SlideShare uma empresa Scribd logo

Fault Injection on Automotive Diagnosis Protocols

Riscure
Riscure

In this work we present fault injection as a technique to bypass the security of automotive diagnosis (UDS) protocol implementations that do not contain any logical vulnerabilities. Therefore, they are protected against traditional logical attacks. Our tests proved that it is possible for an attacker to inject faults and bypass the UDS authentication, obtaining access to the internal Flash and SRAM memories of the targets. By analyzing the dumped firmware, the keys and algorithm that protect the UDS have also been extracted, giving full access to the diagnosis services without requiring the use of fault injection techniques. Originally presented by Riscure's Niek Timmers at the 2018 ESCAR USA conference.

Tecnologia
1 de 37
Baixar para ler offline
1 Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers
2 Big shout out to Ramiro and Santiago! • Security Analysts at Riscure’s Automotive Security Team • Riscure • Services • E.g. Penetration Testing, Security Architecture Review, and more. • Tools • E.g. Automotive Security Test Tools, Fault Injection, and more. • Training • E.g. Embedded Security for Automotive, Fault Injection, and more. • Offices in the Netherlands, USA and China Combining services and tools for fun and profit!
3 The hacker’s approach for hacking embedded systems Access to the firmware is a tremendous convenience for an attacker! Target exploration Vulnerability finding Exploitation Profit ECUs
4 Obtaining ECU Firmware • Firmware is available through official channels • Firmware is stored in an external memory chip • Firmware upgrades are not encrypted • Firmware is leaked / distributed illegally • Code protection features are not enabled • Firmware is extracted using a software-based attack What if all of the above is not applicable? Attackers will resort to something else…
5 Reference: https://derrekr.github.io/3ds/33c3/#/18 Hackers nowadays use Fault Injection! Others came to similar conclusions…
6 Fault Injection – Introduction “Introducing faults in a target to alter its intended behavior.” How can we introduce these faults?
7 Fault Injection – Techniques Clock Voltage Electromagnetic Laser • A controlled environmental change leads to altered behavior in the target • They leverage a vulnerability in hardware
8 Fault Injection – Why does it work?
9 Fault Injection – Basic concept 5.5V time 1.8V
10 Fault Injection – Typical faults • Instruction corruption • Executing different instructions • Skipping instructions • Data corruption • Reading different data • Writing different data These faults change the intended behavior of software!
11 Fault Injection – Tooling ChipWhisperer® Inspector Fault Injection Fault Injection tooling is available to the masses! Open source Commercial
12 Fault Injection – Examples
13 Fault Injection – Examples
14 Fault Injection – Examples
15 We can inject faults and alter software… What software?
16 It’s common and includes convenient functionality! UDS!
17 UDS – Unified Diagnostic Services • Diagnostic and Communication Management • Diagnostic Session Control • Security Access • Data Transmission • Read and Write memory • Upload / Download • Read and Program flash • Manufacturer proprietary Disclaimer: Manufacturers are free to implement only a subset of the UDS specification!
18 UDS – What speaks it? Most ECUs in a modern car speak it using a multitude of protocols CAN K-Line FlexRay Ethernet It is unlikely UDS will go away!
19 UDS – Typical use case Firmware update
20 Standard Security Access Check The secret used by the key calculation algorithm should be protected!
21 Standard Security Access Check
22 Standard Security Access Check • Not successful :’( • There’s a 10 minute timeout after 3 failed attempts • Simply not practical for us (or an attacker) Some times you have to take your losses and move on!
23 Reading Memory No restrictions on failed attempts!
24 Reading Memory
25 Reading Memory • Successful on multiple instrument clusters • Depending on the target • Allows reading out N bytes from an arbitrary address • Extraction of the internal memories in N days • Addresses include volatile and non-volatile memories • Complete firmware extracted Extraction of the firmware only has to be done once!
26 We have the firmware… now what?
27 Lots of “cool” stuff… • Reverse engineering • Understanding the device • Extracting secrets • Finding vulnerabilities Please see Alyssa’s presentation on reverse engineering firmware efficiently!
28 But… does this scale!?
29 Hardware attacks scale! • Firmware can be distributed • Secrets can be distributed • Vulnerabilities (and exploits) can be distributed • Vulnerabilities can be exploited remotely
30 Reading memory is fun! What about something cooler?
31 Attack #3: Writing memory Where should we write to get code execution on the ECU?
32 Wrapping up…
33 Why is UDS vulnerable? • A robust Security Access check is not part of the standard • Typical Security Access check based on pre-shared secrets • No fault injection resistant hardware used in most ECUs • No fault injection resistant software used in most ECUs What can you do?
34 Improving Products • Include fault injection attacks in your threat model • Design and implement fault injection resistant hardware • Start from an early design • Test, test… and test again! • Implement fault injection resistant software • Make critical assets inaccessible to software • E.g. Using “real” hardware
35 Fault Injection Hardened Firmware Prevent single point of failures for security critical checks! More info here. Not hardened Hardened
36 Key takeaways • Fault injection attacks are available to the masses • Fault injection attacks subvert software security models • All unprotected devices are vulnerable • Presented attack not unique; most ECUs affected • Fault injection attacks result in scalable attacks
37 Challenge your security Riscure Head Office Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 inforequest@riscure.com Riscure North America 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@rna.riscure.com Riscure China Room 2030-31, No. 989, Changle Road Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com Niek Timmers Principal Security Analyst niek@riscure.com / @tieknimmers Thank you!

