Side Channel AttackWhat is Side Channel Attack (SCA)?Body Biasing InjectionWhat is Body Biasing Injection (BBI)? Impact Analysis1) Hardware AES-256 Core Vulnerability2) Hardware Flash Encryption VulnerabilitySoftware CountermeasuresHardware CountermeasuresApplication Countermeasures
1/6Security AdvisoryTitleSecurity Advisory Concerning Breaking the Hardware AESCore and Firmware Encryption of ESP32 Chip Revision v3.0Issue date2022/11/18Advisory NumberAR2022-003Serial NumberNAVersionV2.0Issue SummaryThere are two hardware vulnerabilities of the ESP32 Chip Revision v3.0 reportedby security researchers at Ledger (Donjon).The first vulnerability is about the hardware AES core, and second vulnerability isof the Flash Encryption feature of the ESP32 Chip Revision v3.0. Thesevulnerabilities can be exploited through Side Channel Attack or Body BiasingInjection methods. Side Channel AttackIn the attack of both vulnerabilities, an attacker with physical access to thedevice is able to mount a Side Channel Attack (SCA), to obtain the encryptionkey from hardware AES core and the Flash Encryption key that resides in theeFuse of the chip.For a successful SCA attack of the chip, an attacker needs to collect severaltens of thousands of power traces and apply an appropriate signal-to-noise ratiocomputation, to identify the temporal locality of the AES operations. They wouldthen apply a CPA technique with Hamming Weight as the leakage model on thesame locations to obtain the key used in the AES operation.What is Side Channel Attack (SCA)?
2/6An electronic device when functioning, may leak the information related to itsinternal operations. The information leak may exhibit in the form of variations indevice power consumption or generated electromagnetic radiation.When a device is processing some security sensitive data, e.g., a cryptographickey, this leaked information may be used to extract the key from the device,resulting in device security compromise. This is a non-invasive attack as it doesnot require to open the chip packaging, but it does require to open the device totap the instantaneous power consumption traces. It is a real threat to the device,but it needs some skills from an attacker side to mount successful attack.Some well-known SCA techniques are: Simple Power Analysis (SPA)Differential Power Analysis (DPA) Correlation Power Analysis (CPA) Body Biasing InjectionAdditionally, in the attack of the first vulnerability of the hardware AES core, anattacker with physical access to the device can also mount a Body BiasingInjection (BBI) attack, to obtain the encryption key from the hardware AES core.For a successful BBI attack of the chip, an attacker needs to: first, preciselyidentify the position of the AES core on the chip die; second, collect tons ofpower trace and apply an appropriate signal-to-noise ratio computation, toidentify the temporal locality of the AES operations. Also, this attacker needs torepeat huge numbers of BBI attacks at the same position before being able toobtain the encryption key used for the AES operation.What is Body Biasing Injection (BBI)?Body Biasing Injection (BBI) is a novel attack method that was first introduced in2012. It controls a voltage applied with a physical micro-probe onto the backsideof the chip die. BBI is a real threat to devices, but also requires extensive effortand skills to implement, for example, the ability to open the chip package andapply a voltage onto the backside of the chip die.The work principles of BBI: Applying a voltage pulse of appropriate amplitude to a certain point onthe backside of the chip die causes some logic in the chip circuit to flipfrom 0 to 1 (or vice visa).
3/6Essentially, the AES algorithm is an iterative operation, which means asingle-byte error in one iteration will expand into a four-byte error at acorrelated position in the next iteration, and this correlation, in turns,reveals the position of the single-byte error.Also, the AES algorithm includes non-linear operation based on theGalois Field and the characteristic of the encryption key is implied in thefour-byte error, which allows the attacker to obtain the encryption keythrough pure mathematical reverse statistics.Impact Analysis1) Hardware AES-256 Core VulnerabilityBoth SCA and BBI attacks compromise systems where the AES keys are longlived or permanently reside within the device.In such use cases where AES keys are short lived, e.g., TLS session keys, bothattacks do not have any direct impact.2) Hardware Flash Encryption VulnerabilityWith flash encryption key extracted, an SCA attacker may be able to extractconfidential information from the device’s encrypted flash.Using some other exploits, an SCA attacker would be able to replace the entireencrypted flash content with their sophisticatedly manipulated content and takeover the device.However, if recommended practice is followed, and a unique flash encryptiondevice key is provisioned in the eFuse then this SCA attack would be devicespecific and scaling it to a class level attack would be cumbersome.MitigationAt present there is no hardware fix available for this issue. Future products willincorporate hardware countermeasures in the chip to address these issues.Following are some recommendations to mitigate these issues.
4/6 Software CountermeasuresIt is possible to mask the actual AES operation on AES Core with dummy AESoperations. This would make it difficult to identify the actual AES operation in thecollected power traces. This countermeasure would however impact AESoperation performance.We will evaluate software countermeasures along with its performance impactand if it looks reasonable, we may integrate under additional project menuconfigoption in future ESP-IDF release. Hardware CountermeasuresSCA attack: protect the device from physical access by enclosing it with atamper resistant mechanism which could not be broken without detection.Device should respond to tamper detection as per the predetermined action, e.g.,reset the device, clear-out the secret information on the device.BBI attack: there is no hardware fix available for this issue at present.Application CountermeasuresLong lived encryption keys that are common between the devices ormanufacturing batch should be avoided at all costs.These attacks need significant effort, skill, expensive and sophisticated labequipment to be carried out successfully on a device. If each device isprovisioned with a unique secret tied to that specific device identity, then theattacker cannot scale it to an entire class of devices, making this attack lessattractive. In addition, we recommend that chip users enable Flash Encryptionand Secure Boot at the same time, which can minimize the risk of attackerrewriting with the firmware.Several Espressif products are available in System-in-Package (SiP) form-factorwith flash pins terminated internally. These SiP (such as ESP32-PICO-V3) canprotect against this type of attack better. This prevents usage of any externalflash emulator or monitoring of flash pins as was used in the Flash Encryptionrelated attack discussed in this advisory.Related Espressif Products
5/6SCA and BBI vulnerabilities reported in this advisory may be applicable forEspressif SoC's including ESP32, ESP32-S2, ESP32-C3 and ESP32-S3. We willincorporate hardware countermeasures in our future chips to address thesevulnerabilities.For hardware Flash encryption of ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C2,the encryption algorithm has been upgraded to a more complex XTS-AESscheme; it increases the difficulty and cost of mounting an SCA, and hence,reduces security risks.CreditsWe would like to thank Karim M. Abdellatif, Olivier Hériveaux, and Adrian Thillardfrom Ledger, Donjon for reporting these vulnerabilities and assisting us with thedisclosure.
6/6Revision HistoryDateVersionRelease notes2022/11/18V2.0Added description about BBI attack2022/05/23V1.1Updated full name of SPA in ChapterSideChannel Attack2022/05/18V1.0Initial release.
