From gadgets to infrastructure: GigaDevice vulnerability puts entire industries at risk

Hackers can steal and sell software from chips.

Positive Technologies specialists have identified significant flaws in the firmware read-protection system used in the GigaDevice GD32 microcontrollers. The results of the study show that potential attackers can easily bypass this protection, extract the firmware, identify vulnerabilities, and even modify or steal the device's software. These microcontrollers are actively used in a variety of devices, such as charging stations, car engines, batteries, and access systems, which are manufactured by many companies around the world.

As Positive Technologies notes, modern devices largely consist of standard components, and it is the firmware that gives them their main value by making the components work in concert. This critical intellectual property is stored in the flash memory of microcontrollers, where read-protection technologies are used to prevent unauthorized reading. However, the experts found that the protection mechanisms in GigaDevice microcontrollers do not function effectively enough. Easily extracted firmware gives attackers what they need to identify hardware vulnerabilities. Over the past year and a half, GigaDevice microcontrollers have often replaced popular 32-bit chips manufactured by STMicroelectronics in various products around the world.

To independently assess the security of these chips, the researchers tested 11 GigaDevice GD32 models after activating their security technologies. In every tested device, covering the GD32F1x0, GD32F3x0, GD32F4xx, GD32L23x, GD32E23x, GD32E50x, GD32C10x, GD32E10x, GD32F20x, GD32F30x, and GD32F403 families, the firmware could be extracted in unencrypted form. Information about the identified threats was passed to the vendor under the responsible disclosure policy.

Given the complexity of fixing hardware vulnerabilities, Positive Technologies recommends that manufacturers choose microcontrollers that have passed independent tests for firmware readout protection. Manufacturers can check the labeling of the microcontrollers they use, and users can request this information from vendors or read the chip marking themselves by disassembling the device.
