
Analyzing the Security of Cars Efficiently

These are the slides for my presentation "Analyzing the Security of Cars Efficiently" at escar Asia 2018.

Published in: Automotive

  1. Analyzing the Security of Cars Efficiently. Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
  2. Today we are talking about
  3-6. System Level Security (diagram labels: In-vehicle network, Electronic Control Unit (ECU), Microcontroller (MCU), Interfaces)
  7-13. Typical ECUs found in a car…
  14. Analyzing the Security of Modern Cars Efficiently: They come in all forms, shapes and sizes!
  15. … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
  17. Which ones are we interested in?
  18-23. Let’s kill the engine remotely … (diagram labels: Telematics, Infotainment, Wireless / Remote, Gateway, Powertrain, Interior, Chassis, Etc.) Highlighted in turn: Wireless / Remote, Telematics, Gateway, Powertrain. An understanding of multiple ECUs is required!
  24. Are all the ECUs the same?
  25. ECU Type 1: SoC-based • System-on-Chip (SoC) based • Firmware stored in external flash • Many interfaces • Multi-purpose • Large attack surface • Only a few implemented in a car
  26. ECU Type 2: MCU-based • Microcontroller (MCU) based • Firmware stored inside the MCU • Few interfaces • Specific functionality • Small attack surface • Many implemented in a vehicle
  27. Do hackers use a different approach?
  28-30. Typical approach for hacking embedded systems: Understand target → Identify vulnerability → Exploit vulnerability • ECUs found in cars! • But to understand, we need the firmware!
  31-34. Getting firmware
  35. We will focus on MCU-based ECUs!
  36-40. Obtaining ECU firmware (diagram labels: Leaks, Firmware upgrade, Interfaces, Software, Chips) Let’s open up an ECU!
  41-45. Firmware is stored inside the MCU! (diagram labels: MCU, EEPROM, I/O, Debug, CAN)
  46. What can we speak on CAN?
  47-48. Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • And loads of more stuff… • It’s everywhere! It’s standardized! It’s easy!
  49-52. Why are hackers interested? • Reprogramming: programming new firmware • Read and write memory: accessing device internals • (Re)configuration: adding keys, changing mileage, etc.
  53. What protects all this juice from malicious use?
  54-56. Security Access • It should not be possible to brute force or guess the key!
  57-59. Diagnostics (diagram labels: Back-end system, Tester, DLC, Gateway, ECU A, ECU B) • Attacker has access! • The transformation algorithm and secret(s) are stored inside the ECU!
  60-63. Let’s hack UDS! • Read/write memory functions: protected • Black-box vulnerability discovery: possible, but too difficult • We want something easy…
  64-65. (diagram labels: MCU, EEPROM, Debug, I/O, CAN, VCC)
  66-70. [Figure: voltage over time, with levels 5.5V and 1.8V marked]
  71. Fault Injection – Tooling • Open source: ChipWhisperer® • Commercial: Inspector FI • Fault Injection tooling is available to the masses!
  73. What happens when we glitch? Things go wrong!
  74-75. Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions • We can change the intended behavior of software!
  76-78. ReadMemoryByAddress(0x00000000, 0x40) • Two checks are bypassed using a single glitch!
  79. Glitching ReadMemoryByAddress • Successful on several different ECUs implementing UDS • Designed around different MCUs • Depending on the target… • Allows reading out N bytes from an arbitrary address • Complete firmware extracted in the order of days • Depended on flash size and success rate
  80. Demo time! (please visit our booth for a live demo)
  81. Randomization of parameters • Glitch Parameters: Glitch Delay, Glitch Duration, Glitch Voltage (figure labels: VCC, CAN, Trigger, CMD, RSP, Glitch, Glitch (zoomed))
  82. Fault Injection video
  83. Can we do better?
  84-85. (diagram labels: MCU, EEPROM, Debug, I/O, CAN, VCC)
  86. Debug Interfaces • Standard manufacturer tooling often publicly available • Reading, writing and programming internal memories • Debugging software • Software is often enforcing any security measures (diagram labels: PC, Debugger, ECU, MCU, USB, Serial, I2C, JTAG)
  87-88. (diagram labels: MCU, EEPROM, Debug, I/O, CAN, VCC)
  89. Being more efficient
  90. Electromagnetic Fault Injection • ChipSHOUTER® • Cheap and awesome: BADFET • Inspector FI • Electromagnetic fault injection available to the masses!
  91. Glitching Debug Interfaces • Successful on several different MCUs • Different types of debug interfaces • Depending on the target… • Allows reading, writing, programming and debugging • Complete firmware extracted in seconds/minutes/hours • Depended on the debug interface
  92. We have access to firmware… now what?
  94-98. The goal: scaling up the attack (diagram labels: Getting firmware, Reverse engineering, Understanding, Secrets, Hacking, Reconfiguration)
  99. How can we understand efficiently?
  100-102. Static analysis? (diagram labels: Firmware, Custom code, OS code, Generated code, Configuration, Models)
  104. Let’s do this more efficiently!
  105. Firmware emulation • Firmware is executed without needing the ECU itself • Great tooling only available for common architectures • When tooling is not available, we need to make our own • We are emulating only the functionality we need
  106-110. What do we need? • Instruction set emulator • Timers, interrupts, … • Peripherals (diagram labels: MCU, I/O, EEPROM, I2C, CAN)
  111. Emulating the processor
  112. “Implementing” peripherals
  113. What cool stuff can we do? • Debugging using standard tooling (GDB) • Sending CAN messages using standard tooling (SocketCAN) • Execution tracing • Taint tracking
  114-118. Execution tracing: 0x2920 cmp; 0x2922 jmp to 0x292c; 0x2926 add; 0x2928 add; 0x292c add; 0x2930 add • Do we take the jmp to 0x292c? • It’s too complex to figure this out statically!
  119-126. Taint tracking (figure: memory cells 1 to 8, contents shown as ??, with “CAN message” labels) • Data[2] = CAN.read() • Data[7] = Data[2] • Data[7] == calculateKey() • We found the calculateKey function!
  127-130. Wrap up • Hardware cannot be trusted: no software vulnerabilities ≠ secure • Hardware attacks are efficient and do scale: they are a stepping-stone for scalable attacks • Your firmware will be exposed and understood: do not rely on its secrecy or its complexity
  131-132. Is all hope lost? No.
  133-136. Hardening ECUs • Don’t expose secrets to software: use secure hardware (e.g. SHE, Evita, etc.); diversify keys between ECUs • Avoid using pre-shared secrets: use asymmetric cryptography (e.g. RSA) • Adjust the product’s threat model: minimize the impact of hardware attacks
  137. Defense in depth is key!
  138. Thanks to… Santiago Cordoba, Eloi Sanfelix, Ramiro Pareja, Nils Wiersma, Alyssa Milburn. Our papers are available here, here and here!
  139. Thank you! Any questions? (please visit our booth) Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
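
An added sketch (not from the slides or from Riscure) of the "Diversify keys between ECUs" and Security Access points: each ECU holds only a key derived from a back-end master key, so a key extracted from one unit does not unlock another. HMAC-SHA256, the `ECU-A`/`ECU-B` IDs, the 16-byte sizes and the three-attempt lockout are assumptions chosen for illustration; a real ECU would keep the failure counter in non-volatile memory.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16       # assumed seed/key size for this sketch
MAX_FAILURES = 3   # assumed lockout threshold

def diversify(master_key: bytes, ecu_id: bytes) -> bytes:
    # Back-end only: per-ECU key = HMAC(master, label | ECU id), truncated.
    return hmac.new(master_key, b"sec-access|" + ecu_id, hashlib.sha256).digest()[:KEY_LEN]

def seed_to_key(ecu_key: bytes, seed: bytes) -> bytes:
    # Keyed transformation: knowing the algorithm alone is not enough.
    return hmac.new(ecu_key, seed, hashlib.sha256).digest()[:KEY_LEN]

class Ecu:
    """Stores only its own diversified key, never the master key."""

    def __init__(self, ecu_id: bytes, ecu_key: bytes):
        self.ecu_id, self._key = ecu_id, ecu_key
        self._seed = None
        self.failures = 0
        self.unlocked = False

    def request_seed(self) -> bytes:
        if self.failures >= MAX_FAILURES:
            raise PermissionError("security access locked out")
        self._seed = secrets.token_bytes(KEY_LEN)  # fresh and unpredictable
        return self._seed

    def send_key(self, key: bytes) -> bool:
        if self._seed is None or self.failures >= MAX_FAILURES:
            return False
        seed, self._seed = self._seed, None        # one attempt per seed
        ok = hmac.compare_digest(key, seed_to_key(self._key, seed))
        self.failures = 0 if ok else self.failures + 1
        self.unlocked = ok
        return ok

def unlock(ecu: Ecu, key_for_ecu: bytes) -> bool:
    # Tester side of one exchange: request a seed, answer with the derived key.
    return ecu.send_key(seed_to_key(key_for_ecu, ecu.request_seed()))

def demo() -> dict:
    master = secrets.token_bytes(32)  # constructed sample master key
    key_a, key_b = diversify(master, b"ECU-A"), diversify(master, b"ECU-B")
    ecu_a, ecu_b = Ecu(b"ECU-A", key_a), Ecu(b"ECU-B", key_b)
    return {
        "ecu_a_with_own_key": unlock(ecu_a, key_a),
        "ecu_b_with_key_taken_from_ecu_a": unlock(ecu_b, key_a),
        "ecu_b_failed_attempts": ecu_b.failures,
    }

if __name__ == "__main__":
    print(demo())
```

A diversified symmetric key still sits inside each ECU, which is why the slides also list secure hardware and asymmetric cryptography.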
