by LeifCarrotson 2409 days ago
This is an interesting attack, and certainly looks highly successful in terms of allowing a determined hardware hacker to gain root/bootloader access to a device that the manufacturer has attempted to lock them out of. Glitching with a 6V supply on a 3.3V bus is certainly something I'd want to be a little cautious of if the hardware was more expensive than a $10 dev board - I wouldn't buy a $800 IoT fridge and use this to install alternate firmware just for fun, but it's nice to know it's possible in case my fridge stops working because the manufacturer declares it end-of-life. It's just not clear to me if or how this is a bad thing. The author writes:

> This FATAL exploit allows an attacker to decrypt an encrypted firmware because he is now in possession of the AES Flash Encryption Key.

> Worst case scenario, he is now able to forge his own valid firmware (using the Secure Boot Key) then encrypt it (using the Flash Encryption Key) to replace the original firmware PERMANENTLY.

> This last post closes my security investigation on ESP32, which I consider now as a broken platform.

Isn't that a good thing for me as a consumer? I like the ability to decrypt and modify my own devices. I like that this is a permanent modification, unlike e.g. dd-wrt where you have to prevent the bootloader from overwriting your software with that of the manufacturer.

The only thing I can think of that would be really bad is if I had a device with an ESP32 inside physically stolen then reinstalled by an attacker (or a counterfeit sold to me with malicious code from the vendor) and this exploit allowed them to get private data from my network to an Internet location. But they could already just buy or build their own device, ESP32 or not, to do that.

This is only bad for draconian IoT manufacturers who want to enforce their terms of service and artificial limitations on hardware they think consumers are leasing but consumers think they are buying.


> Isn't that a good thing for me as a consumer? I like the ability to decrypt and modify my own devices.

If you're the sort of person who buys wifi-based-internet-enabled door bells, but you don't want someone who steals your doorbell to (a) be able to extract your wifi password or (b) be able to get the thing to work at all, you might appreciate resistance to the thief's attacks.

Of course, you can also address this security concern by just not buying an internet-enabled doorbell.

This could still be addressed by not putting the wifi part of the doorbell into the doorbell itself or alternatively using something like LoRaWAN where at worst someone could compromise the device keys (which you can reprovision) so your Wifi isn't compromised at all.

Another solution is to use a second gateway inside the house that manages the Wifi part and secure communication with the doorbell via short range radio.

Or you could use a dedicated SSID (VLAN) with AP client isolation enabled.

Or reduce the severity of a breach by using a limited guest network for your IoT devices.

This is how I handle all the IoT devices in my household. It's one of the first things I implemented after I flashed my router over to DD-WRT.

Might as well call the PC a broken platform since you can install your own OS.

Imo a platform is broken if the user can't control it.

One user's self is another user's attacker. This attack isn't one-time; if I can break into the hardware and change the keys such that I now control it, then someone else with temporary physical access can then break into my hardware and change the keys again, suborning "my" IoT device into e.g. a subtle wiretap.

A computer anyone—not just the owner—can root given physical access, is like a lock that anyone—not just the owner—can non-tamper-evidently pick open. It really is broken.

Almost all computing devices are broken when given physical access. And if they aren't it's just because someone hasn't worked it out yet or is broken secretly by governments.
This is kind of a myth. There is such thing as tamperproof hardware components and they can protect against plenty of threats.

Security isn’t all or nothing, it’s about understanding what the different threats are and adequately protecting against them. Not everyone is trying to protect against attackers with millions of dollars at their disposal. There is plenty of value to deterring 99% of attackers with physical access.

The idea of security as all or nothing, and that physical access thus defeats all security measures, are security tropes that need to die. You can see how obviously wrong they are when you consider that just about every security system depends on proper behavior by trusted human beings, who are never 100% reliable.

> when you consider that just about every security system depends on proper behavior by trusted human beings, who are never 100% reliable

...and I think that's perfectly fine and IMHO required. I've long been a proponent of the philosophy that a little bit of insecurity is what keeps society in general from turning into complete dystopia; but unfortunately, paranoia and the search of "perfect security" is driving it in that direction.

In other words, striving for perfect security is treacherous precisely because humans are not 100% reliable. The same way you would probably not want "perfect" law enforcement by the government.

Yes, but no. I mean you are probably familiar with FIPS-140-2's security levels [0], and the ESP32 is probably on neither. (Not even Level 1. Which is roughly something that you can do almost purely at just in software, that's why OpenSSL has this mode.)

I'd argue that if you want to use some kind of device as part of your security system, and that part has to endure temporary physical access from unauthorized third parties, then you need something that is designed for that. Considering software broken when it's clearly not designed to withstand physical tampering ... is a bit silly. (Though considering it broken in terms of IP protection is not surprising; it was never really designed for that either.)

Though, of course, you're absolutely correct that compared to its price (or cost), it's a lot more secure than an empty floppy (yet similarly simple - except you can't toggle an efuse with hand), or early smart phones (or early anything, that was complex, ran every kind of software as root, and so naturally was full of holes).

[0] https://en.wikipedia.org/wiki/FIPS_140#Security_levels

I don't disagree with other parts of your post, but I still think protecting against the scenario where an attacker has physical access to your computer is basically pointless. Especially if it comes with a very significant loss of freedom.

If a malicious person has entered your home or workplace, access to your computer should be low on the list of worries.

Not every system is inside a home or workplace.

ATMs. Parking meters. Building security/intercom systems. Digital billboards and transit information signage.

These are the IoT devices that need to be hardened against physical access.

Android handles this decently well: it allows you to install whatever you want on the device, but to unlock the device for custom firmware the device is first wiped, so user data is perfectly safe.

This would be more akin to jailbreaking your Nintendo Switch and installing Linux. An IoT platform that's intended to be secure can be tricked into revealing its key.

Most consumers aren't going to write custom firmware for their lightbulbs.

Of course, I think this exploit is impractical for a lot of cases given how the ESP32 is typically used, but, ymmv.

I didn't have to write Linux to benefit from an open platform. I didn't write OpenWrt either but benefit hugely from it.

The point of locking out game console owners is to protect the software vendors. What's the point with IoT?

To protect against clones that just install your software.
> Might as well call the PC a broken platform since you can install your own OS.

More like calling a PC broken if you can install your own OS even after you've enabled Secure Boot and a TPM (in which case, the security features are objectively broken)

> This is only bad for draconian IoT manufacturers who want to enforce their terms of service and artificial limitations on hardware they think consumers are leasing but consumers think they are buying.

No kidding. What really grinds my gears is the fact that these authoritarian "security" people are effectively helping to tighten the nooses around everyone else, and very eager to do it too. It's one thing to post about an exploit you've found and help the community, but I'll never agree or help anyone who goes snitching to the company about it. In the "old school" hacking culture you would be called a corporate sellout, or worse, for doing that.

I think most people are assuming that the user breaking this device is the owner and therefore don't see the potential threats this hack realizes.

A perfect example of how this could be a problem would be the modification of a utility provider's smart meter. The home owner hacks the firmware of their electricity meter to show a 10% reduction of power consumption.

I'm sure there are several more applications of this exploit that would allow end users who are not the owners of the hardware to make it a threat large enough for manufacturers to consider using a more secure device.

It's easy enough to tap into the service ahead of the meter. Or if you've taken the meter apart, adjust the analog signal conditioning. And so power companies monitor aggregate usage per neighborhood, and if there is a discrepancy, go looking.

In general most people are honest, most of the others are deterred by stiff penalties, and these issues are kept in check at "human scale". DRM schemes are more likely to be used to erode long-held precepts, rather than being needed to enforce them.

If I'm not mistaken, buying one of a device and tearing it down like this would yield keys that would let you create "official" firmwares for all of the other ones of their kind and set up a fake update site allowing you to remote exploit all of the others, yes?

If so this is a fairly serious hack especially for devices that auto-update OTA.

They should be permitting OTA only if the website they download from over TLS has a cert signed by the developer/manufacturer or at least a public CA with a CN matching the host name...so you'd have to physically access each device and not just MITM them.
I'm not 100% sure but doesn't each device have its own keys burned at the factory?

So this hack will only work on a single esp32.

That's not how public/private encryption works, which is what comes to mind when you say keys. Not that I have any clue how this actually works!
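Whether a key pulled out of one unit compromises only that unit, as the two comments above are arguing, comes down to which keys are per-device secrets and which are shared across the fleet. The following Go program is an added example, not code from the original post, from the ESP32 write-up being discussed or from Espressif: it models two hypothetical designs side by side. In the first, every unit holds the same symmetric key and checks an HMAC over the image, so one dumped key forges images for all of them; in the second, images are signed with a vendor key that never leaves the build server while each unit has its own random flash key, so a dumped unit gives up its own plaintext but nothing that works against the next unit. The names (tagShared, verifyShared, provision, bootAccepts, Device) are invented, the firmware bytes are constructed, and AES-GCM and Ed25519 stand in for a real chip's flash encryption and secure-boot signature; none of this claims to be how the ESP32 actually works.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Design A (hypothetical): the same symmetric key sits in every unit and the
// bootloader accepts any image whose HMAC-SHA256 under it verifies, so the
// key dumped from a single unit mints passing tags for the whole fleet.
func tagShared(fleetKey, image []byte) []byte {
	m := hmac.New(sha256.New, fleetKey)
	m.Write(image)
	return m.Sum(nil)
}
func verifyShared(fleetKey, image, tag []byte) bool {
	return hmac.Equal(tagShared(fleetKey, image), tag)
}

// Design B (hypothetical): Ed25519-signed images; the private key stays on the build server.
func newVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only for a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 16-byte AES block
	return gcm
}

// encryptFlash stores payload as nonce||ciphertext under one unit's key (AES-GCM stands in for real flash encryption).
func encryptFlash(flashKey, payload []byte) []byte {
	gcm := gcmFor(flashKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, payload, nil)
}

// decryptFlash fails unless the caller holds that particular unit's key.
func decryptFlash(flashKey, blob []byte) ([]byte, error) {
	gcm := gcmFor(flashKey)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("flash blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Device is everything physical access to a single unit can recover.
type Device struct {
	FlashKey  []byte            // this unit's secret, random at provisioning
	VendorPub ed25519.PublicKey // shared, but public anyway
	Flash     []byte            // encrypted sig||image
}

// provision models the factory: sign once with the vendor key, encrypt per unit.
func provision(pub ed25519.PublicKey, priv ed25519.PrivateKey, image []byte) Device {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	payload := append(ed25519.Sign(priv, image), image...)
	return Device{FlashKey: k, VendorPub: pub, Flash: encryptFlash(k, payload)}
}

// bootAccepts is the device-side check: decrypt with its own key, then verify the vendor signature.
func bootAccepts(d Device) bool {
	payload, err := decryptFlash(d.FlashKey, d.Flash)
	if err != nil || len(payload) < ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(d.VendorPub, payload[ed25519.SignatureSize:], payload[:ed25519.SignatureSize])
}

func main() {
	image, forged := []byte("constructed sample firmware v1"), []byte("attacker firmware")
	fleetKey := []byte("same-32-byte-key-in-every-efuse!")
	fmt.Println("shared key: forged image accepted:", verifyShared(fleetKey, forged, tagShared(fleetKey, forged)))
	pub, priv := newVendorKeypair()
	victim := provision(pub, priv, image)
	plain, _ := decryptFlash(victim.FlashKey, victim.Flash)
	fmt.Printf("dumped unit: plaintext recovered: %q\n", plain[ed25519.SignatureSize:])
	_, attackerPriv := newVendorKeypair()
	victim.Flash = encryptFlash(victim.FlashKey, append(ed25519.Sign(attackerPriv, forged), forged...))
	fmt.Println("dumped unit: attacker-signed image boots:", bootAccepts(victim))
}
```

Running it prints true, the recovered image, then false: the shared-key design is forgeable fleet-wide, while in the second design the dumped flash key decrypts that one unit but a re-encrypted image signed with anyone else's key is refused, and the same flash key does not open another unit's flash at all. Two caveats a practitioner would add: a per-device flash key still lets whoever holds it roll that unit back to an older, validly signed image unless the bootloader tracks versions, and the TLS hostname/CA check suggested a few comments up protects only the download transport; it is the image signature that decides what the device will actually run.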
Some hardware comes with firmware that can't be overwritten unless it's properly signed by the manufacturer to prevent an attacker from being able to get low-level control of devices that couldn't otherwise be detected. Example: https://www.cisco.com/c/en/us/products/collateral/security/c...

It is, of course, possible to replace an entire physical device with your own hacked one, and have nobody be the wiser. But the theory goes, that would be a lot harder than just copying rooted firmware into a device remotely. (The above system was hacked this year, though)