Tampering with the flash memory of microcontrollers: permanent fault injection via laser illumination during read operations

Modern microcontroller units (MCUs) often feature integrated flash memory, which has been found to be vulnerable to hardware attacks. This type of memory is used to store critical data, including firmware, passwords, and cryptographic keys, making it a valuable target for attackers. Recent research has demonstrated the use of laser fault injection (LFI) during runtime to corrupt firmware by targeting the flash memory during read operations. However, these faults are non-permanent, as they only affect the read copies of the data without altering the actual data stored in the flash memory, following a bit-set fault model induced on a single bit. In our work, we extend this fault model to the flash memory of a 32-bit MCU, allowing us to induce permanent faults by compromising the stored data during read operations. In addition, we leverage photoemission analysis for target identification and characterization, enhancing the precision of our attack. By utilizing a double-spot LFI technique, we are able to concurrently induce permanent bit-set faults at two distinct locations in the flash memory, increasing the complexity and effectiveness of the attack. We also provide a practical example of how this fault model can be applied, wherein we iteratively change all 32 bits of a password to logic '1', successfully bypassing a basic counter for login attempts. It is important to note, however, that there are physical limitations associated with using multi-laser spots in this context, which we thoroughly discuss in our research. Nonetheless, our approach presents a powerful method for exploiting vulnerabilities in flash memory of MCUs, underscoring the need for robust security measures to protect critical data and mitigate the risks associated with hardware attacks.