Shedding too much light on a microcontroller’s firmware protection

Johannes Obermaier, Stefan Tatschner

Research output: Contribution to conferencePaperpeer-review

Abstract

Almost every microcontroller with integrated flash features firmware readout protection. This is a form of content protection which aims at securing intellectual property (IP) as well as cryptographic keys and algorithms from an adversary. One series of microcontrollers are the STM32 which have recently gained popularity and thus are increasingly under attack. However, no practical experience and information on the resilience of STM32 microcontrollers is publicly available. The paper presents the first investigation of the STM32 security concept, especially targeting the STM32F0 sub-series. Starting with a conceptual analysis, we discover three weaknesses and develop them to vulnerabilities by demonstrating corresponding Proofs-of-Concept. At first, we discover that a common security configuration provides low protection which can be exploited using our Cold-boot Stepping approach to extract critical data or even readout-protected firmware. Secondly, we reveal a design weakness in the security configuration storage which allows an attacker to downgrade the level of firmware protection, thereby enabling additional attacks. Thirdly, we discover and analyze a hardware flaw in the debug interface, attributed to a race condition, that allows us to directly extract read-protected firmware using an iterative approach. Each attack requires only low-priced equipment, thereby increasing the impact of each weakness and resulting in a severe threat altogether.

Original languageEnglish
Publication statusPublished - 2017
Externally publishedYes
Event11th USENIX Workshop on Offensive Technologies, WOOT 2017, co-located with USENIX Security 2017 - Vancouver, Canada
Duration: 14 Aug 201715 Aug 2017

Conference

Conference11th USENIX Workshop on Offensive Technologies, WOOT 2017, co-located with USENIX Security 2017
Country/TerritoryCanada
CityVancouver
Period14/08/1715/08/17

Fingerprint

Dive into the research topics of 'Shedding too much light on a microcontroller’s firmware protection'. Together they form a unique fingerprint.

Cite this