A security researcher has identified a local-access technique that enables a complete bypass of all security within the popular ESP32 IoT chip, where malware can be implanted and never removed. Espressif has confirmed the vulnerability with an advisory. The same attack also extracts cryptographic keys and works against the device's most secure configuration.
The ESP32 chipset is significant to the industry, as it offers a dual core chip with WiFi and bluetooth to underly many devices. In January 2018, the manufacturer Espressif announced its milestone of having shipped over 100 million devices. ESP32 is a key component of many devices, including LiFX lightbulbs, and is also featured as a compatible device with AWS FreeRTOS within AWS IoT as well as Microsoft Azure IoT.
The security researcher, LimitedResults, coordinated disclosure with Espressif on their advisory and details of the exploit. The attack works against eFuse, a one-time programmable memory where data can be burned to the device. The ESP32 official documentation describes why the attack works: "Each eFuse is a one-bit field which can be programmed to 1 after which it cannot be reverted back to 0." By burning a payload into the device’s eFuse, no software update can ever reset the fuse and the chip must be physically replaced or the device discarded. A key risk is that the attack does not fully replace the firmware, so the device may appear to work as normal. The persistent nature of the attack is most problematic in a supply chain or re-sale situation where one party in the chain places a new payload into the ESP32 eFuse and fully compromises the device forever. A similar supply chain attack took place in 2010 against Cisco routers during shipping, where they were flashed with a custom payload.
The impact of this attack goes beyond simple hobbyist devices or low-cost IoT gear. LimitedResults informed InfoQ,
devices using ESP32 built-in security are not lightbulbs or connected thermostats. Your thermostat has 0 protection against hackers having physical access… I identified maximum secure ESP32 in quite expensive devices, where a hack will compromise the device itself but also the possibility to use unauthenticated resources and sub-systems to compromise the full environment.
CVE-2019-17391 attacks the device cryptography through voltage glitching, a well-known attack where an adversary strategically sends HIGH/LOW pulses to device pins that cause confusion with the chip’s instructions. For example, during security checks, sending a HIGH signal to a CPU’s RESET pin can cause instructions to be discarded. LimitedResults estimated that this attack can reproduced in under a day with approximately $1,000 USD in hardware.
Mitigation techniques in hardware are limited. The common technique of using a Trusted Platform Module (TPM) has also been cracked, with TPM Fail in 2019, TPM Genie in 2018, and more. AWS IoT Core security recommendations can limit scale of this or any other local access attack. In particular, the recommendation to use a single identity per device would enable IoT providers to disable the identity or limit the scope for known-compromised devices as well as devices that have not been updated over a long time.
Without the ability to restore the device, organizations whose devices rely on ESP32 should consider a firmware update that checks eFuses in addition to a device recycling program that does not re-introduce ESP32 chips back into the supply chain.