readout protection cracked on STM32

Is there any official statement from ST on this?  Are all STM32 series affected?

Does it also affect RDP level 2? 

>> how to sort FW from garbage?

quite simple, no?: flash it on a second stm32 and check functionality

Hi,

We will come back to you with our official statement regarding this issue.

-Amel

MANI Christophe wrote:

After verification, the publication on that “Practically feasible� debug access is anyhow limited to the STM32F0 only.

All other STM32 platforms are not affected by that mechanism.

That, my friend is completely bullshit. Even though the institute has a billion dollar budget, they can't spend all that on this single project. They have indicated that they were time and budget limited to the STM32F0 family. So that's what they tested. So for scientific correctness they only claim they verified their findings on STM32F0xx. 

But it would be very unwise that given this evidence, you would think you are safe because you're running an STM32F411 that was not tested. 

In security you must always assume the worst. So in this case: It has been proven that ST can get things wrong as to the security of your IP when loaded on a locked device. This extends to the other STM32 families and possibly other ST microprocessor families. 

In the past I've run/moderated a security mailing list. I have experimented with having a club of beta-testers who would beta-test the holes that were reported. When someone publishes a security hole, complete with demo code, about six out of ten security wizzes would report: 'Nope that hole is bullshit, the report is false, we're safe, the exploit does not work at all', about two would report: 'maybe'. and two would report: 'Yup hole verified, we're vulnerable!'. So when vulnerabilities are reported you really should err to the side of caution.

These guys who reported this issue are good, but not brilliant. They hint at: 'these are all the bugs that exist'. This is likely not true. Everybody who has researched such a subject for 6 months will think they have covered everything. The same holds for the ST engineers who designed this. They think they covered everything, but a hole was found. The only thing we can do is to fix this one and continue improving the hardware as more and more issues are found. 

For example, in the old days, you'd write crypto code as: if (bit_of_key (n)) do something.  Now with power-analysis you can find that the loop takes different amounts of time depending on the key bit. So once you figure out the time differences you have all the key bits. oops! So now you should write: if (bit_of_key(n)) do something else do something but discard the result. 

haha: This posting reads just fine even with the censorship. 

The article, and again this remark you report hint at too much confidence. They say they tried everything (they could think of) and that only these attacks work. The part in the parentheses is important. They cannot have thought of everything. They do not have all possible equipment. etc etc. It is entirely possible that someone with a different machine or a slightly modified way of doing things will get a different result. 

So for the 'more metal layers, you cannot see the option bits from above'... What if you shine an UV laser on a specific spot? With the proper optics you can aim pretty good. I find it plausible that the gaps in the metal layers will leak enough to flip a few bits. If there is a solid layer on top specifically to try to thwart this attack, you can blast away the metal with a pulse of just the right amount of energy. 

This then becomes an attack where the first time it costs quite some money: You will blast a few CPUs away before you find the right energy setting and spot. 

If I understand and remember correctly, the problem can be triggered in RDP level 1.

However, they also showed that they can almost target a single bit erase. But that "almost" is enough to ALWAYs cause a level 2 -> level 1 downgrade.

As a user a level 2 protected device is "almost bricked". If you find a software bug, the device is bricked and can no longer be used. To prevent this from happening accidentally, a very specific bit pattern is used to enable level 2. So any single bit change in IIRC 16 bits of configuration flash bits will downgrade the level 2 to level 1.

All this depends on quite some effort of the attacker. Level 1 or level 2 will keep most hobbyist "lets read the code and see what it is doing" away. But bigger players, can spend the "a week to reproduce the findings in the article" or "$500 to have it done commercially", What the commercial "read protected chips" guys can do beyond what the article describes is unknown.