Laser-Induced Fault Injection on Smartphone Bypassing the Secure Boot-Extended Version

Abstract

This paper describes the outcome of a laser attack study on an Android smartphone targeting specifically the secure boot sequence. Laser fault injection has become a classical attack path in the secure chip industry to investigate potential security mitigation. The implementation of such attacks on a recent mobile phone remains relatively unexplored and represents different challenges, both at hardware and software levels. In this paper, we show how the device is crafted to get a direct access to the silicon and explain the corresponding experimental setup. By inserting our own software into the boot sequence, it was possible to achieve a fine characterization of the die sensitivity to laser emissions. With the knowledge of potential perturbations, several attack scenarios were built, allowing to malevolently get the highest level of privilege within the mobile phone.