Further information on ESP's vulnerability to hacking. This time without the possibility of removing the cause:

That is, it can be expected that, for security purposes, some future products with this controller will have the ability to change the software blocked.

This is how it can be understood, which will cause the problem of software swapping to address other security vulnerabilities. I think they have backed themselves into a corner especially as they have already sold over 100million units (January 2018 figures).

. Provided the manufacturers of these products with ESP32 wish to do so. . I suggest reading the current eFuse documentation for ESP32: (chapter 20), and

Repair the equipment by replacing it with a new one. In the next one they will correct old faults and make new ones .

. I just read the article indicated in the first post and in it: . I am not an ESP32 specialist, so please explain.

Well, that's exactly what it said, but it didn't include any more information, that it requires direct physical access to the MCU in the device in question and requires some modifications in the pcb itself and in some cases opening the metal case ESP32, if there is one - I'm not referring to the simple and cheap developer boards from AliExpress on which penetration tests have been performed, because that was simpler. Furthermore, Espressif's recommendations were and are clear on ESP32 security (as long as one needs, understands and uses them): • Use per-device unique keys for Secure Boot and Flash Encryption. • Generate per-device unique keys stored in flash for application uses, rather than using a single shared key across all devices. . Following the above rules ensures that breaking one ESP32 in one unit of a given device, will not result in breaking the security in all other ESP32s in the same devices i.e. with the same firmware. The wise will listen and the foolish will 'save'. This is what one of the 'hacking' steps looks like after removing the ESP32's metal casing: .

Did I understand correctly that the average user of an ESP32 programmed e.g. in an Arduino environment does not use the recommended security features and is thus vulnerable to attack without having to physically access the chip?

. No, the attack can be performed with physical access to the chip - the article you quoted in the first post states: A security researcher has identified a local-access technique I don't know who the average user of an ESP32 programmed in an Arduino environment for example is, I'm just crawling around myself. Familiarity with Arduino HAL, or lack thereof, is irrelevant. The Arduino HAL in ESP32 is based entirely on ESP-IDF. So knowledge of the ESP32 architecture and ESP-IDF is needed. It also doesn't matter whether one develops software in the Arduino IDE, VSC, Eclipse or any other IDE.

. It guarantees that an unauthorised person will be able to access the flash from a particular type of device, which significantly increases the chance of cloning the device or finding further vulnerabilities in the software itself. Unique keys for Secure Boot and Flash encryption become very problematic from a certain volume. Espressif's irresponsible design of the validation and the fact that they upset the LR guy with their policy/sneakiness has backfired.

ESP: Security gaps and bugs

dondu 1833 11

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply | New topic

#1 18316505 03 Dec 2019 09:05

dondu dondu

VIP Meritorious for electroda.pl

Posts: 13906

Help: 1292

Rate: 809
» | Topic author

Post #1
18316505 03 Dec 2019 09:05

Further information on ESP's vulnerability to hacking. This time without the possibility of removing the cause: https://www.infoq.com/news/2019/12/esp32-fatal-fury/

Moderated By dondu:
Hover topic, as this is important information and would be good to be collected in one topic.
ADVERTISEMENT
#2 18316879 03 Dec 2019 13:20

mipix mipix

Level 38

Posts: 4050

Help: 489

Rate: 1458
» | Helpful post? (0)

Post #2
18316879 03 Dec 2019 13:20

That is, it can be expected that, for security purposes, some future products with this controller will have the ability to change the software blocked.
#3 18316920 03 Dec 2019 13:43

dondu dondu

VIP Meritorious for electroda.pl

Posts: 13906

Help: 1292

Rate: 809
» | Topic author Helpful post? (0)

Post #3
18316920 03 Dec 2019 13:43

This is how it can be understood, which will cause the problem of software swapping to address other security vulnerabilities. I think they have backed themselves into a corner especially as they have already sold over 100million units (January 2018 figures).
ADVERTISEMENT
#4 18316929 03 Dec 2019 13:50

