Protect modem certificate

Hi,

I have the following issue, maybe I have an error in thinking:

For Access MQTT the Device has a Certificate in a storage slot, lets say 20. If now someone can gain access to the device, knows about the endpoints and the commands and also finds the slot with the cert, he is able to access at least this device specific endpoint with a new custom firmware and can write everything.

Is there a workflow to prevent this? So for example if a firmware with a non matching mcuboot key is written, it can not access this certificates. I am aware the ota will be blocked with wrong key so what I mean is really the SWD Flash variant.

Thanks for your help and best regards

Daniel

Parents

0 danielboe over 4 years ago

Hi, are there any Ideas here how I can protect the certificate slot agains re-usage?. It would be great to close this door, even if its not that big
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 4 years ago in reply to danielboe

Hello,

This is the answer I got from one of our certificate experts:

The certificate is stored in the modem domain and the modem only acts based on commands it receives from the application. Modem does not validate the application, so even if the application is changed, the modem still responds to the commands it receives. Neither has the modem any way of detecting application ERASEALL.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Øyvind over 4 years ago in reply to danielboe

Hello,

This is the answer I got from one of our certificate experts:

The certificate is stored in the modem domain and the modem only acts based on commands it receives from the application. Modem does not validate the application, so even if the application is changed, the modem still responds to the commands it receives. Neither has the modem any way of detecting application ERASEALL.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 danielboe over 4 years ago in reply to Øyvind

Okay good we have a final answer here. Still I see this as a big security issue on device level. What is next? Is it usefull to open a ticket here:

https://www.nordicsemi.com/About-us/PSIRT

Best regards

Daniel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 4 years ago in reply to danielboe

Hi Daniel,

Yes, I believe that is the next step. Please link to this ticket as well.

Thank you!

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 4 years ago in reply to Øyvind

Hello again Daniel,

First of all, thank you for bringing this to our attention. The PSIRT team has assessed your PSIRT report. They write that the "official response to the DevZone request is to configure eraseprotect to mitigate this attack vector"

The team acknowledges the scenario, and will discuss further measures to counter similar scenarios in the future products. That said the ERASPROTECT should be the countermeasure to use in your scenario as this will prevent others from erasing the device and thus programming another custom FW.

Let me know if you have any further questions.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 danielboe over 4 years ago in reply to Øyvind

Thanks for the response and investigation. We will consider this for our final product to close this attack weak point.

best regards

daniel
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind over 4 years ago in reply to danielboe

Daniel, sounds good! Let us know if you have any issues with this solution.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel