Author Topic: Pwn the ESP32 Forever  (Read 1254 times)


Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 851
  • Country: fi
Pwn the ESP32 Forever
« on: November 14, 2019, 10:00:50 am »
Cool, security researchers are beginning to dig deep into ESP32 architecture as well,
finding h/w flaws:

https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/

Quote
In this report, I disclose a full readout of protected E-Fuses storing two secret keys, one used for Flash Encryption (BLK1) and the other for the Secure Boot (BLK2).

This attack cannot be patched by the vendor on existing devices. It’s a FOREVER pwn.
 
The following users thanked this post: I wanted a rude username

Offline GeorgeOfTheJungle

  • Super Contributor
  • ***
  • Posts: 2690
  • Country: tr
Re: Pwn the ESP32 Forever
« Reply #1 on: November 14, 2019, 10:39:08 am »
Paper courtesy of NXP/ST/TI/ARM :-)
« Last Edit: November 14, 2019, 12:09:59 pm by GeorgeOfTheJungle »
 

Offline OwO

  • Super Contributor
  • ***
  • Posts: 1211
  • Country: cn
  • RF Engineer @ OwOComm. Discord: スメグマ#2236
Re: Pwn the ESP32 Forever
« Reply #2 on: November 14, 2019, 12:50:54 pm »
I can't think of any MCU where code encryption isn't broken though. It is an inherently hard problem and any sane engineer should assume physical access = root. I'm only concerned about remote code execution or other privilege escalation vulnerabilities.
Discord: スメグマ#2236
Email: OwOwOwOwO123@outlook.com
GitHub: gabriel-tenma-white
 

Offline artag

  • Frequent Contributor
  • **
  • Posts: 520
  • Country: gb
Re: Pwn the ESP32 Forever
« Reply #3 on: November 14, 2019, 12:54:58 pm »
Totally agree.

This might be a problem to those neanderthals that still think keeping their code secret is both viable and useful, but the only way it exposes end users is with the possibility of replacing code on their device with an unauthorised trojan. Which could be done just as easily, if physical access is available, by simply replacing the device.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3137
  • Country: fr
Re: Pwn the ESP32 Forever
« Reply #4 on: November 14, 2019, 01:41:10 pm »
Quote
Totally agree.

This might be a problem to those neanderthals that still think keeping their code secret is both viable and useful, but the only way it exposes end users is with the possibility of replacing code on their device with an unauthorised trojan. Which could be done just as easily, if physical access is available, by simply replacing the device.


Do you mean 90% of the software world by those "neanderthals"? Because having the software out in the open is not that common.

The issue is that a trojan could be potentially deployed remotely, through another, remotely exploitable and by itself not very dangerous flaw. Such attacks are pretty routine these days. That something requires local access to exploit doesn't make it any less problematic.

Also, not every exploit is there to turn the device into a botnet zombie or to steal the end user's data. Sometimes stealing the firmware or breaking into the device itself is more valuable. People on this forum regularly complain about Chinese cloners ripping them off, so I would assume something like that could be quite an issue? Also, the flash on these devices often contains things such as wifi keys/passwords, making an easy-to-break IoT device an ideal target for gaining access into the network.
 

Offline Twoflower

  • Frequent Contributor
  • **
  • Posts: 566
  • Country: de
Re: Pwn the ESP32 Forever
« Reply #5 on: November 14, 2019, 01:58:24 pm »
Quote
Paper courtesy of NXP/ST/TI/ARM :-)
I think ST, like Intel, has currently its own problems with the security of the keys in the TPM devices: http://tpm.fail
 
The following users thanked this post: GeorgeOfTheJungle

Offline artag

  • Frequent Contributor
  • **
  • Posts: 520
  • Country: gb
Re: Pwn the ESP32 Forever
« Reply #6 on: November 14, 2019, 05:37:47 pm »
@janoc  : all true, but that doesn't make me wrong.

Neanderthals were still neanderthals even when in the majority. They got out-evolved. Similarly, relying on locked up firmware to protect your IP when you ship kit that contains it (ie physical access) is doomed to failure. It's an obsolete business model.


 

Offline OwO

  • Super Contributor
  • ***
  • Posts: 1211
  • Country: cn
  • RF Engineer @ OwOComm. Discord: スメグマ#2236
Re: Pwn the ESP32 Forever
« Reply #7 on: November 14, 2019, 06:07:46 pm »
Quote
The issue is that a trojan could be potentially deployed remotely, through another, remotely exploitable and by itself not very dangerous flaw. Such attacks are pretty routine these days. That something requires local access to exploit doesn't make it any less problematic.
Doesn't apply in this case because you have to glitch the power supply at just the right time...
Discord: スメグマ#2236
Email: OwOwOwOwO123@outlook.com
GitHub: gabriel-tenma-white
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3137
  • Country: fr
Re: Pwn the ESP32 Forever
« Reply #8 on: November 14, 2019, 09:15:36 pm »
Quote
The issue is that a trojan could be potentially deployed remotely, through another, remotely exploitable and by itself not very dangerous flaw. Such attacks are pretty routine these days. That something requires local access to exploit doesn't make it any less problematic.
Doesn't apply in this case because you have to glitch the power supply at just the right time...

Fair enough, I saw the paper after I wrote that.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3137
  • Country: fr
Re: Pwn the ESP32 Forever
« Reply #9 on: November 14, 2019, 09:17:46 pm »
Quote
@janoc : all true, but that doesn't make me wrong.

Neanderthals were still neanderthals even when in the majority. They got out-evolved. Similarly, relying on locked up firmware to protect your IP when you ship kit that contains it (ie physical access) is doomed to failure. It's an obsolete business model.

Except that obsolete business model is still powering most of the world's economy. And will be for the foreseeable future, because not everything can be stuffed in the cloud or totally locked down like an ATM machine. Open sourcing things is not a solution either, for both economic and regulatory reasons in many cases.

So this pontificating about "neanderthals" is cute as a soundbite, but that's about all it is.
 
The following users thanked this post: thm_w

Offline artag

  • Frequent Contributor
  • **
  • Posts: 520
  • Country: gb
Re: Pwn the ESP32 Forever
« Reply #10 on: November 15, 2019, 03:42:21 pm »
As is pretending that something that worked for a limited time will work forever.
See dinosaurs, music industry, etc. for practical examples.

It might take a while, but open source will ultimately win because of 'standing on the shoulders of giants'. Designs that are closed and eventually thrown away rather than evolve and grow are a dead end. They may have short-term wins but they don't scale.

Regulatory issues are irrelevant: open source does not necessarily mean that uncontrolled installations happen and regulatory regimes will adapt to keep themselves relevant.

« Last Edit: November 15, 2019, 03:47:58 pm by artag »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 4815
  • Country: nl
Re: Pwn the ESP32 Forever
« Reply #11 on: November 15, 2019, 11:32:58 pm »
Secure boot should be protected by pki, not symmetric encryption ... wtf were they thinking?
 
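To make Marco's point concrete, here is an added example (not from the linked report, not Espressif's code, and not the ESP32's actual Secure Boot or Flash Encryption algorithm): a simplified model of the two boot-verification designs. In the symmetric design the device holds the same key that produced the image's integrity tag, so an attacker who reads that key out (the report's E-Fuse readout) can re-tag a modified image and pass the check. In the PKI design the device holds only a public key, so a full readout of the device yields nothing that lets the attacker sign a new image. HMAC-SHA256 and ECDSA P-256 are stand-ins chosen for the illustration; the firmware images and the device key are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// symTag models a symmetric-key boot check: the tag over the image is
// computed with a key that lives on the device. Whoever can read that key
// can also produce tags. (Stand-in for the design, not the real algorithm.)
func symTag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

func verifySymmetric(key, image, tag []byte) bool {
	return hmac.Equal(symTag(key, image), tag)
}

// signImage models the vendor side of a PKI boot check: the private key
// stays with the vendor and never ships on the device.
func signImage(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	h := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifyAsymmetric is the device side: only the public key is needed.
func verifyAsymmetric(pub *ecdsa.PublicKey, image, sig []byte) bool {
	h := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Outcome records what an attacker with a full readout of the device's key
// material achieves under each design.
type Outcome struct {
	GenuineSymOK  bool // genuine image passes the symmetric check
	TrojanSymOK   bool // trojan re-tagged with the extracted key passes
	GenuineAsymOK bool // genuine image passes the PKI check
	TrojanAsymOK  bool // trojan with a replayed genuine signature passes
}

// Scenario runs both designs against a genuine image and a modified one.
func Scenario() (Outcome, error) {
	var out Outcome

	// Constructed sample images; real ones would be the flashed binaries.
	genuine := []byte("constructed sample firmware image v1.0")
	trojan := []byte("constructed sample firmware image v1.0 + backdoor")

	// Symmetric design: devKey stands in for the key stored in eFuse.
	devKey := make([]byte, 32)
	if _, err := rand.Read(devKey); err != nil {
		return out, err
	}
	tag := symTag(devKey, genuine)
	out.GenuineSymOK = verifySymmetric(devKey, genuine, tag)

	// Attacker has extracted devKey from the device and re-tags the trojan.
	extracted := devKey
	forged := symTag(extracted, trojan)
	out.TrojanSymOK = verifySymmetric(devKey, trojan, forged)

	// Asymmetric design: the device carries only the vendor's public key.
	vendorPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	devPub := &vendorPriv.PublicKey
	sig, err := signImage(vendorPriv, genuine)
	if err != nil {
		return out, err
	}
	out.GenuineAsymOK = verifyAsymmetric(devPub, genuine, sig)

	// Attacker has devPub and the genuine signature from flash; the best
	// they can do without the private key is replay that signature.
	out.TrojanAsymOK = verifyAsymmetric(devPub, trojan, sig)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("symmetric:  genuine=%v trojan(extracted key)=%v\n", out.GenuineSymOK, out.TrojanSymOK)
	fmt.Printf("asymmetric: genuine=%v trojan(replayed sig)=%v\n", out.GenuineAsymOK, out.TrojanAsymOK)
}
```

Two caveats a practitioner would add. First, PKI only removes the forgery path: if the attacker can glitch the verification itself, as the report describes, the check is skipped regardless of which scheme it implements, and the public key must still be write-protected so it cannot be swapped. Second, the report's other leaked key is the Flash Encryption key, and no choice of signature scheme for Secure Boot changes what an attacker can do with a decrypted flash image.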

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 2213
  • Country: ca
Re: Pwn the ESP32 Forever
« Reply #12 on: November 16, 2019, 12:36:36 am »
Quote
As is pretending that something that worked for a limited time will work forever.
See dinosaurs, music industry, etc. for practical examples.

It might take a while, but open source will ultimately win because of 'standing on the shoulders of giants'. Designs that are closed and eventually thrown away rather than evolve and grow are a dead end. They may have short-term wins but they don't scale.

Regulatory issues are irrelevant: open source does not necessarily mean that uncontrolled installations happen and regulatory regimes will adapt to keep themselves relevant.

"Dinosaurs" is not even close to being a relevant example.
"Music industry" still exists so not sure what your point is there, I assume you mean the transition from physical to software media?

https://www.musicbusinessworldwide.com/global-recorded-music-industry-revenues-grew-8-1-in-2017-to-reach-17-3bn/
 

