There will be Glitches: Extracting and Analyzing Automotive Firmware Efficiently

Conference: BlackHat USA 2018

The presentation discusses the importance of securing both hardware and software in automotive ECUs to prevent attacks, and suggests various techniques to improve security.
  • Hardware vulnerabilities can be exploited by attackers to gain access to ECUs
  • Fixing software vulnerabilities alone is not enough to ensure security
  • Redundancy, random delays, and control flow integrity can make attacks more difficult
  • Using hardened microprocessors and asymmetric cryptography can improve security
  • Combining multiple techniques is the best approach to securing ECUs

The speaker mentions that even if all software vulnerabilities are fixed, an attacker can still use the debug interface to break through security. This highlights the importance of securing hardware as well as software.


Automotive security is a hot topic, and hacking cars is cool. These vehicles are suffering the growing pains seen in many embedded systems: security is a work-in-progress, and in the meantime we see some fun and impressive hacks. Perhaps the most well-known examples are the Jeep and Tesla hacks. But, we know that the industry is paying attention. Consider a bright future where secure boot methods have been universally implemented, without obvious bugs; adversaries no longer have access to unencrypted firmware, ECUs refuse to run any unsigned code, and we feel safe again. Will automotive exploitation be "mission impossible", or do hackers still have a few tricks up their sleeve?

We will demonstrate how hardware attacks like Fault Injection can be used to obtain the firmware from secure ECUs for which software vulnerabilities are absent. Once we have the firmware, we will discuss successful approaches for efficient analysis of automotive firmware. To provide a concrete example, we will demonstrate the custom emulator we wrote for one of our targets (an instrument cluster) and show that it can accurately perform dynamic analysis. Our emulator allows us to quickly understand the firmware's functionality, extract secrets of attacker's interest and apply fuzzing to the target's interfaces. Finally, we explain the real-world impact of these issues, how they lead to scalable attacks, and what can be done to defend today's cars.