-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

﻿Advisory ID:               SYSS-2025-033
Product:                   STM32L0 - ARM Cortex-M0+ ultra-low-power MCU
Manufacturer:              STMicroelectronics
Affected Version(s):       STM32L051K8
Tested Version(s):         STM32L051K8
Vulnerability Type:        Improper Protection Against Voltage and Clock Glitches (CWE-1247)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2025-04-07
Solution Date:             
Public Disclosure:         2025-05-23
CVE Reference:             Not yet assigned
Author of Advisory:        Dr. Matthias Kesenheimer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The STM32L0 is a versatile and widely spread microcontroller that is used in
many industrial and consumer products. It offers a wide range of functions,
such as an AES-128 module or a memory protection unit (MPU), which also make
it interesting for security-relevant applications.

The manufacturer describes the product as follows (see [1]):

"The STM32L0 series is ST's entry-level range of 32-bit ultra-low-power MCUs
designed to achieve an outstandingly low power consumption level. The result
is a genuine ultra-low-power MCU with the world’s lowest power consumption
at 125 °C.

Since its mass market launch in February 2016, the STM32L0 MCU has become a
reference in the industry, as it provides key features that save energy in
battery-powered devices and in applications with an embedded energy-harvesting
system.

[...]

Other value-added features such as the 'read while write' capability, dual-
channel DAC, hardware encryption, and communication peripherals capable of
operating in ultra-low-power mode wake up for an unrivaled trade-off between
feature integration, performance and ultra-low-energy consumption."

Due to the lack of security features that prevent voltage glitching attacks,
the readout protection of the microcontroller can be bypassed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Voltage glitching is a type of side-channel attack where the power supply to
the target is reduced for a very short period of time. This usually results
in fault conditions in the microcontroller, and the microcontroller resets.
However, if timing and duration (glitch length) of the glitch are chosen
appropriately, the microcontroller can be made to skip certain instructions.

In particular, if timed correctly and if no further built-in security features
against glitching attacks exist, security-relevant function calls can be
skipped.

The STM32 microcontrollers implement a readout protection (RDP) to prevent
unauthorized access to the internal flash memory (see [2]). The user can choose
between three different levels. With RDP level 0, the flash is not protected.
With RDP level 1, access to the flash is protected. The flash memory cannot be
read via debug adapters and debugging is restricted to RAM access only. It is
possible to reduce RDP level 1 to RDP level 0, but reducing the readout
protection level triggers an automatic flash erase. The microcontroller can be
completely locked by applying RDP level 2. RDP level 2 is permanent.

In the case of the STM32L0 microcontroller, the readout protection can be
bypassed by attacking the readout protection downgrade routine. In this
method, a voltage glitch is emitted during the initialization of the readout
protection downgrade routine before the actual erase begins. If timed
correctly, the RDP level is reduced without erasing the flash memory.
This method is called a flash-erase suppression attack.

The firmware of the microcontroller, which is protected against unauthorized
access, can thus be read out.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The attack was carried out with the help of the Pico Glitcher and the Python
package "findus" (see [3]).

The hardware setup was minimal. The microcontroller was connected to the
voltage supply (VCC) and the reset line via a pull-up resistor to VCC. A 
debug probe (ST-Link-v2) was connected to the respective Serial Wire Debug
(SWD) pins.

For testing purposes, a simple program was flashed on the target to toggle an
LED. Readout protection level 1 (RDP1) was enabled (see [2]). With  this level
of RDP enabled, no access (read, erase, or program) to flash memory should be
possible while the debug probe is connected or while booting from RAM or the
system memory bootloader.

A second program was developed to trigger the RDP downgrade and simultaneously
toggle a general-purpose input/output (GPIO) pin when the downgrade is performed
(trigger signal). This program is loaded into RAM and executed from there. This
allows the timing of the glitch to be precisely controlled.

To get an overview of the parameter space, the Pico Glitcher was configured
to emit a glitch with a length of 135 to 170 ns and a delay of 0 to 70,000 ns
after the trigger signal. In this parameter range, about 7% of the attempts
were successful. By restricting the parameter space to a glitch length of 150
to 155 ns and a glitch delay of 40,000 to 41,000 ns after the trigger signal,
the success rate was increased to up to 30%.

With this setup, bypassing the readout protection was possible and the sample
firmware could be downloaded from the target. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-04-04: Vulnerability discovered
2025-04-07: Vulnerability reported to manufacturer
2025-05-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for STM32L0
    https://www.st.com/en/microcontrollers-microprocessors/stm32l0-series.html
[2] STM32 Readout Protection (RDP)
    https://stm32world.com/wiki/STM32_Readout_Protection_(RDP)
[3] Faulty Hardware's Pico Glitcher
    https://fault-injection-library.readthedocs.io/en/latest/
[4] SySS Security Advisory SYSS-2025-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-033.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Matthias Kesenheimer of
SySS GmbH.

E-Mail: matthias.kesenheimer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Kesenheimer.asc
Key ID: 0x15E203385E96D04E 
Key Fingerprint: B259 18D6 49F6 FD35 8F5E 485E 15E2 0338 5E96 D04E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEslkY1kn2/TWPXkheFeIDOF6W0E4FAmguxQkACgkQFeIDOF6W
0E5uogv9HSmWDhsNJRzRsLmUr/naNbwq4ptcTCuXkHz0+XQ1bimgeZNMlQvcz3YZ
mHiv5rRJZ7jlx+rWVXQHXYQ7Ry5yyRMlXJsphsodVZSAovNErvDk/EpkxM1bPvGs
5K5FDb58gN6Y2OpHtDuvXKtOkhlBLNUcBOP8iP+7V7BCZERzdOJ8FBXoM1V2/95O
kaVUdVwpYD3s9AbpT1DDZ1uoXZF19lE6DzBwVxi+ctX9fjsYDeDzdI2BqSXGSe2b
yTBsgbl8J7j4fZT9SeLq5iJ59IEgbpK8m4DdkFHEYSt8Vs0st6IAurARSGdKD9IZ
WIYnRMYlPtp5Fc8JzofE75ByzWjT6eeSfVqRnWletK5emel3ZKNyMvFSywfod/yS
PpdOlTzTvxhCYLSebDRhIsIJqmoKGvx6mHVnT/FP4Nh+eycaZWeykGiF46DAaZgk
jNr4dYBlf3NAkjTF8SLN17kvH02RzENfhtdywYlSl7Ie+j73KjPHj7RNnDHUu/a7
eiSRvWT+
=3YCd
-----END PGP SIGNATURE-----