Recomendados

Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
Riscure
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systems
Raghav S
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
Prabhu Swamy
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
Embedded systems
Embedded systemsEmbedded systems
Embedded systems
Green University of Bangladesh
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
inside-BigData.com
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 

Recomendados

Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
Riscure
 
Security in embedded systems
Security in embedded systemsSecurity in embedded systems
Security in embedded systems
Raghav S
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
Prabhu Swamy
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEELCU14-103: How to create and run Trusted Applications on OP-TEE
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
Embedded systems
Embedded systemsEmbedded systems
Embedded systems
Green University of Bangladesh
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
inside-BigData.com
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 
Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
Developing Automotive Linux
Developing Automotive LinuxDeveloping Automotive Linux
Developing Automotive Linux
Alison Chaiken
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
NSConclave
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Automatic braking system whole project documentation.docx pdf
Automatic braking system whole project documentation.docx pdfAutomatic braking system whole project documentation.docx pdf
Automatic braking system whole project documentation.docx pdf
Syedmuhammed Hussainabbas
 
ECU ... Engine Control Unit .. Inputs & Outputs _ Explained
ECU ... Engine Control Unit .. Inputs & Outputs _ ExplainedECU ... Engine Control Unit .. Inputs & Outputs _ Explained
ECU ... Engine Control Unit .. Inputs & Outputs _ Explained
Kamel Elsayed
 
Micro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical SystemsMicro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical Systems
Heechul Yun
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
SUSE Labs Taipei
 
강좌 02 ARM 펌웨어 개발 환경 개요
강좌 02 ARM 펌웨어 개발 환경 개요강좌 02 ARM 펌웨어 개발 환경 개요
강좌 02 ARM 펌웨어 개발 환경 개요
chcbaram
 
Embedded systems
Embedded systemsEmbedded systems
Embedded systems
Fahad Farooq
 
Introduction to Modern U-Boot
Introduction to Modern U-BootIntroduction to Modern U-Boot
Introduction to Modern U-Boot
GlobalLogic Ukraine
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMC
Linaro
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
Linaro
 
pptudsy.pptx
pptudsy.pptxpptudsy.pptx
pptudsy.pptx
Yamini454
 
Embedded linux
Embedded linuxEmbedded linux
Embedded linux
Wingston
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK
 
Introduction to AVR Microcontroller
Introduction to AVR Microcontroller Introduction to AVR Microcontroller
Introduction to AVR Microcontroller
Mahmoud Sadat
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
BIOS PRESENTATION
BIOS PRESENTATIONBIOS PRESENTATION
BIOS PRESENTATION
Rajput98k
 
Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
Niek Timmers
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
Priyanka Aash
 

Mais conteúdo relacionado

Mais procurados

Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Micro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical SystemsMicro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical Systems
Heechul Yun
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
Linaro
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK
 

Mais procurados (20)

Lcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future EnhancementsLcu14 306 - OP-TEE Future Enhancements
Lcu14 306 - OP-TEE Future Enhancements
 
