There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently
Alyssa Milburn & Niek Timmers @noopwafel @tieknimmers Santiago Cordoba, Nils Wiersma, Ramiro Pareja 1 Today we are talking about
2 Standard approach for breaking embedded systems
Understand Identify Exploit target vulnerability vulnerability
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 3 Standard approach for breaking embedded systems
Understand Identify Exploit target vulnerability vulnerability
But to understand, we need the firmware!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 4 Standard approach for breaking embedded systems ECUs found in cars!
Understand Identify Exploit target vulnerability vulnerability
But to understand, we need the firmware!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 5 Typical ECUs found in a car…
6 Typical ECUs found in a car…
7 Typical ECUs found in a car…
8 Typical ECUs found in a car…
9 Typical ECUs found in a car…
10 Typical ECUs found in a car…
11 Typical ECUs found in a car…
12 Just like embedded systems, these ECUs come in all forms, shapes and sizes!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 13 Lots of them are stuck in cars worldwide…
… and you can buy them cheaply!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 14 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 15 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 16 Today we target an Instrument Cluster
17 Today we target an Instrument Cluster
Why?
It has blinky lights!
18 We want to understand our target…
So we need to its firmware!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 19 Let’s get our target’s firmware!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 20 Let’s get our target’s firmware!
Firmware upgrade Leaks
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 21 Let’s get our target’s firmware!
Firmware upgrade Leaks
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 22 Let’s get our target’s firmware!
Firmware upgrade Leaks
Interfaces Chips Software
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 23 Let’s get our target’s firmware!
Firmware upgrade Leaks
Interfaces Chips Software
Let’s open up our Instrument Cluster!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 24 MCU
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 25 MCU
EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 26 MCU Display
EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 27 UART Debug
MCU Display
EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 28 UART Debug
I/O MCU Display CAN
EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 29 Most ECUs speak UDS over CAN!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 30 Most ECUs speak UDS over CAN!
Yay, UDS! Wait… what?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 31 Unified Diagnostic Services (UDS)
• Diagnostics • Data Transmission • Read and write memory • Security Access check • And loads of more stuff…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 32 Quick analysis of our dashboard
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 33 Quick analysis of our dashboard • Read/write memory functions • Protected
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 34 Quick analysis of our dashboard • Read/write memory functions • Protected
• Black-box vulnerability discovery • Possible; but too difficult
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 35 Quick analysis of our dashboard • Read/write memory functions • Protected
• Black-box vulnerability discovery • Possible; but too difficult
• We want something easy…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 36 UART Debug
I/O MCU Display CAN
EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 37 UART Debug
I/O MCU Display CAN
VCC EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 38 Voltage Fault Injection !!!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 39 time
40 time
41 5.5V
1.8V
time
42 5.5V
1.8V
time
43 5.5V
1.8V
time
44 Fault Injection – Tooling
Open source Commercial
ChipWhisperer® Inspector FI
Fault Injection tooling is available to the masses!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 45 What happens when we glitch?
Things go wrong!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 46 Fault Injection breaks things!
• Memory contents • Register contents • Executed instructions
You cannot trust anything anymore…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 47 We can modify instructions and data!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 48 We can modify instructions and data!
Yes, this also means we can skip instructions!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 49 We can modify instructions and data!
Yes, this also means we can skip instructions!
This works on all standard architectures: ARM, MIPS, PowerPC, SH4, V850, Intel, etc.
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 50 Let’s glitch something…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 51 Glitching the Security Access Check Client ECU request access
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 52 Glitching the Security Access Check Client ECU request access
challenge
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 53 Glitching the Security Access Check Client ECU request access
challenge
response
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 54 Glitching the Security Access Check Client ECU request access
challenge
response if (response == correct_response)
grant_access();
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 55 Glitching the Security Access Check Client ECU request access
challenge
response if (response == correct_response)
grant_access();
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 56 Glitching the Security Access Check Results
• Not successful :’(
• There’s a 10 minute timeout after 3 failed attempts
• Simply not practical for us (or an attacker)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 57 Glitching the Security Access Check Results
• Not successful :’(
• There’s a 10 minute timeout after 3 failed attempts
• Simply not practical for us (or an attacker)
You win some, you lose some!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 58 Glitching ReadMemoryByAddress
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 59 Glitching ReadMemoryByAddress
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 60 Glitching ReadMemoryByAddress
No restrictions on failed attempts!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 61 Glitching ReadMemoryByAddress Results
• Successful on several different ECUs • Which are designed around different MCUs
• Depending on the target… • Allows reading out N bytes from an arbitrary address
• Complete firmware extracted in the order of days • Depended on the size of the internal memory
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 62 DEMO TIME !!!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 63 Fault Injection demo setup
CAN UDS CMD: ReadMemoryByAddress(0x00000000, 0x40)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 64 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 65 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 66 Finding the right parameters: Randomize VCC Glitch CMD RSP CAN Trigger
Glitch (zoomed) Glitch Parameters • Glitch Delay • Glitch Duration • Glitch Voltage
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 67 There is a relationship!
