Analyzing the Security of Modern Cars Efficiently

25. ECU Type 1: SoC-based
• System-on-Chip (SoC) based
• Firmware stored in external flash
• Many interfaces
• Multi-purpose
• Large attack surface
• Only a few implemented in a car
26. ECU Type 2: MCU-based
• Microcontroller (MCU) based
• Firmware stored inside the MCU
• Few interfaces
• Specific functionality
• Small attack surface
• Many implemented in a vehicle
30. Typical approach for hacking embedded systems
• Understand target
• Identify vulnerability
• Exploit vulnerability
This applies just as well to the ECUs found in cars, but to understand the target we need the firmware!
48. Unified Diagnostic Services (UDS)
• Diagnostics
• Data transmission
• And loads of more stuff…
It’s everywhere! It’s standardized (ISO 14229)! It’s easy!
52. Why are hackers interested?
• Reprogramming: programming new firmware
• Read and write memory: accessing device internals
• (Re)configuration: adding keys, changing mileage, etc.
53. What protects all this juice from malicious use?
56. Security Access
UDS Security Access (service 0x27) is a seed/key challenge-response: the ECU hands out a seed, and the tester must answer with the key derived from that seed.
It should not be possible to brute force or guess the key!
59. Security Access
[Diagram of the diagnostic setup: Back-end system, Tester, DLC, Gateway, ECU A, ECU B]
Attacker has access!
The transformation algorithm and secret(s) are stored inside the ECU!
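To make the consequence of that last point concrete, here is an added example (not code from the deck or from Riscure) of a minimal UDS SecurityAccess seed/key exchange. The transformation (`transform`, truncated SHA-256 over secret and seed), the secret, the firmware image and the 3-strike lockout are all constructed placeholders; real ECUs use OEM-specific algorithms, but the point is the same: once an attacker holds the firmware, the algorithm and the secret come with it and nothing is left to guess.

```python
import hashlib
import os

# Added example: UDS SecurityAccess (0x27) with the secret and the seed-to-key
# transformation stored in the ECU firmware. Secret and algorithm are constructed.

SID_SECURITY_ACCESS = 0x27
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
GLOBAL_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, same in every ECU


def transform(seed: bytes, secret: bytes) -> bytes:
    """Hypothetical seed-to-key function: first 4 bytes of SHA-256(secret || seed)."""
    return hashlib.sha256(secret + seed).digest()[:4]


class Ecu:
    """ECU-side SecurityAccess handler with a 3-strike lockout."""

    def __init__(self, secret: bytes, max_attempts: int = 3):
        self.secret = secret              # lives in flash, so a firmware dump contains it
        self.max_attempts = max_attempts
        self.failed = 0
        self.unlocked = False
        self.pending_seed = None

    def handle(self, request: bytes) -> bytes:
        sid, sub = request[0], request[1]
        if sid != SID_SECURITY_ACCESS:
            return bytes([0x7F, sid, 0x11])                  # serviceNotSupported
        if sub == 0x01:                                       # requestSeed
            if self.failed >= self.max_attempts:
                return bytes([0x7F, sid, NRC_EXCEEDED_ATTEMPTS])
            self.pending_seed = os.urandom(4)
            return bytes([sid + 0x40, sub]) + self.pending_seed
        if sub == 0x02:                                       # sendKey
            if self.pending_seed is None:
                return bytes([0x7F, sid, 0x24])              # requestSequenceError
            expected = transform(self.pending_seed, self.secret)
            self.pending_seed = None
            if request[2:] == expected:
                self.unlocked = True
                self.failed = 0
                return bytes([sid + 0x40, sub])
            self.failed += 1
            return bytes([0x7F, sid, NRC_INVALID_KEY])
        return bytes([0x7F, sid, 0x12])                      # subFunctionNotSupported


def unlock(ecu: Ecu, key_for_seed) -> bool:
    """Tester side: request a seed, answer with key_for_seed(seed)."""
    rsp = ecu.handle(bytes([SID_SECURITY_ACCESS, 0x01]))
    if rsp[0] != SID_SECURITY_ACCESS + 0x40:
        return False
    seed = rsp[2:]
    rsp = ecu.handle(bytes([SID_SECURITY_ACCESS, 0x02]) + key_for_seed(seed))
    return rsp == bytes([SID_SECURITY_ACCESS + 0x40, 0x02])


def legit_unlock(ecu: Ecu) -> bool:
    """Authorised tester: knows both the algorithm and the secret."""
    return unlock(ecu, lambda seed: transform(seed, GLOBAL_SECRET))


def guess_unlock(ecu: Ecu, guesses: int = 100) -> bool:
    """Attacker without the firmware: guessing 32-bit keys hits the lockout after 3 tries."""
    for i in range(guesses):
        if unlock(ecu, lambda seed: i.to_bytes(4, "big")):
            return True
    return False


def unlock_with_dumped_firmware(ecu: Ecu, firmware_dump: bytes, secret_offset: int) -> bool:
    """Attacker with the firmware: the secret is a slice of the dump and the
    transformation was reverse engineered from the code; nothing is left to guess."""
    secret = firmware_dump[secret_offset:secret_offset + len(GLOBAL_SECRET)]
    return unlock(ecu, lambda seed: transform(seed, secret))


# Constructed firmware image: code bytes with the secret embedded at offset 0x40.
FIRMWARE_DUMP = bytes(0x40) + GLOBAL_SECRET + bytes(0x40)
```

Because `GLOBAL_SECRET` is identical in every ECU of this type, one successful dump unlocks the whole fleet; the lockout only slows down an attacker who does not have the firmware.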
71. Fault Injection – Tooling
• Open source: ChipWhisperer®
• Commercial: Inspector FI
Fault Injection tooling is available to the masses!
75. What happens when we glitch? Things go wrong!
Fault Injection breaks things:
• We can change memory contents
• We can change register contents
• We can change the executed instructions
We can change the intended behavior of software!
78. ReadMemoryByAddress(0x00000000, 0x40)
Two checks are bypassed using a single glitch!
79. Glitching ReadMemoryByAddress
• Successful on several different ECUs implementing UDS, designed around different MCUs
• Depending on the target, allows reading out N bytes from an arbitrary address
• Complete firmware extracted in the order of days, depending on flash size and glitch success rate
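An added example (not code from the deck or from Riscure) of what the extraction loop looks like: the ISO 14229 request framing for ReadMemoryByAddress, a simulated ECU with the two checks (security state and address window) that the glitch has to skip, and a dump loop whose cost follows directly from flash size, chunk size and glitch success rate. The flash image, the address window and the success probability are constructed; the glitch is modelled as skipping the whole check block, since the deck does not say which instruction it hits.

```python
import random

# Added example: UDS ReadMemoryByAddress (0x23) framing, a simulated ECU with the
# two checks a glitch must skip, and a retry-until-success dump loop.

SID_RMBA = 0x23
NRC_REQUEST_OUT_OF_RANGE = 0x31
NRC_SECURITY_ACCESS_DENIED = 0x33


def encode_rmba(address: int, size: int, addr_len: int = 4, size_len: int = 1) -> bytes:
    """ISO 14229 request: SID, addressAndLengthFormatIdentifier (high nibble = width
    of the size field, low nibble = width of the address field), then address and
    size, big-endian. ReadMemoryByAddress(0x00000000, 0x40) -> 23 14 00 00 00 00 40."""
    alfid = (size_len << 4) | addr_len
    return bytes([SID_RMBA, alfid]) + address.to_bytes(addr_len, "big") + size.to_bytes(size_len, "big")


def decode_rmba(request: bytes):
    size_len, addr_len = request[1] >> 4, request[1] & 0x0F
    address = int.from_bytes(request[2:2 + addr_len], "big")
    size = int.from_bytes(request[2 + addr_len:2 + addr_len + size_len], "big")
    return address, size


class GlitchableEcu:
    """Simulated ECU: a flash image, a security-access flag and a window of addresses
    the service may read once unlocked. glitched=True models a fault that skips the
    check block entirely (constructed model of the single-glitch bypass)."""

    def __init__(self, flash: bytes, readable=(0x0800, 0x0C00)):
        self.flash = flash
        self.readable = readable
        self.unlocked = False

    def handle(self, request: bytes, glitched: bool = False) -> bytes:
        address, size = decode_rmba(request)
        if not glitched:
            if not self.unlocked:                                                       # check 1
                return bytes([0x7F, SID_RMBA, NRC_SECURITY_ACCESS_DENIED])
            if not (self.readable[0] <= address and address + size <= self.readable[1]):  # check 2
                return bytes([0x7F, SID_RMBA, NRC_REQUEST_OUT_OF_RANGE])
        if address + size > len(self.flash):
            return bytes([0x7F, SID_RMBA, NRC_REQUEST_OUT_OF_RANGE])
        return bytes([SID_RMBA + 0x40]) + self.flash[address:address + size]


def dump_flash(ecu, flash_size, chunk=0x40, success_rate=0.05, seed=1, max_attempts=100_000):
    """Read the whole flash through the glitched service. Each attempt succeeds with
    probability success_rate (constructed); failed attempts are simply retried."""
    rng = random.Random(seed)
    out = bytearray()
    attempts = 0
    for address in range(0, flash_size, chunk):
        request = encode_rmba(address, min(chunk, flash_size - address))
        while True:
            attempts += 1
            if attempts > max_attempts:
                raise RuntimeError("glitch success rate too low, giving up")
            rsp = ecu.handle(request, glitched=rng.random() < success_rate)
            if rsp[0] == SID_RMBA + 0x40:
                out += rsp[1:]
                break
    return bytes(out), attempts


def estimate_dump_seconds(flash_size, chunk, success_rate, seconds_per_attempt):
    """Expected wall-clock time: (flash_size / chunk) chunks, 1 / success_rate attempts each.
    1 MiB flash, 64-byte chunks, 1 % success, 0.2 s per attempt -> 327680 s (about 3.8 days)."""
    return (flash_size / chunk) / success_rate * seconds_per_attempt


# Constructed 4 KiB flash image.
FLASH = bytes(range(256)) * 16
```

The estimate is why a practitioner cares about the success rate more than about any single glitch: halving the attempt time or doubling the success rate each halve a multi-day extraction.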
80. Demo time!
(please visit our booth for a live demo)
81. Randomization of glitch parameters
Glitch parameters:
• Glitch delay (measured from the trigger)
• Glitch duration
• Glitch voltage
[Oscilloscope capture: VCC and CAN traces together with the trigger; the glitch is inserted on VCC between the diagnostic command (CMD) and the ECU's response (RSP), shown zoomed in.]
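An added example (not code from the deck or from Riscure) of a parameter-randomisation campaign: parameters are drawn uniformly from wide ranges, each response is classified, and the cluster of successes is used to narrow the ranges for the next, denser run. `SimulatedTarget`, its sensitivity window (delay 1000 to 1500 ns, a pulse strong enough to matter but weak enough not to reset the part) and the 40 % hit rate inside that window are constructed; on real hardware that class is replaced by a glitcher such as ChipWhisperer or Inspector FI driving the ECU over CAN.

```python
import random
from collections import Counter
from dataclasses import dataclass

# Added example: randomised glitch campaign against a constructed target model.


@dataclass(frozen=True)
class GlitchParams:
    delay_ns: int        # from the trigger (end of the diagnostic command on CAN)
    duration_ns: int     # length of the VCC glitch pulse
    voltage_v: float     # VCC level during the pulse (lower = stronger)


class SimulatedTarget:
    """Hypothetical ECU: the check is glitchable only around delay 1000-1500 ns and
    only if the pulse is strong enough to matter but weak enough not to reset it."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)

    def run(self, p: GlitchParams):
        strength = p.duration_ns * (3.3 - p.voltage_v)   # crude proxy for injected fault energy
        if strength > 120:
            return None                                  # brown-out reset: no response at all
        if strength >= 20 and 1000 <= p.delay_ns <= 1500 and self.rng.random() < 0.4:
            return bytes([0x63]) + bytes(0x40)           # positive ReadMemoryByAddress response
        return bytes([0x7F, 0x23, 0x33])                 # securityAccessDenied, as without a glitch


def classify(response):
    """Map the CAN response (or its absence) to a campaign outcome."""
    if response is None:
        return "mute"
    if response[0] == 0x63:
        return "success"
    return "normal"


def random_params(rng, ranges):
    return GlitchParams(
        delay_ns=rng.randint(*ranges["delay_ns"]),
        duration_ns=rng.randint(*ranges["duration_ns"]),
        voltage_v=round(rng.uniform(*ranges["voltage_v"]), 2),
    )


def campaign(target, ranges, attempts, seed=1):
    """Fire `attempts` glitches with uniformly random parameters and record what happened."""
    rng = random.Random(seed)
    results = []
    for _ in range(attempts):
        p = random_params(rng, ranges)
        results.append((p, classify(target.run(p))))
    return results


def summarize(results):
    return dict(Counter(outcome for _, outcome in results))


def refine_ranges(results, margin_ns=50):
    """Narrow the delay range to the cluster of successes for the next, denser campaign."""
    hits = [p for p, outcome in results if outcome == "success"]
    if not hits:
        return None
    delays = [p.delay_ns for p in hits]
    return {"delay_ns": (max(0, min(delays) - margin_ns), max(delays) + margin_ns), "hits": len(hits)}


WIDE = {"delay_ns": (0, 5000), "duration_ns": (10, 100), "voltage_v": (0.0, 3.0)}

if __name__ == "__main__":
    results = campaign(SimulatedTarget(), WIDE, 3000)
    print(summarize(results))
    print(refine_ranges(results))
```

Randomising all three parameters at once, rather than sweeping them one by one, is what lets the campaign find the window without knowing in advance where it is; the "mute" bucket is as informative as the successes, because it marks the upper edge of usable glitch strength.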
86. Debug Interfaces
• Standard manufacturer tooling is often publicly available
• Reading, writing and programming internal memories
• Debugging software
• Security measures are often enforced in software
[Diagram: PC connected over USB or serial to a debugger, which talks to the MCU inside the ECU over a debug interface such as JTAG or I2C]
90. Electromagnetic Fault Injection
• Tooling: ChipSHOUTER®, Inspector FI
• Cheap and awesome: BADFET
Electromagnetic fault injection is available to the masses!
91. Glitching Debug Interfaces
• Successful on several different MCUs with different types of debug interfaces
• Depending on the target, allows reading, writing, programming and debugging
• Complete firmware extracted in seconds, minutes or hours, depending on the debug interface
98. The goal: scaling up the attack
• Getting firmware (a hardware attack on one device)
• Reverse engineering
• Understanding
• Secrets, hacking, reconfiguration
105. Firmware emulation
• The firmware is executed without needing the ECU itself
• Great tooling is only available for common architectures
• When tooling is not available, we need to make our own
• We emulate only the functionality we need
110. Firmware emulation: what do we need?
• Instruction set emulator (the MCU core)
• Timers, interrupts, …
• Peripherals: I/O, EEPROM (over I2C), CAN
113. What cool stuff can we do?
What cool stuff can we do?
• Debugging using standard tooling (GDB)
• Sending CAN messages using standard tooling (SocketCAN)
• Execution tracing
• Taint tracking
115. Execution tracing
0x2920 cmp
0x2922 jmp to 0x292c
0x2926 add
0x2928 add
0x292c add
0x2930 add
Do we take the jmp to 0x292c? It’s too complex to figure this out statically, so we trace the emulated execution instead.
126. Taint tracking
CAN message: 8 data bytes (1 … 8), all initially unknown (??)
Data[2] = CAN.read() → Data[2] is now tainted by the CAN message
Data[7] = Data[2] → the taint propagates to Data[7]
Data[7] == calculateKey() → CAN-controlled data is compared against a computed value
We found the calculateKey function!
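An added example (not code from the deck or from Riscure) that covers both the execution-tracing slide and the taint-tracking slides above: a toy MCU emulator whose instruction set, addresses and program are constructed to mirror `Data[2] = CAN.read(); Data[7] = Data[2]; Data[7] == calculateKey()`. Every value carries a set of taint labels, the trace records whether each branch was taken for a given CAN input, and any compare touching CAN-derived data is reported together with the name of the helper whose result it is compared against. `calculate_key` is a hypothetical stand-in that returns a constant.

```python
from dataclasses import dataclass

# Added example: toy MCU emulator with execution tracing and taint tracking.
# ISA, addresses, program and calculateKey are constructed for illustration.


@dataclass(frozen=True)
class Value:
    val: int
    taint: frozenset = frozenset()   # labels saying where this value came from


def calculate_key(mcu):
    """Stand-in for the firmware's calculateKey(): returns a hypothetical constant."""
    return 0x42


HELPERS = {"calculateKey": calculate_key}


class ToyMcu:
    """Operands: an int i means Data[i] (8-byte CAN buffer), a str names a register."""

    def __init__(self, program, can_rx: bytes, base=0x2900):
        self.program, self.base = program, base
        self.data = [Value(0) for _ in range(8)]
        self.regs = {"r0": Value(0), "r1": Value(0), "flags": Value(0)}
        self.can_rx = list(can_rx)
        self.trace = []      # one line per executed instruction
        self.findings = []   # (pc, taint labels) of compares on CAN-derived data

    def load(self, operand):
        return self.data[operand] if isinstance(operand, int) else self.regs[operand]

    def store(self, operand, value):
        if isinstance(operand, int):
            self.data[operand] = value
        else:
            self.regs[operand] = value

    def step(self, pc):
        op, *args = self.program[(pc - self.base) // 2]
        nxt, note = pc + 2, ""
        if op == "can_read":                      # Data[i] = CAN.read(): taint source
            self.store(args[0], Value(self.can_rx.pop(0), frozenset({"CAN"})))
        elif op == "mov":                         # dst = src: taint travels with the value
            self.store(args[0], self.load(args[1]))
        elif op == "ldi":                         # dst = immediate (untainted)
            self.store(args[0], Value(args[1]))
        elif op == "add":                         # dst = dst + src: taints merge
            a, b = self.load(args[0]), self.load(args[1])
            self.store(args[0], Value((a.val + b.val) & 0xFF, a.taint | b.taint))
        elif op == "call":                        # r0 = helper(): tagged with the callee's name
            self.regs["r0"] = Value(HELPERS[args[0]](self), frozenset({args[0]}))
        elif op == "cmp":                         # flags = (a == b)
            a, b = self.load(args[0]), self.load(args[1])
            labels = a.taint | b.taint
            self.regs["flags"] = Value(int(a.val == b.val), labels)
            if "CAN" in labels:                   # attacker-controlled data reaches a check
                self.findings.append((pc, tuple(sorted(labels))))
        elif op == "jne":                         # branch if the last compare was not equal
            taken = self.regs["flags"].val == 0
            nxt, note = (args[0] if taken else nxt), (" (taken)" if taken else " (not taken)")
        elif op == "ret":
            nxt = None
        args_txt = f"{args[0]:#06x}" if op == "jne" else " ".join(str(a) for a in args)
        self.trace.append(f"{pc:#06x} {op} {args_txt}{note}".rstrip())
        return nxt

    def run(self, max_steps=100):
        pc, steps = self.base, 0
        while pc is not None and steps < max_steps:
            pc, steps = self.step(pc), steps + 1
        return self


# Constructed firmware fragment: a Security Access style check of a CAN byte.
PROGRAM = [
    ("can_read", 2),            # 0x2900 Data[2] = CAN.read()
    ("mov", 7, 2),              # 0x2902 Data[7] = Data[2]
    ("call", "calculateKey"),   # 0x2904 r0 = calculateKey()
    ("cmp", 7, "r0"),           # 0x2906 Data[7] == r0 ?
    ("jne", 0x290E),            # 0x2908 mismatch -> 0x290e
    ("ldi", "r1", 1),           # 0x290a r1 = 1 (unlocked)
    ("ret",),                   # 0x290c
    ("ldi", "r1", 0),           # 0x290e r1 = 0 (locked)
    ("ret",),                   # 0x2910
]


def emulate(can_message: bytes) -> ToyMcu:
    """Run the fragment on one CAN message; inspect .trace, .findings and .regs."""
    return ToyMcu(PROGRAM, can_message).run()
```

Running `emulate(bytes([0x42]))` and `emulate(bytes([0x00]))` gives two traces that differ only at `0x2908 jne`, which answers the "do we take the jump?" question for each input; both runs report the compare at `0x2906` as CAN-tainted data meeting the result of `calculateKey`, which is the hit the taint tracker is looking for.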
130. Wrap up
• Hardware cannot be trusted
• No software vulnerabilities ≠ secure
• Hardware attacks are efficient and do scale
• They are a stepping-stone for scalable attacks
• Your firmware will be exposed and understood
• Do not rely on its secrecy or its complexity
136. Hardening ECUs
• Don’t expose secrets to software
• Use secure hardware (e.g. SHE, EVITA HSM)
• Diversify keys between ECUs
• Avoid using pre-shared secrets
• Use asymmetric cryptography (e.g. RSA)
• Adjust the product’s threat model
• Minimize the impact of hardware attacks
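An added example (not code from the deck or from Riscure) of the first three measures in code: per-ECU keys derived from a master key that only the back-end holds, and an ECU-side key slot behind a `SecureHardware` boundary that the ECU software can only ask to verify a response, never read. The HMAC-based diversification, the seed-response function, the ECU identifiers and the master key are constructed for illustration; the asymmetric variant (signing the seed with a tester key the ECU verifies with a public key) follows the same interface but is not shown, since the standard library has no signature primitive.

```python
import hashlib
import hmac
import os

# Added example: diversified per-ECU keys plus a secure-hardware boundary for the key.
# Derivation scheme, identifiers and master key are constructed.


def diversify(master_key: bytes, ecu_id: bytes) -> bytes:
    """Per-ECU SecurityAccess key = HMAC-SHA256(master_key, label || ECU identity)."""
    return hmac.new(master_key, b"SecurityAccess:" + ecu_id, hashlib.sha256).digest()


def seed_response(key: bytes, seed: bytes) -> bytes:
    """Key-dependent answer to a seed: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, seed, hashlib.sha256).digest()[:8]


class SecureHardware:
    """Models a SHE/HSM-style key slot: the key is written once and the only operation
    offered to software is a constant-time verify. (Python cannot truly hide an
    attribute; the point is the interface the ECU firmware gets to use.)"""

    def __init__(self, key: bytes):
        self.__key = key

    def verify(self, seed: bytes, response: bytes) -> bool:
        return hmac.compare_digest(seed_response(self.__key, seed), response)


class HardenedEcu:
    def __init__(self, ecu_id: bytes, hsm: SecureHardware):
        self.ecu_id = ecu_id        # public, readable by any tester
        self.hsm = hsm
        self.unlocked = False
        self.pending_seed = None

    def request_seed(self) -> bytes:
        self.pending_seed = os.urandom(8)
        return self.pending_seed

    def send_key(self, response: bytes) -> bool:
        seed, self.pending_seed = self.pending_seed, None
        if seed is None:
            return False
        self.unlocked = self.hsm.verify(seed, response)
        return self.unlocked

    def firmware_image(self) -> bytes:
        """What a flash dump of this ECU yields: code and the ECU id, but no key."""
        return b"\x00" * 64 + self.ecu_id + b"\x00" * 64


def provision_fleet(master_key: bytes, ecu_ids):
    """Production: the back-end derives each ECU's key and injects it into its secure hardware."""
    return {i: HardenedEcu(i, SecureHardware(diversify(master_key, i))) for i in ecu_ids}


def backend_unlock(ecu: HardenedEcu, master_key: bytes) -> bool:
    """Authorised tester: the back-end computes the response for this ECU's seed."""
    seed = ecu.request_seed()
    key = diversify(master_key, ecu.ecu_id)   # happens in the back-end, not in the tester
    return ecu.send_key(seed_response(key, seed))


def unlock_with_key(ecu: HardenedEcu, key: bytes) -> bool:
    """Attacker who obtained one ECU's key (e.g. by a hardware attack) tries it elsewhere."""
    return ecu.send_key(seed_response(key, ecu.request_seed()))


MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed
FLEET_IDS = [b"ECU-A-0001", b"ECU-B-0002"]
```

With this split, the firmware dump that the rest of the deck is about no longer contains anything worth extracting, and even a full compromise of one ECU's key slot buys the attacker that one vehicle's ECU, not the fleet; that is what "minimize the impact of hardware attacks" means in practice.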
138. Thanks to…
Santiago Cordoba, Eloi Sanfelix, Ramiro Pareja, Nils Wiersma, Alyssa Milburn
Our papers are available here, here and here!
139. Thank you! Any questions?
Thank you! Any questions?
(please visit our booth)
Niek Timmers
Principal Security Analyst, Riscure
niek@riscure.com / @tieknimmers