readout protection cracked on STM32

dieter 123 · ‎2018-01-08

Posted on January 08, 2018 at 10:21

Am I correct that readout protection has a major issue and is not working at all? Are all STM32s affected? Any comments on this from ST?

See here:

https://www.aisec.fraunhofer.de/en/FirmwareProtection.html

#stm32-rdp-read-protection

Note: this post was migrated and contained many threaded conversations, some content may be missing.

stm322399 · ‎2018-01-08

Posted on January 08, 2018 at 11:40

'not working at all' is a bit unfair.

1/ imho, cold boot stepping exploits a weakness of the bootloader, of course, any SRAM data is at risk (at RDP level1). Well lets use RDP level2.

2/ security downgrade from level2 uses probing. Are there any generic purpose MCU protected against probing ? Anyway, I agreed that the encoding of RDP is problematic.

3/ debug interface exploit looks really unreliable (how to sort FW from garbage?), even the author only says 'practically feasible'.

Security is often a trade-off between protection and effort (money). Imho RDP is (not perfect, but) good enough for a lot of needs, and probably brings more protection to your product than many software (unchecked user input, fw upgrade etc ...).

dieter 123 · ‎2018-01-08

Posted on January 08, 2018 at 13:23

Is there any official statement from ST on this? Are all STM32 series affected?

Does it also affect RDP level 2?

>> how to sort FW from garbage?

quite simple, no?: flash it on a second stm32 and check functionality

AvaTar · ‎2018-01-08

Posted on January 08, 2018 at 13:55

Is there any official statement from ST on this?

I'd wonder if there is/comes anything substantial.

Usually, a great part of 'security by obscurity' is involved.

Only large customers are informed and receive support.

Ask Microchip ...

As said by gonzales.laurent, this is a cost-benefit consideration. Blocking the casual hacker/copyist, even commercial, is mostly deemed sufficient.

Attacks with >1000k equipment and teams with unlimited pocket depth are not covered.

At least for short-lived consumer electronics.

dieter 123 · ‎2018-01-08

Posted on January 09, 2018 at 08:35

Hi

st.mcu

would you please comment on this? Is there an official statement from ST about this?

Thx

Amel NASRI · ‎2018-01-09

Posted on January 09, 2018 at 10:50

Hi,

We will come back to you with our official statement regarding this issue.

-Amel

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

re.wolff9 · ‎2018-01-11

Posted on January 11, 2018 at 14:07

gonzalez.laurent wrote:

2/ security downgrade from level2 uses probing. Are there any generic purpose MCU protected against probing ? Anyway, I agreed that the encoding of RDP is problematic.

***************************************** -end-of-quote ************************

Yes, the simple 'Any other combination is RDP2' would have made 'amateur' breaking of the protection close to impossible. Decapping a chip is easy enough, exposing to UV too.

***************************************** -restart-of-quote ************************

3/ debug interface exploit looks really unreliable (how to sort FW from garbage?), even the author only says 'practically feasible'.

The debug interface reports ERROR (permission denied, try again) or OK (you got your data, store it, and go to the next location). So this is completely easy.

The fact that the debug interface exploit works, together with openocd only supporting lock level 1, probably means that lots of people are not protected, when they thought they were.....

These guys are just some students that have tried a bunch of tricks to break this and report on the three tricks that worked. They probably aslo tried a few things that didn't work. But with such sloppy design (the encoding of lock-level-2 is wrong, everybody can see that!) it is likely that someone else may find another bug.

For example, it is clear that these guys are not good at controlling the power to their target. They claim 45 bytes per minute. So that means 11 succesful 32-bit attempts per minute, or about 22 raw tries. That translates to about 3 seconds per attempt. With a mosfet I can apply power to a CPU in less than a microsecond. Hold the reset line for a microsecond, and then release. Now start doing the SWD stuff, and a few microseconds later you have your results. Several hundred or thousand attempts per second should be possible. But if they use a mechanical relay to power up the device, then have to wait for big capacitors to drain then that can lead to a cycle time of several seconds.

But indeed. The result is that you can read a lockec STM32F0 at AT LEAST 45 bytes per second. But unless you're starting a business doing this and have tens of clients a day, that is not worth the further engineering effort.

Code Wrangler · ‎2018-01-11

Posted on January 11, 2018 at 18:46

AvaTar wrote:

Attacks with >1000k equipment and teams with unlimited pocket depth are not covered.

It is not just companies with >1000k equipment. There are companies on a certain popular Chinese website that will crack any ST chip for $750 - $6000 USD (depending on part number). They also crack every other companies' microprocessors as well. (I don't want to post links to encourage anyone)

Bunnie (Andrew Huang) wrote a tutorial on cracking PIC chips for $50.

Anyone who counts on hardware locks for code protection is a fool.

Steve H · ‎2018-01-12

Posted on January 12, 2018 at 17:00

I am very interested in that response, especially as regards the STM32F2 series MCUs, since we use them in our products. It would be a shame to have to migrate to another vendor because your security model was irretrievably broken.

Philipp Krause · ‎2018-01-12

Posted on January 12, 2018 at 18:53

I'd recommend not to rely too much on readout protection. While it is nice to have attacks on the STM32F0 well-documented (I assume the other STM32 variants will follow soon - seems like good projects to hand out to interested students), that doesn't mean that other controllers are that much safer. Readout protection is just a small obstacle to increase readout time and effort a bit.

Look at the vendor list at the bottom of

https://www.cl.cam.ac.uk/~sps32/mcu_lock.html

. Practically every microcontroller vendor known is listed there as having their readout protection broken some way (by the author of that page - no doubt others have broken plenty of readout protections, too). And then there probably are people who directly make money from their findings instead of publishing them.

There are companies providing the service of reading data from protected microcontrollers. They typically operate in jurisdictions where it is legal for the owner of a device to read the data (i.e. those places have no law equivalent to the US DMCA). Examples:

https://russiansemiresearch.com/

,

http://www.ic-cracker.com/

. From their public price lists and what I've read on

https://www.mikrocontroller.net/

, they charge less than 2000â‚¬ for reading the flash from a controller.

Philipp

P.S.: There are, however some security-oriented microcontrollers in the market that are harder, but still not impossible to read out (or at least have part of their memory hardened against attacks). But you'll have to pay the price (both monetary by getting a worse performance/proce trade-off than for controllers with less protection, and often also in reliability as their self-destruct functionality might trigger on a false positive).

P.P.S.: Edited to fix a typo.