SlideShare a Scribd company logo

Fault Injection on Automotive Diagnosis Protocols

Riscure
Riscure

In this work we present fault injection as a technique to bypass the security of automotive diagnosis (UDS) protocol implementations that do not contain any logical vulnerabilities. Therefore, they are protected against traditional logical attacks. Our tests proved that it is possible for an attacker to inject faults and bypass the UDS authentication, obtaining access to the internal Flash and SRAM memories of the targets. By analyzing the dumped firmware, the keys and algorithm that protect the UDS have also been extracted, giving full access to the diagnosis services without requiring the use of fault injection techniques. Originally presented by Riscure's Niek Timmers at the 2018 ESCAR USA conference.

Technology
1 of 37
Download to read offline
1 Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers
2 Big shout out to Ramiro and Santiago! • Security Analysts at Riscure’s Automotive Security Team • Riscure • Services • E.g. Penetration Testing, Security Architecture Review, and more. • Tools • E.g. Automotive Security Test Tools, Fault Injection, and more. • Training • E.g. Embedded Security for Automotive, Fault Injection, and more. • Offices in the Netherlands, USA and China Combining services and tools for fun and profit!
3 The hacker’s approach for hacking embedded systems Access to the firmware is a tremendous convenience for an attacker! Target exploration Vulnerability finding Exploitation Profit ECUs
4 Obtaining ECU Firmware • Firmware is available through official channels • Firmware is stored in an external memory chip • Firmware upgrades are not encrypted • Firmware is leaked / distributed illegally • Code protection features are not enabled • Firmware is extracted using a software-based attack What if all of the above is not applicable? Attackers will resort to something else…
5 Reference: https://derrekr.github.io/3ds/33c3/#/18 Hackers nowadays use Fault Injection! Others came to similar conclusions…
6 Fault Injection – Introduction “Introducing faults in a target to alter its intended behavior.” How can we introduce these faults?
7 Fault Injection – Techniques Clock Voltage Electromagnetic Laser • A controlled environmental change leads to altered behavior in the target • They leverage a vulnerability in hardware
8 Fault Injection – Why does it work?
9 Fault Injection – Basic concept 5.5V time 1.8V
10 Fault Injection – Typical faults • Instruction corruption • Executing different instructions • Skipping instructions • Data corruption • Reading different data • Writing different data These faults change the intended behavior of software!
11 Fault Injection – Tooling ChipWhisperer® Inspector Fault Injection Fault Injection tooling is available to the masses! Open source Commercial
12 Fault Injection – Examples
13 Fault Injection – Examples
14 Fault Injection – Examples
15 We can inject faults and alter software… What software?
16 It’s common and includes convenient functionality! UDS!
17 UDS – Unified Diagnostic Services • Diagnostic and Communication Management • Diagnostic Session Control • Security Access • Data Transmission • Read and Write memory • Upload / Download • Read and Program flash • Manufacturer proprietary Disclaimer: Manufacturers are free to implement only a subset of the UDS specification!
18 UDS – What speaks it? Most ECUs in a modern car speak it using a multitude of protocols CAN K-Line FlexRay Ethernet It is unlikely UDS will go away!
19 UDS – Typical use case Firmware update
20 Standard Security Access Check The secret used by the key calculation algorithm should be protected!
21 Standard Security Access Check
22 Standard Security Access Check • Not successful :’( • There’s a 10 minute timeout after 3 failed attempts • Simply not practical for us (or an attacker) Some times you have to take your losses and move on!
23 Reading Memory No restrictions on failed attempts!
24 Reading Memory
25 Reading Memory • Successful on multiple instrument clusters • Depending on the target • Allows reading out N bytes from an arbitrary address • Extraction of the internal memories in N days • Addresses include volatile and non-volatile memories • Complete firmware extracted Extraction of the firmware only has to be done once!
26 We have the firmware… now what?
27 Lots of “cool” stuff… • Reverse engineering • Understanding the device • Extracting secrets • Finding vulnerabilities Please see Alyssa’s presentation on reverse engineering firmware efficiently!
28 But… does this scale!?
29 Hardware attacks scale! • Firmware can be distributed • Secrets can be distributed • Vulnerabilities (and exploits) can be distributed • Vulnerabilities can be exploited remotely
30 Reading memory is fun! What about something cooler?
31 Attack #3: Writing memory Where should we write to get code execution on the ECU?
32 Wrapping up…
33 Why is UDS vulnerable? • A robust Security Access check is not part of the standard • Typical Security Access check based on pre-shared secrets • No fault injection resistant hardware used in most ECUs • No fault injection resistant software used in most ECUs What can you do?
34 Improving Products • Include fault injection attacks in your threat model • Design and implement fault injection resistant hardware • Start from an early design • Test, test… and test again! • Implement fault injection resistant software • Make critical assets inaccessible to software • E.g. Using “real” hardware
35 Fault Injection Hardened Firmware Prevent single point of failures for security critical checks! More info here. Not hardened Hardened
36 Key takeaways • Fault injection attacks are available to the masses • Fault injection attacks subvert software security models • All unprotected devices are vulnerable • Presented attack not unique; most ECUs affected • Fault injection attacks result in scalable attacks
37 Challenge your security Riscure Head Office Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 inforequest@riscure.com Riscure North America 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@rna.riscure.com Riscure China Room 2030-31, No. 989, Changle Road Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com Niek Timmers Principal Security Analyst niek@riscure.com / @tieknimmers Thank you!