Developing Automotive Linux
Developing Automotive LinuxDeveloping Automotive Linux
Developing Automotive Linux
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Automatic braking system whole project documentation.docx pdf
Automatic braking system whole project documentation.docx pdfAutomatic braking system whole project documentation.docx pdf
Automatic braking system whole project documentation.docx pdf
 
ECU ... Engine Control Unit .. Inputs & Outputs _ Explained
ECU ... Engine Control Unit .. Inputs & Outputs _ ExplainedECU ... Engine Control Unit .. Inputs & Outputs _ Explained
ECU ... Engine Control Unit .. Inputs & Outputs _ Explained
 
Micro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical SystemsMicro-Architectural Attacks on Cyber-Physical Systems
Micro-Architectural Attacks on Cyber-Physical Systems
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to it
 
강좌 02 ARM 펌웨어 개발 환경 개요
강좌 02 ARM 펌웨어 개발 환경 개요강좌 02 ARM 펌웨어 개발 환경 개요
강좌 02 ARM 펌웨어 개발 환경 개요
 
Embedded systems
Embedded systemsEmbedded systems
Embedded systems
 
Introduction to Modern U-Boot
Introduction to Modern U-BootIntroduction to Modern U-Boot
Introduction to Modern U-Boot
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMC
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
pptudsy.pptx
pptudsy.pptxpptudsy.pptx
pptudsy.pptx
 
Embedded linux
Embedded linuxEmbedded linux
Embedded linux
 
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
LF_DPDK17_GRO/GSO Libraries: Bring Significant Performance Gains to DPDK-base...
 
Introduction to AVR Microcontroller
Introduction to AVR Microcontroller Introduction to AVR Microcontroller
Introduction to AVR Microcontroller
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
BIOS PRESENTATION
BIOS PRESENTATIONBIOS PRESENTATION
BIOS PRESENTATION
 

Semelhante a Fault Injection on Automotive Diagnosis Protocols

Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
Tonex
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 

Semelhante a Fault Injection on Automotive Diagnosis Protocols (20)

Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security ChecksUndermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
 
Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Trusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .pptTrusted _Computing _security mobile .ppt
Trusted _Computing _security mobile .ppt
 
SDL: Secure design principles
SDL: Secure design principlesSDL: Secure design principles
SDL: Secure design principles
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Linux Security best Practices with Fedora
Linux Security best Practices with FedoraLinux Security best Practices with Fedora
Linux Security best Practices with Fedora
 
Program security
Program securityProgram security
Program security
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 

Mais de Riscure

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Riscure
 

Mais de Riscure (18)

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
 
Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
 
CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60CheapSCAte: Attacking IoT with less than $60
CheapSCAte: Attacking IoT with less than $60
 
Riscure Introduction
Riscure IntroductionRiscure Introduction
Riscure Introduction
 
Practical Differential Fault Attack on AES
Practical Differential Fault Attack on AESPractical Differential Fault Attack on AES
Practical Differential Fault Attack on AES
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
How to secure electronic passports
How to secure electronic passportsHow to secure electronic passports
How to secure electronic passports
 
How multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cardsHow multi-fault injection breaks the security of smart cards
How multi-fault injection breaks the security of smart cards
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
How to secure HCE
How to secure HCEHow to secure HCE
How to secure HCE
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding CountermeasuresDefeating RSA Multiply-Always and Message Blinding Countermeasures
Defeating RSA Multiply-Always and Message Blinding Countermeasures
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Fault Injection on Automotive Diagnosis Protocols

