SlideShare ist ein Scribd-Unternehmen logo

Analyzing the Security of Cars Efficiently

N
Niek Timmers

This are the slides for my presentation "Analyzing the Security of Cars Efficiently" at escar Asia 2018.

Automobil
1 von 139
Downloaden Sie, um offline zu lesen
1 Analyzing the Security of Cars Efficiently Niek Timmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers
2 Today we are talking about
3 System Level Security
4 System Level Security
5 System Level Security
6 System Level Security In-vehicle network Electronic Control Unit (ECU) Microcontroller (MCU) Interfaces
7 Typical ECUs found in a car…
8 Typical ECUs found in a car…
9 Typical ECUs found in a car…
10 Typical ECUs found in a car…
11 Typical ECUs found in a car…
12 Typical ECUs found in a car…
13 Typical ECUs found in a car…
14Analyzing the Security of Modern Cars Efficiently They come in all forms, shapes and sizes!
15Analyzing the Security of Modern Cars Efficiently … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
16Analyzing the Security of Modern Cars Efficiently
17Analyzing the Security of Modern Cars Efficiently Which ones are we interested in?
18 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc.
19 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote
20 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics
21 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics Gateway
22 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics Gateway Powertrain
23 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. An understanding of multiple ECUs is required! Wireless / Remote Telematics Gateway Powertrain
24Analyzing the Security of Modern Cars Efficiently Are all the ECUs the same?
25Analyzing the Security of Modern Cars Efficiently ECU Type 1: SoC-based • System-on-Chip (SoC) based • Firmware stored in external flash • Many interfaces • Multi-purpose • Large attack surface • Only a few implemented in a car
26Analyzing the Security of Modern Cars Efficiently • Microcontroller (MCU) based • Firmware stored inside the MCU • Few interfaces • Specific functionality • Small attack surface • Many implemented in a vehicle ECU Type 2: MCU-based
27Analyzing the Security of Modern Cars Efficiently Do hackers use a different approach?
28Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems Understand target Identify vulnerability Exploit vulnerability
29Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems ECUs found in cars! Understand target Identify vulnerability Exploit vulnerability
30Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems But to understand, we need the firmware! ECUs found in cars! Understand target Identify vulnerability Exploit vulnerability
31Analyzing the Security of Modern Cars Efficiently Getting firmware
32Analyzing the Security of Modern Cars Efficiently Getting firmware
33Analyzing the Security of Modern Cars Efficiently Getting firmware
34Analyzing the Security of Modern Cars Efficiently Getting firmware
35Analyzing the Security of Modern Cars Efficiently We will focus on MCU-based ECUs!
36Analyzing the Security of Modern Cars Efficiently Obtaining ECU firmware
37Analyzing the Security of Modern Cars Efficiently Leaks Firmware upgrade Obtaining ECU firmware
38Analyzing the Security of Modern Cars Efficiently Leaks Firmware upgrade Obtaining ECU firmware
39Analyzing the Security of Modern Cars Efficiently Interfaces Leaks Software Firmware upgrade Obtaining ECU firmware Chips
40Analyzing the Security of Modern Cars Efficiently Interfaces Leaks Software Firmware upgrade Obtaining ECU firmware Chips Let’s open up an ECU!
41Analyzing the Security of Modern Cars Efficiently MCU
42Analyzing the Security of Modern Cars Efficiently MCU EEPROM Firmware is stored inside the MCU!
43Analyzing the Security of Modern Cars Efficiently MCU EEPROM I/O Firmware is stored inside the MCU!
44Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O Firmware is stored inside the MCU!
45Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN Firmware is stored inside the MCU!
46Analyzing the Security of Modern Cars Efficiently What can we speak on CAN?
47Analyzing the Security of Modern Cars Efficiently Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • And loads of more stuff…
48Analyzing the Security of Modern Cars Efficiently Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • And loads of more stuff… It’s everywhere! It’s standardized! It’s easy!
49Analyzing the Security of Modern Cars Efficiently Why are hackers interested?
50Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware Why are hackers interested?
51Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware • Read and write memory • Accessing device internals Why are hackers interested?
52Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware • Read and write memory • Accessing device internals • (Re)configuration • Adding keys, changing mileage, etc. Why are hackers interested?
53Analyzing the Security of Modern Cars Efficiently What protects all this juice from malicious use?
54Analyzing the Security of Modern Cars Efficiently Security Access
55Analyzing the Security of Modern Cars Efficiently Security Access
56Analyzing the Security of Modern Cars Efficiently It should not be possible to brute force or guess the key! Security Access
57Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics
58Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics Attacker has access!
59Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics The transformation algorithm and secret(s) are stored inside the ECU! Attacker has access!
60Analyzing the Security of Modern Cars Efficiently Let’s hack UDS!
61Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected Let’s hack UDS!
62Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected • Black-box vulnerability discovery • Possible; but too difficult Let’s hack UDS!
63Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected • Black-box vulnerability discovery • Possible; but too difficult • We want something easy… Let’s hack UDS!
64Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN
65Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
66 time
67 time
68 5.5V 1.8V time
69 5.5V 1.8V time
70 5.5V 1.8V time
71Analyzing the Security of Modern Cars Efficiently Fault Injection – Tooling ChipWhisperer® Fault Injection tooling is available to the masses! Open source Commercial Inspector FI
72Analyzing the Security of Modern Cars Efficiently
73Analyzing the Security of Modern Cars Efficiently What happens when we glitch? Things go wrong!
74Analyzing the Security of Modern Cars Efficiently Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions
75Analyzing the Security of Modern Cars Efficiently Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions We can change the intended behavior of software!
76Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40)
77Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40)
78Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40) Two checks are bypassed using a single glitch!