Anonymous Anonymous

Level 1

» |

Post #4
18316929 03 Dec 2019 13:50

mipix wrote:
some future products with this controller will be blocked from changing the software.
.
Provided the manufacturers of these products with ESP32 wish to do so.

dondu wrote:
This is how it can be understood, which will cause the problem of changing the software to address other security vulnerabilities. I think they have backed themselves into a corner all the more
.
I suggest reading the current eFuse documentation for ESP32:
https://www.espressif.com/sites/default/files...ation/esp32_technical_reference_manual_en.pdf (chapter 20), and
https://docs.espressif.com/projects/esp-idf/en/latest/api-reference/system/efuse.html
#5 18316937 03 Dec 2019 13:53

mipix mipix

Level 38

Posts: 4050

Help: 489

Rate: 1458
» | Helpful post? (0)

Post #5
18316937 03 Dec 2019 13:53

Repair the equipment by replacing it with a new one. In the next one they will correct old faults and make new ones .
#6 18317334 03 Dec 2019 17:38

dondu dondu

VIP Meritorious for electroda.pl

Posts: 13906

Help: 1292

Rate: 809
» | Topic author Helpful post? (0)

Post #6
18317334 03 Dec 2019 17:38

khoam wrote:

dondu wrote:
This can be understood, which will cause a problem with software substitutions to address other security vulnerabilities. I think they have backed themselves into a corner all the more
.
I suggest reading the current eFuse documentation for ESP32:
https://www.espressif.com/sites/default/files...ation/esp32_technical_reference_manual_en.pdf (chapter 20), and
https://docs.espressif.com/projects/esp-idf/en/latest/api-reference/system/efuse.html
.

I just read the article indicated in the first post and in it:

Quote:
The attack works against eFuse, a one-time programmable memory where data can be burned to the device. The ESP32 official documentation describes why the attack works: "Each eFuse is a one-bit field which can be programmed to 1 after which it cannot be reverted back to 0." By burning a payload into the device’s eFuse, no software update can ever reset the fuse and the chip must be physically replaced or the device discarded.
.

I am not an ESP32 specialist, so please explain.
#7 18317401 03 Dec 2019 18:18

Anonymous Anonymous

Level 1

» |

Post #7
18317401 03 Dec 2019 18:18

dondu wrote:
I just read the article indicated in the first post and in it:

Well, that's exactly what it said, but it didn't include any more information, that it requires direct physical access to the MCU in the device in question and requires "some" modifications in the pcb itself and in some cases opening the metal case ESP32, if there is one - I'm not referring to the simple and cheap developer boards from AliExpress on which "penetration" tests have been performed, because that was simpler.

Furthermore, Espressif's recommendations were and are clear on ESP32 security (as long as one needs, understands and uses them):
• Use per-device unique keys for Secure Boot and Flash Encryption.
• Generate per-device unique keys stored in flash for application uses, rather than using a single shared key across all devices. .

Following the above rules ensures that "breaking" one ESP32 in one unit of a given device, will not result in "breaking" the security in all other ESP32s in the same devices i.e. with the same firmware. The wise will listen and the foolish will 'save'.

This is what one of the 'hacking' steps looks like after removing the ESP32's metal casing:

.
ADVERTISEMENT
#8 18318542 04 Dec 2019 07:01

dondu dondu

VIP Meritorious for electroda.pl

Posts: 13906

Help: 1292

Rate: 809
» | Topic author Helpful post? (0)

Post #8
18318542 04 Dec 2019 07:01

Did I understand correctly that the average user of an ESP32 programmed e.g. in an Arduino environment does not use the recommended security features and is thus vulnerable to attack without having to physically access the chip?
#9 18318874 04 Dec 2019 11:18

Anonymous Anonymous

Level 1

» |

Post #9
18318874 04 Dec 2019 11:18

dondu wrote:
Did I understand correctly that the average user of an ESP32 programmed e.g. in the Arduino environment does not use the recommended security features and is thus vulnerable to attack without having to physically access the chip?
.
No, the attack can be performed with physical access to the chip - the article you quoted in the first post states:
" A security researcher has identified a local-access technique "

