There will be Glitches: Extracting and Analyzing Automotive Firmware Efficiently

Presented at Black Hat USA 2018, Aug. 8, 2018, 1:30 p.m. (50 minutes)

Automotive security is a hot topic, and hacking cars is cool. These vehicles are suffering the growing pains seen in many embedded systems: security is a work in progress, and in the meantime we see some fun and impressive hacks. Perhaps the most well-known examples are the Jeep and Tesla hacks. But we know that the industry is paying attention. Consider a bright future where secure boot methods have been universally implemented, without obvious bugs; adversaries no longer have access to unencrypted firmware, ECUs refuse to run any unsigned code, and we feel safe again. Will automotive exploitation be "mission impossible", or do hackers still have a few tricks up their sleeve?

We will demonstrate how hardware attacks like Fault Injection can be used to obtain the firmware from secure ECUs for which software vulnerabilities are absent. Once we have the firmware, we will discuss successful approaches for efficient analysis of automotive firmware. To provide a concrete example, we will demonstrate the custom emulator we wrote for one of our targets (an instrument cluster) and show that it can accurately perform dynamic analysis. Our emulator allows us to quickly understand the firmware's functionality, extract secrets of interest to an attacker, and apply fuzzing to the target's interfaces. Finally, we explain the real-world impact of these issues, how they lead to scalable attacks, and what can be done to defend today's cars.


  • Marc Witteman - CTO, Riscure
    Marc Witteman has a long track record in the security industry. He has been involved with a variety of security projects for over two decades and worked on applications in mobile communications, payment industry, identification, and pay television. Recent work includes secure programming and mobile payment security issues.

    He has authored several articles on smart card and embedded device security issues. Further, he has extensive experience as a trainer, lecturing on security topics for audiences ranging from novices to experts.

    As a security analyst he developed several tools for testing software and hardware security. This includes Inspector, a platform for conducting side-channel analysis, and JCworkBench, a logical test tool.

    Marc Witteman has an MSc in Electrical Engineering from the Delft University of Technology in the Netherlands. From 1989 till 2001 he worked for several telecom operators, the ETSI standardization body and a security evaluation facility.

    In 2001, he founded Riscure, a security lab based in the Netherlands. Riscure offers test tools and services to manufacturers and issuers of advanced security technology.

    Between 2001 and 2009, he raised the company to a leading security test lab and side-channel test tool vendor. In 2010 Marc Witteman started Riscure Inc, the US branch of Riscure, based in San Francisco. At present he is the Chief Executive Officer of Riscure.
  • Nils Wiersma - Security Analyst, Riscure
    Nils Wiersma, after receiving his BSc degree in general Computing Science at the University of Groningen, moved on to pursue an MSc degree in the field of Cyber Security offered in a joint venture between the Radboud University of Nijmegen and Eindhoven University of Technology. During the thesis stage of this master's degree, he focused specifically on embedded security in the automotive context. Now, he works at Riscure as a Security Analyst.
  • Santiago Cordoba Pellicer - Security Analyst, Riscure
    Santiago Cordoba Pellicer is a Security Analyst at Riscure focusing on automotive security. He is known to be lucky, which helps when faced with a significant parameter search space.
  • Ramiro Pareja Veredas - Senior Security Analyst, Riscure
    Ramiro Pareja Veredas is a Senior Security Analyst at Riscure with vast experience in performing hardware attacks on embedded systems.
  • Alyssa Milburn - Security Analyst, Riscure
    Alyssa Milburn is a Security Analyst at Riscure where you can trust her to break stuff. She enjoys low-level computing, particularly compilers (including working with LLVM/gcc), kernel-level work and embedded platforms. She is fascinated by old computer games. She is also involved in various open source projects in this vein, in particular ScummVM, GemRB and openc2e. Reverse engineering is great fun too; as well as taking apart old computer games, she has also applied her skills to analyzing embedded firmware, and to security work.
  • Niek Timmers - Principal Security Analyst, Riscure
    Niek Timmers is a Principal Security Analyst at Riscure where he analyzes and tests, among other things, the security of SoCs and embedded systems. His primary interest is analyzing and attacking embedded systems using hardware attacks. However, never a week goes by without disassembling some random binary. At the moment he is focusing mostly on automotive security. But is that really so different from any other embedded system? He shared the results of his Fault Injection research at various conferences across the globe like Black Hat Europe, BlueHat, HITB Amsterdam and more.