To use our site, you agree to the use of cookies and data processing according to our privacy statement.
Close
Search

The threat of Fault Injection: Riscure discovers a vulnerability in an affordable IoT solution

Riscure has discovered a serious vulnerability in an affordable ESP32 IoT solution developed by Espressif Systems. Using an attack technique known as Fault Injection, the vulnerability may be exploited to bypass security mechanisms and allow arbitrary code execution. The impact of this issue can be minimized by applying built-in security measures (a combination of Secure Boot and Flash Encryption), however full mitigation will be provided by a vendor with the upcoming hardware revision of the SoC.

Advisory by Espressif Systems is available here.

The pitfalls of hardware security

Securing IoT solutions increasingly becomes an essential practice, for a number of reasons. It allows to protect a vendor’s intellectual property by encrypting the firmware. It reduces impact on customers, who, in the event of a remotely exploitable vulnerability, risk losing sensitive data. In other cases IoT becomes a point of entry to access business and consumer local networks.

The security industry is primarily focused on finding and mitigating vulnerabilities in software, while the robustness of hardware is often overlooked. We have previously shown how attacks on hardware can help extract secrets. Notable IoT implementations often lack basic security measures which allows effortless analysis of firmware for further exploitation.

Even if IoT firmware is properly protected, a vulnerable implementation of Secure Boot may render other security mechanisms useless. In some cases, secure initialization of a device can be circumvented by a power glitch. This is exactly what happened with ESP32.

The vulnerability

The problem was discovered by Riscure researchers Yashin Mehaboobe and Santiago Cordoba Pellicer in April 2019. An analysis of the ESP32 chip using Riscure Inspector solution revealed a set of parameters (such as voltage and timing) that allowed to bypass the Secure Boot verification mechanisms and, ultimately, execute unverified code stored on flash. The issue could be mitigated by enabling a built-in Flash Encryption feature of ESP32. Espressif Systems also plans to release the updated revision of an SoC with further improvements to harden against Fault Injection attacks.

As an expert in Side Channel Analysis and Fault Injection techniques, Riscure can help you make your device robust against increasingly affordable and widespread hardware attacks. We specialize in security of embedded and connected devices, including Smart Cards and IoT. To learn how we can help you achieve better security in your development process, feel free to get in touch with us via inforequest@riscure.com.