-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-022
Product:                   nRF54L15
Manufacturer:              Nordic Semiconductor
Affected Version(s):       nRF Connect SDK v2.9.0-7787b2649840,
                           part ID 0x00054B15, part variant 0x41414230
Tested Version(s):         nRF Connect SDK v2.9.0-7787b2649840,
                           part ID 0x00054B15, part variant 0x41414230
Vulnerability Type:        CWE-1319: Improper Protection against
                           Electromagnetic Fault Injection (EM-FI)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-03-07
Solution Date:
Public Disclosure:         2025-05-23
CVE Reference:             Not yet assigned
Author of Advisory:        Dr. Matthias Kesenheimer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The nRF54 is Nordic Semiconductor's next-generation ultra-low-power
wireless System-on-Chip (SoC) series, designed for Bluetooth Low Energy
(BLE), Thread, Zigbee, and other radio frequency (RF) applications.
Compared to the nRF52 and nRF53 series, it offers higher performance,
improved security, a glitch detector, and multiple cores.

The manufacturer describes the product as follows (see [1]):

"nRF54L15, together with nRF54L10 and nRF54L05, make up the nRF54L
Series. All wireless SoCs in the nRF54L Series integrate an
ultra-low-power multiprotocol 2.4 GHz radio and MCU (Microcontroller
Unit) functionality, featuring a 128 MHz Arm Cortex-M33 processor and
comprehensive peripheral set. The series offers a selection of packages
and memory size options with pin-to-pin compatible QFN packages.
nRF54L15 is suitable for products using Bluetooth Low Energy, Bluetooth
Mesh, Zigbee, Thread, Matter, Amazon Sidewalk, and proprietary 2.4 GHz
protocols. In addition, it can run a Wi-Fi stack for the nRF70 Series
companion ICs."

What makes the nRF54 special is a configurable glitch detector that can
recognize potential fault injection attacks. This built-in tamper
controller is called TAMPC.
However, the glitch detector is currently ineffective against
electromagnetic fault injection attacks, meaning that security-relevant
calculations and internal processor states can be modified.

The tamper controller can do the following:

- Detect internal timing errors to protect against fault injection
  attacks such as voltage spikes or electromagnetic fault injection
  (EMFI).
- Detect external tampering by sending a pseudo-random bit sequence
  (PRBS) pattern to an output pin and ensuring that the same pattern is
  received on an input pin. (This is designed to be connected to an
  external tamper shield that detects when the product is tampered
  with.)
- Detect if tampering occurs during AED and IKG operations (the CRACEN
  detector).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An electromagnetic fault injection (EMFI) attack exploits the
susceptibility of a microcontroller's internal logic to high-intensity
electromagnetic pulses, which can cause transient faults in
computations. By precisely timing an EMFI pulse during a critical
operation, such as an arithmetic calculation or cryptographic
processing, an attacker can induce bit flips, corrupt register values,
or force incorrect branching. This can lead to subtle but exploitable
errors, such as incorrect results in authentication checks, bypassed
security conditions, or compromised cryptographic outputs. Since EMFI
does not require direct electrical contact, it can target even
well-protected chips with limited external access, making it a powerful
technique for fault-based exploitation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To perform an EMFI attack on the nRF54, the NewAE ChipSHOUTER (see [2])
was used in combination with a custom-built CNC table to precisely
position the injection probe over the target device.
The software packages "emfindus" (see [3]) and "findus" (see [4]) were
utilized to control the ChipSHOUTER and the CNC table, and to handle the
communication with the target device. The ChipSHOUTER generates
high-intensity electromagnetic pulses, which are carefully timed to
disrupt the microcontroller's execution at critical moments. A
custom-built trigger board ("Pico Glitcher", see [5]) is used to trigger
the ChipSHOUTER, ensuring precise synchronization with a general-purpose
input/output (GPIO) signal from the nRF54. By iterating through
different positions, pulse parameters, and timing offsets, attempts were
made to induce faults that alter the result of a CRC calculation.

The nRF54 microcontroller was prepared for the attack with a specific
program. The individual steps carried out by this program are as
follows:

1) Initializing the GPIO pins and the universal asynchronous
   receiver-transmitter (UART) connection with the host computer.
2) Configuring and activating the glitch detector (default
   configuration in high-pass filter mode).
3) Sending the current glitch detector configuration via UART to the
   host computer.
4) Activating a GPIO pin to open the glitching window.
5) Performing a CRC calculation over a memory area of 256 bytes.
6) Deactivating the GPIO pin to close the glitching window.
7) Returning the result of the CRC calculation to the host computer.

Using the Python libraries emfindus and findus, a script was created
that initializes the ChipSHOUTER, the CNC table, and the board for
trigger generation ("Pico Glitcher"). After initialization, the
following steps were carried out by the script:

1) Selecting a random parameter point for the next glitch.
2) Arming the Pico Glitcher and the ChipSHOUTER.
3) Waiting for the trigger signal from the nRF54.
4) Triggering the electromagnetic pulse.
5) Reading the result of the CRC calculation via UART.
6) Characterizing the target response and inserting the result into a
   local database.
7) Displaying the target states in a graph using the "analyzer" tool of
   findus.

The following figure shows the target response as a function of the
probe coordinates when the glitch detector of the nRF54 is activated.
Pin position 1 of the microcontroller is labelled 'O'. Areas in which
the microcontroller is reset are shown with '+'. States in which the
CRC calculation could be modified are marked with 'x'.

      y [mm]
      ^
    6 | .........................................
      | .......................................O.
      | .........................................
      | ......................+++++++............
      | ...................+++++++++++++.........
      | ..................++++++++++++++.........
      | ................+++++++++++++++..........
      | .................+++++++++++++...........
      | .................+++++++++++.............
      | .....................xxxxx......+++......
      | ..............................++++++.....
      | ...........................+++++++++.....
      | ..........................++++++++++.....
      | ..........................++++++++++.....
      | ..........................++++++++++.....
      | ...........................+++++++++.....
      | ............................+++++++......
      | ................................+........
      | .........................................
    0 | .........................................
      ------------------------------------------> x [mm]
        0                                       6

The following parameter ranges were used to optimize the EMFI attack:

- x = 2.7 - 3.8 mm
- y = 2.3 - 2.7 mm
- z = 0.1 - 0.4 mm
- pulse width = 90 - 110 ns
- pulse delay = 0 - 310,000 ns
- pulse voltage = 190 V

However, no dependency of the outcome on the pulse width or on the pulse
delay with respect to the trigger signal was observed. With these
parameters, a success rate of 2% for modifying the outcome of a CRC
calculation could be achieved.

This shows that the glitch detector does not reliably detect
electromagnetic pulses and that attackers can thus gain partial control
over the control flow or the results of a calculation.
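The host-side loop of the PoC (steps 1 to 7 of the script) as an added
example; this is not code from the advisory or from the emfindus/findus
projects and does not use their APIs. The hardware-facing steps (probe
positioning, arming the Pico Glitcher and ChipSHOUTER, waiting for the
trigger, reading the UART) are replaced by a constructed simulator whose
geometry, reset banner and 2% fault probability only mimic the shape of
the measured map. Parameter sampling over the ranges listed above,
response classification, the local result store, the success-rate
calculation and the ASCII map in the figure's notation are the real host
logic. The CRC-32 choice is an assumption; the advisory does not name
the CRC variant.

```python
"""Host side of the EMFI campaign from the PoC: added example, not code
from the advisory or the emfindus/findus projects.  Hardware steps are
replaced by a constructed simulator; the rest is real host logic."""
import random
import sqlite3
import zlib
from dataclasses import astuple, dataclass

# Constructed 256-byte region; CRC-32 (zlib) assumed, the advisory names no variant.
TARGET_MEMORY = bytes(range(256))
EXPECTED_CRC = zlib.crc32(TARGET_MEMORY)
RESET_BANNER = b"*** Booting"   # assumed marker the target prints on reboot

# Parameter ranges from the advisory's optimized scan (delay in ns).
OPTIMIZED = dict(x=(2.7, 3.8), y=(2.3, 2.7), z=(0.1, 0.4),
                 width=(90, 110), delay=(0, 310_000), voltage=(190, 190))
FULL_SCAN = dict(OPTIMIZED, x=(0.0, 6.0), y=(0.0, 6.0))   # whole die

@dataclass(frozen=True)
class GlitchParams:
    x: float          # probe position in mm
    y: float
    z: float
    width: int        # pulse width in ns
    delay: int        # delay after the trigger edge in ns
    voltage: int      # pulse voltage in V

def random_params(rng, ranges=OPTIMIZED):
    """Step 1: pick a random point of the search space."""
    return GlitchParams(
        round(rng.uniform(*ranges["x"]), 2), round(rng.uniform(*ranges["y"]), 2),
        round(rng.uniform(*ranges["z"]), 2), rng.randint(*ranges["width"]),
        rng.randint(*ranges["delay"]), rng.randint(*ranges["voltage"]))

def classify(response, expected_crc=EXPECTED_CRC):
    """Step 6: map the UART answer (or its absence) to a target state."""
    if response is None:
        return "timeout"
    if response.startswith(RESET_BANNER):
        return "reset"
    try:
        crc = int(response.strip(), 16)
    except ValueError:
        return "garbled"
    return "expected" if crc == expected_crc else "modified"

class SimulatedTarget:
    """Constructed stand-in for nRF54 + ChipSHOUTER (steps 2 to 5): a reset
    blob above a band where 2 % of pulses flip one bit of the memory."""
    def __init__(self, rng):
        self.rng = rng

    def fire(self, p):
        if 2.4 <= p.x <= 4.6 and 2.8 <= p.y <= 4.6:
            return RESET_BANNER + b" nRF54L15\r\n"
        if 2.7 <= p.x <= 3.8 and 2.3 <= p.y <= 2.7 and self.rng.random() < 0.02:
            faulty = bytearray(TARGET_MEMORY)
            faulty[self.rng.randrange(256)] ^= 1 << self.rng.randrange(8)
            return b"%08x\r\n" % zlib.crc32(bytes(faulty))
        return b"%08x\r\n" % EXPECTED_CRC

def open_results(path=":memory:"):
    """Local result store, one row per glitch attempt."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS results (x REAL, y REAL, z REAL,"
               " width INT, delay INT, voltage INT, state TEXT)")
    return db

def campaign(attempts, seed=0, ranges=OPTIMIZED, db=None):
    """Steps 1 to 6 repeated `attempts` times; returns the result store."""
    rng = random.Random(seed)
    target = SimulatedTarget(rng)
    db = db or open_results()
    for _ in range(attempts):
        p = random_params(rng, ranges)
        db.execute("INSERT INTO results VALUES (?,?,?,?,?,?,?)",
                   astuple(p) + (classify(target.fire(p)),))
    db.commit()
    return db

def success_rate(db, state="modified"):
    total = db.execute("SELECT COUNT(*) FROM results").fetchone()[0]
    hits = db.execute("SELECT COUNT(*) FROM results WHERE state = ?",
                      (state,)).fetchone()[0]
    return hits / total if total else 0.0

def render_map(db, size_mm=6.0, cells=40):
    """Step 7: the figure's notation ('+' reset, 'x' modified, '.' no
    effect); a modified result outranks a reset in the same cell."""
    rank = {"reset": 1, "modified": 2}
    grid = [[0] * cells for _ in range(cells)]
    for x, y, state in db.execute("SELECT x, y, state FROM results"):
        col = min(int(x / size_mm * cells), cells - 1)
        row = min(int(y / size_mm * cells), cells - 1)
        grid[row][col] = max(grid[row][col], rank.get(state, 0))
    return "\n".join("".join(".+x"[c] for c in grid[r])
                     for r in reversed(range(cells)))   # y grows upward

if __name__ == "__main__":
    print(render_map(campaign(40_000, seed=1, ranges=FULL_SCAN)))
    print(f"success rate: {success_rate(campaign(5_000, seed=1)):.2%}")
```

Run stand-alone, the script prints a map in the figure's notation for a
full-die scan and the success rate over the optimized ranges. Against
real hardware, `SimulatedTarget.fire` is the single place a campaign
script would arm the Pico Glitcher and the ChipSHOUTER, block until the
GPIO trigger, and read the UART line; keeping the classification and the
store separate from that call is what makes the 2% figure reproducible
from the database rather than from a log.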
Under certain circumstances, this can have an impact on
security-relevant applications that are executed on the nRF54.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-07: Vulnerability discovered
2025-03-10: Vulnerability reported to manufacturer
2025-05-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Nordic Semiconductor's nRF54L15
    https://www.nordicsemi.com/Products/nRF54L15
[2] NewAE ChipSHOUTER
    https://www.newae.com/products/nae-cw520
[3] emfindus Python package
    https://pypi.org/project/emfindus/
[4] findus (fault-injection-library) Python package
    https://pypi.org/project/findus/
[5] Pico Glitcher
    https://www.tindie.com/products/faulty-hardware/picoglitcher-v21/
[6] nRF54L15 glitch detector documentation
    https://docs.nordicsemi.com/bundle/ps_nrf54L15/page/chapters/power-and-clock/glitchdet/doc/glitchdet.html
[7] SySS Security Advisory SYSS-2025-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-022.txt
[8] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Matthias Kesenheimer of
SySS GmbH.

E-Mail: matthias.kesenheimer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Kesenheimer.asc
Key ID: 0x15E203385E96D04E
Key Fingerprint: B259 18D6 49F6 FD35 8F5E 485E 15E2 0338 5E96 D04E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEslkY1kn2/TWPXkheFeIDOF6W0E4FAmguxPYACgkQFeIDOF6W
0E40PQv8DR4ddocJlpgQycBWorhBoWo/3s04ynxojSkqvh9vLnLw9UNg5Qk1mZQb
xsoiu7n00jrOlL9IT3tlymA6CYe5bNvlKuw4WMHUpDHkscrkb3jLe6VvGjDvupsc
obtSgPjO9lV3KwWM2aK1fJC0sDcA0L9fTg6FDL8n0oJo+w/O7zMw9rx5RaIAzUkM
slM2dKR3nC8Ans4lFZB6IKNvDQL3X8OfqJxqF+/S4KOX3uWOzsZtKDYaz2N0ylEV
KCOf4n3pAR2nxgTA3kyJsrtC82eR3zBmSKfWRc1fgWzIc2vzyYHQbUXOfYaa4LO2
Y/qVefdIr5oCfKqfUxizEggKGHoVJdfY9r1N6qAhTf+aw5mc1xoj4vEuZ16HRf0F
xxf4bkmJ2XfEVDVM69iBMw5yvXvmltM5CzcBKnoqoLWzRNwEYOixXVllUQxPvfhh
rYvxqSOUV30iXttVHa/KDwhZ4+qPfG6YTjTP4RZEKkGwgbwO+4VEx3o3wX/wZXKd
rEVfh1kG
=GGs6
-----END PGP SIGNATURE-----