79Analyzing the Security of Modern Cars Efficiently Glitching ReadMemoryByAddress • Successful on several different ECUs implementing UDS • Designed around different MCUs • Depending on the target… • Allows reading out N bytes from an arbitrary address • Complete firmware extracted in the order of days • Depended on flash size and success rate
80Analyzing the Security of Modern Cars Efficiently Demo time! (please visit our booth for a live demo)
81Analyzing the Security of Modern Cars Efficiently Randomization of parameters Glitch Parameters • Glitch Delay • Glitch Duration • Glitch Voltage VCC CAN Trigger Glitch (zoomed) CMD RSP Glitch
82Analyzing the Security of Modern Cars Efficiently Fault Injection video
83Analyzing the Security of Modern Cars Efficiently Can we do better?
84Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
85Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
86Analyzing the Security of Modern Cars Efficiently • Standard manufacturer tooling often publicly available • Reading, writing and programming internal memories • Debugging software • Software is often forcing any security measures Debug Interfaces MCUPC Debugger ECU USB Serial I2C JTAG
87Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
88Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
89 Being more efficient
90Analyzing the Security of Modern Cars Efficiently Electromagnetic Fault Injection ChipSHOUTER® Cheap and awesome: BADFET Inspector FI Electromagnetic fault injection available to the masses!
91Analyzing the Security of Modern Cars Efficiently Glitching Debug Interfaces • Successful on several different MCUs • Different types of debug interfaces • Depending on the target…. • Allows reading, writing, programming and debugging • Complete firmware extracted in seconds/minutes/hours • Depended on the debug interface
92Analyzing the Security of Modern Cars Efficiently We have access to firmware… now what?
93Analyzing the Security of Modern Cars Efficiently
94Analyzing the Security of Modern Cars Efficiently Getting firmware The goal: scaling up the attack
95Analyzing the Security of Modern Cars Efficiently Getting firmware The goal: scaling up the attack
96Analyzing the Security of Modern Cars Efficiently Getting firmware Reverse engineering The goal: scaling up the attack
97Analyzing the Security of Modern Cars Efficiently Getting firmware Reverse engineering Understanding The goal: scaling up the attack
98Analyzing the Security of Modern Cars Efficiently Getting firmware Secrets Hacking Reconfiguration Reverse engineering Understanding The goal: scaling up the attack
99Analyzing the Security of Modern Cars Efficiently How can we understand efficiently?
100Analyzing the Security of Modern Cars Efficiently Static analysis? Firmware
101Analyzing the Security of Modern Cars Efficiently Static analysis? Custom code OS code Firmware
102Analyzing the Security of Modern Cars Efficiently Static analysis? Generated code Custom code OS code Firmware Configuration Models
103Analyzing the Security of Modern Cars Efficiently
104Analyzing the Security of Modern Cars Efficiently Let’s do this more efficient!
105Analyzing the Security of Modern Cars Efficiently Firmware emulation • Firmware is executed without needing the ECU itself • Great tooling only available for common architectures • When tooling is not available, we need to make our own • We are emulating only the functionality we need
106Analyzing the Security of Modern Cars Efficiently MCU What do we need?
107Analyzing the Security of Modern Cars Efficiently MCU • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
108Analyzing the Security of Modern Cars Efficiently MCUI/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
109Analyzing the Security of Modern Cars Efficiently MCU EEPROMI2CI/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
110Analyzing the Security of Modern Cars Efficiently MCU EEPROMI2C CAN I/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
111Analyzing the Security of Modern Cars Efficiently Emulating the processor
112Analyzing the Security of Modern Cars Efficiently “Implementing” peripherals
113Analyzing the Security of Modern Cars Efficiently What cool stuff can we do? • Debugging using standard tooling (GDB) • Sending CAN messages using standard tooling (SocketCAN) • Execution tracing • Taint tracking
114Analyzing the Security of Modern Cars Efficiently Execution tracing 0x2920 cmp 0x2922 jmp to 0x292c 0x2926 add 0x2928 add 0x292c add 0x2930 add Do we take the jmp to 0x292c?
115Analyzing the Security of Modern Cars Efficiently Execution tracing 0x2920 cmp 0x2922 jmp to 0x292c 0x2926 add 0x2928 add 0x292c add 0x2930 add It’s too complex to figure this out statically!
116Analyzing the Security of Modern Cars Efficiently Execution tracing
117Analyzing the Security of Modern Cars Efficiently Execution tracing
118Analyzing the Security of Modern Cars Efficiently Execution tracing
119Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ??
120Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN message
121Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read()
122Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read()CAN message
123Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message
124Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message
125Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message Data[7] == calculateKey()
126Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message Data[7] == calculateKey() We found the calculateKey function!
127Analyzing the Security of Modern Cars Efficiently Wrap up
128Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure
129Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure • Hardware attacks are efficient and do scale • They are a stepping-stone for scalable attacks
130Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure • Hardware attacks are efficient and do scale • They are a stepping-stone for scalable attacks • Your firmware will be exposed and understood • Do not rely on its secrecy or its complexity
131 Is all hope lost?
132 Is all hope lost? No.
133Analyzing the Security of Modern Cars Efficiently Hardening ECUs
134Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs Hardening ECUs
135Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs • Avoid using pre-shared secrets • Use asymmetric cryptography (E.g. RSA) Hardening ECUs
136Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs • Avoid using pre-shared secrets • Use asymmetric cryptography (E.g. RSA) • Adjust the product’s threat model • Minimize the impact of hardware attacks Hardening ECUs
137Analyzing the Security of Modern Cars Efficiently Defense in depth is key!
138Analyzing the Security of Modern Cars Efficiently Thanks to… Santiago CordobaEloi Sanfelix Ramiro Pareja Nils Wiersma Our papers are available here, here and here! Alyssa Milburn
139Analyzing the Security of Modern Cars Efficiently Thank you! Any questions? (please visit our booth) Niek Timmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers

Empfohlen

Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksNiek Timmers
 
Safe and secure autonomous systems
Safe and secure autonomous systemsSafe and secure autonomous systems
Safe and secure autonomous systemsAlan Tatourian
 
Will future vehicles be secure?
Will future vehicles be secure?Will future vehicles be secure?
Will future vehicles be secure?Alan Tatourian
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA securityCysinfo Cyber Security Community
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Securing future connected vehicles and infrastructure
Securing future connected vehicles and infrastructureSecuring future connected vehicles and infrastructure
Securing future connected vehicles and infrastructureAlan Tatourian
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 

Empfohlen

Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksNiek Timmers
 
Safe and secure autonomous systems
Safe and secure autonomous systemsSafe and secure autonomous systems
Safe and secure autonomous systemsAlan Tatourian
 
Will future vehicles be secure?
Will future vehicles be secure?Will future vehicles be secure?
Will future vehicles be secure?Alan Tatourian
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюPositive Hack Days
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA securityCysinfo Cyber Security Community
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Securing future connected vehicles and infrastructure
Securing future connected vehicles and infrastructureSecuring future connected vehicles and infrastructure
Securing future connected vehicles and infrastructureAlan Tatourian
 
High dependability of the automated systems
High dependability of the automated systemsHigh dependability of the automated systems
High dependability of the automated systemsAlan Tatourian
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Proxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User GuideProxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User GuideProxicast, LLC
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignmentAlan Tatourian
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCanSecWest
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 
Authentication in Smart Grid
Authentication in Smart GridAuthentication in Smart Grid
Authentication in Smart GridSherif Abdelfattah
 
Smart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSMSmart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSMIRJET Journal
 
Microchip technology kit2 tutorial
Microchip technology kit2 tutorialMicrochip technology kit2 tutorial
Microchip technology kit2 tutorialMauro Cunha
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesDavid Shepherd
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything Amir Rahat
 
Chapter 1-1.pptx
Chapter 1-1.pptxChapter 1-1.pptx
Chapter 1-1.pptxbiniyamgashaw2
 
journal
journaljournal
journalShubham Chauhan
 
Connected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go WrongConnected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go WrongOnBoard Security, Inc. - a Qualcomm Company
 
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service deliveryRakuten Group, Inc.
 
Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16Axel de Blok
 
hamaa2.pdf
hamaa2.pdfhamaa2.pdf
hamaa2.pdfMahamad Jawhar
 

Weitere ähnliche Inhalte

Was ist angesagt?

[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Proxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User GuideProxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User GuideProxicast, LLC
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignmentAlan Tatourian
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCanSecWest
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 
Smart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSMSmart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSMIRJET Journal
 
Microchip technology kit2 tutorial
Microchip technology kit2 tutorialMicrochip technology kit2 tutorial
Microchip technology kit2 tutorialMauro Cunha
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesDavid Shepherd
 

Was ist angesagt? (13)

[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Proxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User GuideProxicast LAN-Cell 3 User Guide
Proxicast LAN-Cell 3 User Guide
 
Functional Safety and Security process alignment
Functional Safety and Security process alignmentFunctional Safety and Security process alignment
Functional Safety and Security process alignment
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
 
CSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detectionCSW2017 jun li_car anomaly detection
CSW2017 jun li_car anomaly detection
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product Security
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
 
Authentication in Smart Grid
Authentication in Smart GridAuthentication in Smart Grid
Authentication in Smart Grid
 
Smart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSMSmart Security Lock for Access Control Applications based on GSM
Smart Security Lock for Access Control Applications based on GSM
 
Microchip technology kit2 tutorial
Microchip technology kit2 tutorialMicrochip technology kit2 tutorial
Microchip technology kit2 tutorial
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
 

Ähnlich wie Analyzing the Security of Cars Efficiently

Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareRiscure
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything Amir Rahat
 
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service deliveryRakuten Group, Inc.
 
Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16Axel de Blok
 
What is AUTOSAR MCAL? Learn about the software module architecture and device...
What is AUTOSAR MCAL? Learn about the software module architecture and device...What is AUTOSAR MCAL? Learn about the software module architecture and device...
What is AUTOSAR MCAL? Learn about the software module architecture and device...Embitel Technologies (I) PVT LTD
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsRiscure
 
Pic 16f877a
Pic 16f877aPic 16f877a
Pic 16f877aKRNFORD
 
datasheet-micro.pdf
datasheet-micro.pdfdatasheet-micro.pdf
datasheet-micro.pdfXCristiianX
 
Maximize your business and machine performance
Maximize your business and machine performanceMaximize your business and machine performance
Maximize your business and machine performanceSchneider Electric
 

Ähnlich wie Analyzing the Security of Cars Efficiently (20)

Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything Design reliability 2.0: Safety is Everything
Design reliability 2.0: Safety is Everything
 
Chapter 1-1.pptx
Chapter 1-1.pptxChapter 1-1.pptx
Chapter 1-1.pptx
 
journal
journaljournal
journal
 
Connected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go WrongConnected Cars: What Could Possibly Go Wrong
Connected Cars: What Could Possibly Go Wrong
 
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery
 
Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16Axessor_Brochure_US_04-16
Axessor_Brochure_US_04-16
 
hamaa2.pdf
hamaa2.pdfhamaa2.pdf
hamaa2.pdf
 
What is AUTOSAR MCAL? Learn about the software module architecture and device...
What is AUTOSAR MCAL? Learn about the software module architecture and device...What is AUTOSAR MCAL? Learn about the software module architecture and device...
What is AUTOSAR MCAL? Learn about the software module architecture and device...
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Fault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis ProtocolsFault Injection on Automotive Diagnosis Protocols
Fault Injection on Automotive Diagnosis Protocols
 
16f88
16f8816f88
16f88
 
Pic 16f877a
Pic 16f877aPic 16f877a
Pic 16f877a
 
Pic18f4550
Pic18f4550Pic18f4550
Pic18f4550
 
ISO 26262: Automotive Functional Safety
ISO 26262: Automotive Functional SafetyISO 26262: Automotive Functional Safety
ISO 26262: Automotive Functional Safety
 
ritesh (3)
ritesh (3)ritesh (3)
ritesh (3)
 
datasheet-micro.pdf
datasheet-micro.pdfdatasheet-micro.pdf
datasheet-micro.pdf
 
Training report on embedded sys_AVR
Training report on embedded sys_AVRTraining report on embedded sys_AVR
Training report on embedded sys_AVR
 