Recommended

Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
Riscure
 
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
KarthiSugumar
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
Brendan Gregg
 
Embedded C - Lecture 1
Embedded C - Lecture 1Embedded C - Lecture 1
Embedded C - Lecture 1
Mohamed Abdallah
 
Flash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programmingFlash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programming
Embitel Technologies (I) PVT LTD
 
Autosar Basics hand book_v1
Autosar Basics hand book_v1Autosar Basics hand book_v1
Autosar Basics hand book_v1
Keroles karam khalil
 
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Deepak Shankar
 
HKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted bootHKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 

Recommended

Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
Riscure
 
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
KarthiSugumar
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
Brendan Gregg
 
Embedded C - Lecture 1
Embedded C - Lecture 1Embedded C - Lecture 1
Embedded C - Lecture 1
Mohamed Abdallah
 
Flash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programmingFlash Bootloader Development for ECU programming
Flash Bootloader Development for ECU programming
Embitel Technologies (I) PVT LTD
 
Autosar Basics hand book_v1
Autosar Basics hand book_v1Autosar Basics hand book_v1
Autosar Basics hand book_v1
Keroles karam khalil
 
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Compare Performance-power of Arm Cortex vs RISC-V for AI applications_oct_2021
Deepak Shankar
 
HKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted bootHKG18-223 - Trusted FirmwareM: Trusted boot
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)
Embitel Technologies (I) PVT LTD
 
Introduction to Embedded System
Introduction to Embedded SystemIntroduction to Embedded System
Introduction to Embedded System
Zakaria Gomaa
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
Microprocessors and microcontrollers
Microprocessors and microcontrollersMicroprocessors and microcontrollers
Microprocessors and microcontrollers
Aditya Porwal
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_Booting
Rashila Rr
 
Introduction to AVR Microcontroller
Introduction to AVR Microcontroller Introduction to AVR Microcontroller
Introduction to AVR Microcontroller
Mahmoud Sadat
 
Automative basics v3
Automative basics v3Automative basics v3
Automative basics v3
Keroles karam khalil
 
AVR Fundamentals
AVR FundamentalsAVR Fundamentals
AVR Fundamentals
Vinit Vyas
 
Alchol detection
Alchol detectionAlchol detection
Alchol detection
Ekalavya Group of Technologies
 
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
Robo India
 
Introduction To Embedded Systems
Introduction To Embedded SystemsIntroduction To Embedded Systems
Introduction To Embedded Systems
anishgoel
 
