Microsoft's 'unhackable' Xbox One has been hacked by 'Bliss'
Created a voltage drop timed to occur exactly at the key comparison, then a spike at the continuation.
IRL a noop, and forced execution control flow to effectively return true.
B e a utiful
The earliest example I know of for this is CLKSCREW, but security hardware (like for holding root CA private keys) was hardened against this stuff way before that attack.
Has anyone heard of notable earlier examples?
It's fascinating - how does one defend against an attacker or red-team who controls the CPU voltage rails with enough precision to bypass any instruction one writes? It's an entirely new class of vulnerability, as far as I can tell.
This talk https://www.youtube.com/watch?v=BBXKhrHi2eY indicates that others have had success doing this on Intel microcode as well - only in the past few months. Going to be some really exciting exploits coming out here!

You can't. Console makers have these locked-down little systems with all the security they can economically justify... embedded in an arbitrarily-hostile environment created by people who have no need to economically justify anything. It's completely asymmetrical and the individual hackers hold most of the cards. There's no "this exploit is too bizarre" for people whose hobby is breaking consoles, and if even one of those bizarre exploits wins it's game over.
And if you predict the next dozen bizarre things someone might try, you both miss the thirteenth thing that's going to work and you make a console so over-engineered Sony can kick your ass just by mentioning the purchase price of their next console. ("$299", the number that echoed across E3.)
> You can't
It's a moot point; they are not trying to prevent it. They only need to buy enough time to sell games in the lifespan of the hardware, which they did.
> all the security they can economically justify...
It seems like they did a perfect job; it lasted long enough to protect Microsoft game profits.
> how does one defend against an attacker or red-team who controls the CPU voltage rails
The Xbox does have defences against this; the talk explicitly mentions rail monitoring defences intended to detect that kind of attack. It had a lot of them, and he had to build around them. The exploit succeeds because he found two glitch points that bypassed the timing randomisation and containment model.
> It's an entirely new class of vulnerability, as far as I can tell.
It is known as voltage glitching.
If you're interested, our research group applies this to Intel CPUs.
https://download.vusec.net/papers/microspark_uasc26.pdf
Just so you know, hardware hackers have been doing this for 20+ years. Hacking satellite TV (google smart card glitching) was done the same way.
It's more that it's really hard to do security when the attacker has unlimited physical access.
The Xbox 360 was hacked in a simpler but nearly identical way [1]! Amazing that despite the various mitigations, the same process was enough to crack the Xbox One.
RGH 3 is a modern method of the Reset Glitch Hack that uses the SMC in the Xbox 360's southbridge instead of an external glitch chip in order to boot unsigned code. MrMario2011 has video guides for RGH 3 on Falcon/Jasper, Trinity, and Corona motherboards respectively. The guides from Larvs on Xbox 360...
But it took them 4x as long to be successful against the xbone.
I think the security team would call their mitigations a success.
No? It is crowbar voltage glitching, but you're significantly underselling it here. The glitching does not affect key comparisons.
It's a double-glitch. The second glitch takes control of PC during a memcpy. The first glitch effectively disables the MMU by skipping initialization (allowing the second glitch to gain shellcode exec). (I am also skipping a lot of details here; the whole talk is worth a watch.)
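As an added example (not code from the thread, the talk, or the console firmware), here is the standard software-level fault-injection countermeasure for the single-branch key comparison the earlier comments describe: a naive check beside a hardened one that uses constant-time comparison, non-boolean result codes and redundant evaluation. The function names, `KEY_LEN` and the result-code constants are assumptions.

```c
/* Naive vs. fault-hardened key check. The naive form has a single
   branch whose outcome one skipped instruction can flip; the hardened
   form requires several independent checks to agree, so one glitch
   that corrupts a branch or a register still ends in a reject.
   All names and constants here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
#define FI_OK   0x5AA5A55Au  /* result codes chosen far apart in Hamming */
#define FI_FAIL 0xA55A5AA5u  /* distance so a corrupted word hits neither */

/* Naive: one memcmp, one branch deciding accept/reject. */
int verify_key_naive(const uint8_t *key, const uint8_t *expected) {
    if (memcmp(key, expected, KEY_LEN) == 0) return 1;
    return 0;
}

/* Constant-time comparison that yields a magic code rather than 0/1,
   so an early exit or a zeroed register does not read as "match". */
static uint32_t ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0 ? FI_OK : FI_FAIL;
}

/* Hardened: evaluate twice into volatile locals (so the compiler keeps
   both) and demand that every check passes; skipping any single branch
   leaves another one that rejects. */
int verify_key_hardened(const uint8_t *key, const uint8_t *expected) {
    volatile uint32_t r1 = ct_compare(key, expected, KEY_LEN);
    volatile uint32_t r2 = ct_compare(key, expected, KEY_LEN);
    if (r1 != FI_OK)    return 0;
    if (r2 != FI_OK)    return 0;
    if ((r1 ^ r2) != 0) return 0;   /* both evaluations must agree */
    if (r1 == FI_FAIL)  return 0;   /* explicit reject on the fail code */
    return (r1 == FI_OK && r2 == FI_OK) ? 1 : 0;
}
```

In production this is combined with the hardware measures the thread mentions (rail monitoring, timing randomisation), since software redundancy only raises the number of precisely placed faults an attacker needs.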