With PicoEMP Now Anyone Can Induce Exploitable Hardware Faults Using Electromagnetic Pulses
Designed by Colin O'Flynn, built by YOU.
Computers run the code we give them. Sometimes that code does what we expect, and sometimes it does not! The worst case, however, is when the code contains exploitable mistakes that hackers can use to execute something unintended. Even if programmers carefully write code to protect against those attacks, there is another threat to consider: electromagnetic fault injection (EMFI). Using Colin O'Flynn's PicoEMP, anyone from researcher to hobbyist can zap a chip with an electromagnetic pulse and potentially generate an exploitable fault!
"This PicoEMP project is not the ChipSHOUTER. Instead it's designed to present a 'bare bones' tool that has a design optimization focused in rough order of (1) safe operation, (2) cost, (3) usability, (4) performance." — Colin O'Flynn
An EMFI attack generates a large electric field, causing hardware bits to flip. This attack type affects elements internal to a processor, such as its registers or static RAM. If you are new to the idea of an EMFI attack, this article written by O'Flynn is an excellent primer on them (and on how to protect against them).
PicoEMP's core analog circuit is a high-voltage pulse generator. Transformers intended for charging a photographic flashbulb charge a high-capacitance, low-ESR ceramic capacitor. When triggered, the capacitor dumps its energy into an EM-field probe tip. With that seemingly simple action, you have created an electromagnetic fault injection attack!
A key component is the tip, typically some form of coil. For PicoEMP, you must build or source tips on your own. However, if you do create a tip, O'Flynn encourages pull requests to the PicoEMP project repository so that others can make them as well.
Stating the obvious, a high-voltage generator circuit such as this one can be dangerous if misused. Therefore, O'Flynn is upfront that PicoEMP should not be activated unless a protective shield covers the high-voltage generator.
With that warning stated, PicoEMP does contain some test points so you can verify its performance with a DMM or high-voltage oscilloscope probe. These, of course, should be used with extreme caution while the circuit is live!
Alternatively, if you need a professional-grade tool, NewAE Technology sells the ChipSHOUTER. Compared to PicoEMP, ChipSHOUTER provides a much higher voltage with adjustable output, faster recovery time, and probe tips.
O'Flynn says in the demo video that the plan is to sell a PCB with the surface-mount components already attached. You would need to solder a Pi Pico to the board and attach a protective shield. Alternatively, the PCB Gerber files are available if you wish to have your own boards fabricated.
For more information, check out the PicoEMP repository.