Pwn the ESP32 Forever

bitwelder:
Cool, security researchers are beginning to dig deep into ESP32 architecture as well,
finding h/w flaws:

https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/


--- Quote ---In this report, I disclose a full readout of protected E-Fuses storing two secret keys, one used for Flash Encryption (BLK1) and the other for the Secure Boot (BLK2).

This attack cannot be patched by the vendor on existing devices. It’s a FOREVER pwn.
--- End quote ---

GeorgeOfTheJungle:
Paper courtesy of NXP/ST/TI/ARM :-)

OwO:
I can't think of any MCU where code encryption isn't broken though. It is an inherently hard problem and any sane engineer should assume physical access = root. I'm only concerned about remote code execution or other privilege escalation vulnerabilities.

artag:
Totally agree.

This might be a problem to those neanderthals that still think keeping their code secret is both viable and useful, but the only way it exposes end users is with the possibility of replacing code on their device with an unauthorised trojan. Which could be done just as easily, if physical access is available, by simply replacing the device.

janoc:

--- Quote from: artag on November 14, 2019, 12:54:58 pm ---Totally agree.

This might be a problem to those neanderthals that still think keeping their code secret is both viable and useful, but the only way it exposes end users is with the possibility of replacing code on their device with an unauthorised trojan. Which could be done just as easily, if physical access is available, by simply replacing the device.

--- End quote ---

Do you mean 90% of the software world by those "neanderthals"? Because having the software out in the open is not that common.

The issue is that a trojan could potentially be deployed remotely, through another, remotely exploitable and by itself not very dangerous flaw. Such attacks are pretty routine these days. That something requires local access to exploit doesn't make it any less problematic.

Also, not every exploit is there to turn the device into a botnet zombie or to steal the end user's data. Sometimes stealing the firmware or breaking into the device itself is more valuable. People on this forum regularly complain about Chinese cloners ripping them off, so I would assume something like that could be quite an issue? Also, the flash on these devices often contains things such as wifi keys/passwords, making an easy-to-break IoT device an ideal target for gaining access into the network.
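
janoc's last point is the practical consequence of the key readout: once the BLK1 flash-encryption key is known, the flash image decrypts to an ordinary ESP-IDF NVS partition, and its contents can be walked offline. The script below is an added example, not code from the thread, from the linked report or from Espressif. It parses the NVS page/entry layout as documented by ESP-IDF (4096-byte pages, 32-byte page header, 32-byte entry-state bitmap, 126 entries of 32 bytes) and runs over a one-page image constructed in the same script. The namespace and key names ("wifi", "ssid", "pass", "boots") are invented for the demo; the real Wi-Fi driver uses its own namespace and key names. The CRC-32 seeding (zlib with a 0xFFFFFFFF start value) is an assumption about how NVS seeds its checksum; check it against the nvs_partition_gen.py shipped with your IDF version before trusting the parser on a real dump. The same walk is useful defensively, to audit which secrets a build actually leaves in flash.

```python
# Added example: walk a decrypted ESP32 NVS image and list every stored key/value.
import struct
import zlib

PAGE_SIZE, ENTRY_SIZE, ENTRIES_PER_PAGE = 4096, 32, 126
# Entry type codes (ESP-IDF nvs_types.h). Integers sit inline in the 8-byte data
# field; strings/blobs keep (size, reserved, crc32) there and the bytes in the
# following span-1 entries.
T_U8, T_I8, T_U16, T_I16 = 0x01, 0x11, 0x02, 0x12
T_U32, T_I32, T_U64, T_I64 = 0x04, 0x14, 0x08, 0x18
T_SZ, T_BLOB, T_BLOB_DATA = 0x21, 0x41, 0x42
INT_FMT = {T_U8: "<B", T_I8: "<b", T_U16: "<H", T_I16: "<h",
           T_U32: "<I", T_I32: "<i", T_U64: "<Q", T_I64: "<q"}


def nvs_crc32(data: bytes) -> int:
    # Assumption: NVS seeds CRC-32 like the ROM's crc32_le(0xffffffff, ...),
    # which zlib reproduces when 0xFFFFFFFF is passed as the start value.
    return zlib.crc32(data, 0xFFFFFFFF) & 0xFFFFFFFF


def entry_crc(raw: bytes) -> int:
    # The entry CRC covers everything except its own 4-byte field at offset 4.
    return nvs_crc32(raw[0:4] + raw[8:32])


def parse_partition(image: bytes):
    """Return [(namespace, key, value)] for every valid written entry."""
    names, found = {}, []
    for off in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[off:off + PAGE_SIZE]
        state, = struct.unpack_from("<I", page, 0)
        hdr_crc, = struct.unpack_from("<I", page, 28)
        if state == 0xFFFFFFFF or nvs_crc32(page[4:28]) != hdr_crc:
            continue  # uninitialised or corrupt page
        bitmap = page[32:64]  # 2 bits per entry: 11 empty, 10 written, 00 erased
        i = 0
        while i < ENTRIES_PER_PAGE:
            st = (bitmap[i // 4] >> ((i % 4) * 2)) & 0b11
            base = 64 + i * ENTRY_SIZE
            raw = page[base:base + ENTRY_SIZE]
            if st != 0b10:
                i += 1
                continue
            ns, typ, span, _chunk, crc = struct.unpack_from("<BBBBI", raw, 0)
            span = max(span, 1)
            if crc != entry_crc(raw):
                i += 1  # torn write: skip just this header
                continue
            key = raw[8:24].split(b"\0", 1)[0].decode("ascii", "replace")
            data = raw[24:32]
            if typ in INT_FMT:
                value = struct.unpack_from(INT_FMT[typ], data, 0)[0]
            elif typ in (T_SZ, T_BLOB, T_BLOB_DATA):
                size, _reserved, data_crc = struct.unpack("<HHI", data)
                payload = page[base + ENTRY_SIZE:base + ENTRY_SIZE + size]
                if nvs_crc32(payload) != data_crc:
                    i += span  # payload damaged: drop header and its data entries
                    continue
                value = (payload.rstrip(b"\0").decode("utf-8", "replace")
                         if typ == T_SZ else payload)
            else:
                value = data  # blob index and unknown types: keep raw
            if ns == 0 and typ == T_U8:
                names[value] = key  # namespace 0 maps index -> namespace name
            else:
                found.append((ns, key, value))
            i += span
    return [(names.get(ns, "ns#%d" % ns), k, v) for ns, k, v in found]


def _entry(ns, typ, span, key, data8):
    raw = bytearray(struct.pack("<BBBBI", ns, typ, span, 0xFF, 0))
    raw += key.encode().ljust(16, b"\0") + data8
    struct.pack_into("<I", raw, 4, entry_crc(bytes(raw)))
    return bytes(raw)


def _string(ns, key, text):
    payload = text.encode() + b"\0"  # NVS stores the terminator and counts it
    span = 1 + (len(payload) + 31) // 32
    head = _entry(ns, T_SZ, span, key,
                  struct.pack("<HHI", len(payload), 0xFFFF, nvs_crc32(payload)))
    return head + payload.ljust((span - 1) * 32, b"\xff")


def build_sample_partition() -> bytes:
    """Constructed one-page image: namespace 'wifi' with invented key names."""
    entries = (_entry(0, T_U8, 1, "wifi", bytes([1]) + b"\xff" * 7)
               + _string(1, "ssid", "HomeNet-2G")
               + _string(1, "pass", "correct horse battery")
               + _entry(1, T_U32, 1, "boots", struct.pack("<I", 42) + b"\xff" * 4))
    bitmap = bytearray(b"\xff" * 32)
    for i in range(len(entries) // ENTRY_SIZE):
        bitmap[i // 4] &= ~(1 << ((i % 4) * 2)) & 0xFF  # 11 -> 10 written
    body = struct.pack("<IB", 1, 0xFF) + b"\xff" * 19  # seq=1, version, unused
    header = struct.pack("<I", 0xFFFFFFFE) + body + struct.pack("<I", nvs_crc32(body))
    return (header + bytes(bitmap) + entries).ljust(PAGE_SIZE, b"\xff")


if __name__ == "__main__":
    for ns, key, value in parse_partition(build_sample_partition()):
        print(f"{ns}/{key} = {value!r}")
```

On a real device you would feed `parse_partition` the decrypted bytes of the `nvs` partition (offset and size from the partition table) rather than the constructed image; entries whose header or payload CRC fails are skipped rather than reported, so a partially erased page does not produce garbage credentials.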