This relationship allows minimizing the parameter search space!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 68 Let’s switch to the other laptop…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 69 Why not a 100% success rate? :’(
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 70 Why not a 100% success rate? :’(
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 71 We have the firmware… now what?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 72 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 73 The Plan
Getting Firmware
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 74 The Plan
Getting Firmware
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 75 The Plan
Getting Reverse Firmware Engineering
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 76 The Plan
Getting Reverse Understanding Firmware Engineering
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 77 The Plan
Tuning
Getting Reverse Understanding Secrets! Firmware Engineering
Hacking
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 78 Static analysis?
Firmware
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 79 Static analysis?
Custom code Firmware
OS code
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 80 Static analysis?
Models Custom code Firmware
Generated code OS Configuration code
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 81 There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 82 Tools?
$ARCH is supported by IDA Pro and radare2
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 83 Tools?
$ARCH is supported by IDA Pro and radare2
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 84 Tools?
$ARCH is supported by IDA Pro and radare2
$ARCH is not supported by qemu
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 85 No tools? Let’s make some tools!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 86 CAN port What do we need?
I/O ports MCU EEPROM
Display
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 87 CAN port What do we need?
I/O ports MCU EEPROM
• Instruction set emulator Display • Timers, interrupts, …
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 88 CAN port What do we need?
I/O ports MCU EEPROM I2C
• Instruction set emulator Display • Timers, interrupts, …
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 89 CAN port What do we need?
I/O ports MCU EEPROM I2C
• Instruction set emulator Display • Timers, interrupts, …
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 90 Emulating the CPU architecture
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 91 “Implementing” peripherals
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 92 “Implementing” peripherals
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 93 How difficult was it?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 94 How difficult was it?
~ 1 (sleepless) week of work (for a hacker experienced in writing emulators)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 95 How difficult was it?
~ 1 (sleepless) week of work (for a hacker experienced in writing emulators)
~ 3000 lines of (terrible) code (excluding support tooling)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 96 Why write an emulator?
• Debugging (e.g. GDB stub)
• SocketCAN
• Execution tracing
• Taint tracking
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 97 Execution tracing
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 101 Execution tracing
0x02920 0x02922 (jump) 0x02926 0x02928 0x0292c 0x02930
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 102 Execution tracing
0x02920 0x02922 (jump) 0x02926 0x02928 0x0292c 0x02930
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 103 Execution tracing
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 104 Execution tracing
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 105 Taint tracking
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 106 Taint tracking
1 ?? CAN message 2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 107 Taint tracking
1 ?? Data[2] = CAN message 2 ?? CAN.read()
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 108 Taint tracking
1 ?? Data[2] = CAN message 2 CAN message?? CAN.read() 3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 109 Taint tracking
1 ?? Data[2] = CAN message 2 CAN message?? CAN.read() 3 ??
4 ?? Data[7] = 5 ?? Data[2] 6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 110 Taint tracking
1 ?? Data[2] = CAN message 2 CAN message?? CAN.read() 3 ??
4 ?? Data[7] = 5 ?? Data[2] 6 ?? 7 CAN message?? 8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 111 Taint tracking
1 ?? Data[2] = CAN message 2 CAN message?? CAN.read() 3 ??
4 ?? Data[7] = 5 ?? Data[2] 6 ?? 7 CAN message?? 8 ?? Data[7] == Y?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 112 Taint tracking
1 ?? Data[2] = CAN message 2 CAN message?? CAN.read() 3 ??
