Breaking Bootloaders on the Cheap

Presented at Black Hat Europe 2019, Dec. 5, 2019, 4:35 p.m. (25 minutes)

One of the challenges in securing embedded devices is to protect the flash memory storing code, data, and cryptographic secrets against malicious read/write access. Therefore, most microcontroller vendors decided to implement code read protection mechanisms (usually controlled by some security bits or fuses) in order to prevent such attacks.

Most modern microcontrollers include a bootloader (stored in ROM) that allows for in-circuit programming via USB, UART, or another link. The bootloader is also responsible for enforcing any configured readout protection. Until now, attacks against embedded bootloaders have relied on hardware techniques, e.g. voltage glitching or UV light. Logical vulnerabilities (e.g. buffer overflows) in the bootloader code have received less attention.

For this presentation, we reverse-engineered and analysed the bootloaders of three widely used microcontrollers (NXP LPC1343, ST STM32F4, and ST STM8) in order to assess if the readout protection can be overcome with software-based attacks.

Our analysis shows that the bootloader of the LPC1343 (and other chips from the same family) contains a critical vulnerability in the "Write to RAM" command. The command prevents writes to the bootloader's own RAM, but because the chip has no Memory Management Unit, nothing protects the stack (located at the other end of memory). This allows an attacker to break code readout protection (CRP) level 1 by overwriting return addresses on the stack and chaining code gadgets as in Return-Oriented Programming. The attack can be carried out with any cheap serial-to-USB converter.
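The address-range check a "Write to RAM" handler needs, as an added illustration that is not the speakers' code and uses a constructed memory map rather than the LPC1343's real one: the weak variant guards only the bootloader's data window, while the hardened variant also rejects the stack region, ranges outside SRAM, zero-length writes and length overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed memory map for illustration only (not the LPC1343's real layout).
 * Bootloader globals sit at the bottom of SRAM, its stack grows down from the top. */
#define SRAM_BASE      0x10000000u
#define SRAM_SIZE      0x2000u                    /* 8 KiB */
#define SRAM_END       (SRAM_BASE + SRAM_SIZE)    /* exclusive */
#define BL_DATA_BASE   SRAM_BASE
#define BL_DATA_SIZE   0x100u
#define BL_STACK_SIZE  0x200u
#define BL_STACK_BASE  (SRAM_END - BL_STACK_SIZE)

typedef struct { uint32_t start, end; } region_t;   /* half-open [start, end) */

/* True if the half-open write range [s, e) touches region r. */
static bool overlaps(uint32_t s, uint32_t e, region_t r) {
    return s < r.end && e > r.start;
}

/* Weak check: only the bootloader's data window is off limits.
 * The stack at the other end of SRAM is writable, so return addresses can be replaced. */
bool write_to_ram_allowed_weak(uint32_t addr, uint32_t len) {
    region_t data = { BL_DATA_BASE, BL_DATA_BASE + BL_DATA_SIZE };
    return !overlaps(addr, addr + len, data);   /* addr + len may also wrap */
}

/* Hardened check: every byte of the write must land in SRAM that the
 * bootloader neither uses for data nor for its stack, and the end address
 * must be computed without wrap-around. */
bool write_to_ram_allowed_hardened(uint32_t addr, uint32_t len) {
    if (len == 0 || addr > UINT32_MAX - len)    /* reject empty and overflowing ranges */
        return false;
    uint32_t end = addr + len;
    if (addr < SRAM_BASE || end > SRAM_END)     /* whole range inside SRAM */
        return false;

    const region_t protected_regions[] = {
        { BL_DATA_BASE,  BL_DATA_BASE + BL_DATA_SIZE },  /* bootloader globals */
        { BL_STACK_BASE, SRAM_END },                     /* bootloader stack   */
    };
    for (size_t i = 0; i < sizeof protected_regions / sizeof protected_regions[0]; i++)
        if (overlaps(addr, end, protected_regions[i]))
            return false;
    return true;
}
```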

We responsibly disclosed this to NXP, and they acknowledged the issue. Although NXP had already cautioned users about the limitations of CRP level 1, they updated their developer guidance and now recommend setting CRP level 2 or 3, where this exploit is not possible.

While we did not find similar issues in the code of the STM32 and STM8 bootloaders, we point out that analysis on the assembly level can be useful in developing other attacks, e.g. for pinpointing the correct locations for voltage glitching.

Presenters:

  • David Oswald - Senior Lecturer, Security and Privacy Group, University of Birmingham
    David Oswald is a senior lecturer (associate professor) in the Security and Privacy Group at the University of Birmingham, UK. His main field of research is the security of embedded systems in the real world. His research on vulnerabilities of various wide-spread systems (e.g. DESFire RFID smartcards, Yubikey two-factor authentication tokens, electronic locks, and VW/Hitag2 keyless entry systems) has created awareness for the crucial importance of security among developers of embedded devices.
  • Qais Temeiza - Independent Security Researcher
    Qais Temeiza is an Information Security Engineer with an MSc in Cyber Security from the University of Birmingham. He has strong skills in low-level security research and embedded systems. He is also proficient in programming languages like C, C#, and Assembly Language.