Voltage Glitching and Fault Injection on Embedded Devices
A secure-boot check or a password comparison is just a few CPU instructions. Drop the supply voltage for a few nanoseconds at exactly the right moment and the chip can skip one of them. Voltage glitching is how attackers bypass checks that are cryptographically sound but physically exposed. Here is how the attack works and how silicon resists it.
Why a Perfect Check Still Fails
Cryptography assumes the processor faithfully executes every instruction. Fault injection breaks that assumption. A brief, precisely timed voltage dip can cause a single instruction to misexecute, skipping a branch or corrupting a comparison. The math was never attacked; the machine running it was.
Step 1: Find the Target and Trigger
Identify the check you want to bypass, then find a signal that fires just before it, such as a GPIO toggle or a pattern on the bus. That trigger is what lets you place the glitch with cycle accuracy rather than guessing.
Step 2: Sweep the Glitch Parameters
A glitch is defined by a handful of numbers: how long after the trigger, how wide, where in the clock period, and how many. The attack is an automated sweep across them:

    # scope, target and log are assumed to be set up earlier in the session
    for ext in range(800, 900):
        scope.glitch.ext_offset = ext
        scope.glitch.width = 4.2
        target.write('unlock\n')
        if target.read() == 'OK':
            log(ext)

    sweeping ext_offset 800..900 ...
    Glitch SUCCESS at ext_offset=841 width=4.2 offset=-1.1
    Device returned: OK (auth bypassed)
One combination in the sweep made the device accept an unlock it should have rejected. That is the bypass, and once found it usually reproduces reliably.
Three Things a Glitch Can Do
The effect is always the same primitive, a corrupted instruction, but the impact varies:

Defending Against Fault Injection
Defenses make a single fault insufficient: check critical conditions twice and compare, add random delays so the attacker cannot time the glitch, use a voltage and clock monitor that resets on a detected fault, and never gate a security decision on one branch. Hardware with built-in glitch detection raises the bar substantially.
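As an added example (not code from the original page), the C code below applies the software defenses listed above to a PIN check: the comparison runs twice with random delays between passes, the result defaults to failure, and success requires two separate branches to agree. The names check_pin, ct_diff, random_delay and fault_detected are hypothetical, rand() stands in for a hardware random source, and the complementary result codes are an added hardening choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Complementary result codes (assumption, not from the page): a zeroed
   register or a single flipped bit cannot turn AUTH_FAIL into AUTH_OK. */
#define AUTH_OK   0x3CA5965Au
#define AUTH_FAIL 0xC35A69A5u

/* Hypothetical fault hook: on real hardware this would reset or lock the
   device, the same reaction a voltage/clock monitor would trigger. */
static volatile unsigned fault_count;
static void fault_detected(void) { fault_count++; }

/* Random delay so the check does not sit at a fixed offset from any trigger.
   rand() is a stand-in for a hardware TRNG (assumption). */
static void random_delay(void) {
    volatile unsigned n = (unsigned)rand() & 0x3Fu;
    while (n--) { }
}

/* Accumulate the XOR difference over every byte; no early exit. */
static uint32_t ct_diff(const volatile uint8_t *a, const volatile uint8_t *b,
                        size_t len) {
    uint32_t d = 0;
    for (size_t i = 0; i < len; i++) d |= (uint32_t)(a[i] ^ b[i]);
    return d;
}

uint32_t check_pin(const uint8_t *input, const uint8_t *expected, size_t len) {
    volatile uint32_t result = AUTH_FAIL;      /* fail closed by default */
    random_delay();
    volatile uint32_t d1 = ct_diff(input, expected, len);
    random_delay();
    volatile uint32_t d2 = ct_diff(expected, input, len);  /* second pass */
    if (d1 != d2) {            /* the two passes disagree: a fault occurred */
        fault_detected();
        return AUTH_FAIL;
    }
    if (d1 == 0) {             /* first branch */
        random_delay();
        if (d2 == 0) result = AUTH_OK;   /* second branch must also agree */
        else fault_detected();
    }
    return result;
}
```

Skipping any single instruction here leaves the result at AUTH_FAIL or trips fault_detected; bypassing the check takes two correctly timed faults separated by a random delay.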
Where This Fits
Fault-injection testing, proving whether a product’s secure boot or authentication survives a glitch, is part of a hardware product security assessment. That lab work is the kind of work we do at Berkner Tech.