Kévin Courdesses Breaks the ESP32-V3, ESP32-C3, and ESP32-C6 Wide Open with a Side-Channel Attack
"There is no software [or] hardware fix available," Espressif warns of vulnerabilities allowing for encrypted flash data exfiltration.
Hardware and embedded software engineer Kévin Courdesses has replicated research into breaking the flash encryption on selected Espressif ESP32 microcontrollers — including the ESP32-C3 and ESP32-C6 — using side-channel attacks to extract data and even bypass secure boot functionality.
"I recently read the Unlimited Results: Breaking Firmware Encryption of ESP32-V3 (Abdellatif et al, 2023) paper," Courdesses explains. "This paper is about breaking the firmware encryption feature of the ESP32 SoC [System on Chip] using a side-channel attack. This was an interesting read, and soon, I wanted to try to reproduce these results. To understand everything about this attack, I wanted to start from scratch, even if it meant sometimes reinventing the wheel."
The original paper, published last year by Ledger researchers Karim M. Abdellatif, Olivier Hériveaux, and Adrian Thillard, detailed an attack against the ESP32-V3 platform in which an attacker with physical access to the device could extract the microcontroller's encryption keys and decrypt the contents of flash — by taking thousands of high-precision power measurements during power-up decryption.
"I wanted to keep things low-cost," Courdesses writes of his — successful — attempts to reproduce the team's results. "This means no five-figure digital oscilloscope could be used, as [is] sometimes the case for such attacks."
Courdesses began by targeting the same ESP32 devices as Abdellatif et al — repeating the team's research but at a considerably reduced cost. For this, Courdesses designed a swappable cartridge-based host board dubbed the ESP CPA and swappable cartridges with each target microcontroller.
Key to the attack's performance is a stable temperature, which each cartridge ensures by including both a temperature sensor and a resistive heating element. Power sampling is handled by an analog-to-digital converter (ADC) sampling at 12MHz, with the target microcontroller underclocked, while an FPGA provides clock timings and a faked external flash device.
After successfully replicating the original research, Courdesses turned to two newer Espressif devices: the ESP32-C3 and ESP32-C6, both released after the company's move to using the free and open source RISC-V instruction set architecture. These, Espressif claimed in the aftermath of the Abdellatif et al paper, use a more complex XTX-AES encryption process — making them more difficult to attack through side-channel vulnerabilities.
More difficult, though, doesn't mean impossible: Courdesses found that a tweaked approach could crack the flash in 128-byte blocks, and that only the first 128 bytes need be controlled in order to bypass secure boot and run arbitrary code to extract the rest of the flash content.
Even specific countermeasures added to the ESP32-C6 proved fallible: "The countermeasures implemented to protect the ESP32-C6 against side-channel attacks don’t appear to be effective," Courdesses concluded. "The masking countermeasure doesn’t seem to have much impact, while the hiding countermeasure can be undermined by guessing the behavior of the crypto-clock."
This isn't the first time Espressif's popular ESP32 range has come under attack. Back in September 2020 embedded security specialist Raelize published details of a security flaw which allowed those with physical access to extract plain-text data from the encrypted flash memory — using a similar fault-injection attack to this most recent research, exploiting a vulnerability Espressif had patched in later silicon revisions.
Courdesses' full project write-up is available on his website; hardware design files for the ESP CPA and its cartridges are also available on his site, with source code published to GitHub under the permissive MIT license.
Espressif has responded to Courdesses' disclosure with a security advisory (PDF), warning that "at present there is no software [or] hardware fix available" but that it plans to "incorporate hardware countermeasures in the chip[s]" to mitigate the vulnerabilities in the future.