Raelize Warns of Secure Boot, Flash Encryption Bypass Vulnerability in Selected ESP32 Parts
ESP32 parts based on revision 0 or 1 silicon are vulnerable to attack; anything based on the company's latest revision can be made safe.
Embedded security specialist Raelize has discovered a flaw in Espressif ESP32 microcontrollers which allows those with physical access to bypass the chip's encrypted secure boot functionality β extracting plain-text data from the encrypted flash memory.
"During our Fault Injection research on the ESP32, we gradually took steps forward in order to identify the required vulnerabilities that allowed us to bypass Secure Boot and Flash Encryption with a single EM glitch," the company explains of its research. "Moreover, we did not only achieve code execution, we also extracted the plain-text flash data from the chip."
The flaw, discovered during a long-term analysis of the microcontroller which included previous successful attacks which bypassed secure boot and flash encryption separately, allows for the execution of arbitrary code and access to plain-text flash memory contents β despite the parts having been configured with Secure Boot enabled and the flash memory being encrypted.
"We envisioned that we may be able to leverage the persistence of data in SRAM across warm resets for an attack," the two-man firm states. "The first attack we came up with is to fill the SRAM with code using the UART bootloader and issue a warm reset using the watchdog. Then, we inject a glitch while the ROM code is overwriting this code with the flash bootloader during a normal boot."
"Interestingly, two weaknesses of the ESP32 facilitated this attack. First, the UART bootloader cannot be disabled and is always accessible. Second, the data loaded in SRAM is persistent across warm resets and can therefore be filled with arbitrary data using UART bootloader."
Espressif has confirmed the flaw, but notes that it affects ESP32 parts based on silicon revision 0 and 1, including the ESP32-D0WD, ESP32-D2WD, ESP32-S0WD, and ESP32-PICO-D4; devices based on newer silicon, including the ESP32-D0WD-V3, ESP32-D0WDQ6-V3, ESP32-PICO-V3, ESP32-WROOM-32E, ESP32-WROOM-32UE, ESP32-WROOM-32SE, ESP32-WROVER-E, and the ESP32-WROVER-IE use a newer RSA-based Secure Boot implementation which has the option to permanently disable the vulnerable UART Download Mode via eFuse and thus prevent the attack.
More details on the vulnerability can be found on the Raelize website, or in Espressif's PDF-format security advisory.