1. 1
Analyzing the Security
of Cars Efficiently
Niek Timmers
Principal Security Analyst, Riscure
niek@riscure.com / @tieknimmers

2. 2
Today we are talking about

3. 3
System Level Security

4. 4
System Level Security

5. 5
System Level Security

6. 6
System Level Security
In-vehicle network
Electronic Control Unit (ECU)
Microcontroller (MCU)
Interfaces

7. 7
Typical ECUs found in a car…

8. 8
Typical ECUs found in a car…

9. 9
Typical ECUs found in a car…

10. 10
Typical ECUs found in a car…

11. 11
Typical ECUs found in a car…

12. 12
Typical ECUs found in a car…

13. 13
Typical ECUs found in a car…

14. 14Analyzing the Security of Modern Cars Efficiently
They come in all forms, shapes and sizes!

15. 15Analyzing the Security of Modern Cars Efficiently
… and you can buy them cheaply!
Lots of them are stuck in cars worldwide…

16. 16Analyzing the Security of Modern Cars Efficiently

17. 17Analyzing the Security of Modern Cars Efficiently
Which ones are we interested in?

18. 18
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.

19. 19
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.
Wireless
/ Remote

20. 20
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.
Wireless
/ Remote
Telematics

21. 21
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.
Wireless
/ Remote
Telematics
Gateway

22. 22
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.
Wireless
/ Remote
Telematics
Gateway
Powertrain

23. 23
Let’s kill the engine remotely …
Telematics
Infotainment
Wireless
/ Remote
Gateway
Powertrain
Interior
Chassis
Etc.
An understanding of multiple ECUs is required!
Wireless
/ Remote
Telematics
Gateway
Powertrain

24. 24Analyzing the Security of Modern Cars Efficiently
Are all the ECUs the same?

25. 25Analyzing the Security of Modern Cars Efficiently
ECU Type 1: SoC-based
• System-on-Chip (SoC) based
• Firmware stored in external flash
• Many interfaces
• Multi-purpose
• Large attack surface
• Only a few implemented in a car

26. 26Analyzing the Security of Modern Cars Efficiently
• Microcontroller (MCU) based
• Firmware stored inside the MCU
• Few interfaces
• Specific functionality
• Small attack surface
• Many implemented in a vehicle
ECU Type 2: MCU-based

27. 27Analyzing the Security of Modern Cars Efficiently
Do hackers use a different approach?

28. 28Analyzing the Security of Modern Cars Efficiently
Typical approach for hacking
embedded systems
Understand
target
Identify
vulnerability
Exploit
vulnerability

29. 29Analyzing the Security of Modern Cars Efficiently
Typical approach for hacking
embedded systems
ECUs found in cars!
Understand
target
Identify
vulnerability
Exploit
vulnerability

30. 30Analyzing the Security of Modern Cars Efficiently
Typical approach for hacking
embedded systems
But to understand, we need the firmware!
ECUs found in cars!
Understand
target
Identify
vulnerability
Exploit
vulnerability

31. 31Analyzing the Security of Modern Cars Efficiently
Getting firmware

32. 32Analyzing the Security of Modern Cars Efficiently
Getting firmware

33. 33Analyzing the Security of Modern Cars Efficiently
Getting firmware

34. 34Analyzing the Security of Modern Cars Efficiently
Getting firmware

35. 35Analyzing the Security of Modern Cars Efficiently
We will focus on MCU-based ECUs!

36. 36Analyzing the Security of Modern Cars Efficiently
Obtaining ECU firmware

37. 37Analyzing the Security of Modern Cars Efficiently
Leaks
Firmware
upgrade
Obtaining ECU firmware

38. 38Analyzing the Security of Modern Cars Efficiently
Leaks
Firmware
upgrade
Obtaining ECU firmware

39. 39Analyzing the Security of Modern Cars Efficiently
Interfaces
Leaks
Software
Firmware
upgrade
Obtaining ECU firmware
Chips

40. 40Analyzing the Security of Modern Cars Efficiently
Interfaces
Leaks
Software
Firmware
upgrade
Obtaining ECU firmware
Chips
Let’s open up an ECU!

41. 41Analyzing the Security of Modern Cars Efficiently
MCU

42. 42Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Firmware is stored inside the MCU!

