Injecting Permanent Faults into the Flash Memory of a Microcontroller with Laser Illumination During Read Operations

Abstract

Microcontrollers embed an integrated Flash memory which has been proven to be vulnerable to certain hardware attacks. The Flash memory stores the microcontroller unit (MCU) firmware and, eventually, security related data such as passwords and cryptographic keys. Recent research works report the use of Laser Fault Injection (LFI) to corrupt the firmware at run time by targeting the Flash memory during its read operations. These faults, induced on a single bit and following a bit-set fault model, are non-permanent: the data stored in the Flash remain unchanged while only their read copies are corrupted. In this work, we report an extension of this model on the Flash memory of a 32-bit MCU. By compromising the stored data during read operations, we are able to induce permanent faults in the Flash memory. Furthermore, by means of a double-spot LFI, we were able to concurrently induce permanent bit-set faults at two distinct locations. We also present an example of a practical application of this fault model by iteratively changing all the 32 bits of a password to logic "1" while defeating a basic counter for login attempts. Physical related limitations of using multi-laser spots are also covered in this work.