System-on-Chip
System-on-ChipSystem-on-Chip
System-on-Chip
Lars Jacobs
 
QNX Software Systems
QNX Software SystemsQNX Software Systems
QNX Software Systems
Robert-Emmanuel Mayssat
 
EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller
pavihari
 
Communication protocols - Embedded Systems
Communication protocols - Embedded SystemsCommunication protocols - Embedded Systems
Communication protocols - Embedded Systems
Emertxe Information Technologies Pvt Ltd
 
Riscv 20160507-patterson
Riscv 20160507-pattersonRiscv 20160507-patterson
Riscv 20160507-patterson
Krste Asanovic
 
Video Compression Standards - History & Introduction
Video Compression Standards - History & IntroductionVideo Compression Standards - History & Introduction
Video Compression Standards - History & Introduction
Champ Yen
 
UNIT-I-RTOS and Concepts
UNIT-I-RTOS and ConceptsUNIT-I-RTOS and Concepts
UNIT-I-RTOS and Concepts
Dr.YNM
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For You
Adam Caudill
 
Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
Niek Timmers
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
Priyanka Aash
 

More Related Content

What's hot

Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)
Embitel Technologies (I) PVT LTD
 
Introduction to Embedded System
Introduction to Embedded SystemIntroduction to Embedded System
Introduction to Embedded System
Zakaria Gomaa
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
Microprocessors and microcontrollers
Microprocessors and microcontrollersMicroprocessors and microcontrollers
Microprocessors and microcontrollers
Aditya Porwal
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_Booting
Rashila Rr
 
Introduction to AVR Microcontroller
Introduction to AVR Microcontroller Introduction to AVR Microcontroller
Introduction to AVR Microcontroller
Mahmoud Sadat
 
Automative basics v3
Automative basics v3Automative basics v3
Automative basics v3
Keroles karam khalil
 
AVR Fundamentals
AVR FundamentalsAVR Fundamentals
AVR Fundamentals
Vinit Vyas
 
Alchol detection
Alchol detectionAlchol detection
Alchol detection
Ekalavya Group of Technologies
 
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
Robo India
 
Introduction To Embedded Systems
Introduction To Embedded SystemsIntroduction To Embedded Systems
Introduction To Embedded Systems
anishgoel
 
System-on-Chip
System-on-ChipSystem-on-Chip
System-on-Chip
Lars Jacobs
 
QNX Software Systems
QNX Software SystemsQNX Software Systems
QNX Software Systems
Robert-Emmanuel Mayssat
 
EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller
pavihari
 
Communication protocols - Embedded Systems
Communication protocols - Embedded SystemsCommunication protocols - Embedded Systems
Communication protocols - Embedded Systems
Emertxe Information Technologies Pvt Ltd
 
Riscv 20160507-patterson
Riscv 20160507-pattersonRiscv 20160507-patterson
Riscv 20160507-patterson
Krste Asanovic
 
Video Compression Standards - History & Introduction
Video Compression Standards - History & IntroductionVideo Compression Standards - History & Introduction
Video Compression Standards - History & Introduction
Champ Yen
 
UNIT-I-RTOS and Concepts
UNIT-I-RTOS and ConceptsUNIT-I-RTOS and Concepts
UNIT-I-RTOS and Concepts
Dr.YNM
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For You
Adam Caudill
 

What's hot (20)

Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)Autosar MCAL (Microcontroller Abstraction Layer)
Autosar MCAL (Microcontroller Abstraction Layer)
 
Introduction to Embedded System
Introduction to Embedded SystemIntroduction to Embedded System
Introduction to Embedded System
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
 
Microprocessors and microcontrollers
Microprocessors and microcontrollersMicroprocessors and microcontrollers
Microprocessors and microcontrollers
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_Booting
 
Introduction to AVR Microcontroller
Introduction to AVR Microcontroller Introduction to AVR Microcontroller
Introduction to AVR Microcontroller
 
Automative basics v3
Automative basics v3Automative basics v3
Automative basics v3
 