43. 43Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
I/O
Firmware is stored inside the MCU!

44. 44Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
Firmware is stored inside the MCU!

45. 45Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
Firmware is stored inside the MCU!

46. 46Analyzing the Security of Modern Cars Efficiently
What can we speak on CAN?

47. 47Analyzing the Security of Modern Cars Efficiently
Unified Diagnostic Services (UDS)
• Diagnostics
• Data Transmission
• And loads of more stuff…

48. 48Analyzing the Security of Modern Cars Efficiently
Unified Diagnostic Services (UDS)
• Diagnostics
• Data Transmission
• And loads of more stuff…
It’s everywhere! It’s standardized! It’s easy!

49. 49Analyzing the Security of Modern Cars Efficiently
Why are hackers interested?

50. 50Analyzing the Security of Modern Cars Efficiently
• Reprogramming
• Programming new firmware
Why are hackers interested?

51. 51Analyzing the Security of Modern Cars Efficiently
• Reprogramming
• Programming new firmware
• Read and write memory
• Accessing device internals
Why are hackers interested?

52. 52Analyzing the Security of Modern Cars Efficiently
• Reprogramming
• Programming new firmware
• Read and write memory
• Accessing device internals
• (Re)configuration
• Adding keys, changing mileage, etc.
Why are hackers interested?

53. 53Analyzing the Security of Modern Cars Efficiently
What protects all this juice from malicious use?

54. 54Analyzing the Security of Modern Cars Efficiently
Security Access

55. 55Analyzing the Security of Modern Cars Efficiently
Security Access

56. 56Analyzing the Security of Modern Cars Efficiently
It should not be possible to
brute force or guess the key!
Security Access

57. 57Analyzing the Security of Modern Cars Efficiently
Back-end system
Tester
Gateway
ECU A
DLC
ECU B
Diagnostics

58. 58Analyzing the Security of Modern Cars Efficiently
Back-end system
Tester
Gateway
ECU A
DLC
ECU B
Diagnostics
Attacker has access!

59. 59Analyzing the Security of Modern Cars Efficiently
Back-end system
Tester
Gateway
ECU A
DLC
ECU B
Diagnostics
The transformation algorithm and secret(s) are stored inside the ECU!
Attacker has access!

60. 60Analyzing the Security of Modern Cars Efficiently
Let’s hack UDS!

61. 61Analyzing the Security of Modern Cars Efficiently
• Read/write memory functions
• Protected
Let’s hack UDS!

62. 62Analyzing the Security of Modern Cars Efficiently
• Read/write memory functions
• Protected
• Black-box vulnerability discovery
• Possible; but too difficult
Let’s hack UDS!

63. 63Analyzing the Security of Modern Cars Efficiently
• Read/write memory functions
• Protected
• Black-box vulnerability discovery
• Possible; but too difficult
• We want something easy…
Let’s hack UDS!

64. 64Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN

65. 65Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
VCC

66. 66
time

67. 67
time

68. 68
5.5V
1.8V
time

69. 69
5.5V
1.8V
time

70. 70
5.5V
1.8V
time

71. 71Analyzing the Security of Modern Cars Efficiently
Fault Injection – Tooling
ChipWhisperer®
Fault Injection tooling is available to the masses!
Open source Commercial
Inspector FI

72. 72Analyzing the Security of Modern Cars Efficiently

73. 73Analyzing the Security of Modern Cars Efficiently
What happens when we glitch?
Things go wrong!

74. 74Analyzing the Security of Modern Cars Efficiently
Fault Injection breaks things!
• We can change memory contents
• We can change register contents
• We can change the executed instructions

75. 75Analyzing the Security of Modern Cars Efficiently
Fault Injection breaks things!
• We can change memory contents
• We can change register contents
• We can change the executed instructions
We can change the intended behavior of software!

76. 76Analyzing the Security of Modern Cars Efficiently
ReadMemoryByAddress(0x00000000, 0x40)

77. 77Analyzing the Security of Modern Cars Efficiently
ReadMemoryByAddress(0x00000000, 0x40)

78. 78Analyzing the Security of Modern Cars Efficiently
ReadMemoryByAddress(0x00000000, 0x40)
Two checks are bypassed using a single glitch!

