The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs

TL;DR

This paper demonstrates how voltage fault injection can bypass security in Nvidia Tegra X2 SoCs, revealing vulnerabilities in boot security and enabling extraction of sensitive firmware and keys.

Contribution

It uncovers a hidden bootloader in Nvidia Tegra X2 SoCs that can be re-enabled via voltage fault injection, exposing critical security flaws.

Findings

Voltage FI can bypass boot security in Nvidia Tegra X2.

The hidden bootloader can be re-enabled to extract firmware and keys.

System security can be compromised during normal operation.

Abstract

Voltage fault injection (FI) is a well-known attack technique that can be used to force faulty behavior in processors during their operation. Glitching the supply voltage can cause data value corruption, skip security checks, or enable protected code paths. At the same time, modern systems on a chip (SoCs) are used in security-critical applications, such as self-driving cars and autonomous machines. Since these embedded devices are often physically accessible by attackers, vendors must consider device tampering in their threat models. However, while the threat of voltage FI is known since the early 2000s, it seems as if vendors still forget to integrate countermeasures. This work shows how the entire boot security of an Nvidia SoC, used in Tesla's autopilot and Mercedes-Benz's infotainment system, can be circumvented using voltage FI. We uncover a hidden bootloader that is only available to the manufacturer for testing purposes and disabled by fuses in shipped products. We demonstrate how to re-enable this bootloader using FI to gain code execution with the highest privileges, enabling us to extract the bootloader's firmware and decryption keys used in later boot stages. Using a hardware implant, an adversary might misuse the hidden bootloader to bypass trusted code execution even during the system's regular operation.