AVR Fundamentals
AVR FundamentalsAVR Fundamentals
AVR Fundamentals
 
Alchol detection
Alchol detectionAlchol detection
Alchol detection
 
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
ADC - Analog to Digital Conversion on AVR microcontroller Atmega16
 
Introduction To Embedded Systems
Introduction To Embedded SystemsIntroduction To Embedded Systems
Introduction To Embedded Systems
 
System-on-Chip
System-on-ChipSystem-on-Chip
System-on-Chip
 
QNX Software Systems
QNX Software SystemsQNX Software Systems
QNX Software Systems
 
EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller EE6008 MCBSD - Introduction to PIC Micro controller
EE6008 MCBSD - Introduction to PIC Micro controller
 
Communication protocols - Embedded Systems
Communication protocols - Embedded SystemsCommunication protocols - Embedded Systems
Communication protocols - Embedded Systems
 
Riscv 20160507-patterson
Riscv 20160507-pattersonRiscv 20160507-patterson
Riscv 20160507-patterson
 
Video Compression Standards - History & Introduction
Video Compression Standards - History & IntroductionVideo Compression Standards - History & Introduction
Video Compression Standards - History & Introduction
 
UNIT-I-RTOS and Concepts
UNIT-I-RTOS and ConceptsUNIT-I-RTOS and Concepts
UNIT-I-RTOS and Concepts
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For You
 

Similar to Fault Injection on Automotive Diagnosis Protocols

Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
Niek Timmers
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
Priyanka Aash
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
Digital Bond
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
Wasif Ali Syed
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
ssuserfb92ae
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
Christopher Grayson
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
Mark Szewczul, CISSP
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
Muhib Ahmad Sherwani
 
Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
Chris Sistrunk
 
Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
Tonex
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
Trusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .pptTrusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .ppt
naghamallella
 
SDL: Secure design principles
SDL: Secure design principlesSDL: Secure design principles
SDL: Secure design principles
sluge
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
AVEVA
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Qualcomm Developer Network
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
Uditha Bandara Wijerathna
 
Program security
Program securityProgram security
Program security
G Prachi
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 

Similar to Fault Injection on Automotive Diagnosis Protocols (20)

Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Trusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .pptTrusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .ppt
 
SDL: Secure design principles
SDL: Secure design principlesSDL: Secure design principles
SDL: Secure design principles
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
Program security
Program securityProgram security
Program security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 

More from Riscure

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Riscure
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
Riscure
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
Riscure
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
Riscure
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
Riscure
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
Riscure
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
Riscure
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
Riscure
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
Riscure
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
Riscure
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cards
Riscure
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
Riscure
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCE
Riscure
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
Riscure
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
Riscure
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Riscure
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Riscure
 

More from Riscure (18)

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cards
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCE
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding Countermeasures
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 

Recently uploaded

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 

Recently uploaded (20)

