The recent flurry of media attention on the ESP32 IoT device attack piqued my interest in secure boot on IoT devices. Espressif has already announced CVE-2019-17391 (here) and published a Security Advisory (here), which will protect future devices, but existing designs already in the field remain vulnerable.
This article isn't a comment on Espressif or its secure boot design; it is a look at what happens when one piece of the secure boot chain is compromised.
What is the attack and should I worry?
The attack was discovered by the security researcher LimitedResults, and the details can be found here. The original write-up is excellent and I'd highly recommend reading it; what follows is only a brief summary.
To start with, the attack requires physical access to the device, which rules it out for most common consumer threat models. With the device in hand, you also need (somewhat) specialized equipment to glitch the chip's supply voltage so that it skips applying the read protection on the key storage, after which the keys can be read out.
While a set of circumstances must line up, the real damage comes from the fact that the key used to validate the first-stage bootloader is a symmetric AES-256 key: the same secret the vendor uses to produce the bootloader's digest is the one the ROM uses to check it. Being able to read this key lets an attacker replace the firmware wholesale, and the device has no way to tell the difference.
I couldn't find a good visual flow for ESP32's Secure Boot, so I put together something based on the original write-up.
In addition to the Secure Boot Key (SBK), there is also a Flash Encryption Key (FEK), but that can be recovered with the same attack, so it isn't necessary for understanding the fundamental attack.
The attack involves glitching the chip's supply voltage at just the right moment, while the read protection of the eFuse block holding the boot key is being established during initialization. Recovering the key takes some statistical analysis over many glitch attempts (see the original article for this), but the attack is very achievable with the provided scripts.
Once you have this key, you can simply re-sign (that is, recompute the digest for) any firmware of your choosing, flash it, and you have permanently taken over the device.
Let's do a thought experiment: you take a long vacation on the sunny beaches of San Diego and come back to find your house was broken into.
Beyond the unauthorized entry itself, it would be far more dangerous if the intruder took the time to replace the firmware on a local device to gain a foothold in your trusted network. You would have a decent chance of noticing a debugger or black box hanging off one of your devices; a hack that leaves nothing physically new in your living space is far harder to notice.
So, what can we learn?
Voltage glitching is a powerful technique for fooling a processor, and while mitigations exist (voltage-glitch detectors, redundant checks, and the like), the unfortunate truth is that they are likely too expensive to implement for this class of device. Given the nature of the attack, I suspect other vendors' parts are susceptible to the general technique; but the damage can be limited significantly if an asymmetric key scheme is used throughout the secure boot flow, because then the only key on the chip is a public one.
The security advisory from Espressif indicates that the newer ESP32-D0WD-V3 silicon ships a ROM whose secure boot (Secure Boot V2, RSA-PSS) is based on asymmetric cryptography. Worst case, an attacker can read out the public key, but that does not let them produce a bootloader the ROM will accept, because the private key is never stored on the chip. It does not make the check itself glitch-proof, however: a fault that skips the signature comparison entirely is a separate problem that asymmetric cryptography does nothing to address.
The one key take-away I'd like to leave you with is that "Secure Boot" isn't a catch-all. Care must be taken to investigate a vendor's specific flow so that you understand, and are comfortable with, the risk if an individual device is compromised in the field.
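To make the difference between the two designs concrete, here is an added example (my own code, not Espressif's ROM or LimitedResults' scripts) that models both secure boot chains discussed above: the symmetric design from the attack summary, where the device holds the same secret the vendor signs with, and the asymmetric design from the advisory, where the device holds only a public key. It assumes nothing about the real chip beyond that shape: HMAC-SHA256 stands in for the AES-based bootloader digest the ESP32 ROM computes, Ed25519 stands in for RSA-PSS, the "bootloader images" are constructed byte strings, and the glitch attack is modelled as the attacker simply obtaining a copy of whatever key sits in eFuse.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in firmware images (not real ESP32 bootloaders); the
// checks below work on any byte string.
var (
	vendorBootloader   = []byte("constructed vendor bootloader v1.0")
	attackerBootloader = []byte("constructed attacker bootloader")
)

// ---- Symmetric chain (the shape of ESP32 Secure Boot V1) ----
// The device keeps the secret SBK in eFuse and recomputes a keyed digest of
// the bootloader at every boot. The vendor's signing step uses the *same*
// key, so whoever holds the SBK is indistinguishable from the vendor.
// Assumption: HMAC-SHA256 stands in for the ROM's AES-based digest.

type symmetricDevice struct {
	sbk []byte // Secure Boot Key burned into eFuse (read-protected, normally)
}

// keyedDigest is both the vendor's "signing" step and the ROM's recomputation.
func keyedDigest(sbk, image []byte) []byte {
	m := hmac.New(sha256.New, sbk)
	m.Write(image)
	return m.Sum(nil)
}

// Verify is what the ROM does at boot on the symmetric design.
func (d symmetricDevice) Verify(image, digest []byte) bool {
	return hmac.Equal(keyedDigest(d.sbk, image), digest)
}

// ---- Asymmetric chain (the shape of Secure Boot V2) ----
// The device stores only the public key; the private key never leaves the
// vendor's signing station. Assumption: Ed25519 stands in for RSA-PSS.

type asymmetricDevice struct {
	pub ed25519.PublicKey
}

// Verify is what the ROM does at boot on the asymmetric design.
func (d asymmetricDevice) Verify(image, sig []byte) bool {
	return ed25519.Verify(d.pub, image, sig)
}

// Outcome records which images each device accepted.
type Outcome struct {
	SymVendorAccepted    bool // legitimate firmware on the symmetric device
	SymAttackerAccepted  bool // attacker firmware after the SBK leaked
	AsymVendorAccepted   bool // legitimate firmware on the asymmetric device
	AsymAttackerAccepted bool // attacker firmware after the public key leaked
}

// RunScenario plays out the post's thought experiment: the attacker glitches
// whatever key sits in eFuse out of the chip and tries to get a replacement
// bootloader accepted on both designs.
func RunScenario() (Outcome, error) {
	var out Outcome

	// Vendor provisioning, symmetric design: one secret, burned into the chip.
	sbk := make([]byte, 32)
	if _, err := rand.Read(sbk); err != nil {
		return out, err
	}
	symDev := symmetricDevice{sbk: sbk}
	out.SymVendorAccepted = symDev.Verify(vendorBootloader, keyedDigest(sbk, vendorBootloader))

	// Glitch attack: read protection is skipped and the SBK is dumped. The
	// attacker now produces a digest exactly as the vendor would.
	leakedSBK := append([]byte(nil), sbk...)
	forgedDigest := keyedDigest(leakedSBK, attackerBootloader)
	out.SymAttackerAccepted = symDev.Verify(attackerBootloader, forgedDigest)

	// Vendor provisioning, asymmetric design: only the public half goes on chip.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	asymDev := asymmetricDevice{pub: pub}
	out.AsymVendorAccepted = asymDev.Verify(vendorBootloader, ed25519.Sign(priv, vendorBootloader))

	// Same glitch: the attacker reads the only key on the chip, the public one,
	// which lets them verify images but not sign them. Their best effort is to
	// sign with a key pair of their own, which the device's public key rejects.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.AsymAttackerAccepted = asymDev.Verify(attackerBootloader, ed25519.Sign(attackerPriv, attackerBootloader))

	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("symmetric : vendor accepted=%v, attacker accepted=%v\n", out.SymVendorAccepted, out.SymAttackerAccepted)
	fmt.Printf("asymmetric: vendor accepted=%v, attacker accepted=%v\n", out.AsymVendorAccepted, out.AsymAttackerAccepted)
}
```

The attacker's steps are identical in both runs; only the kind of key that leaked differs. On the symmetric design the leaked key is sufficient to forge, so the device accepts the attacker's image; on the asymmetric design the leaked public key is useless for forgery, so the same glitch buys the attacker nothing unless they can also defeat the signature check itself.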
Please note that this article reflects my personal views only and is not representative of my employer.