Extracting and Analyzing Automotive Firmware

White Paper

Automotive security is a trending topic. Modern cars are suffering the growing pains seen in many embedded devices: security is a work-in-progress and in the meantime, we have seen some impressive hacks. Perhaps the most well-known examples are the Jeep and Tesla hacks. But we know that the automotive industry is paying attention.


Consider a bright future where Secure Boot methods have been universally implemented, without obvious bugs; adversaries no longer have access to plain-text firmware, electronic control units (ECUs) refuse to run any unsigned code, and we feel safe again. Will automotive exploitation become impossible, or will hackers still find a way?


In this paper we discuss hardware attacks, such as fault injection, which can be used to efficiently extract automotive firmware from secured ECUs. These attacks do not rely on an exploitable software vulnerability. Access to the plain-text firmware allows an attacker to understand the ECU's functionality, extract the ECU's secrets, and identify exploitable software vulnerabilities. We describe multiple techniques for analyzing binary firmware efficiently. We use an instrument cluster from a modern car to demonstrate the practicality of the described techniques on a real ECU. Finally, we explain the real-world impact of these issues, how they lead to scalable attacks, and what can be done to secure the cars of today and tomorrow.