The presentation discusses the security features of the ESP32 chip and explores different attack scenarios, including fault injection and side channel attacks, to break the firmware encryption. The speaker also demonstrates a homemade fault injection setup and applies the attack on a hardware wallet.
- The ESP32 chip has secure boot, flash encryption, OTP memory for storing secrets, and crypto hardware accelerators
- The eFuse organization has four slots, with block one and block two protected by eFuse protection bits
- Secure boot uses a public key to encrypt the bootloader and a digest is generated for comparison during power up
- Flash encryption uses AES decryption and a key tweak to change the key every 32 bytes
- Side channel attacks can be used to break the firmware encryption by measuring power consumption during execution of crypto operations
- A homemade fault injection setup is demonstrated to reproduce the Limited Results attack using electromagnetic fault injection
- The attack scenario is applied on a hardware wallet to gain control of the flash content
- The speaker stresses the importance of leakage detection to localize the AES and reduce evaluation time
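The leakage-detection step from the last bullet, as an added example that is not code from the talk: a Welch's t-test between fixed-input and random-input trace sets, which is one common leakage-detection method (the summary does not name the one the speaker used). The traces are simulated, and the Hamming-weight leakage model, the 4.5 threshold and all names are assumptions.

```python
import math
import random

HW = [bin(b).count("1") for b in range(256)]  # Hamming weight lookup table

def simulate_traces(n_traces, n_samples, leak_window, seed=1):
    """Constructed data: Gaussian noise everywhere; inside leak_window each
    sample also carries the Hamming weight of the processed byte."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for i in range(n_traces):
        is_fixed = i % 2 == 0                 # interleave the two classes
        byte = 0x00 if is_fixed else rng.randrange(256)
        trace = [rng.gauss(0.0, 1.0) for _ in range(n_samples)]
        for s in range(*leak_window):
            trace[s] += 0.5 * HW[byte]        # assumed leakage model
        (fixed if is_fixed else rand).append(trace)
    return fixed, rand

def mean_var(xs):
    """Sample mean and unbiased sample variance."""
    m = sum(xs) / len(xs)
    return m, sum((x - m) ** 2 for x in xs) / (len(xs) - 1)

def welch_t(fixed, rand):
    """Welch's t statistic per sample index between the two trace sets."""
    t_values = []
    for s in range(len(fixed[0])):
        ma, va = mean_var([tr[s] for tr in fixed])
        mb, vb = mean_var([tr[s] for tr in rand])
        t_values.append((ma - mb) / math.sqrt(va / len(fixed) + vb / len(rand)))
    return t_values

def leaking_samples(t_values, threshold=4.5):
    """Sample indices where |t| exceeds the detection threshold."""
    return [i for i, t in enumerate(t_values) if abs(t) > threshold]

def localize(n_traces=400, n_samples=120, leak_window=(60, 76)):
    """Run the detection on the simulated set; returns (t_values, flagged)."""
    fixed, rand = simulate_traces(n_traces, n_samples, leak_window)
    t_values = welch_t(fixed, rand)
    return t_values, leaking_samples(t_values)

if __name__ == "__main__":
    _, flagged = localize()
    print("samples flagged as data-dependent:", flagged)
```

Only the flagged window needs to be kept for the later, more expensive analysis, which is how leakage detection shortens an evaluation of a long power-up capture.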
The speaker describes how they discovered a new attack path by switching the attack scenario to side-channel attacks and targeting the flash decryption. By measuring the power consumption during execution of the crypto operation, they were able to build an offline model covering all the key hypotheses and perform correlation power analysis to attack the flash encryption or decryption key. They also emphasize the need for a high-end oscilloscope to capture power traces during power-up and the importance of targeting the bootloader data stored at address 1K in the external flash to gain control of the flash content.
ESP32 is one of the most widely used microcontrollers, and is present in hundreds of millions of devices such as IoT applications, mobile devices, hardware wallets, etc. In 2019, Limited Results published a fault injection attack at Black Hat Europe which resulted in breaking the security of the ESP32-V1 chip family. Therefore, Espressif patched this vulnerability and then advised its customers to use ESP32-V3, which is a hardened silicon revision. In this talk, we present an in-depth hardware security evaluation for ESP32-V3. The main goal of this evaluation is to extract the firmware encryption key in order to decrypt the encrypted flash content that may possibly contain secret data. First, we use Fault Injection (FI), using our homemade electromagnetic fault injector, in an attempt to access the flash encryption keys stored in the read-protected eFuses. We show by experimental results that this new silicon revision contains a bootloader protected against these attacks. Therefore, we then explore a different attack path using Side-Channel Attacks (SCAs) on the firmware decryption mechanism, by measuring the information leakage of the firmware decryption operation during power-up. Using this knowledge, we demonstrate that the full 256-bit AES firmware encryption key can be recovered using Side-Channel (SC) analysis in a few hours with a 100% success rate. Finally, as a practical example, we apply our attack to decrypt the contents of a hardware wallet.