The idea behind fault injection is simple: security systems in everything from basic microcontrollers up to high-performance server processors rely on everything working as expected. By deliberately introducing a fault into the system, it's possible to invalidate that assumption — and, if all goes well, break the security and do something unexpected. Typically, fault injection revolves around glitching the power supply or exposing the chip to radio-frequency or electromagnetic radiation outside of its rated operating specifications — but LFI opts for laser pulses instead.

"Laser Fault Injection (LFI) is a technique used to introduce faults into a semiconductor device, such as a microcontroller, by precisely targeting its silicon die with a laser," Taponen explains. "This process disrupts the normal operation of a chip, often allowing bypassing of security mechanisms such as code readout protection."

Typically, doing this requires extremely expensive equipment — putting such experimentation out of the reach of hobbyist hackers and tinkerers. Fraktal's system, though, is affordable — replacing expensive high-precision XY stages with moving mirrors controlled by a Raspberry Pi Pico. "By turning a precision attack into an opportunistic one," Taponen adds of the company's approach to the problem, "we have managed to work around most of the limitations and make it possible to perform the attacks without the need to have nanosecond time accuracy and nanometer positional precision."

Fraktal isn't the only one designing new tools for fault injection attacks. The timing of the company's release is the result of the announcement of NetSPI's RayV Lite at the Black Hat USA security conference this month, a similarly-priced laser fault injection system — though one for which, at the time of writing, design files had not yet been published. Aaron Christophel, meanwhile, has been automating the process of electromagnetic pulse (EMP) fault injection with a Raspberry Pi Pico — and Matthias Kesenheimer has used the same microcontroller to build the PicoGlitcher for voltage fault injection attacks.

There are caveats in Fraktal's approach, though. The first is that the silicon die of the chip has to be exposed to the laser, which for everything except back-side packaged parts means the careful and entirely unsubtle mechanical or chemical removal of material without damaging the underlying silicon die. The second is the risk involved in shining a high-power 1,064nm infrared laser at mirrors — potentially scattering an invisible beam that can cause rapid and disastrous eye damage.

For those not put off by the risks, the first of a planned series of blogs introducing the system has been published by Fraktal; hardware design files and MicroPython source code are available on GitHub under the permissive MIT license.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.