- The paper demonstrates that voltage fault injection consistently bypasses critical failsafe mechanisms in UAV flight controllers using a dual simulation and hardware approach.
- It employs ARMORY simulations and ChipWhisperer experiments to pinpoint timing windows where faults induce instruction-level vulnerability.
- The findings emphasize the need for hardware-assisted countermeasures in CPS to protect UAV systems against real-world voltage-based attacks.
Exploiting Voltage Fault Injection in UAV Flight Controllers
Introduction
This work rigorously investigates voltage-based fault injection attacks targeting unmanned aerial vehicle (UAV) flight controllers, focusing on the widely deployed PX4-Autopilot architecture. The authors address a critical under-explored attack vector in Cyber-Physical Systems (CPS) security: hardware-level non-invasive fault injection, specifically via precisely timed voltage glitches. By leveraging both simulation (ARMORY for ARM-M binaries) and empirical (ChipWhisperer on STM32) methodologies, the study precisely characterizes timing-sensitive vulnerabilities in the design and implementation of autopilot failsafe mechanisms. The analysis demonstrates that voltage fault injection can systematically bypass, suppress, or alter critical emergency safety logic, resulting in practical scenarios of system takeover or catastrophic denial of intended failsafe actions. The implications for both secure CPS design and UAV operational safety are significant.
Figure 1: A voltage fault injection attack and its potential impacts on embedded system behavior.
Technical Background and Threat Model
Hardware Fault Injection: Principles and Mechanisms
Voltage glitching is highly effective at disrupting digital logic at instruction-level granularity on microcontrollers by causing transient, localized faults—most often manifesting as instruction skips or register corruption. This study highlights the detailed configuration space for successful attacks, emphasizing parameters such as trigger, offset, phase, and glitch width. The underlying vulnerability arises from the tight coupling between voltage stability and synchronous digital execution, enabling malicious manipulation at precisely identified pipeline stages.
PX4-Autopilot Architecture and Failsafe Logic
The PX4-Autopilot is representative of real-world, resource-constrained UAV flight control platforms, typically built on STM32 microcontrollers and equipped with embedded failsafe logic at the firmware layer. The failsafe mechanisms monitor critical sensors (radio, GPS, battery) and enforce protective actions (hold, return-to-launch, emergency land). The integrity of these mechanisms is contingent on both software and hardware soundness, rendering them susceptible to instruction-level fault models introduced by low-level voltage disturbances.
Figure 2: PX4-based UAV architecture; failsafe routines operate within the STM32 MCU.
Threat Model Realism
The assumed adversary installs a miniaturized, stealthy PCB implant within the enclosure of COTS flight controllers. This implant autonomously triggers voltage glitches on the primary supply rail at attacker-profiled execution windows during failsafe logic operation, exploiting physical access points in the supply chain and contextual secrecy provided by device encapsulation.
Dual-Phase Attack Methodology
Software Simulation via ARMORY
ARMORY, an exhaustive ARM-M binary fault simulation framework, allows systematic testing of both instruction and register-level faults targeting failsafe helpers in the PX4 source. Precisely demarcated symbolic windows enable cycle-accurate injection analysis, revealing timing clusters of control-flow vulnerability and detailed downstream behavioral impact categorization.
Empirical Hardware Exploitation
The physical evaluation uses ChipWhisperer-Lite as the glitching engine with STM32F407-Discovery as the target, configured to preserve factory decoupling and achieve non-destructive attacks. Synchronization for precise glitching exploits dual-stage external/internal triggers. Precise monitoring of VDD confirms the physical behavior and temporal dynamics of each glitch-induced fault.
Figure 3: Integrated simulation workflow bridging software-based and hardware-based fault analysis.
Figure 4: Physical setup showing ChipWhisperer fault injection on STM32 hardware.
Figure 5: Coordinated two-stage workflow between glitch target (STM32) and injector (ChipWhisperer).
Experimental Results: Failsafe Exploitation Scenarios
RC Signal Loss: Instruction-Level Control Hijack
Simulations reveal pronounced vulnerability peaks to instruction and register bit-flip faults at cycles 3–4, 24–25, and 50–52 in failsafe helper execution. Empirical hardware results validate the temporal correlation, with successful exploits clustering at offsets of 4 and 5 clock cycles—translating to forced inaction or incorrect error states during RC loss. Notably, the most frequent physical outcome is a total bypass of the failsafe action, aligning with simulation predictions.
Figure 6: Temporal clustering of successful faults in RC Signal Loss handling.
Figure 7: Fault injection outcomes in RC Signal Loss scenario, demonstrating elevated success rates at specific offsets.
Figure 8: Outcome categorization shows dominance of "No Action" or incorrect error states in RC Signal Loss faults.
Figure 9: Fault-induced action distributions, stratified by glitch duration in RC Signal Loss scenario.
Battery Critical: Fault Timing and State Integrity
Simulation identifies primary vulnerable windows at cycles 4–6, 26–27, and 66–69, with secondary, less concentrated susceptibility in intermediate cycles. Hardware results show the highest susceptibility at early and late execution, with larger glitch widths escalating the rate of both successful exploits and resets. Simulation and hardware results correlate strongly in effect, with induced "No Action" states being the modal successful exploit—demonstrating the ability of physical faults to neutralize critical safety enforcement at the decision point.
Figure 10: Temporal distribution of successful faults in the Battery Critical scenario.
Figure 11: Outcome categorization of fault effects for Battery Critical intervention logic.
Figure 12: Mapping of induced failsafe action modes versus external glitch offset for Battery Critical faults.
Battery Emergency: Bypassing Emergency Land
Simulations over an expanded execution context (cycles 0–370) yield an exploitable-outcome rate of roughly 5%, with dense clustering early in the helper logic and a pronounced periodic vulnerability due to processing loops. Hardware exploits achieve success at offset 15 (aligned via cycle calibration), with high density in offsets 13–21. Surprisingly, the dominant result is total inaction (None/Disable) or a mere warning, indicating that physical glitching at key helper decision points frequently disables enforced landing during emergencies, directly contradicting intended failsafe priorities.
Figure 13: Distribution of successful faults in Battery Emergency condition across execution cycles.
Figure 14: Focused analysis shows highest exploitability in initial helper execution cycles for Battery Emergency.
Figure 15: Behavioral outcome distribution for Battery Emergency, with dominance of inactive or downgraded failsafe triggering.
Key Claims and Their Security Implications
The paper demonstrates that voltage fault injection can reliably and repeatedly neutralize high-severity failsafe logic in real PX4 firmware implementations, even with non-invasive and supply-chain-plausible adversary models. The ability to force a drone under RC loss or battery emergency to effectively ignore return-to-launch/land commands highlights a profound security and operational safety risk. Notably, hardware-injected faults result in a high prevalence of "No Action" or "Warn" states at critical windows, directly contradicting safety assumptions embedded in current autopilot implementations.
A strong methodological result is the close correspondence between software-model-predicted and hardware-observed fault windows, validating the ARMORY-based coverage as well as the physical platform calibration.
Implications and Future Directions
CPS Security Hardening
Findings underscore the acute need for robust, hardware-assisted security monitoring in the design of flight controllers. Software-level countermeasures are inadequate in the face of instruction-level, timing-sensitive physical faults. Effective mitigation demands hardware-software co-design, potentially involving side-channel/fault-detection hardware, hardened microarchitectures, execution redundancy, and secure boot-fencing for control transfer logic.
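An added example, not code from the paper or from PX4: a statement-level skip model of a battery failsafe helper, swept one skip site at a time in the spirit of the ARMORY instruction-skip simulation, comparing a naive single-check helper with one that defaults to the safe action and cross-checks redundant encoded copies. The fault model, helper shapes, thresholds and encoding constants are assumptions for illustration, not PX4's actual logic.

```c
#include <stdio.h>

/* Outcome categories, ordered by severity of the enforced action. */
enum action { ACT_NONE = 0, ACT_WARN = 1, ACT_LAND = 2 };

/* Statement-level skip model: fault_idx selects which FAULTABLE site
   is skipped in this run (-1 = golden, fault-free run). */
static int fault_idx = -1, site_counter = 0;
#define FAULTABLE(stmt) do { if (site_counter++ != fault_idx) { stmt; } } while (0)

/* Naive helper (assumed shape): one flag, one branch, safe action only
   reached if every statement executes. A single skip leaves ACT_NONE. */
static enum action naive_helper(int battery_pct, int crit_pct) {
    enum action act = ACT_NONE;
    int critical = 0;
    FAULTABLE(critical = (battery_pct <= crit_pct));
    FAULTABLE(if (critical) act = ACT_LAND;);
    return act;
}

/* Hardened helper (assumed shape): default to the safe action, compute the
   decision twice into encoded copies (0xA5 = critical, 0x5A = ok, 0 = unset)
   and downgrade only when both copies agree that the battery is fine. */
static enum action hardened_helper(int battery_pct, int crit_pct) {
    enum action act = ACT_LAND;
    volatile unsigned c1 = 0u, c2 = 0u;
    FAULTABLE(c1 = (battery_pct <= crit_pct) ? 0xA5u : 0x5Au);
    FAULTABLE(c2 = (battery_pct <= crit_pct) ? 0xA5u : 0x5Au);
    FAULTABLE(if (c1 == 0x5Au && c2 == c1) act = ACT_NONE;);
    return act;
}

typedef enum action (*helper_fn)(int, int);

/* Sweep every skip site once; count runs whose outcome is weaker than
   the golden run's (a failsafe bypass). Skips that only add caution
   (e.g. an unnecessary landing) are not counted as bypasses. */
static int count_bypasses(helper_fn fn, int battery_pct, int crit_pct, int *sites_out) {
    fault_idx = -1; site_counter = 0;
    enum action golden = fn(battery_pct, crit_pct);
    int sites = site_counter, bypasses = 0;
    for (int i = 0; i < sites; i++) {
        fault_idx = i; site_counter = 0;
        if (fn(battery_pct, crit_pct) < golden) bypasses++;
    }
    fault_idx = -1;
    if (sites_out) *sites_out = sites;
    return bypasses;
}

int main(void) {
    int n, h;  /* constructed input: 5% remaining, 10% critical threshold */
    int nb = count_bypasses(naive_helper, 5, 10, &n);
    int hb = count_bypasses(hardened_helper, 5, 10, &h);
    printf("naive: %d/%d skip sites bypass the failsafe\n", nb, n);
    printf("hardened: %d/%d skip sites bypass the failsafe\n", hb, h);
    return 0;
}
```

The model covers single skips only; a glitch that corrupts a register rather than skipping a statement, or two coordinated faults, needs a richer model, which is the gap ARMORY-style simulation and hardware calibration fill.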
Research and AI-Driven Fault Modelling
The dual methodology—integrating ARM binary symbolic execution and empirical glitch characterizations—establishes a robust approach for wider CPS platform evaluation. This framework invites future work on automated search of timing windows for complex, multi-threaded CPS firmware and expansion of simulation capabilities (potentially AI-driven, semantic-aware root-cause analysis) for both validation and automated code patching against hardware-oriented exploits.
Systemic Vulnerability Management
With supply-chain-level attack vectors being plausible at scale, practitioners must reevaluate existing supply channels, device authentication, and update/trust mechanisms for deployed UAVs in critical domains.
Conclusion
This study rigorously establishes that autonomously triggered voltage fault injection, even under modest adversarial assumptions, is sufficient to defeat critical failsafe logic in a representative, widely used UAV autopilot platform. The research provides a full-stack evaluation from detailed simulation through to practical hardware proof-of-concept, highlighting both the ease of inducing catastrophic states and the inadequacy of current software-only protection paradigms. A paradigm shift toward co-designed, hardware-informed CPS resilience is required to mitigate the substantial risks to mission assurance and physical safety in UAV and broader CPS deployments.
Reference: "Glitch in the Sky: Exploiting Voltage Fault Injection in UAV Flight Controllers" (2604.16699)