There Will Be Glitches: Extracting and Analyzing Automotive Firmware Efficiently

The firmware executed by a car's electronic components gives adversaries a starting point for obtaining confidential information and discovering vulnerabilities, provided they can extract and analyze it. In principle, the manufacturing process of an entire car can be reversed, potentially allowing the vehicle to be reconstructed without access to any restricted design information. Adversarial reverse engineering of a component or a system should therefore be considered during design.


Methods of Extracting Firmware

In this paper, we discuss several techniques that significantly increase the efficiency of reverse engineering the firmware of an instrument cluster. Publicly available research shows that firmware can be extracted in numerous ways because of a number of security oversights:

  • Protections are not enabled
  • Firmware is stored externally
  • Firmware is extracted using software attacks
  • Firmware is extracted using hardware/physical attacks
  • Firmware is leaked

Using the instrument cluster as an example target, we demonstrate that it is fairly easy to implement an emulator that runs the target's firmware entirely without the original hardware, including emulation of essential peripherals such as the EEPROM, display controller, and CAN bus.

Implementation

Our implementation lets standard Linux tooling send CAN messages to the emulated target. Using this emulator, we efficiently understood the target's functionality, recovered secrets (e.g., UDS keys), and fuzzed it to identify vulnerabilities. These analysis techniques are only available to adversaries who fully control the firmware executed by the target device, so we recommend that automotive manufacturers make obtaining that control harder: hardening both the software and the hardware of automotive products against capable adversaries increases the effort required to extract the firmware.

Experience has shown, however, that even these defenses are insufficient to stop dedicated attackers from obtaining plaintext firmware, so reverse engineering of the firmware should be assumed to be inevitable. Rather than relying on the confidentiality of firmware, we recommend using dedicated hardware security features (e.g., cryptographic engines, secure storage) to protect a target's most sensitive secrets, such as cryptographic keys; many modern system-on-chips (SoCs) intended for automotive use provide this functionality.
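As an added illustration of what such an emulator exposes (example code written for this page, not the whitepaper's implementation), the following Python models a UDS SecurityAccess (service 0x27) handler of the kind an instrument cluster's firmware implements, a client that unlocks it with the recovered seed-to-key algorithm, and a fuzz loop over the handler's request parser. The seed-to-key transform `derive_key`, its constant `KEY_CONSTANT`, the `EmulatedEcu` class and all frames are constructed assumptions; in a real target the transform is whatever the extracted firmware contains.

```python
# Added example, not the whitepaper's code: emulated UDS SecurityAccess
# handler, unlock client, and fuzz harness. KEY_CONSTANT and derive_key are
# hypothetical stand-ins for the algorithm recovered from real firmware.
import random
import struct

SID_SECURITY_ACCESS = 0x27          # ISO 14229 SecurityAccess service
NRC_SID_NOT_SUPPORTED = 0x11
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_INCORRECT_LENGTH = 0x13
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35

KEY_CONSTANT = 0x5A3C9E1F  # hypothetical secret baked into the emulated firmware


def derive_key(seed: int) -> int:
    """Hypothetical seed-to-key transform. With the firmware in an emulator this
    function and its constant are simply read out of the binary."""
    x = (seed ^ KEY_CONSTANT) & 0xFFFFFFFF
    x = ((x << 5) | (x >> 27)) & 0xFFFFFFFF          # rotate left by 5
    return (x + 0x12345678) & 0xFFFFFFFF


def negative_response(sid: int, nrc: int) -> bytes:
    return bytes([0x7F, sid, nrc])


class EmulatedEcu:
    """SecurityAccess level-1 state machine: requestSeed (0x01), sendKey (0x02)."""

    def __init__(self, rng: random.Random):
        self.rng = rng              # seeded so seeds are reproducible
        self.pending_seed = None
        self.unlocked = False

    def handle(self, request: bytes) -> bytes:
        if len(request) == 0:
            return negative_response(0x00, NRC_INCORRECT_LENGTH)
        sid = request[0]
        if sid != SID_SECURITY_ACCESS:
            return negative_response(sid, NRC_SID_NOT_SUPPORTED)
        if len(request) < 2:
            return negative_response(sid, NRC_INCORRECT_LENGTH)
        sub = request[1]
        if sub == 0x01:                                   # requestSeed
            if len(request) != 2:
                return negative_response(sid, NRC_INCORRECT_LENGTH)
            self.pending_seed = self.rng.getrandbits(32)
            return bytes([sid + 0x40, sub]) + struct.pack(">I", self.pending_seed)
        if sub == 0x02:                                   # sendKey
            if len(request) != 6:
                return negative_response(sid, NRC_INCORRECT_LENGTH)
            if self.pending_seed is None:
                return negative_response(sid, NRC_REQUEST_SEQUENCE_ERROR)
            (key,) = struct.unpack(">I", request[2:6])
            expected = derive_key(self.pending_seed)
            self.pending_seed = None                      # one attempt per seed
            if key != expected:
                return negative_response(sid, NRC_INVALID_KEY)
            self.unlocked = True
            return bytes([sid + 0x40, sub])
        return negative_response(sid, NRC_SUBFUNCTION_NOT_SUPPORTED)


def make_ecu(seed: int = 1) -> EmulatedEcu:
    return EmulatedEcu(random.Random(seed))


def unlock(ecu: EmulatedEcu) -> bool:
    """Client side: request a seed, answer with the key from the recovered algorithm."""
    resp = ecu.handle(bytes([SID_SECURITY_ACCESS, 0x01]))
    if resp[:2] != bytes([0x67, 0x01]):
        return False
    (seed,) = struct.unpack(">I", resp[2:6])
    key = struct.pack(">I", derive_key(seed))
    return ecu.handle(bytes([SID_SECURITY_ACCESS, 0x02]) + key) == bytes([0x67, 0x02])


def fuzz(ecu: EmulatedEcu, iterations: int, seed: int = 0) -> list:
    """Send malformed SecurityAccess requests; return (request, exception) pairs.
    In an emulator every exception maps to a reproducible fault in the firmware."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        req = bytearray(rng.getrandbits(8) for _ in range(rng.randint(0, 12)))
        if req and rng.random() < 0.8:
            req[0] = SID_SECURITY_ACCESS                  # mostly stay on the service under test
        if len(req) > 1 and rng.random() < 0.7:
            req[1] = rng.choice([0x01, 0x02, 0x03, 0x81])
        try:
            ecu.handle(bytes(req))
        except Exception as exc:                          # record everything, triage later
            crashes.append((bytes(req), repr(exc)))
    return crashes


if __name__ == "__main__":
    print("unlocked:", unlock(make_ecu()))
    print("crashes:", len(fuzz(make_ecu(), 10_000)))
```

Because `derive_key` and `KEY_CONSTANT` live in the firmware image, the unlock succeeds on the first attempt once that image runs in an emulator, and the fuzz loop exercises the parser thousands of times per second with no hardware in the loop. Moving the key material into the SoC's secure storage, as recommended above, means the same emulator would recover only the transform and not the secret it depends on.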
