Home > CAPEC List > CAPEC-625: Mobile Device Fault Injection (Version 2.11)  

CAPEC-625: Mobile Device Fault Injection

 
Mobile Device Fault Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 625
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

Adversaries require non-trivial technical skills to create and implement fault injection attacks on mobile devices. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. This prerequisite makes the attack challenging to perform (assuming that physical security countermeasures and monitoring are in place).

+ Solutions and Mitigations

Strong physical security of all devices that contain secret key information. (even when devices are not in use)

Frequent changes to secret keys and certificates.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Extract long-term secret keys (e.g. keys used for VPN or WiFi authentication and encryption) to enable decryption of intercepted VOIP traffic.
+ Technical Context
Architectural Paradigms
Mobile
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2015-11-09Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017