GigaDevice GD32 Microcontrollers

GigaDevice is a global supplier of 32-bit microcontrollers, flash memory, intelligent HMI sensors, analog products and solutions.

2024: Vulnerability Discovery

Positive Technologies experts drew attention to the vulnerable microcontrollers of the Chinese manufacturer. Positive Technologies reported this on November 8, 2024.

Chip protection flaws can affect the safety of a wide range of equipment.

One of the major threats to endpoint developers is weak readout protection. Positive Technologies researchers have found that a potential attacker can bypass such protection in GigaDevice GD32 chips, extract the firmware, find vulnerabilities in it for attack, modify or steal the entire internal software to release the device under a different brand. GigaDevice GD32 microcontrollers are used in charging stations, automobile engines, batteries, indoor access systems and other equipment of vendors from different countries.

Many modern devices are assembled from typical components, the total cost of which, as a rule, is much lower than the price of the final device, - notes Alexey Usanov, head of security research for hardware solutions at Positive Technologies. - The main surplus cost has firmware that allows you to work smoothly with individual components. To protect this critical intellectual property, microcontrollers (in the flash memory of which the firmware is stored) use technologies that prohibit its reading. Using the chips of the Chinese manufacturer GigaDevice as an example, we found that this protection does not work as reliably as we would like. It is important to note that the ability to download the firmware in clear text makes it easier for an attacker to find vulnerabilities in the hardware. Over the past year and a half, these microcontrollers have often been used in products around the world to replace the popular 32-bit chips manufactured by STMicroelectronics.

The researchers found flaws in protection against reading firmware in one device, but to independently verify the security of such chips, 11 GigaDevice microcontrollers from the GD32 series were purchased and tested, having previously activated this protection technology in them. The experts were able to confirm the possibility of extracting the firmware in unencrypted form - all the investigated chips belonging to the GD32F1x0, GD32F3x0, GD32F4xx, GD32L23x, GD32E23x, GD32E50x, GD32C10x, GD32E10x, GD32F20x, GD32F30x, and GD32F403 families were affected by the vulnerabilities. Vendor was notified of the threat as part of the responsible disclosure policy.

Given the difficulty of fixing hardware vulnerabilities, Positive Technologies recommends that manufacturers use microcontrollers when designing end devices, the firmware download protection technology in which has been tested by independent researchers. Manufacturers can check the names of microcontrollers, and users, in turn, request such information from vendors or determine the marking of the chip themselves, disassembling the device.