79. 79Analyzing the Security of Modern Cars Efficiently
Glitching ReadMemoryByAddress
• Successful on several different ECUs implementing UDS
• Designed around different MCUs
• Depending on the target…
• Allows reading out N bytes from an arbitrary address
• Complete firmware extracted in the order of days
• Depended on flash size and success rate

80. 80Analyzing the Security of Modern Cars Efficiently
Demo time!
(please visit our booth for a live demo)

81. 81Analyzing the Security of Modern Cars Efficiently
Randomization of parameters
Glitch Parameters
• Glitch Delay
• Glitch Duration
• Glitch Voltage
VCC
CAN
Trigger
Glitch (zoomed)
CMD RSP
Glitch

82. 82Analyzing the Security of Modern Cars Efficiently
Fault Injection video

83. 83Analyzing the Security of Modern Cars Efficiently
Can we do better?

84. 84Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
VCC

85. 85Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
VCC

86. 86Analyzing the Security of Modern Cars Efficiently
• Standard manufacturer tooling often publicly available
• Reading, writing and programming internal memories
• Debugging software
• Software is often forcing any security measures
Debug Interfaces
MCUPC Debugger
ECU
USB
Serial
I2C
JTAG

87. 87Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
VCC

88. 88Analyzing the Security of Modern Cars Efficiently
MCU
EEPROM
Debug
I/O
CAN
VCC

89. 89
Being more efficient

90. 90Analyzing the Security of Modern Cars Efficiently
Electromagnetic Fault Injection
ChipSHOUTER®
Cheap and awesome:
BADFET
Inspector FI
Electromagnetic fault injection available to the masses!

91. 91Analyzing the Security of Modern Cars Efficiently
Glitching Debug Interfaces
• Successful on several different MCUs
• Different types of debug interfaces
• Depending on the target….
• Allows reading, writing, programming and debugging
• Complete firmware extracted in seconds/minutes/hours
• Depended on the debug interface

92. 92Analyzing the Security of Modern Cars Efficiently
We have access to firmware… now what?

93. 93Analyzing the Security of Modern Cars Efficiently

94. 94Analyzing the Security of Modern Cars Efficiently
Getting
firmware
The goal: scaling up the attack

95. 95Analyzing the Security of Modern Cars Efficiently
Getting
firmware
The goal: scaling up the attack

96. 96Analyzing the Security of Modern Cars Efficiently
Getting
firmware
Reverse
engineering
The goal: scaling up the attack

97. 97Analyzing the Security of Modern Cars Efficiently
Getting
firmware
Reverse
engineering
Understanding
The goal: scaling up the attack

98. 98Analyzing the Security of Modern Cars Efficiently
Getting
firmware
Secrets
Hacking
Reconfiguration
Reverse
engineering
Understanding
The goal: scaling up the attack

99. 99Analyzing the Security of Modern Cars Efficiently
How can we understand efficiently?

100. 100Analyzing the Security of Modern Cars Efficiently
Static analysis?
Firmware

101. 101Analyzing the Security of Modern Cars Efficiently
Static analysis?
Custom
code
OS
code
Firmware

102. 102Analyzing the Security of Modern Cars Efficiently
Static analysis?
Generated
code
Custom
code
OS
code
Firmware
Configuration
Models

103. 103Analyzing the Security of Modern Cars Efficiently

104. 104Analyzing the Security of Modern Cars Efficiently
Let’s do this more efficient!

105. 105Analyzing the Security of Modern Cars Efficiently
Firmware emulation
• Firmware is executed without needing the ECU itself
• Great tooling only available for common architectures
• When tooling is not available, we need to make our own
• We are emulating only the functionality we need

106. 106Analyzing the Security of Modern Cars Efficiently
MCU
What do we need?

107. 107Analyzing the Security of Modern Cars Efficiently
MCU
• Instruction set emulator
• Timers, interrupts, …
• Peripherals
What do we need?

108. 108Analyzing the Security of Modern Cars Efficiently
MCUI/O
• Instruction set emulator
• Timers, interrupts, …
• Peripherals
What do we need?

109. 109Analyzing the Security of Modern Cars Efficiently
MCU EEPROMI2CI/O
• Instruction set emulator
• Timers, interrupts, …
• Peripherals
What do we need?