Maximize your business and machine performance
Maximize your business and machine performanceMaximize your business and machine performance
Maximize your business and machine performance
 

Kürzlich hochgeladen

一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理
一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理
一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理ezgenuh
 
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...amitlee9823
 
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...shivangimorya083
 
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Delhi Call girls
 
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...amitlee9823
 
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...amitlee9823
 
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...amitlee9823
 
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!AutoScandia
 
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagardollysharma2066
 
What Could Cause Your Subaru's Touch Screen To Stop Working
What Could Cause Your Subaru's Touch Screen To Stop WorkingWhat Could Cause Your Subaru's Touch Screen To Stop Working
What Could Cause Your Subaru's Touch Screen To Stop WorkingBruce Cox Imports
 
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...nirzagarg
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
John Deere Tractors 6130M 6140M Diagnostic Manual
John Deere Tractors 6130M 6140M Diagnostic ManualJohn Deere Tractors 6130M 6140M Diagnostic Manual
John Deere Tractors 6130M 6140M Diagnostic ManualExcavator
 
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfSales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfAggregage
 
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国ezgenuh
 
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Number
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp NumberVip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Number
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Numberkumarajju5765
 
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearWhat Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearJCL Automotive
 

Kürzlich hochgeladen (20)

一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理
一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理
一比一原版(PU学位证书)普渡大学毕业证学历认证加急办理
 
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...
Top Rated Call Girls Mumbai Central : 9920725232 We offer Beautiful and sexy ...
 
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
Hot Modals Call Girls (Delhi) Dwarka9711199171✔️ High Class Service 100% Saf...
 
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Mayur Vihar 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
Call Girls in Malviya Nagar Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts Ser...
 
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...
Sanjay Nagar Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalor...
 
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...
Bangalore Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore E...
 
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Bangalore Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
 
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!
Why Won't Your Subaru Key Come Out Of The Ignition Find Out Here!
 
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
 
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
83778-77756 ( HER.SELF ) Brings Call Girls In Laxmi Nagar
 
What Could Cause Your Subaru's Touch Screen To Stop Working
What Could Cause Your Subaru's Touch Screen To Stop WorkingWhat Could Cause Your Subaru's Touch Screen To Stop Working
What Could Cause Your Subaru's Touch Screen To Stop Working
 
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...
Rekha Agarkar Escorts Service Kollam ❣️ 7014168258 ❣️ High Cost Unlimited Har...
 
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Saket 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
John Deere Tractors 6130M 6140M Diagnostic Manual
John Deere Tractors 6130M 6140M Diagnostic ManualJohn Deere Tractors 6130M 6140M Diagnostic Manual
John Deere Tractors 6130M 6140M Diagnostic Manual
 
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdfSales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
Sales & Marketing Alignment_ How to Synergize for Success.pptx.pdf
 
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国
一比一原版(UVic学位证书)维多利亚大学毕业证学历认证买留学回国
 
(ISHITA) Call Girls Service Jammu Call Now 8617697112 Jammu Escorts 24x7
(ISHITA) Call Girls Service Jammu Call Now 8617697112 Jammu Escorts 24x7(ISHITA) Call Girls Service Jammu Call Now 8617697112 Jammu Escorts 24x7
(ISHITA) Call Girls Service Jammu Call Now 8617697112 Jammu Escorts 24x7
 
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Number
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp NumberVip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Number
Vip Hot Call Girls 🫤 Mahipalpur ➡️ 9711199171 ➡️ Delhi 🫦 Whatsapp Number
 
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To AppearWhat Causes BMW Chassis Stabilization Malfunction Warning To Appear
What Causes BMW Chassis Stabilization Malfunction Warning To Appear
 