I don't know who the "average user of an ESP32 programmed in an Arduino environment for example" is, I'm just crawling around myself. Familiarity with Arduino HAL, or lack thereof, is irrelevant. The Arduino HAL in ESP32 is based entirely on ESP-IDF. So knowledge of the ESP32 architecture and ESP-IDF is needed. It also doesn't matter whether one develops software in the Arduino IDE, VSC, Eclipse or any other IDE.
#10 18329481 09 Dec 2019 17:59

vagteile vagteile

Level 2

Posts: 3

Rate: 3
» | Helpful post? (0)

Post #10
18329481 09 Dec 2019 17:59

khoam wrote:

dondu wrote:
I only read the article indicated in the first post and in it:
.
Well, that's exactly what it said, but it didn't include any more information, that this requires direct physical access to the MCU in the device in question and requires "some" modifications in the pcb itself and in some cases opening the metal case ESP32, if there is one - I'm not referring to the simple and cheap developer boards from AliExpress on which "penetration" tests have been done, because that was simpler.

Furthermore, Espressif's recommendations were and are clear on ESP32 security (as long as one needs, understands and uses them):
• Use per-device unique keys for Secure Boot and Flash Encryption.
• Generate per-device unique keys stored in flash for application uses, rather than using a single shared key across all devices. .

Following the above rules ensures that 'breaking' one ESP32 in one unit of a given device, will not result in 'breaking' the security in all other ESP32s in the same devices i.e. with the same firmware. The wise will listen and the foolish will 'save'.

This is what one of the 'hacking' steps looks like after removing the ESP32's metal casing:

.

It guarantees that an unauthorised person will be able to access the flash from a particular type of device, which significantly increases the chance of cloning the device or finding further vulnerabilities in the software itself. Unique keys for Secure Boot and Flash encryption become very problematic from a certain volume. Espressif's irresponsible design of the validation and the fact that they upset the LR guy with their policy/sneakiness has backfired.

ADVERTISEMENT

#11 18329702 09 Dec 2019 19:29

Anonymous Anonymous

Level 1

» |

Post #11
18329702 09 Dec 2019 19:29

vagteile wrote:
Espressif irresponsibly designed the validation and additionally upset the LR guy with its policy/curiosity, which hiccuped
.
Espressif has already designed and will release new versions of the ESP32-D0WD-V3 this quarter that are resistant to this local attack. As for corridor rumours, I won't comment, as I don't frequent Espressif corridors.

vagteile wrote:
Unique keys for Secure Boot and Flash encryption get very kludgy from a certain volume.

Either it is easier or it is more secure.

#12 18378724 03 Jan 2020 19:31

Anonymous Anonymous

Level 1

» |

Post #12
18378724 03 Jan 2020 19:31

khoam wrote:
Espressif has already designed and will release new versions of ESP32-D0WD-V3 this quarter that are resistant to this local attack.

For those interested, attached is a manufacturer's document describing the changes in the new V3 version.

Attachments:

ESP32_ECO_V3_User_Guide__EN.pdf (569.57 KB) You must be logged in to download this attachment.

Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply | New topic

Report a violation of the law

Home page

/

Forum

/

Smart Home

/

Smart Home IoT

/

ESP8266 and ESP32

/

ESP: Security gaps and bugs

Today's popular

Controlling a 12V relay directly from a 5V MCU using a Zener diode and a PNP transistor

Wi-Fi module in an electric kettle, what does it do? Interior and programming of Harmony 50

Tuya XR806 RT-WT501 flashed with OpenXR806 via phoenixMC, no AP or logs?

ESP32 Bluetooth - 40 kHz pulse for dog barking transmitter

Read more new topics

How to flash and dump firmware for mini-camera BK7252NQN481 INO-A9-v2.5?
05 May 2026 22:49 (4)
Hello, I’m new to the forum and I’m trying to dump the firmware from a mini camera based on the BK7252NQN481. The PCB is marked INO-A9-v2.5. I managed to get access to the RT-Thread shell through the UART pads, but when I use BK7231Flasher / Easy Flasher to back up the firmware, I get an error message, as shown in the attached screenshot My setup is: - camera connected to a USB-UART adapter, - camera... [Read more]
Can this AliExpress smart fuse be flashed with OpenBeken or Tasmota?
05 May 2026 21:57 (0)
Is there anyone upload a openbeken or tasmota on this smart fuse for house?? I like to know if that is possible. or this one or this smaller one [Read more]
£1 Re-Use smart bulb finds: IKEA Tradfri LED2003G1, Ener-J SHA5262, unbranded PIR, Yichip YC1166 BT
05 May 2026 18:47 (4)
In the city where I live we have "Re-Use" shops alongside standard recycling centres (aka tips, dumps, household waste disposal facilities). These re-use centres are packed with donations and finds that would otherwise have gone into the general waste or recycled. Of course there's some stuff for sale that should probably have been binned, but a lot is fairly decent. This Re-Use centre in particular... [Read more]
Rain-Bird ESP-RZXe after winter: STOP and code 71 despite working sensor
04 May 2026 19:22 (0)
Hello I have a problem with the Rain-Bird irrigation controller model ESP-RZXe After switching it on after winter, it shows non-stop "STOP" and code 71 It behaves as if the sensor gives a signal that it is raining and should not water. The problem is that the sinsor is ok, I also did a short circuit and it did not help. Can someone measure the resistance on the sensor pins after disconnecting from... [Read more]
Which silent lighting controller on Zigbee? Two-channel LZWSM16-2 without neutral wire
03 May 2026 11:34 (1)
Not everyone likes the distinctive loud click of relays accompanying the switching on of lights in most home automation products available. Nor does everyone have a neutral wire available in the box - in old installations it may have been unnecessary, and its absence makes it difficult to connect some of the 'smart' controls. The product shown here solves both of these problems at the same time. I... [Read more]

FAQ

TL;DR: ESP32 hardening relies on eFuses—"Each eFuse is a one-bit field … cannot be reverted." Burnt fuses can’t be undone in software, so fixes may require hardware replacement. [Elektroda, dondu, post #18317334]

Why it matters: Makers and teams shipping ESP32 products need clear steps to harden devices and plan realistic remediation without wishful OTA fixes.

Quick Facts

Exploit class: Local-access. It needs direct physical access and often PCB tweaks or shield opening. [Elektroda, khoam, post #18317401]

eFuses are one-time programmable; writing 1 can’t be reverted to 0 via firmware. [Elektroda, dondu, post #18317334]

Hardening baseline: “Use per-device unique keys for Secure Boot and Flash Encryption” plus unique app keys. [Elektroda, khoam, post #18317401]

Silicon mitigation: ESP32‑D0WD‑V3 revisions address this specific local attack. [Elektroda, khoam, post #18329702]

Operational caveat: Unique-key provisioning becomes cumbersome at volume—plan secure key management. [Elektroda, vagteile, post #18329481]

What exactly is the ESP32 eFuse vulnerability?

The issue targets ESP32’s eFuse design. eFuses are one-time bits; once set to 1, they cannot return to 0. An attacker who burns a malicious payload into eFuse settings blocks any software-only recovery. You cannot reset those fuses by updating firmware. In worst cases, the chip must be replaced or the device discarded. That irreversibility is why update-only mitigation fails. Treat eFuse programming as permanent, and audit provisioning carefully before shipping. "Each eFuse is a one-bit field … cannot be reverted." [Elektroda, dondu, post #18317334]

Is this a remote attack or do attackers need physical access?

