Breaking The Flash Encryption Feature Of Espressif’s Microcontrollers

Espressif’s ESP32 microcontrollers come with a Flash encryption feature that when enabled ensures that the data and code stored on the (usually external) Flash chip is encrypted with AES-256 (ESP32) or better (ESP32-C3, -C6). For the ESP32 this encryption feature has been shown to be vulnerable to side channel attacks (SCA), leading [courk] to not only replicate this result with a custom ESP Correlation Power Analysis (CPA) board (pictured) that captures power usage of the MCU, but also to try his luck with the ESP32-C3 and ESP32-C6 parts that should be tougher nuts to crack.

Whereas the ESP32 uses a fairly straightforward AES-256 encryption routine that together with the exposed Flash communication lines on the QSPI bus make for a textbook SCA example, the ESP32-C3 ups the encryption to XTS-AES, which uses two 128-bit keys on the -C3 part (XTS-256). This particular MCU is still susceptible to the same SCA attack with CPA, making it somewhat harder to attack than the ESP32, but by no means impossible.

Following the advisory from Espressif (PDF) regarding the cracked ESP32 Flash encryption, anti-SCA measures were said to be implemented in future Espressif designs, which includes the ESP32-C6. These measure serve mostly to mask and obfuscate the internal operations in order make power trace data less useful. These countermeasures can be enabled in stages, which [courk] did, to see how much they affect a CPA-based SCA. Perhaps shockingly, none of these seemed to affect the CPA attack much, if at all.

As a bonus round, [courk] then decided to speed up the painfully slow process of recovering the encryption keys by fault injection, which just requires the first 128 bytes (one block) on the -C3 and -C6 parts. Using a voltage fault injection the Secure Boot feature is bypassed. The essential idea is that through a buffer overflow custom code can be run, which dumps the entire Flash content. After demonstrating this and report it to Espressif, an advisory was published that notes that there’s no defense against this SCA and fault injection attack, other than using an ESP32 part that has internal Flash and no access to the QSPI bus from the outside.

It would seem that with how leaky the Flash encryption is on these ESP32-family parts, placing your bets on an attacker having an aversion to decapping an IC might indeed be your best defense.

Top image: Block Diagram of the ESP CPA Board (Credit: Courk at courk.cc)

By