fault injection on diagnostic protocols - riscure · fault injection on diagnostic protocols...
TRANSCRIPT
![Page 1: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/1.jpg)
1
Fault Injection on Diagnostic Protocols
21-06-2018
Niek Timmers
Principal Security Analyst, Riscure
[email protected] / @tieknimmers
![Page 2: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/2.jpg)
2
Big shout out to Ramiro and Santiago!
• Security Analysts at Riscure’s Automotive Security Team• Riscure
• Services• E.g. Penetration Testing, Security Architecture Review, and more.
• Tools• E.g. Automotive Security Test Tools, Fault Injection, and more.
• Training• E.g. Embedded Security for Automotive, Fault Injection, and more.
• Offices in the Netherlands, USA and China
Combining services and tools for fun and profit!
![Page 3: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/3.jpg)
3
The hacker’s approach for hacking embedded systems
Access to the firmware is a tremendous convenience for an attacker!
Target exploration
Vulnerability finding
Exploitation Profit
ECUs
![Page 4: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/4.jpg)
4
Obtaining ECU Firmware
• Firmware is available through official channels • Firmware is stored in an external memory chip• Firmware upgrades are not encrypted• Firmware is leaked / distributed illegally• Code protection features are not enabled• Firmware is extracted using a software-based attack
What if all of the above is not applicable? Attackers will resort to something else…
![Page 5: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/5.jpg)
5
Reference: https://derrekr.github.io/3ds/33c3/#/18
Hackers nowadays use Fault Injection!
Others came to similar conclusions…
![Page 6: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/6.jpg)
6
Fault Injection – Introduction“Introducing faults in a target to alter its intended behavior.”
How can we introduce these faults?
![Page 7: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/7.jpg)
7
Fault Injection – Techniques
Clock Voltage Electromagnetic Laser
• A controlled environmental change leads to altered behavior in the target• They leverage a vulnerability in hardware
![Page 8: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/8.jpg)
8
Fault Injection – Why does it work?
![Page 9: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/9.jpg)
9
Fault Injection – Basic concept
5.5V
time
1.8V
![Page 10: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/10.jpg)
10
Fault Injection – Typical faults
• Instruction corruption• Executing different instructions• Skipping instructions
• Data corruption• Reading different data• Writing different data
These faults change the intended behavior of software!
![Page 11: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/11.jpg)
11
Fault Injection – Tooling
ChipWhisperer® Inspector Fault Injection
Fault Injection tooling is available to the masses!
Open source Commercial
![Page 12: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/12.jpg)
12
Fault Injection – Examples
![Page 13: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/13.jpg)
13
Fault Injection – Examples
![Page 14: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/14.jpg)
14
Fault Injection – Examples
![Page 15: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/15.jpg)
15
We can inject faults and alter software…
What software?
![Page 16: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/16.jpg)
16
It’s common and includes convenient functionality!
UDS!
![Page 17: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/17.jpg)
17
UDS – Unified Diagnostic Services
• Diagnostic and Communication Management• Diagnostic Session Control• Security Access
• Data Transmission• Read and Write memory
• Upload / Download• Read and Program flash
• Manufacturer proprietary
Disclaimer: Manufacturers are free to implement only a subset of the UDS specification!
![Page 18: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/18.jpg)
18
UDS – What speaks it?
Most ECUs in a modern car speak it using a multitude of protocols
CAN K-Line FlexRay Ethernet
It is unlikely UDS will go away!
![Page 19: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/19.jpg)
19
UDS – Typical use caseFirmware update
![Page 20: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/20.jpg)
20
Standard Security Access Check
The secret used by the key calculation algorithm should be protected!
![Page 21: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/21.jpg)
21
Standard Security Access Check
![Page 22: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/22.jpg)
22
Standard Security Access Check
• Not successful :’(
• There’s a 10 minute timeout after 3 failed attempts
• Simply not practical for us (or an attacker)
Some times you have to take your losses and move on!
![Page 23: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/23.jpg)
23
Reading Memory
No restrictions on failed attempts!
![Page 24: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/24.jpg)
24
Reading Memory
![Page 25: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/25.jpg)
25
Reading Memory• Successful on multiple instrument clusters
• Depending on the target• Allows reading out N bytes from an arbitrary address• Extraction of the internal memories in N days
• Addresses include volatile and non-volatile memories• Complete firmware extracted
Extraction of the firmware only has to be done once!
![Page 26: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/26.jpg)
26
We have the firmware… now what?
![Page 27: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/27.jpg)
27
Lots of “cool” stuff…
• Reverse engineering
• Understanding the device
• Extracting secrets
• Finding vulnerabilities
Please see Alyssa’s presentation on reverse engineering firmware efficiently!
![Page 28: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/28.jpg)
28
But… does this scale!?
![Page 29: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/29.jpg)
29
Hardware attacks scale!
• Firmware can be distributed
• Secrets can be distributed
• Vulnerabilities (and exploits) can be distributed
• Vulnerabilities can be exploited remotely
![Page 30: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/30.jpg)
30
Reading memory is fun! What about something cooler?
![Page 31: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/31.jpg)
31
Attack #3: Writing memory
Where should we write to get code execution on the ECU?
![Page 32: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/32.jpg)
32
Wrapping up…
![Page 33: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/33.jpg)
33
Why is UDS vulnerable?
• A robust Security Access check is not part of the standard
• Typical Security Access check based on pre-shared secrets
• No fault injection resistant hardware used in most ECUs
• No fault injection resistant software used in most ECUs
What can you do?
![Page 34: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/34.jpg)
34
Improving Products• Include fault injection attacks in your threat model
• Design and implement fault injection resistant hardware• Start from an early design• Test, test… and test again!
• Implement fault injection resistant software
• Make critical assets inaccessible to software• E.g. Using “real” hardware
![Page 35: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/35.jpg)
35
Fault Injection Hardened Firmware
Prevent single point of failures for security critical checks! More info here.
Not hardened Hardened
![Page 36: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/36.jpg)
36
Key takeaways
• Fault injection attacks are available to the masses
• Fault injection attacks subvert software security models
• All unprotected devices are vulnerable
• Presented attack not unique; most ECUs affected
• Fault injection attacks result in scalable attacks
![Page 37: Fault Injection on Diagnostic Protocols - Riscure · Fault Injection on Diagnostic Protocols 21-06-2018 Niek Timmers Principal Security Analyst, Riscure timmers@riscure.com / @tieknimmers](https://reader036.vdocuments.site/reader036/viewer/2022062223/5f01b4087e708231d400a2b1/html5/thumbnails/37.jpg)
37
Challenge your security
Riscure Head Office
Delftechpark 49
2628 XJ Delft
The Netherlands
Phone: +31 15 251 40 90
Riscure North America
550 Kearny St., Suite 330
San Francisco, CA 94108
USA
Phone: +1 650 646 99 79
Riscure China
Room 2030-31, No. 989, Changle Road
Shanghai 200031
China
Phone: +86 21 5117 5435
[email protected] Timmers
Principal Security Analyst
[email protected] / @tieknimmers
Thank you!