Methods of Extracting Firmware
In this paper, we discuss several techniques used to significantly increase the efficiency of reverse-engineering the firmware of an instrument cluster. Publicly available research has shown that there are numerous ways to extract firmware due to a number of security oversights:
- Protections are not enabled
- Firmware is stored externally
- Firmware is extracted using software attacks
- Firmware is extracted using hardware/physical attacks
- Firmware is leaked
Using an instrument cluster as the example target, we demonstrate that it is fairly easy to implement an emulator capable of running the target’s firmware entirely without the original hardware, including emulation of essential components of the target such as the EEPROM, display controller, and CAN bus.
Our implementation allows standard Linux tooling to send CAN messages to the emulated target. Using this emulator, we efficiently understood the target’s functionality, recovered secrets (e.g., UDS keys), and performed fuzzing to identify vulnerabilities. These efficient analysis techniques are only possible for adversaries who fully control the firmware executed by the target device. Therefore, we recommend that manufacturers in the automotive industry increase the difficulty of obtaining that control. For example, extracting the firmware becomes more complex if the software and hardware of automotive products are hardened against clever adversaries. Experience has shown that even then, these defenses are insufficient to prevent dedicated attackers from obtaining plaintext firmware, which means that reverse engineering of firmware may be inevitable. Rather than relying on the confidentiality of firmware, we recommend using dedicated hardware security (e.g., cryptographic engines, secure storage, etc.) to protect a target’s most sensitive secrets, such as cryptographic keys; the necessary functionality is provided by many modern system-on-chips (SoCs) intended for automotive purposes.
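The paragraph above describes bridging an emulated CAN peripheral to standard Linux tooling. As an added illustration (not code from the whitepaper or its authors' emulator), the following Python shows the core of such a bridge: packing and unpacking Linux's `struct can_frame` layout as exchanged on a `CAN_RAW` socket, an emulated CAN controller that routes received frames to emulated-firmware handlers, and one hypothetical handler answering the standard UDS TesterPresent service (ISO 14229) on the commonly used 0x7E0/0x7E8 diagnostic IDs. The `serve_socketcan` function binds to a virtual interface such as `vcan0` so `cansend`/`candump` can talk to the emulated firmware; the controller itself runs offline. All IDs, names and frame contents here are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Linux struct can_frame as read from a CAN_RAW socket:
# u32 can_id (flags in the top 3 bits), u8 len, 3 padding bytes, u8 data[8].
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)  # 16 bytes
CAN_EFF_FLAG = 0x80000000  # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000  # remote transmission request
CAN_ERR_FLAG = 0x20000000  # error frame
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes
    extended: bool = False

    def pack(self) -> bytes:
        """Serialise to the 16-byte struct can_frame layout ("8s" zero-pads data)."""
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")
        mask = CAN_EFF_MASK if self.extended else CAN_SFF_MASK
        if self.can_id & ~mask:
            raise ValueError("identifier does not fit the chosen frame format")
        raw_id = self.can_id | (CAN_EFF_FLAG if self.extended else 0)
        return struct.pack(CAN_FRAME_FMT, raw_id, len(self.data), self.data)

    @classmethod
    def unpack(cls, raw: bytes) -> "CanFrame":
        """Parse a struct can_frame; rejects malformed lengths and error frames."""
        if len(raw) != CAN_FRAME_SIZE:
            raise ValueError(f"expected {CAN_FRAME_SIZE} bytes, got {len(raw)}")
        raw_id, length, payload = struct.unpack(CAN_FRAME_FMT, raw)
        if length > 8 or raw_id & CAN_ERR_FLAG:
            raise ValueError("invalid DLC or error frame")
        extended = bool(raw_id & CAN_EFF_FLAG)
        ident = raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
        return cls(ident, payload[:length], extended)


Handler = Callable[[CanFrame], Optional[CanFrame]]


class EmulatedCanController:
    """Stand-in for the cluster's CAN peripheral: delivers RX frames to the
    emulated firmware's per-ID handlers and queues their replies for TX."""

    def __init__(self) -> None:
        self._handlers: Dict[int, Handler] = {}
        self._tx: List[CanFrame] = []
        self.rx_count = 0

    def on_id(self, can_id: int, handler: Handler) -> None:
        self._handlers[can_id] = handler  # acts like a hardware acceptance filter

    def inject(self, frame: CanFrame) -> None:
        self.rx_count += 1
        handler = self._handlers.get(frame.can_id)
        if handler is None:
            return  # no filter match: the firmware never sees this frame
        reply = handler(frame)
        if reply is not None:
            self._tx.append(reply)

    def drain_tx(self) -> List[CanFrame]:
        out, self._tx = self._tx, []
        return out


# Hypothetical diagnostic endpoint (constructed IDs; standard UDS service codes).
UDS_REQ_ID, UDS_RESP_ID = 0x7E0, 0x7E8
SID_TESTER_PRESENT = 0x3E
NRC_SERVICE_NOT_SUPPORTED = 0x11


def uds_tester_present(frame: CanFrame) -> Optional[CanFrame]:
    """Answer ISO-TP single-frame TesterPresent; NRC for any other service."""
    if not frame.data or (frame.data[0] & 0xF0) != 0x00:
        return None  # only single frames (PCI type 0) are handled here
    pdu = frame.data[1:1 + (frame.data[0] & 0x0F)]
    if not pdu:
        return None
    sid = pdu[0]
    if sid == SID_TESTER_PRESENT:
        sub = pdu[1] if len(pdu) > 1 else 0
        if sub & 0x80:
            return None  # suppressPosRspMsgIndicationBit set: stay silent
        resp = bytes([sid + 0x40, sub & 0x7F])
    else:
        resp = bytes([0x7F, sid, NRC_SERVICE_NOT_SUPPORTED])
    return CanFrame(UDS_RESP_ID, bytes([len(resp)]) + resp)


def build_emulated_cluster() -> EmulatedCanController:
    ctrl = EmulatedCanController()
    ctrl.on_id(UDS_REQ_ID, uds_tester_present)
    return ctrl


def serve_socketcan(ctrl: EmulatedCanController, ifname: str = "vcan0") -> None:
    """Linux only: bridge the controller to a SocketCAN interface so tools like
    cansend/candump exchange frames with the emulated firmware."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((ifname,))
    while True:
        try:
            ctrl.inject(CanFrame.unpack(sock.recv(CAN_FRAME_SIZE)))
        except ValueError:
            continue  # drop malformed or error frames instead of crashing
        for reply in ctrl.drain_tx():
            sock.send(reply.pack())
```

To try it against real tooling on Linux, create a virtual bus (`ip link add dev vcan0 type vcan; ip link set up vcan0`), run `serve_socketcan(build_emulated_cluster())`, and send `cansend vcan0 7E0#023E00`; `candump vcan0` then shows the `7E8#027E00` positive response. Keeping the frame codec and the controller separate from the socket is what lets the same emulated firmware be driven by a fuzzer in-process, without a bus at all.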
Discover the full process of implementing an emulator in the full whitepaper by registering below