4 ?? Data[7] = 5 ?? Data[2] 6 ?? 7 CAN message?? 8 ?? Data[7] == Y?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 113 Taint tracking UDS Security Access
1 ??
2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 114 Taint tracking UDS Security Access
1 ?? Response 2 ??
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 115 Taint tracking UDS Security Access
1 ?? Data[2] = Response 2 ?? CAN.read()
3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 116 Taint tracking UDS Security Access
1 ?? Data[2] = Response 2 Response?? CAN.read() 3 ??
4 ??
5 ??
6 ??
7 ??
8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 117 Taint tracking UDS Security Access
1 ?? Data[2] = Response 2 Response?? CAN.read() 3 ??
4 ?? 5 ?? Data[7] == 6 ?? calculateKey()? 7 Response?? 8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 118 Taint tracking UDS Security Access
1 ?? Data[2] = Response 2 Response?? CAN.read() 3 ??
4 ?? 5 ?? Data[7] == 6 ?? calculateKey()? 7 Response?? 8 ??
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 119 Taint tracking UDS Security Access
1 ?? Data[2] = Response 2 Response?? CAN.read() 3 ??
4 ?? 5 ?? Data[7] == 6 ?? calculateKey()? 7 Response?? 8 ?? We found the calculateKey function!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 120 Demo Time!!!
... Runnable ......
Task 1 Task 2
SWC 127 Wrap up!
• Hardware will betray you!
• Emulating a dashboard is not too tricky?
• Fault injection attacks on UDS are cool.
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 128 This Fault Injection attack on UDS is not efficient!
We can do better…
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 129 UART Debug
I/O MCU Display CAN
VCC EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 130 UART Debug
I/O MCU Display CAN
VCC EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 131 Debug interfaces if (allow_debug())
{ open_JTAG(); }
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 132 Debug interfaces if (allow_debug())
{ open_JTAG(); }
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 133 UART Debug
I/O MCU Display CAN
VCC EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 134 UART Debug
I/O MCU Display CAN
VCC EEPROM
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 135 Being more efficient
136 Electromagnetic Fault Injection
ChipSHOUTER® Inspector FI
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 137 Electromagnetic Fault Injection Cheap and awesome: BADFET
ChipSHOUTER® Inspector FI
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 138 Electromagnetic Fault Injection Cheap and awesome: BADFET
ChipSHOUTER® Inspector FI
Electromagnetic fault injection available to the masses! There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 139 Fault Injection is universal all devices
all CPUs/MCUs
all software
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 140 Can we harden ECUs against fault injection?
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 141 Hardening ECU hardware
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 142 Hardening ECU hardware
• Memory integrity (e.g. ECC)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 143 Hardening ECU hardware
• Memory integrity (e.g. ECC) • Processing integrity (e.g. lockstep)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 144 Hardening ECU hardware
• Memory integrity (e.g. ECC) • Processing integrity (e.g. lockstep) • However, please: Safety ≠ Security
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 145 Hardening ECU hardware
• Memory integrity (e.g. ECC) • Processing integrity (e.g. lockstep) • However, please: Safety ≠ Security • Don’t forget: debug interfaces
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 146 Hardening ECU software
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 147 Hardening ECU software
• Add redundancy: • Duplicate code/checks • SW-lockstep
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 148 Hardening ECU software
• Add redundancy: • Duplicate code/checks • SW-lockstep • Be paranoid: • Control flow integrity • Random delays
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 149 Hardening ECU design
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 150 Hardening ECU design
• Don’t expose keys to software: use HW crypto engines (HSMs)
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 151 Hardening ECU design
• Don’t expose keys to software: use HW crypto engines (HSMs)
• Avoid having anything to hide: use asymmetric cryptography
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 152 As always, defense in depth is key!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 153 Key takeaways
• No software vulnerabilities ≠ security
• Understanding firmware is easy (with the right tooling)
• Your firmware will be extracted
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 154 Thanks to…
Eloi Sanfelix Santiago Cordoba Ramiro Pareja Nils Wiersma
Our papers are available here, here and here!
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 155 There were glitches… hopefully! ;)
Thank you! Any questions?
Niek Timmers Alyssa Milburn Security Analyst at Riscure PhD Troublemaker at VUSec @tieknimmers / [email protected] @noopwafel / [email protected]
There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently 156