Analyzing the Security of Cars Efficiently

  • 1. 1 Analyzing the Security of Cars Efficiently Niek Timmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers
  • 2. 2 Today we are talking about
  • 6. 6 System Level Security In-vehicle network Electronic Control Unit (ECU) Microcontroller (MCU) Interfaces
  • 7. 7 Typical ECUs found in a car…
  • 8. 8 Typical ECUs found in a car…
  • 9. 9 Typical ECUs found in a car…
  • 10. 10 Typical ECUs found in a car…
  • 11. 11 Typical ECUs found in a car…
  • 12. 12 Typical ECUs found in a car…
  • 13. 13 Typical ECUs found in a car…
  • 14. 14Analyzing the Security of Modern Cars Efficiently They come in all forms, shapes and sizes!
  • 15. 15Analyzing the Security of Modern Cars Efficiently … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
  • 16. 16Analyzing the Security of Modern Cars Efficiently
  • 17. 17Analyzing the Security of Modern Cars Efficiently Which ones are we interested in?
  • 18. 18 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc.
  • 19. 19 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote
  • 20. 20 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics
  • 21. 21 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics Gateway
  • 22. 22 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. Wireless / Remote Telematics Gateway Powertrain
  • 23. 23 Let’s kill the engine remotely … Telematics Infotainment Wireless / Remote Gateway Powertrain Interior Chassis Etc. An understanding of multiple ECUs is required! Wireless / Remote Telematics Gateway Powertrain
  • 24. 24Analyzing the Security of Modern Cars Efficiently Are all the ECUs the same?
  • 25. 25Analyzing the Security of Modern Cars Efficiently ECU Type 1: SoC-based • System-on-Chip (SoC) based • Firmware stored in external flash • Many interfaces • Multi-purpose • Large attack surface • Only a few implemented in a car
  • 26. 26Analyzing the Security of Modern Cars Efficiently • Microcontroller (MCU) based • Firmware stored inside the MCU • Few interfaces • Specific functionality • Small attack surface • Many implemented in a vehicle ECU Type 2: MCU-based
  • 27. 27Analyzing the Security of Modern Cars Efficiently Do hackers use a different approach?
  • 28. 28Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems Understand target Identify vulnerability Exploit vulnerability
  • 29. 29Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems ECUs found in cars! Understand target Identify vulnerability Exploit vulnerability
  • 30. 30Analyzing the Security of Modern Cars Efficiently Typical approach for hacking embedded systems But to understand, we need the firmware! ECUs found in cars! Understand target Identify vulnerability Exploit vulnerability
  • 31. 31Analyzing the Security of Modern Cars Efficiently Getting firmware
  • 32. 32Analyzing the Security of Modern Cars Efficiently Getting firmware
  • 33. 33Analyzing the Security of Modern Cars Efficiently Getting firmware
  • 34. 34Analyzing the Security of Modern Cars Efficiently Getting firmware
  • 35. 35Analyzing the Security of Modern Cars Efficiently We will focus on MCU-based ECUs!
  • 36. 36Analyzing the Security of Modern Cars Efficiently Obtaining ECU firmware
  • 37. 37Analyzing the Security of Modern Cars Efficiently Leaks Firmware upgrade Obtaining ECU firmware
  • 38. 38Analyzing the Security of Modern Cars Efficiently Leaks Firmware upgrade Obtaining ECU firmware
  • 39. 39Analyzing the Security of Modern Cars Efficiently Interfaces Leaks Software Firmware upgrade Obtaining ECU firmware Chips
  • 40. 40Analyzing the Security of Modern Cars Efficiently Interfaces Leaks Software Firmware upgrade Obtaining ECU firmware Chips Let’s open up an ECU!
  • 41. 41Analyzing the Security of Modern Cars Efficiently MCU
  • 42. 42Analyzing the Security of Modern Cars Efficiently MCU EEPROM Firmware is stored inside the MCU!
  • 43. 43Analyzing the Security of Modern Cars Efficiently MCU EEPROM I/O Firmware is stored inside the MCU!
  • 44. 44Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O Firmware is stored inside the MCU!
  • 45. 45Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN Firmware is stored inside the MCU!
  • 46. 46Analyzing the Security of Modern Cars Efficiently What can we speak on CAN?
  • 47. 47Analyzing the Security of Modern Cars Efficiently Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • And loads of more stuff…
  • 48. 48Analyzing the Security of Modern Cars Efficiently Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • And loads of more stuff… It’s everywhere! It’s standardized! It’s easy!
  • 49. 49Analyzing the Security of Modern Cars Efficiently Why are hackers interested?
  • 50. 50Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware Why are hackers interested?
  • 51. 51Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware • Read and write memory • Accessing device internals Why are hackers interested?
  • 52. 52Analyzing the Security of Modern Cars Efficiently • Reprogramming • Programming new firmware • Read and write memory • Accessing device internals • (Re)configuration • Adding keys, changing mileage, etc. Why are hackers interested?
