The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.
Fuses are often used to store secret data, including security configuration data. When not blown, a fuse is considered to store a logic 0, and, when blown, it indicates a logic 1. Fuses are generally considered to be one-directional, i.e., once blown to logic 1, it cannot be reset to logic 0. However, if the logic used to determine system-security state (by leveraging the values sensed from the fuses) uses negative logic, an attacker might blow the fuse and drive the system to an insecure state.
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
N/A
| Phase | Note |
|---|---|
| Architecture and Design | N/A |
| Implementation | N/A |
Intro: A chip implements a secure boot and uses the sensed value of a fuse "do_secure_boot" to determine whether to perform a secure boot or not. If this fuse value is "0", the system performs secure boot. Otherwise, it does not perform secure boot. An attacker blows the "do_secure_boot" fuse to "1". After reset, the attacker loads a custom bootloader, and, since the fuse value is now "1", the system does not perform secure boot, and the attacker can execute their custom firmware image. Since by default, a fuse-configuration value is a "0", an attacker can blow it to a "1" with inexpensive hardware. If the logic is reversed, an attacker cannot easily reset the fuse. Note that, with specialized and expensive equipment, an attacker with full physical access might be able to "unblow" the fuse value to a "0".