[Question] : Has Security Advisory AR2022-003 been addressed ?

gb.123
Posts: 32
Joined: Thu May 20, 2021 9:56 pm

[Question] : Has Security Advisory AR2022-003 been addressed ?

Postby gb.123 » Fri Aug 18, 2023 12:39 pm

Hello,
Anyone knows if Security Advisory AR2022-003 been addressed ?
If yes, then what is the revision number of ESP32-S3 that addresses this issue ?
(I am specifically looking ESP32-S3-DevKitC which addresses this issue)
Thanks

ESP_Sprite
Posts: 9757
Joined: Thu Nov 26, 2015 4:08 am

Re: [Question] : Has Security Advisory AR2022-003 been addressed ?

Postby ESP_Sprite » Sat Aug 19, 2023 12:22 pm

Probably not on the S3 as that pre-dated the advisory and I don't believe we had a mask change related to this since then. However, if the S3 is vulnerable to this in the first place is unknown.

gb.123
Posts: 32
Joined: Thu May 20, 2021 9:56 pm

Re: [Question] : Has Security Advisory AR2022-003 been addressed ?

Postby gb.123 » Sun Aug 20, 2023 2:17 am

Well the Document states :
"SCA and BBI vulnerabilities reported in this advisory may be applicable for Espressif SoC's including ESP32, ESP32-S2, ESP32-C3 and ESP32-S3. We will incorporate hardware countermeasures in our future chips to address these vulnerabilities."

Also For ESP32, EMFI has been identified on Advisory No. AR2023-005.

I would love to use ESP32 since ESP32-S3 does not have DAC. Any chance you guys have released a newer release of ESP32 which has all these vulnerabilities addressed ?

What hardware would you suggest ? Security will be very crucial to me.

ESP_Sprite
Posts: 9757
Joined: Thu Nov 26, 2015 4:08 am

Re: [Question] : Has Security Advisory AR2022-003 been addressed ?

Postby ESP_Sprite » Sun Aug 20, 2023 3:49 am

gb.123 wrote:
Sun Aug 20, 2023 2:17 am
Well the Document states :
"SCA and BBI vulnerabilities reported in this advisory may be applicable for Espressif SoC's including ESP32, ESP32-S2, ESP32-C3 and ESP32-S3. We will incorporate hardware countermeasures in our future chips to address these vulnerabilities."
Yeah, as I said, 'may be vulnerable', it's unknown how the details of these vulnerabilities would work out on those chips.
Also For ESP32, EMFI has been identified on Advisory No. AR2023-005.

I would love to use ESP32 since ESP32-S3 does not have DAC. Any chance you guys have released a newer release of ESP32 which has all these vulnerabilities addressed ?

What hardware would you suggest ? Security will be very crucial to me.
No, sorry, from what I know said countermeasures are incorporated in 'future chips', as in as of yet unreleased ESP32-Cx, -Sx, -Hx etc models. I'm not sure if we'll backport these changes to the ESP32.

martins
Posts: 51
Joined: Tue Aug 24, 2021 8:58 am

Re: [Question] : Has Security Advisory AR2022-003 been addressed ?

Postby martins » Mon Aug 21, 2023 11:35 am

ESP_Sprite wrote:
Sun Aug 20, 2023 3:49 am
Also For ESP32, EMFI has been identified on Advisory No. AR2023-005.

I would love to use ESP32 since ESP32-S3 does not have DAC. Any chance you guys have released a newer release of ESP32 which has all these vulnerabilities addressed ?

What hardware would you suggest ? Security will be very crucial to me.
No, sorry, from what I know said countermeasures are incorporated in 'future chips', as in as of yet unreleased ESP32-Cx, -Sx, -Hx etc models. I'm not sure if we'll backport these changes to the ESP32.
The AR2022-003 also confirms that ESP32-PICO-V3 is better choice from ESP32 line as it has flash pins terminated internally, making the possible attack more difficult. Is there any possibility that we could see PICO-V3 with increased temperature range? Currently it is max. +85°C which may be limiting in some of our applications.

Who is online

Users browsing this forum: No registered users and 77 guests