  • 53. 53Analyzing the Security of Modern Cars Efficiently What protects all this juice from malicious use?
  • 54. 54Analyzing the Security of Modern Cars Efficiently Security Access
  • 55. 55Analyzing the Security of Modern Cars Efficiently Security Access
  • 56. 56Analyzing the Security of Modern Cars Efficiently It should not be possible to brute force or guess the key! Security Access
  • 57. 57Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics
  • 58. 58Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics Attacker has access!
  • 59. 59Analyzing the Security of Modern Cars Efficiently Back-end system Tester Gateway ECU A DLC ECU B Diagnostics The transformation algorithm and secret(s) are stored inside the ECU! Attacker has access!
  • 60. 60Analyzing the Security of Modern Cars Efficiently Let’s hack UDS!
  • 61. 61Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected Let’s hack UDS!
  • 62. 62Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected • Black-box vulnerability discovery • Possible; but too difficult Let’s hack UDS!
  • 63. 63Analyzing the Security of Modern Cars Efficiently • Read/write memory functions • Protected • Black-box vulnerability discovery • Possible; but too difficult • We want something easy… Let’s hack UDS!
  • 64. 64Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN
  • 65. 65Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
  • 71. 71Analyzing the Security of Modern Cars Efficiently Fault Injection – Tooling ChipWhisperer® Fault Injection tooling is available to the masses! Open source Commercial Inspector FI
  • 72. 72Analyzing the Security of Modern Cars Efficiently
  • 73. 73Analyzing the Security of Modern Cars Efficiently What happens when we glitch? Things go wrong!
  • 74. 74Analyzing the Security of Modern Cars Efficiently Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions
  • 75. 75Analyzing the Security of Modern Cars Efficiently Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions We can change the intended behavior of software!
  • 76. 76Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40)
  • 77. 77Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40)
  • 78. 78Analyzing the Security of Modern Cars Efficiently ReadMemoryByAddress(0x00000000, 0x40) Two checks are bypassed using a single glitch!
  • 79. 79Analyzing the Security of Modern Cars Efficiently Glitching ReadMemoryByAddress • Successful on several different ECUs implementing UDS • Designed around different MCUs • Depending on the target… • Allows reading out N bytes from an arbitrary address • Complete firmware extracted in the order of days • Depended on flash size and success rate
  • 80. 80Analyzing the Security of Modern Cars Efficiently Demo time! (please visit our booth for a live demo)
  • 81. 81Analyzing the Security of Modern Cars Efficiently Randomization of parameters Glitch Parameters • Glitch Delay • Glitch Duration • Glitch Voltage VCC CAN Trigger Glitch (zoomed) CMD RSP Glitch
  • 82. 82Analyzing the Security of Modern Cars Efficiently Fault Injection video
  • 83. 83Analyzing the Security of Modern Cars Efficiently Can we do better?
  • 84. 84Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
  • 85. 85Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
  • 86. 86Analyzing the Security of Modern Cars Efficiently • Standard manufacturer tooling often publicly available • Reading, writing and programming internal memories • Debugging software • Software is often forcing any security measures Debug Interfaces MCUPC Debugger ECU USB Serial I2C JTAG
  • 87. 87Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
  • 88. 88Analyzing the Security of Modern Cars Efficiently MCU EEPROM Debug I/O CAN VCC
  • 90. 90Analyzing the Security of Modern Cars Efficiently Electromagnetic Fault Injection ChipSHOUTER® Cheap and awesome: BADFET Inspector FI Electromagnetic fault injection available to the masses!
  • 91. 91Analyzing the Security of Modern Cars Efficiently Glitching Debug Interfaces • Successful on several different MCUs • Different types of debug interfaces • Depending on the target…. • Allows reading, writing, programming and debugging • Complete firmware extracted in seconds/minutes/hours • Depended on the debug interface
  • 92. 92Analyzing the Security of Modern Cars Efficiently We have access to firmware… now what?
  • 93. 93Analyzing the Security of Modern Cars Efficiently
  • 94. 94Analyzing the Security of Modern Cars Efficiently Getting firmware The goal: scaling up the attack
  • 95. 95Analyzing the Security of Modern Cars Efficiently Getting firmware The goal: scaling up the attack
  • 96. 96Analyzing the Security of Modern Cars Efficiently Getting firmware Reverse engineering The goal: scaling up the attack
  • 97. 97Analyzing the Security of Modern Cars Efficiently Getting firmware Reverse engineering Understanding The goal: scaling up the attack
  • 98. 98Analyzing the Security of Modern Cars Efficiently Getting firmware Secrets Hacking Reconfiguration Reverse engineering Understanding The goal: scaling up the attack
