(ST|GD)32V?F103 flash readout

NIIBE Yutaka gniibe at fsij.org
Fri Oct 2 03:21:10 CEST 2020


Hello,

In February, Tom Li kindly shared information about the Flash Readout Attack.
Since then, attack technology has improved (in the direction that is worse
for our use case).

This week, while testing the GD32VF103, I also found a vulnerability in its
firmware (if my analysis and understanding are correct).  Currently, I
am asking my Chinese friends for help contacting the vendor.  And then
I found out more about recent vulnerabilities around (ST|GD)32V?F103.

Basically, now in 2020, if you allow physical access to your token,
it is somewhat easy for attackers (with enough skill) to read out its flash
content, in terms of both cost and time.

I'd recommend some sort of tamper resistance or tamper evidence for the case
of a Gnuk Token.  For my own, I use a metal case with the FST-01SZ Kit, and
something like this:

    https://www.fsij.org/gnuk/craftwork-fst-01.html



Here are two reports.  If you don't have time, just read the second,
which also explains the first.


(1) A report on STM32F1 (CVE-2020-8004):

Exception(al) Failure - Breaking the STM32F1 Read-Out Protection:
https://blog.zapb.de/stm32f1-exceptional-failure/

(2) Another report (CVE-2020-13463, CVE-2020-13464, CVE-2020-13465,
CVE-2020-13466, CVE-2020-13467, CVE-2020-13470, CVE-2020-13471,
CVE-2020-13472) which also refers to (1), CVE-2020-8004.

One Exploit to Rule them All? On the Security of Drop-in Replacement and
Counterfeit Microcontrollers:
https://github.com/JohannesObermaier/f103-analysis/


Also, another work from 2017 by Johannes Obermaier and Stefan Tatschner is
worth reading.

(0) An attack on STM32F0 (CVE-2017-18347):

Shedding too much Light on a Microcontroller's Firmware Protection:
https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
https://www.usenix.org/system/files/conference/woot17/woot17-paper-obermaier.pdf
-- 