  • 1. 1 Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers
  • 2. 2 Big shout out to Ramiro and Santiago! • Security Analysts at Riscure’s Automotive Security Team • Riscure • Services • E.g. Penetration Testing, Security Architecture Review, and more. • Tools • E.g. Automotive Security Test Tools, Fault Injection, and more. • Training • E.g. Embedded Security for Automotive, Fault Injection, and more. • Offices in the Netherlands, USA and China Combining services and tools for fun and profit!
  • 3. 3 The hacker’s approach for hacking embedded systems Access to the firmware is a tremendous convenience for an attacker! Target exploration Vulnerability finding Exploitation Profit ECUs
  • 4. 4 Obtaining ECU Firmware • Firmware is available through official channels • Firmware is stored in an external memory chip • Firmware upgrades are not encrypted • Firmware is leaked / distributed illegally • Code protection features are not enabled • Firmware is extracted using a software-based attack What if all of the above is not applicable? Attackers will resort to something else…
  • 5. 5 Reference: https://derrekr.github.io/3ds/33c3/#/18 Hackers nowadays use Fault Injection! Others came to similar conclusions…
  • 6. 6 Fault Injection – Introduction “Introducing faults in a target to alter its intended behavior.” How can we introduce these faults?
  • 7. 7 Fault Injection – Techniques Clock Voltage Electromagnetic Laser • A controlled environmental change leads to altered behavior in the target • They leverage a vulnerability in hardware
  • 8. 8 Fault Injection – Why does it work?
  • 9. 9 Fault Injection – Basic concept 5.5V time 1.8V
  • 10. 10 Fault Injection – Typical faults • Instruction corruption • Executing different instructions • Skipping instructions • Data corruption • Reading different data • Writing different data These faults change the intended behavior of software!
  • 11. 11 Fault Injection – Tooling ChipWhisperer® Inspector Fault Injection Fault Injection tooling is available to the masses! Open source Commercial
  • 15. 15 We can inject faults and alter software… What software?
  • 16. 16 It’s common and includes convenient functionality! UDS!
  • 17. 17 UDS – Unified Diagnostic Services • Diagnostic and Communication Management • Diagnostic Session Control • Security Access • Data Transmission • Read and Write memory • Upload / Download • Read and Program flash • Manufacturer proprietary Disclaimer: Manufacturers are free to implement only a subset of the UDS specification!
  • 18. 18 UDS – What speaks it? Most ECUs in a modern car speak it using a multitude of protocols CAN K-Line FlexRay Ethernet It is unlikely UDS will go away!
  • 19. 19 UDS – Typical use case Firmware update
  • 20. 20 Standard Security Access Check The secret used by the key calculation algorithm should be protected!
  • 22. 22 Standard Security Access Check • Not successful :’( • There’s a 10 minute timeout after 3 failed attempts • Simply not practical for us (or an attacker) Some times you have to take your losses and move on!
  • 23. 23 Reading Memory No restrictions on failed attempts!
  • 25. 25 Reading Memory • Successful on multiple instrument clusters • Depending on the target • Allows reading out N bytes from an arbitrary address • Extraction of the internal memories in N days • Addresses include volatile and non-volatile memories • Complete firmware extracted Extraction of the firmware only has to be done once!
  • 26. 26 We have the firmware… now what?
  • 27. 27 Lots of “cool” stuff… • Reverse engineering • Understanding the device • Extracting secrets • Finding vulnerabilities Please see Alyssa’s presentation on reverse engineering firmware efficiently!
  • 29. 29 Hardware attacks scale! • Firmware can be distributed • Secrets can be distributed • Vulnerabilities (and exploits) can be distributed • Vulnerabilities can be exploited remotely
  • 30. 30 Reading memory is fun! What about something cooler?
  • 31. 31 Attack #3: Writing memory Where should we write to get code execution on the ECU?
  • 33. 33 Why is UDS vulnerable? • A robust Security Access check is not part of the standard • Typical Security Access check based on pre-shared secrets • No fault injection resistant hardware used in most ECUs • No fault injection resistant software used in most ECUs What can you do?
  • 34. 34 Improving Products • Include fault injection attacks in your threat model • Design and implement fault injection resistant hardware • Start from an early design • Test, test… and test again! • Implement fault injection resistant software • Make critical assets inaccessible to software • E.g. Using “real” hardware
  • 35. 35 Fault Injection Hardened Firmware Prevent single point of failures for security critical checks! More info here. Not hardened Hardened
  • 36. 36 Key takeaways • Fault injection attacks are available to the masses • Fault injection attacks subvert software security models • All unprotected devices are vulnerable • Presented attack not unique; most ECUs affected • Fault injection attacks result in scalable attacks
  • 37. 37 Challenge your security Riscure Head Office Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 inforequest@riscure.com Riscure North America 550 Kearny St., Suite 330 San Francisco, CA 94108 USA Phone: +1 650 646 99 79 inforequest@rna.riscure.com Riscure China Room 2030-31, No. 989, Changle Road Shanghai 200031 China Phone: +86 21 5117 5435 inforcn@riscure.com Niek Timmers Principal Security Analyst niek@riscure.com / @tieknimmers Thank you!