Watch a 21-minute conference talk from USENIX WOOT '24 demonstrating the first successful fault injection attack that bypasses security features on the Espressif ESP32 V3 microcontroller. Learn how researchers from the Technology Innovation Institute and Raelize managed to circumvent both Secure Boot and Flash Encryption protections using a single electromagnetic glitch. Discover the technical details of how they manipulated encrypted flash contents to modify a CRC value on the bootloader signature, enabling arbitrary code execution through Download Mode in ROM. Understand the implications of these hardware-level vulnerabilities that led to Security Advisory AR2023-005 and CVE-2023-35818, requiring a new hardware revision for remediation.
Syllabus: WOOT '24 - Breaking Espressif’s ESP32 V3: Program Counter Control with Computed Values using...
Taught by: USENIX