The firmware of microcontrollers usually contains valuable data such as intellectual property and, in some cases, even cryptographic material. In order to protect the confidentiality of these assets, most microcontrollers feature some kind of firmware read-out protection. This security feature is intended to prevent adversaries with physical access to a device from reading out the internal flash memory. Nevertheless, security researchers as well as hobbyists have repeatedly shown that these security features can be circumvented. In this research article, we examine the flash read-out protection (RDP) of the STM32F1 series from STMicroelectronics. We discuss a newly discovered vulnerability whose exploitation would be the first non-invasive way to circumvent the feature. The issue results from an insufficient access restriction: flash data reads via the debug interface are blocked, but the CPU's exception handling process is still able to read from flash memory via the ICode bus. We explain in detail why and how this vulnerability exposes large parts of the internal memory, thereby affecting device security.
An attacker with access to the debug interface can exploit this vulnerability and extract large amounts of data from the flash memory. If you rely on this security feature, we strongly recommend that you take appropriate action. The only way to avoid exploitation, and thus keep the entire flash memory content confidential, is to physically prevent an attacker from gaining access to the debug interface.
This announcement is part of a coordinated vulnerability disclosure process. An extensive article with technical details about the vulnerability will be published here on 15 March 2020.