Low-Cost Setup for Localized Semi-invasive Optical Fault Injection Attacks

How Low Can We Go?
  • Oscar M. GuillenEmail author
  • Michael Gruber
  • Fabrizio De Santis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10348)


Localized semi-invasive optical fault attacks are nowadays considered to be out of reach for attackers with a limited budget. For this reason, they typically receive lower attention and priority during the security analysis of low-cost devices. Indeed, an optical fault injection setup typically requires expensive equipment which includes at least a laser station, a microscope, and a programmable X-Y table, all of which can quickly add up to several thousand euros. Additionally, a careful handling of toxic chemicals in a protected environment is required to decapsulate the chips under test and gain direct access to the die surface. In this work, we present a low-cost fault injection setup which is capable of producing localized faults in modern 8-bit and 32-bit microcontrollers, does not require handling hazardous substances or wearing protective eyeware, and would set back an attacker only a couple hundred euros. Finally, we show that the type of faults which are obtained from such a low-cost setup can be exploited to successfully attack real-world cryptographic implementations, such that of the NSA’s Speck lightweight block cipher.


Fault injection Semi-invasive Optical fault attacks Backside Microcontrollers Embedded devices Speck 



We thank the anonymous reviewers for their valuable comments and suggestions. This work was performed while Oscar M. Guillen was a research assistant at the Chair of Security in Information Technology of the Technische Universität München.


  1. 1.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. IACR Cryptol. ePrint Arch. 2004, 100 (2004)Google Scholar
  2. 2.
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The Simon and speck families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013).
  3. 3.
    Boit, C., Schlangen, R., Glowacki, A., Kindereit, U., Kiyan, T., Kerst, U., Lundquist, T., Kasapi, S., Suzuki, H.: Physical IC debug - backside approach and nanoscale challenge. Adv. Radio Sci. 6, 265–272 (2008)CrossRefGoogle Scholar
  4. 4.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). doi: 10.1007/3-540-69053-0_4 Google Scholar
  5. 5.
    Breier, J., Jap, D.: Testing feasibility of back-side laser fault injection on a microcontroller. In: Proceedings of the 10th Workshop on Embedded Systems Security, WESS 2015, Amsterdam, The Netherlands, 8 October 2015, p. 5 (2015)Google Scholar
  6. 6.
    Huang, A.B.: Hacking the PIC 18f1320 (2007). Accessed 1 Dec 2016
  7. 7.
    Dehbaoui, A., Dutertre, J.-M., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, 9 September 2012, pp. 7–15 (2012)Google Scholar
  8. 8.
    Hanft, F.: Entwicklung eines prototypen zur verhaltensanalyse von chipkarten bei fault injection attacks (2016). Accessed 26 Mar 2017
  9. 9.
    Huo, Y., Zhang, F., Feng, X., Wang, L.-P.: Improved differential fault attack on the block cipher speck. In: 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 28–34. IEEE (2015)Google Scholar
  10. 10.
    Neve, M., Peeters, E., Samyde, D., Quisquater, J.-J.: Memories: a survey of their secure uses in smart cards. In: 2nd International IEEE Security in Storage Workshop (SISW 2003), Information Assurance, The Storage Security Perspective, 31 October 2003, Washington, DC, USA, pp. 62–72 (2003)Google Scholar
  11. 11.
    O’Flynn, C., Chen, Z.D.: ChipWhisperer: an open-source platform for hardware embedded security research. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 243–260. Springer, Cham (2014). doi: 10.1007/978-3-319-10175-0_17 Google Scholar
  12. 12.
    Schmidt, J.-M., Hutter, M.: Optical and EM fault-attacks on CRT-based RSA: concrete results. In: Posch, K.C., Wolkerstorfer, J. (eds.) Austrian Workshop on Microelectronics - Austrochip 2007, Graz, Austria, 11 October, pp. 61–67. Verlag der Technischen Universität Graz, October 2007. ISBN 978-3-902465-87-0Google Scholar
  13. 13.
    Schmidt, J.-M., Hutter, M., Plos, T.: Optical fault attacks on AES: a threat in violet. In: Naccache, D., Oswald, E. (eds.) Fault Diagnosis and Tolerance in Cryptography - FDTC 2009, 6th International Workshop, Lausanne, Switzerland, 6 September 2009, pp. 13–22. IEEE-CS Press (2009)Google Scholar
  14. 14.
    Skorobogatov, S.P.: Semi-invasive attacks - a new approach to hardware security analysis. Ph.D. thesis, University of Cambridge (2005)Google Scholar
  15. 15.
    Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003). doi: 10.1007/3-540-36400-5_2 CrossRefGoogle Scholar
  16. 16.
    Smith, Z.J., Chu, K., Espenson, A.R., Rahimzadeh, M., Gryshuk, A., Molinaro, M., Dwyre, D.M., Lane, S., Matthews, D., Wachsmann-Hogiu, S.: Cell-phone-based platform for biomedical device development and education applications. PLoS ONE 6(3), 1–11 (2011)Google Scholar
  17. 17.
    Van Woudenberg, J.G., Witteman, M.F., Menarini, F.: Practical optical fault injection on secure microcontrollers. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2011, Tokyo, Japan, 29 September 2011, pp. 91–99 (2011)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Oscar M. Guillen
    • 1
    Email author
  • Michael Gruber
    • 2
  • Fabrizio De Santis
    • 2
  1. 1.Giesecke & Devrient GmbHMunichGermany
  2. 2.Chair of Security in Information TechnologyTechnische Universität MünchenMunichGermany

Personalised recommendations