110. 110Analyzing the Security of Modern Cars Efficiently
MCU EEPROMI2C
CAN
I/O
• Instruction set emulator
• Timers, interrupts, …
• Peripherals
What do we need?

111. 111Analyzing the Security of Modern Cars Efficiently
Emulating the processor

112. 112Analyzing the Security of Modern Cars Efficiently
“Implementing” peripherals

113. 113Analyzing the Security of Modern Cars Efficiently
What cool stuff can we do?
• Debugging using standard tooling (GDB)
• Sending CAN messages using standard tooling (SocketCAN)
• Execution tracing
• Taint tracking

114. 114Analyzing the Security of Modern Cars Efficiently
Execution tracing
0x2920 cmp
0x2922 jmp to 0x292c
0x2926 add
0x2928 add
0x292c add
0x2930 add
Do we take the jmp to 0x292c?

115. 115Analyzing the Security of Modern Cars Efficiently
Execution tracing
0x2920 cmp
0x2922 jmp to 0x292c
0x2926 add
0x2928 add
0x292c add
0x2930 add
It’s too complex to figure this out statically!

116. 116Analyzing the Security of Modern Cars Efficiently
Execution tracing

117. 117Analyzing the Security of Modern Cars Efficiently
Execution tracing

118. 118Analyzing the Security of Modern Cars Efficiently
Execution tracing

119. 119Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??

120. 120Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN message

121. 121Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()

122. 122Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()CAN message

123. 123Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()
Data[7] = Data[2]
CAN message

124. 124Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()
Data[7] = Data[2]
CAN message
CAN message

125. 125Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()
Data[7] = Data[2]
CAN message
CAN message
Data[7] == calculateKey()

126. 126Analyzing the Security of Modern Cars Efficiently
Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
CAN messageData[2] = CAN.read()
Data[7] = Data[2]
CAN message
CAN message
Data[7] == calculateKey()
We found the calculateKey function!

127. 127Analyzing the Security of Modern Cars Efficiently
Wrap up

128. 128Analyzing the Security of Modern Cars Efficiently
Wrap up
• Hardware cannot be trusted
• No software vulnerabilities ≠ secure

129. 129Analyzing the Security of Modern Cars Efficiently
Wrap up
• Hardware cannot be trusted
• No software vulnerabilities ≠ secure
• Hardware attacks are efficient and do scale
• They are a stepping-stone for scalable attacks

130. 130Analyzing the Security of Modern Cars Efficiently
Wrap up
• Hardware cannot be trusted
• No software vulnerabilities ≠ secure
• Hardware attacks are efficient and do scale
• They are a stepping-stone for scalable attacks
• Your firmware will be exposed and understood
• Do not rely on its secrecy or its complexity

131. 131
Is all hope lost?

132. 132
Is all hope lost?
No.

133. 133Analyzing the Security of Modern Cars Efficiently
Hardening ECUs

134. 134Analyzing the Security of Modern Cars Efficiently
• Don’t expose secrets to software
• Use secure hardware (E.g. SHE, Evita, etc.)
• Diversify keys between ECUs
Hardening ECUs

135. 135Analyzing the Security of Modern Cars Efficiently
• Don’t expose secrets to software
• Use secure hardware (E.g. SHE, Evita, etc.)
• Diversify keys between ECUs
• Avoid using pre-shared secrets
• Use asymmetric cryptography (E.g. RSA)
Hardening ECUs

136. 136Analyzing the Security of Modern Cars Efficiently
• Don’t expose secrets to software
• Use secure hardware (E.g. SHE, Evita, etc.)
• Diversify keys between ECUs
• Avoid using pre-shared secrets
• Use asymmetric cryptography (E.g. RSA)
• Adjust the product’s threat model
• Minimize the impact of hardware attacks
Hardening ECUs

137. 137Analyzing the Security of Modern Cars Efficiently
Defense in depth is key!

138. 138Analyzing the Security of Modern Cars Efficiently
Thanks to…
Santiago CordobaEloi Sanfelix Ramiro Pareja Nils Wiersma
Our papers are available here, here and here!
Alyssa Milburn

139. 139Analyzing the Security of Modern Cars Efficiently
Thank you! Any questions?
(please visit our booth)
Niek Timmers
Principal Security Analyst, Riscure
niek@riscure.com / @tieknimmers