The Ledger Donjon team, which is responsible for boosting the security of our products, discovered a hardware vulnerability in the Blockstream hardware wallet (Jade). An attacker with a stolen Blockstream hardware wallet can decrypt the encrypted firmware stored in the external flash using side-channel attacks (SCAs), and then inject malicious code, for example code that performs transactions to substituted addresses. This is known as an evil maid attack.
Blockstream Jade[1] is a hardware wallet dedicated to securing cryptocurrencies and their transactions. It supports Bitcoin and its leading sidechains. This hardware wallet is an open-source and open-hardware project[2]. The following two figures show the Jade wallet before and after opening its plastic package, respectively. The wallet uses the ESP32-V3[3] (in red) as the main microcontroller and an external flash memory (in yellow) to store the encrypted firmware. The encrypted firmware is decrypted during the power-up with a key stored in the ESP32-V3 chip. The wallet does not store the user PIN in the external flash; PIN verification is performed remotely on Blockstream's server. However, the external flash contains the user's private and public keys used to communicate with this server.
ESP32-V3 vs ESP32-V1
ESP32[4] is one of the most widely used microcontrollers and is present in hundreds of millions of devices such as IoT applications, mobile devices, hardware wallets, etc. In 2019, Limited Results[5] published a fault injection attack at Black Hat Europe which broke the security of ESP32-V1. Espressif subsequently patched this vulnerability and advised its customers to use ESP32-V3[3], a silicon revision hardened against fault injection attacks.
In order to investigate the difference between ESP32-V3 and ESP32-V1, we fabricated two PCBs for the two chips to monitor the boot ROM activity during the power-up. We used the following setup, consisting of these components:
- A Scaffold board[6] with the device under test (DUT)
- A PC to communicate with the Scaffold-based DUT
- A Tektronix MSO54 1 GHz digital oscilloscope with a maximum sampling rate of 6.25 GS/s, used to measure and capture the instantaneous power consumption of the DUT
We started by monitoring the power consumption of the two chips during the power-up (boot ROM). The following figure shows the difference between ESP32-V3 and ESP32-V1 during the power-up. We can observe that the power-up of ESP32-V3 has additional blocks compared to ESP32-V1. These appear to be the verification blocks against fault injection that Espressif highlighted. These countermeasures are performed by the ROM bootloader.
Breaking Firmware Encryption of ESP32-V3 Using SCAs
Due to the added countermeasures at the boot ROM level, we decided to explore another attack path instead of fault injection, and started to investigate SCAs on the firmware decryption mechanism. Espressif uses AES-256 to decrypt the flash content during the power-up.
We took the following steps to achieve this attack:
- Localizing the AES decryption process during the power-up
- Controlling the flash content in order to perform a correlation power analysis (CPA[7]) to attack all the key bytes
First, we looked at the power consumption of the chip during the power-up while monitoring the SPI clock signal of the external flash to find where flash data was manipulated. According to the reference manual[4], data is loaded from the flash in 32-byte blocks, which are decrypted with the same key when flash encryption is enabled. From the following figure, there are two zones where the flash data is manipulated (flash communication 1 and flash communication 2). Therefore, the firmware decryption should be located in zone A or zone B.
During the power-up, the ROM bootloader loads the firmware bootloader, which is stored at address 0x1000 as shown in the reference manual[4]. Hence, the first 32 bytes stored at 0x1000 should be manipulated during flash communication 1 or flash communication 2. To locate the manipulation of the firmware bootloader data, we collected traces during the two zones under the scenario shown in the following algorithm.
After collecting 50K traces, we computed the signal-to-noise ratio (SNR) of the first 32 bytes stored at 0x1000 over the two zones (flash communication 1 and flash communication 2) to identify which zone is relevant. We found that the 32 bytes are manipulated during flash communication 2, as shown in the following figure, which exhibits 32 distinct patterns corresponding to the 32 bytes stored at address 0x1000. Therefore, the AES decryption should be performed just after the SNR peak of the last byte.
Being more confident about the zone of the AES decryption, we used a flash emulator on Scaffold to avoid the limitation on writing to the external flash, so that we could collect an unlimited number of traces during the execution of the firmware decryption while varying the bootloader data. We recorded 2M traces during the power-up in order to perform the correlation power analysis (CPA[7]). After aligning them carefully, we performed the CPA successfully, as shown in the following figures.
Our success metric (key rank) indicates that with 300K traces, all the key bytes except Key are recovered. Key can be recovered either with more side-channel traces or through brute force.
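The SNR localization and the CPA key-rank metric described above can be reproduced on constructed data. The following is an added example (not code from the Ledger Donjon post or from the ESP32 ROM): it simulates traces with a Hamming-weight leak of one AES S-box output at a single sample, locates that sample with the per-byte SNR, then runs CPA over all 256 guesses for that key byte and reports the key rank. The key byte 0x2B, the leak position, the noise level and the trace count are arbitrary constructed parameters.

```python
import random
def make_sbox():
    # AES S-box from the GF(2^8) inverse plus affine map (classic p*=3 / q/=3 generator).
    p, q, sbox = 1, 1, [0x63] * 256   # 0 has no inverse and maps to 0x63
    for _ in range(255):              # 3 generates GF(2^8)*, so p visits every nonzero byte
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    return sbox
SBOX, HW = make_sbox(), [bin(v).count("1") for v in range(256)]
def simulate_traces(n, key_byte, leak_sample, n_samples=40, sigma=1.5, seed=1):
    # Constructed traces: Gaussian noise everywhere, plus HW(SBOX[pt ^ k]) at one sample.
    rng, pts, traces = random.Random(seed), [], []
    for _ in range(n):
        pt = rng.randrange(256)
        tr = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        tr[leak_sample] += HW[SBOX[pt ^ key_byte]]
        pts.append(pt); traces.append(tr)
    return pts, traces
def snr_per_sample(data, traces):
    # Group traces by the known data byte; SNR = var(group means) / mean(group variances).
    groups = {}
    for d, t in zip(data, traces): groups.setdefault(d, []).append(t)
    snr = []
    for s in range(len(traces[0])):
        cols = [[t[s] for t in g] for g in groups.values()]
        means = [sum(c) / len(c) for c in cols]
        noise = sum(sum((v - m) ** 2 for v in c) / len(c) for c, m in zip(cols, means)) / len(cols)
        mm = sum(means) / len(means)
        snr.append(sum((m - mm) ** 2 for m in means) / len(means) / noise)
    return snr
def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / (sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)) ** 0.5
def cpa_key_byte(pts, traces, sample):
    # CPA: correlate HW(SBOX[pt ^ guess]) with the located sample for all 256 key guesses.
    col = [t[sample] for t in traces]
    scores = [abs(pearson([HW[SBOX[p ^ g]] for p in pts], col)) for g in range(256)]
    return max(range(256), key=scores.__getitem__), scores

def run_demo(true_key=0x2B, leak_sample=23, n_traces=3000):
    # Returns (located sample, recovered byte, key rank); rank 0 means the true key scores highest.
    pts, traces = simulate_traces(n_traces, true_key, leak_sample)
    snr = snr_per_sample(pts, traces)
    located = max(range(len(snr)), key=snr.__getitem__)
    best, scores = cpa_key_byte(pts, traces, located)
    return located, best, sum(1 for s in scores if s > scores[true_key])
```

Lowering n_traces or raising sigma shows the key rank climbing, which is the same trend the post's key-rank figure reports as the trace count shrinks.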
We carried out the attack described above on a Jade wallet. We removed the ESP32-V3 from the wallet and plugged it into our setup. Within 2 hours, we collected around 500K traces and recovered the key stored in the ESP32-V3 chip. We used this key to decrypt the encrypted firmware stored in the external flash. This decrypted firmware contains the user's private and public keys used to communicate with Blockstream's server. The following figures show the encrypted and decrypted firmware of Jade. An attacker can exploit the discovered vulnerability to perform an evil maid attack that puts the Jade user at real risk.
For more technical details, this work was presented at Black Hat USA 2022[8], and the technical paper has recently been published online (https://eprint.iacr.org/2023/090.pdf).
Using MCUs as the main controller in hardware wallets is not a safe solution, even when the MCU is patched, as ESP32-V3 is. Espressif patched it against fault injection but left the side-channel part out. We showed how an attacker can recover the firmware encryption key in a few hours. This vulnerability was reported to Blockstream and Espressif in October 2021. Espressif published a security advisory[9] in May 2022 stating that future products will contain countermeasures against the reported attack.
- [1] Blockstream, Jade
- [2] Blockstream, Open Source of Jade wallet
- [3] Espressif, ESP32 Chip Revision v3.0 User Guide
- [4] Espressif, ESP32 Technical Reference Manual
- [5] LimitedResults, Fatal Fury On ESP32: Time To Release Hardware Exploits
- [6] Olivier Hériveaux, Scaffold
- [7] Eric Brier, Christophe Clavier, and Francis Olivier, Correlation power analysis with a leakage model, CHES 2004
- [8] Karim M. Abdellatif, Olivier Hériveaux, and Adrian Thillard, Unlimited Results: Breaking Firmware Encryption of ESP32-V3
- [9] Espressif, Security advisory