Clock Glitching in Device Security Analysis

Clock glitching is a fault injection technique where an attacker—or a security evaluator—deliberately alters a device’s clock signal to induce errors in its normal operation. Although this method was once highly popular in the realm of smart card testing, it eventually became less prominent when many smart cards transitioned to internal clock generators. More recently, however, clock glitching is regaining relevance, as modern systems-on-chip (SOCs) and other embedded devices often rely on external clocks during critical initialization phases. These windows of opportunity allow security evaluators to disrupt the clock signal at just the right moments, potentially exposing vulnerabilities that other testing methods can miss.

At its core, clock glitching involves creating short disturbances—“glitches”—in the clock line. By carefully timing when these glitches occur, testers can modify a device’s operational flow without altering its power supply or injecting invasive energy sources such as electromagnetic pulses or lasers. During normal operation, a device’s digital circuits follow predictable behaviors governed by the rising and falling edges of a steady clock. When one or more of these edges shifts abruptly, or is artificially shortened, it can confuse the circuit into skipping instructions, storing incorrect data, or bypassing security checks.

This approach is not limited to specialized targets like smart cards. In today’s security testing environment, any embedded system that depends on an external clock signal at any point in its lifecycle might be susceptible. For instance, many SOCs initially rely on an external clock at power-up before switching to internal phase-locked loops (PLLs). During that initial phase, if testers introduce even a brief disruptive pulse sequence, the SOC may deviate from its intended boot sequence, possibly ignoring certain security features.

Another intriguing aspect of clock glitching is the potential for remote attacks, particularly if a chip’s PLLs are configurable via software once the operating system boots. In rare cases, misconfiguration of these settings could enable malicious actors to replicate the effects of clock glitching from a distance. While physical access is still the most practical way to introduce faults, the existence of such remote possibilities underscores the importance of thorough hardware security evaluations.

Overall, security evaluators and Red Teams can benefit from adding clock glitching to their arsenal of fault injection methods. Voltage glitching, electromagnetic pulse injection, and laser fault injection each have unique strengths, but clock glitching offers a specificity that is particularly valuable when the vulnerability lies in timing-related pathways. Although it is not a universal solution, finding a single exploitable weakness can unravel an entire security architecture—especially if an adversary can force the device to skip password checks, skip signature verifications, or erroneously grant privileged instructions.

Keysight’s DS1150A Clock Glitcher is a solution designed to provide precision control over normal and glitch clock signals. This hardware can generate two clocks simultaneously, allowing quick switching at user-defined trigger points. With support for a wide frequency range—1 kHz up to 300 MHz—and adjustable voltage levels between –1 V and +4 V, the DS1150A can be tailored to the exact requirements of many embedded systems or connected devices.

By enabling users to supply both normal and glitch clocks in parallel, an evaluator can conduct repeated fault injection experiments under controlled conditions. This could mean steadily tightening a timing window until the device skips an instruction—a sign that the glitch occurred at just the right cycle. Engineers and researchers can then observe the outputs of the target in real time using measurement equipment, verifying whether unintended operations or security bypasses have occurred. The DS1150A’s flexibility in analog front-end design further helps ensure compatibility with various interfaces, whether single-ended or differential clock lines.

One crucial advantage of using a specialized clock glitcher is the precision it offers in glitch generation. A haphazard glitch might simply crash or reset the target device, offering minimal insight into how or why the fault occurred. Precision glitching, however, allows methodical sweeps of different timing points, glitch widths, and voltage levels. This can reveal subtle device characteristics, including how secure bootloaders or cryptographic routines handle out-of-spec conditions.

While clock glitching is powerful, it is important to note that it is usually part of a broader security testing strategy. In practice, evaluators combine multiple fault injection techniques, side-channel analysis approaches, and logical software testing to get a comprehensive overview of a product’s resilience. Nevertheless, clock glitching’s effectiveness, broad applicability, and relatively low invasiveness make it a technique worth revisiting, whether you are a hardware vendor, an independent lab, or a Red Team looking for fresh angles to probe.

If you would like to discuss how clock glitching may be used in your testing environment, feel free to contact us at [email protected]. You can also learn more about Keysight’s DS1150A Clock Glitcher on the official product page.