2022-07-30 09:13 AM
Hi - I am new to hardware security research, so I thought I would start with a simple STM32 MCU to improve my skills.
I can develop simple applications and upload them to flash; everything is OK so far. But I wonder how I can hack the device I developed. For example, last time I managed to get a memory dump with OpenOCD and it made me very happy. Now, I need to look at it closer, at the hardware level.
My question is: Could you tell me about previously announced STM32F4 vulnerabilities, please? (Especially chip vulnerabilities with PoC if possible)
(As far as I know, ARM Cortex-M is not affected by Meltdown & Spectre, for example.)
And finally, how can I improve myself on hardware security? Is it possible with my STM32F429 board? What would you recommend I do, what to learn, what to research, or maybe a roadmap, etc.?
Thank you!
2022-07-30 10:20 AM
Start by reading the RM, focusing on the general overview and FLASH chapters, and try to understand the built-in mechanisms protecting against code readout. Understand why there are multiple options, what the tradeoffs are, and especially why they are made. Look at the evolution of these mechanisms across STM32 families ('G0/'G4/'L5/'U5 are newer and missing from there; there are also the wireless families, which may have their own bunch of issues in this regard).
Then look up known vulnerabilities, perhaps starting at the CVE database.
Note that these are not dedicated security chips, and security against code readout is relatively low. You cannot do anything better to prevent the usual attacker with physical access (i.e. "the far-eastern guy who promises to extract firmware if you send him a couple of samples and some $$$") without changing the chip itself. What you can then do is a systems solution, i.e. encapsulation, tamper protection and tamper-evidence recording. That's something which can be investigated on a given device, too. There are some basic works out there; try to look around the Cambridge Uni security lab and their publications. There may be more there, I am not that interested.
Code readout is not the only security issue; there are broader issues related to security of data transmission (i.e. "what are the ramifications of implementing xyz protocol on STM32"), handling of keys and similar "secrets", etc.
JW
2022-08-01 12:20 AM
Thank you for the explanation, sir. So, could you also tell me about previous vulnerabilities (especially those related to chips) for STM32F4?
2022-08-01 07:22 AM
I don't collect them, I'm not interested.
JW
2022-08-01 09:22 AM
Do you have a background in IC Design and QA? Any RE experience on the HW/SW side?
2022-08-03 05:18 AM
What is "RE Experience"? I have no experience in IC Design/QA.
2022-08-03 05:20 AM
I need known/previously disclosed chip vulnerabilities which are exploitable on STM32 :') Doesn't anybody have knowledge about it, really?
2022-08-03 07:24 AM
Remind me what the first two rules of Fight Club are? Actual don't I know them.
I don't think you're in the right place for this.
RE - Reverse Engineering, perhaps encompassing what people call "Digital Forensics"