Espressif Security Advisory Concerning Fault Injection and Secure Boot (CVE-2019-15894)

An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup and boot unverified code from flash. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field.

Issue Summary

An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup and boot unverified code from flash.

The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution.

To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled (see “Recommendation for ESP32 Users”, below).

This issue has been found and disclosed to Espressif by two security analysts at Riscure, Yashin Mehaboobe and Santiago Cordoba Pellicer. It was also independently found and disclosed by LimitedResults. Espressif thanks both parties for responsibly disclosing this issue.

What is fault injection?

Fault injection is a technique for disrupting the behaviour of a hardware system by injecting faults via physical means, often by carefully timed voltage or clock fluctuations. To deploy fault injection an attacker must have physical access to the hardware to modify it and inject faults.

Following a fault, the system will usually crash. However sometimes a carefully timed fault may cause the CPU to skip a particular instruction or corrupt the result of a particular calculation. By repeating the fault injection process a large number of times, an attacker may eventually get a result which bypasses a security measure.

All electronic hardware is vulnerable to some types of physical fault injection, although the difficulty of inducing the fault varies.

Further Work

In May, Espressif worked with security analysts from Riscure in order to review the ESP32 boot ROM code including modifications made to harden it against fault injection. An ESP32 revision with updated Secure Boot ROM code will be available in Q4.

The forthcoming ESP32-S2 SoC has additional provisions added to harden it against fault injection, and in April the ESP32-S2 Secure Boot ROM code was also reviewed by an external security analyst.

Disclosure History

April 8: Espressif was contacted by security analysts from Riscure to report results found using fault injection against ESP32 Secure Boot in ROM.

May 14: Riscure commence review of existing ESP32 ROM boot code and Secure Boot features.

June 5: Received a video from LimitedResults showing fault injection against ESP32 Secure Boot.

August 2: LimitedResults provided a proof of concept report demonstrating fault injection against ESP32 Secure Boot.

Recommendations for ESP32 Users

All existing users of Secure Boot and Flash Encryption on the ESP32 should upgrade ESP-IDF to versions 3.0.9, 3.1.6, 3.2.3, 3.3.1 as soon as these versions are available. These versions, and ESP-IDF v4.0 and newer, will contain a patch to permanently enable Flash Encryption when Secure Boot is used, preventing it from ever being temporarily disabled.

The updated app can be delivered to devices in the field via OTA and does not require any update of the ESP-IDF bootloader.

Users who do not wish to wait for the new ESP-IDF release can patch ESP-IDF V3.2.x apps to call the following API as part of startup in the app_main() function or similar:

#include <esp_flash_encrypt.h>

void app_main()

{

if (esp_flash_encryption_enabled()) {

esp_flash_write_protect_crypt_cnt();

}

// continue normal startup

}

ESP-IDF versions prior to v3.2 can either update ESP-IDF, or copy the esp_flash_write_protect_crypt_cnt() function from newer ESP-IDF into the firmware app and then call it as shown above. Please contact Espressif if you require technical assistance with this process.