Glitching Secure Boot in a faster and smarter way: how to reduce attack time to milliseconds.
A group of hardware security researchers under the name CloudHunter Tense Lab present their research on attacking Secure Boot, focusing specifically on how to more precisely locate Secure Boot verification timing in hardened systems (no UART logs and no visible means of identifying the execution flow).
The idea is quite creative: if there are no logs, analyze the peripheral devices - in this case, eMMC signals such as GND, D0, and CLK. The authors also use an EM probe near the CPU to capture electromagnetic leakage.
Using this technique, the authors argue that the attack time can be reduced to roughly the millisecond scale (previously, almost the entire boot sequence was the target). The main impact is that glitching becomes much faster.
Super interesting and very useful, especially if you perform these attacks for a living. Not an entry-level presentation, but I'm sure you'll enjoy it!
More details:
When Flash Reveals Its Secrets: Advanced Glitching Leveraging Hidden CPU–eMMC Behavior [PDF]: https://i.blackhat.com/Asia-26/Presentations/BHAS26-Zhang-When-Flash-Reveals-Its.pdf
Fault attacks [GitHub]: https://github.com/xcatx9527/wfm_cmp