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 

Fault Injection on Automotive Diagnosis Protocols

  • 1. 1 Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers
  • 2. 2 Big shout out to Ramiro and Santiago! • Security Analysts at Riscure’s Automotive Security Team • Riscure • Services • E.g. Penetration Testing, Security Architecture Review, and more. • Tools • E.g. Automotive Security Test Tools, Fault Injection, and more. • Training • E.g. Embedded Security for Automotive, Fault Injection, and more. • Offices in the Netherlands, USA and China Combining services and tools for fun and profit!
  • 3. 3 The hacker’s approach for hacking embedded systems Access to the firmware is a tremendous convenience for an attacker! Target exploration Vulnerability finding Exploitation Profit ECUs
  • 4. 4 Obtaining ECU Firmware • Firmware is available through official channels • Firmware is stored in an external memory chip • Firmware upgrades are not encrypted • Firmware is leaked / distributed illegally • Code protection features are not enabled • Firmware is extracted using a software-based attack What if all of the above is not applicable? Attackers will resort to something else…
  • 5. 5 Reference: https://derrekr.github.io/3ds/33c3/#/18 Hackers nowadays use Fault Injection! Others came to similar conclusions…
  • 6. 6 Fault Injection – Introduction “Introducing faults in a target to alter its intended behavior.” How can we introduce these faults?
  • 7. 7 Fault Injection – Techniques Clock Voltage Electromagnetic Laser • A controlled environmental change leads to altered behavior in the target • They leverage a vulnerability in hardware
  • 8. 8 Fault Injection – Why does it work?
  • 9. 9 Fault Injection – Basic concept 5.5V time 1.8V
  • 10. 10 Fault Injection – Typical faults • Instruction corruption • Executing different instructions • Skipping instructions • Data corruption • Reading different data • Writing different data These faults change the intended behavior of software!
  • 11. 11 Fault Injection – Tooling ChipWhisperer® Inspector Fault Injection Fault Injection tooling is available to the masses! Open source Commercial
  • 15. 15 We can inject faults and alter software… What software?
  • 16. 16 It’s common and includes convenient functionality! UDS!
  • 17. 17 UDS – Unified Diagnostic Services • Diagnostic and Communication Management • Diagnostic Session Control • Security Access • Data Transmission • Read and Write memory • Upload / Download • Read and Program flash • Manufacturer proprietary Disclaimer: Manufacturers are free to implement only a subset of the UDS specification!
  • 18. 18 UDS – What speaks it? Most ECUs in a modern car speak it using a multitude of protocols CAN K-Line FlexRay Ethernet It is unlikely UDS will go away!
  • 19. 19 UDS – Typical use case Firmware update
  • 20. 20 Standard Security Access Check The secret used by the key calculation algorithm should be protected!
  • 22. 22 Standard Security Access Check • Not successful :’( • There’s a 10 minute timeout after 3 failed attempts • Simply not practical for us (or an attacker) Some times you have to take your losses and move on!
  • 23. 23 Reading Memory No restrictions on failed attempts!
  • 25. 25 Reading Memory • Successful on multiple instrument clusters • Depending on the target • Allows reading out N bytes from an arbitrary address • Extraction of the internal memories in N days • Addresses include volatile and non-volatile memories • Complete firmware extracted Extraction of the firmware only has to be done once!
  • 26. 26 We have the firmware… now what?
  • 27. 27 Lots of “cool” stuff… • Reverse engineering • Understanding the device • Extracting secrets • Finding vulnerabilities Please see Alyssa’s presentation on reverse engineering firmware efficiently!
  • 29. 29 Hardware attacks scale! • Firmware can be distributed • Secrets can be distributed • Vulnerabilities (and exploits) can be distributed • Vulnerabilities can be exploited remotely
  • 30. 30 Reading memory is fun! What about something cooler?
  • 31. 31 Attack #3: Writing memory Where should we write to get code execution on the ECU?
  • 33. 33 Why is UDS vulnerable? • A robust Security Access check is not part of the standard • Typical Security Access check based on pre-shared secrets • No fault injection resistant hardware used in most ECUs • No fault injection resistant software used in most ECUs What can you do?
  • 34. 34 Improving Products • Include fault injection attacks in your threat model • Design and implement fault injection resistant hardware • Start from an early design • Test, test… and test again! • Implement fault injection resistant software • Make critical assets inaccessible to software • E.g. Using “real” hardware
  • 35. 35 Fault Injection Hardened Firmware Prevent single point of failures for security critical checks! More info here. Not hardened Hardened
  • 36. 36 Key takeaways • Fault injection attacks are available to the masses • Fault injection attacks subvert software security models • All unprotected devices are vulnerable • Presented attack not unique; most ECUs affected • Fault injection attacks result in scalable attacks
  • 37. 37 Challenge your security Riscure Head Office Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 inforequest@riscure.com Riscure North America 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@rna.riscure.com Riscure China Room 2030-31, No. 989, Changle Road Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com Niek Timmers Principal Security Analyst niek@riscure.com / @tieknimmers Thank you!