Synopsis: Secret keys are embedded in the device's e-fuses and are not readable by normal means because of a protection e-fuse. By measuring current draw during power up an interval is determined to be the time when the CPU is reading the e-fuses. At that time the power supplies are "glitched" from 3.3v to 6v using unspecified patterns from a signal generator. This causes errors in the e-fuse reading, one of which is to make a bank of read protected fuses readable. The read values have errors in them, but multiple runs and statistical error correction can retrieve the actual values.<p>Physical access to the device is required. Security compromise is permanent.
This is an interesting attack, and certainly looks highly successful in terms of allowing a determined hardware hacker to gain root/bootloader access to a device that the manufacturer has attempted to lock them out of. Glitching with a 6V supply on a 3.3V bus is certainly something I'd want to be a little cautious of if the hardware was more expensive than a $10 dev board - I wouldn't buy a $800 IoT fridge and use this to install alternate firmware just for fun, but it's nice to know it's possible in case my fridge stops working because the manufacturer declares it end-of-life. It's just not clear to me if or how this is a bad thing. The author writes:<p>> <i>This FATAL exploit allows an attacker to decrypt an encrypted firmware because he is now in possession of the AES Flash Encryption Key.</i><p>> <i>Worst case scenario, he is now able to forge his own valid firmware (using the Secure Boot Key) then encrypt it (using the Flash Encryption Key) to replace the original firmware PERMANENTLY.</i><p>> <i>This last post closes my security investigation on ESP32, which I consider now as a broken platform.</i><p>Isn't that a good thing for me as a consumer? I like the ability to decrypt and modify my own devices. I like that this is a permanent modification, unlike eg. dd-wrt where you have to prevent the bootloader from overwriting your software with that of the manufacturer.<p>The only thing I can think of that would be really bad is if I had a device with an ESP32 inside physically stolen then reinstalled by an attacker (or a counterfeit sold to me with malicious code from the vendor) and this exploit allowed them to get private data from my network to an Internet location. But they could already just buy or build their own device, ESP32 or not, to do that.<p>This is only bad for draconian IoT manufacturers who want to enforce their terms of service and artificial limitations on hardware they think consumers are leasing but consumers think they are buying.
Some additional info is in Espressif's notification (CVE-2019-17391) which is linked to in the write up:
<a href="https://www.espressif.com/en/news/Security_Advisory_Concerning_Fault_Injection_and_eFuse_Protections" rel="nofollow">https://www.espressif.com/en/news/Security_Advisory_Concerni...</a><p>The fix is in ESP32-D0WD-V3 and ESP32-WROVER-E, but of course that doesn't do you any good if you've already shipped product.
Something about e-fuses seems quite mystical. The idea of a computer program deliberately and permanently damaging its own hardware (or hardware it is attached to) using a mechanism so close to regular operation (current flowing in memory) but for a good reason rather than to cause harm, and in such an information rich way.<p>Different to say a robotic tool using its tooltip to maim itself and different to one robot building another, because at the e-fuse level of detail it’s so much more information sense.<p>Perhaps it’s like a tattoo? Perhaps I’m thinking of the ship tattoos in <i>Surface Detail</i> by Iain M Banks?
I've heard e-fuses in general are vulnerable to optical inspection under polarized light after deliding a part. So if someone capable really wanted to clone a device, it's very possible they already were able to get the e-fuse key values.<p>I once used the e-fuse feature of another part for bootloader integrity. I wasn't worried about encryption, but the part would validate the bootloader integrity when encrypted. If integrity failed, the part would keep searching for a valid image. It was an easy way for some protection against flash corruption.
From the article:<p><i>> I quickly identify a pure HW processing 500us before the beginning of the UART ascii strings ‘ets June 2018’ corresponding to the BootROM process.<p>> This HW activity is probably the eFuses Controller initialisation, and a load of the eFuses values in some dedicated buffer memory, to be used by the Flash controller for further steps).</i><p>How one would come to this specific conclusion without having any prior knowledge of the boot rom ?
Props for the effort, but who expects a cheap china MCU for consumer products to be resilient against glitching attacks? You don’t use that stuff in high-security settings anyway. For consumers products resilient to advanced hardware attacks, I can only think of the iPhone and some consoles. Anything else?
If you're interested in this problem space you should definitely check out the chip whisperer. They make some great hardware for doing this kind of test.<p><a href="https://newae.com/tools/chipwhisperer/" rel="nofollow">https://newae.com/tools/chipwhisperer/</a>
Could this get around a locked bootloader on a Sony Xperia Z5 Compact? (As in, the normal sony-website-enabled bootloader unlock NOT allowed when checking in service menu)<p>If so, there might be a bounty out for it...