It’s a local-access technique. The researcher’s method requires physical access to the target MCU. IDE choice or HAL does not change that requirement. Remote exploitation is not described in the cited discussion of this flaw. Focus your defenses on preventing tampering and securing the hardware boundary. "A security researcher has identified a local-access technique." [Elektroda, khoam, post #18318874]

Will manufacturers lock firmware updates on ESP32 devices?

They can. Vendors can configure Secure Boot, Flash Encryption, and eFuses to prevent end-user reflashing. That choice strengthens integrity but limits field service flexibility. Whether a given product is locked depends on the manufacturer’s policy and risk model. Planning for secure OTA with proper keying is essential if updates must remain possible. Provisioning choices are under the vendor’s control. [Elektroda, khoam, post #18316929]

What happens if an attacker burns malicious eFuses?

You cannot reverse it in software. eFuses are one-time programmable, so there is no OTA rollback. The practical remedy becomes hardware-level: replace the chip or retire the device. This permanence raises the stakes around factory provisioning and physical device security. Plan detection, blocking, and tamper evidence. [Elektroda, dondu, post #18317334]

What protections should I enable right now on ESP32?

Follow Espressif’s guidance: “Use per-device unique keys for Secure Boot and Flash Encryption” and use unique app keys per device. How-To: 1. Enable Secure Boot and burn a per-device boot key in eFuse. 2. Enable Flash Encryption with a per-device key. 3. Generate per-device application keys stored securely, not shared fleet-wide. These steps confine any breach to a single unit instead of your entire fleet. [Elektroda, khoam, post #18317401]

Are Arduino‑ESP32 projects less secure than ESP‑IDF builds?

No. Security depends on configuration, not the IDE or HAL. The Arduino core for ESP32 sits on ESP‑IDF, so the same security controls apply. The attack discussed remains a local-access technique regardless of development environment. Focus on enabling Secure Boot, Flash Encryption, and unique keys. [Elektroda, khoam, post #18318874]

How hard is the attack in real products?

It requires direct hardware access. Attackers often need to modify the PCB and sometimes open the ESP32’s metal shield. Developer boards without shielding are easier targets, which is an important edge case. Harden enclosures and add tamper evidence where possible. Difficulty increases with robust mechanical design. [Elektroda, khoam, post #18317401]

Did Espressif issue a silicon fix for this? Which revision?

Yes. Espressif designed a new ESP32‑D0WD‑V3 silicon revision to resist this specific local attack. Roll these parts into new builds when available. Validate boot and encryption flows again during migration. Check markings and part documentation to ensure you receive V3 units. [Elektroda, khoam, post #18329702]

Will tighter security make field updates harder?

Locking firmware changes can hinder later vulnerability fixes. If Secure Boot and eFuses block reflashing, patching becomes complicated. Balance integrity with maintainability by designing a secure OTA pipeline from day one. Otherwise, you back yourself into a corner with unserviceable devices. [Elektroda, dondu, post #18316920]

Could attackers read my flash and clone devices?

Forum practitioners warn this technique enables unauthorized flash access on the targeted device type. That raises cloning risk and helps attackers research additional software flaws. Per-device keys and Flash Encryption limit exposure, but provisioning at scale must be managed carefully. Treat flash content as sensitive IP. [Elektroda, vagteile, post #18329481]

How many ESP32 units are out there, and does that amplify risk?

ESP32 shipments exceeded “over 100million units” by January 2018. That scale increases incentive for attackers and magnifies fleet risk from poor key hygiene. Secure Boot and per-device keys prevent one compromise from dooming the entire fleet. Plan uniquely keyed provisioning from the start. [Elektroda, dondu, post #18316920]

Where can I find official eFuse and ESP‑IDF security docs?

Start with Espressif’s ESP32 Technical Reference Manual (eFuse chapter) and the ESP‑IDF eFuse API reference. These documents explain eFuse fields, burning procedures, and how to integrate Secure Boot and Flash Encryption. Review them before setting production fuses. [Elektroda, khoam, post #18316929]

Generated by the language model.

ADVERTISEMENT