Professional Documents
Culture Documents
US 22 ABDELLATIF Unlimited Results Breaking Firmware Encryption
US 22 ABDELLATIF Unlimited Results Breaking Firmware Encryption
1
Espressif, ”Espressif Achieves the 100-Million Target for IoT Chip Shipments”, 2018
2
https://blockstream.com/jade/ 2
Motivation
1
Espressif, ”Espressif Achieves the 100-Million Target for IoT Chip Shipments”, 2018
2
https://blockstream.com/jade/ 2
ESP32-V1 vs ESP32-V3
ESP32-V1
3
LimitedResults, ”Fatal Fury On ESP32: Time to Release HW Exploits”, Blackhat Europe 2019 3
ESP32-V1 vs ESP32-V3
ESP32-V1 ESP32-V3
• Flash encryption and secure boot were • In the market since 2020 as a reaction
broken by LimitedResults3 in 2019 against the previous attack
• During the power-up eFuse protection • New secure boot mechanism
bits are manipulated • It is hardened against fault injection
• The main idea is to glitch the chip attacks in hardware and software as
during the power-up announced by the vendor
3
LimitedResults, ”Fatal Fury On ESP32: Time to Release HW Exploits”, Blackhat Europe 2019 3
Outline
EMFI on ESP32-V1
EMFI on ESP32-V3
Practical Attack
• Secure boot
• Flash memory encryption
• 1024-bit OTP, up to 768 bits for
customers
• Cryptographic hardware accelerators:
AES, SHA-2, RSA, Elliptic Curve
Cryptography (ECC), and Random
Number Generator (RNG)
• esptool4 can be used to configure the
above features
Source: Espressif
4
https://github.com/espressif/esptool 6
eFuse organization
7
Secure boot V1
0x1000
0x00
Digest
Bootloader || Public key
Digest = SHA-512(AES-256((Bootloader ∥ public key ), BLK 2)))
Flash
(1)
1 b u r n e f u s e ABS DONE 0
SHA-512 AES-256 Key
CMP
eFuse BLK2
Continue or Not
Signature verification
8
Flash encryption
SPI Interface
Cache
performed ESP32 CPU AES-256
Bootloader = ota_data_initial =
1 b u r n k e y f l a s h e n c r y p t i o n encKey . b i n Firmware =
partition-table =
2 b u r n e f u s e FLASH CRYPT CONFIG 0 x f
3 b u r n e f u s e FLASH CRYPT CNT
Flash decryption
9
LimitedResults attack
10
FAULT INJECTION SETUP
Fault attacks
5
Albert Spruyt and Niek Timmers, ”Bypassing Secure Boot Using Fault Injection”, Black Hat
Europe 2016.
6
Yifan Lu, ”Attacking Hardware AES of PlayStation with DFA”, 2019 12
Electromagnetic injection
7
Karim Abdellatif and Olivier Hériveaux , ”SiliconToaster: A Cheap and Programmable EM Injector
for Extracting Secrets”, FDTC 2020. 13
A PCB for ESP32
Fabricated PCB
14
Setup
EM setup
8
Olivier Heriveaux, ”https://github.com/Ledger-Donjon/scaffold” 15
Attack Plan
16
EMFI ON ESP32-V1
Glitchable application
18
Successful faults
• EM pulse = 500V
• Positive polarity
• 500 trials per spot
• Motor step = 0.2mm
Vulnerable spots
After being sure from the setup settings, next step is to attack the eFuse slots.
19
eFuse attack of ESP32-V1
1 b u r n k e y f l a s h e n c r y p t i o n encKey .
bin
2 b u r n e f u s e FLASH CRYPT CONFIG 0 x f
3 b u r n e f u s e FLASH CRYPT CNT
20
Attack scenario
Attack scenario
21
Successful faults
Experiment log
22
Successful faults
23
Discussion on ESP32-V1
24
EMFI ON ESP32-V3
Recapping Espressif’s countermeasures
26
Glitchable application
Glitchable code
27
Successful faults
• EM pulse = 500V
• Positive polarity
• 500 trials per spot
• Motor step = 0.2mm
Vulnerable spots
This confirms that ESP32-V3, is not hardened against fault injection attacks.
28
eFuse attack of ESP32-V3
1 b u r n k e y f l a s h e n c r y p t i o n encKey .
bin
2 b u r n e f u s e FLASH CRYPT CONFIG 0 x f
3 b u r n e f u s e FLASH CRYPT CNT
29
eFuse attack of ESP32-V3
1 b u r n k e y f l a s h e n c r y p t i o n encKey .
bin Power-up of ESP32-V3
2 b u r n e f u s e FLASH CRYPT CONFIG 0 x f
3 b u r n e f u s e FLASH CRYPT CNT
29
eFuse attack of ESP32-V3
1 b u r n k e y f l a s h e n c r y p t i o n encKey .
bin Power-up of ESP32-V3
2 b u r n e f u s e FLASH CRYPT CONFIG 0 x f
3 b u r n e f u s e FLASH CRYPT CNT
Power-up of ESP32-V1
29
Attack plan
Multiple faults
30
Multiple Faults
Spots of Timeout
31
Discussion on ESP32-V3
32
BREAKING FIRMWARE ENCRYPTION BY SCAS
Moving to another attack path
• Motivation
• A difficult attack using fault injection because
of the boot ROM countermeasures
• Another attack path
• A SCA on the flash encryption mechanism
• Targeting the encryption process during the
power up
• Controlling the flash content to perform a
CPA
34
Leakage detection
Var (E (x|y ))
SNR = (2)
E (Var (x|y ))
9
S. Bhasin, J. Danger, and S. Guilley , ”NICV: Normalized Inter-Class Variance for Detection of
Side-Channel Leakage”, SEC 2014 35
Correlation Power Analysis (CPA10 )
Measurements
m
T#1
T1 0 1 L
T#2 T2 0 1 L
Key = 0 0 1 L
255
T#n Tn 0 1 L
Key = 1 0 1 L
Model Correlation
Key = 0
Key = 1 m1 0 1 255 Key = 255 0 1 L
Key = 256
+ S-box HW m2 0 1 255
Max()
Plaintext 1
Plaintext 2
Plaintext n
mn 0 1 255
Key = 0xAA
10
E. Brier, C. Clavier, and F. Olivier , ”Correlation Power analysis with a leakage model”, CHES 2004 36
Side-channel attack setup
SC setup
37
Flash encryption
Flash
SPI Interface
performed
Cache
ESP32 CPU AES-256
Flash decryption
38
Flash decryption during power-up
39
Scenario
40
SNR on zone A
SNR on Ciphertexts
43
CPA results
45
Power traces with flash emulator
46
CPA result
Success rate
48
Activating all security features
1 Secure boot
2 UART disable
49
Success rate
50
PRACTICAL ATTACK
Jade wallet
11
https://github.com/Blockstream/Jade
12
https://github.com/Blockstream/blind pin server 52
Success rate
53
Jade wallet
54
Jade wallet
54
VENDOR REPLY AND CONCLUSION
Espressif’s reply
Espressif’s advisory
56
Conclusion
57
Conclusion
57
Conclusion
57
THANK YOU. QUESTIONS?
58