TID-220: Unpatchable Hardware Root of Trust
Threat Description
Hardware roots of trust support many desirable device security functions, such as secure key and secret storage, secure boot, and firmware integrity measurement. These functions typically depend on the root of trust being immutable, so that a threat actor cannot alter the code or data in the root of trust and thereby undermine the security functions built on top of it. That immutability cuts both ways: if the root of trust implementation is flawed, it also prevents the revocation and replacement of compromised keys and prevents patching of vulnerable code. Consequently, if threat actors have a mechanism to extract the secret data or code from a root of trust, or if those secrets and code are shared across many devices so that extracting them from one device compromises all of them, the affected devices remain vulnerable after the threat is disclosed and may have to be removed from operation and replaced with newly manufactured, fixed units.
Threat Maturity and Evidence
Known Exploitable Weakness
Glitching the Switch
The researchers describe how they identified an exploitable flaw in the immutable first-stage boot ROM code of the Nvidia Tegra X1 SoC, on which the Nintendo Switch game console is built. The secret boot ROM code serves as the root of trust for secure verified boot on the Tegra X1 platform. A buffer overflow in the boot ROM's recovery mode allows a threat actor to bypass firmware verification and execute unauthorized custom or modified firmware on the device. Because the flawed code is stored in unmodifiable memory within the X1 system-on-chip, the vulnerability cannot be patched on hardware revisions that contain it and could only be fixed in newly manufactured Switch consoles.
Proof of Concept
Uprooting Trust: Learnings from an Unpatchable Hardware Root-of-Trust Vulnerability in Siemens S7-1500 PLCs
“The vulnerable ATECC-based RoT hardware implementation is deployed across the Siemens S7-1500 series product line. Because each device is loaded with the exact same cryptographic material used to generate decryption seeds and keys, adversaries may abuse the hardware RoT to decrypt, modify, and re-encrypt firmware for all devices within this family. For example, an ATECC RoT chip may be removed or instrumented from one specific S7-1500 series device, and used to generate valid tampered firmware for a separate device.”
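The following is an added example, written for this entry rather than taken from the Siemens paper or any vendor's code, that models the shared-secret failure mode described above and in the threat description: one firmware-authentication key extracted from a single device's root of trust is used to forge a tampered image, and the model counts how many devices in the fleet would boot it. The HMAC-SHA256 tag, the per-device key derivation, the constructed device serial numbers and the constructed firmware image are all assumptions made for illustration; they stand in for, and do not reproduce, the ATECC-based scheme the paper analyses.

```python
"""Blast radius of a shared root-of-trust secret versus per-device keys.

Added example for TID-220. The keys, IDs and firmware image below are
constructed for illustration and do not correspond to any real product.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed attacker payload: a modified image the attacker wants devices to boot.
ATTACKER_IMAGE = b"TAMPERED FIRMWARE v1.0.1 with backdoor"


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Diversify one vendor master key into a per-device key (HMAC-SHA256 as the KDF).

    The master key never leaves the vendor; only the derived key is burned into
    each device's RoT, so reading it out of one device yields nothing that
    verifies on another device.
    """
    return hmac.new(master_key, b"fw-auth-v1|" + device_id, hashlib.sha256).digest()


def sign_firmware(key: bytes, image: bytes) -> bytes:
    """Firmware authentication tag (HMAC-SHA256) under the given key."""
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass
class Device:
    device_id: bytes
    rot_key: bytes  # written once into the immutable root of trust at manufacture

    def accepts(self, image: bytes, tag: bytes) -> bool:
        """Secure-boot check: boot only firmware whose tag verifies under the RoT key."""
        return hmac.compare_digest(sign_firmware(self.rot_key, image), tag)


def build_fleet(n: int, diversified: bool, seed: bytes) -> list[Device]:
    """Provision n devices.

    diversified=False: every RoT holds the same key (the pattern quoted above).
    diversified=True:  every RoT holds a key derived from the master and its own ID.
    """
    master = hashlib.sha256(b"master|" + seed).digest()
    fleet = []
    for i in range(n):
        dev_id = b"SN-%04d" % i  # constructed serial number
        key = derive_device_key(master, dev_id) if diversified else master
        fleet.append(Device(dev_id, key))
    return fleet


def compromised_devices(fleet: list[Device], extracted_from: int) -> list[bytes]:
    """Model the attack from the quoted paper.

    The key is read out of one device's RoT chip, used to sign a tampered image,
    and that image is then offered to every device in the fleet. Returns the IDs
    of the devices that would boot it.
    """
    stolen_key = fleet[extracted_from].rot_key
    forged_tag = sign_firmware(stolen_key, ATTACKER_IMAGE)
    return [d.device_id for d in fleet if d.accepts(ATTACKER_IMAGE, forged_tag)]


if __name__ == "__main__":
    seed = os.urandom(16)
    for label, diversified in (("shared key", False), ("per-device keys", True)):
        fleet = build_fleet(100, diversified, seed)
        hit = compromised_devices(fleet, extracted_from=7)
        print(f"{label}: {len(hit)}/{len(fleet)} devices accept the forged firmware")
```

With a shared key the forged image is accepted fleet-wide; with diversified keys only the device the key was extracted from accepts it. Key diversification narrows the blast radius of an extraction but does not change the core point of this threat: the extracted device itself still cannot be re-keyed, and a flaw in shared immutable code (as in the boot ROM case above) would still affect every unit that contains it.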
CWE
CWE-1329: Reliance on Component That is Not Updateable
“The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.”