Abu Dhabi-based TII and Raelize Discover Vulnerability in Espressif’s ESP32v3

The Technology Innovation Institute (TII), a leading global scientific research center and the applied research pillar of Abu Dhabi’s Advanced Technology Research Council (ATRC), and Raelize, a globally-renowned cybersecurity entity, have reported a new vulnerability in Espressif’s ESP32 revision v3.0. The two entities identified the vulnerability by deploying an Electromagnetic Fault Injection (EMFI) attack to gain unauthorized access to the ROM’s Download Mode.

This is the first example of a successful Fault Injection (FI) attack where both Secure Boot and Flash Encryption are bypassed using a single glitch on a target specifically hardened against FI attacks.

Espressif is a multinational semiconductor company responsible for the creation and design of low-cost chipsets including the ESP32, a System-on-Chip (SoC) used in millions of devices that supports notable security features such as Secure Boot and Flash Encryption. In recent years, several security compromises due to FI attacks have been reported. Following the attack orchestrated by TII and Raelize, Espressif acknowledged the vulnerability and published a security advisory (AR2023-005), and CVE-2023-35818 was in turn assigned by the CVE numbering authority. A CVE ID uniquely identifies a vulnerability in the Common Vulnerabilities and Exposures (CVE) database, which is a list of publicly disclosed security vulnerabilities.

Although Espressif’s ESP32 revision v3.0 was initially developed as a solution hardened against FI attacks, TII and Raelize jointly carried out this novel FI attack against the SoC. The attack chains multiple vulnerabilities and uses a single EM glitch to enter and further exploit the ROM’s Download Mode, which gives access to the unencrypted flash contents.

Highlighting the significance of this groundbreaking initiative, Dr. Najwa Aaraj, Chief Researcher, Cryptography Research Center (CRC) at TII, said, “We are pleased to report that our work leading to this CVE attests to our continuing efforts to enhance our cryptography ecosystem, thanks in part to our state-of-the-art Hardware Security Research lab – among the first in the MENA region capable of performing such highly advanced attacks and analyses. We are encouraged by the outcomes of this latest experiment and hope to continue building our capability and research know-how in the thriving domain of hardware security.”

Niek Timmers, Co-Founder, Raelize, said, “Similar to sophisticated software exploits, we regard Fault Injection attacks as a form of art, demanding a highly imaginative and creative mindset. At Raelize, we channel our technical expertise to pioneer the field of hardware security research, pushing the boundaries of innovation and excellence.”

The findings are part of TII and Raelize’s collaborative efforts in strengthening the cybersecurity landscape and driving robust cryptographic solutions – demonstrating their unbeatable credibility and capabilities as global leaders in the field of hardware security research.