  • 99. 99Analyzing the Security of Modern Cars Efficiently How can we understand efficiently?
  • 100. 100Analyzing the Security of Modern Cars Efficiently Static analysis? Firmware
  • 101. 101Analyzing the Security of Modern Cars Efficiently Static analysis? Custom code OS code Firmware
  • 102. 102Analyzing the Security of Modern Cars Efficiently Static analysis? Generated code Custom code OS code Firmware Configuration Models
  • 103. 103Analyzing the Security of Modern Cars Efficiently
  • 104. 104Analyzing the Security of Modern Cars Efficiently Let’s do this more efficient!
  • 105. 105Analyzing the Security of Modern Cars Efficiently Firmware emulation • Firmware is executed without needing the ECU itself • Great tooling only available for common architectures • When tooling is not available, we need to make our own • We are emulating only the functionality we need
  • 106. 106Analyzing the Security of Modern Cars Efficiently MCU What do we need?
  • 107. 107Analyzing the Security of Modern Cars Efficiently MCU • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
  • 108. 108Analyzing the Security of Modern Cars Efficiently MCUI/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
  • 109. 109Analyzing the Security of Modern Cars Efficiently MCU EEPROMI2CI/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
  • 110. 110Analyzing the Security of Modern Cars Efficiently MCU EEPROMI2C CAN I/O • Instruction set emulator • Timers, interrupts, … • Peripherals What do we need?
  • 111. 111Analyzing the Security of Modern Cars Efficiently Emulating the processor
  • 112. 112Analyzing the Security of Modern Cars Efficiently “Implementing” peripherals
  • 113. 113Analyzing the Security of Modern Cars Efficiently What cool stuff can we do? • Debugging using standard tooling (GDB) • Sending CAN messages using standard tooling (SocketCAN) • Execution tracing • Taint tracking
  • 114. 114Analyzing the Security of Modern Cars Efficiently Execution tracing 0x2920 cmp 0x2922 jmp to 0x292c 0x2926 add 0x2928 add 0x292c add 0x2930 add Do we take the jmp to 0x292c?
  • 115. 115Analyzing the Security of Modern Cars Efficiently Execution tracing 0x2920 cmp 0x2922 jmp to 0x292c 0x2926 add 0x2928 add 0x292c add 0x2930 add It’s too complex to figure this out statically!
  • 116. 116Analyzing the Security of Modern Cars Efficiently Execution tracing
  • 117. 117Analyzing the Security of Modern Cars Efficiently Execution tracing
  • 118. 118Analyzing the Security of Modern Cars Efficiently Execution tracing
  • 119. 119Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ??
  • 120. 120Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN message
  • 121. 121Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read()
  • 122. 122Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read()CAN message
  • 123. 123Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message
  • 124. 124Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message
  • 125. 125Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message Data[7] == calculateKey()
  • 126. 126Analyzing the Security of Modern Cars Efficiently Taint tracking 1 ?? 2 ?? 3 ?? 4 ?? 5 ?? 6 ?? 7 ?? 8 ?? CAN messageData[2] = CAN.read() Data[7] = Data[2] CAN message CAN message Data[7] == calculateKey() We found the calculateKey function!
  • 127. 127Analyzing the Security of Modern Cars Efficiently Wrap up
  • 128. 128Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure
  • 129. 129Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure • Hardware attacks are efficient and do scale • They are a stepping-stone for scalable attacks
  • 130. 130Analyzing the Security of Modern Cars Efficiently Wrap up • Hardware cannot be trusted • No software vulnerabilities ≠ secure • Hardware attacks are efficient and do scale • They are a stepping-stone for scalable attacks • Your firmware will be exposed and understood • Do not rely on its secrecy or its complexity
  • 131. 131 Is all hope lost?
  • 132. 132 Is all hope lost? No.
  • 133. 133Analyzing the Security of Modern Cars Efficiently Hardening ECUs
  • 134. 134Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs Hardening ECUs
  • 135. 135Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs • Avoid using pre-shared secrets • Use asymmetric cryptography (E.g. RSA) Hardening ECUs
  • 136. 136Analyzing the Security of Modern Cars Efficiently • Don’t expose secrets to software • Use secure hardware (E.g. SHE, Evita, etc.) • Diversify keys between ECUs • Avoid using pre-shared secrets • Use asymmetric cryptography (E.g. RSA) • Adjust the product’s threat model • Minimize the impact of hardware attacks Hardening ECUs
  • 137. 137Analyzing the Security of Modern Cars Efficiently Defense in depth is key!
  • 138. 138Analyzing the Security of Modern Cars Efficiently Thanks to… Santiago CordobaEloi Sanfelix Ramiro Pareja Nils Wiersma Our papers are available here, here and here! Alyssa Milburn
  • 139. 139Analyzing the Security of Modern Cars Efficiently Thank you! Any questions? (please visit our booth) Niek Timmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers