Transcript of “Efficient Reverse Engineering of Automotive Firmware” · 2019. 4. 30.
1
Efficient Reverse Engineering of Automotive Firmware
Alyssa Milburn
Security Analyst, Riscure
[email protected] / @noopwafel
(with Niek Timmers)
2
Reverse Engineering
[diagram: Getting firmware → Reverse engineering → Understanding; other labels: IP, Tuning / manipulation, Hacking, ???]
3
Automotive Firmware?
4
Instrument Cluster
• Speedometer/gauges
• Display (screen)
• Speaker!
• Blinky lights!
• 32-bit CPU
• CAN bus
• I2C bus
• EEPROM
5
How can we get the firmware?
[diagram: ways to obtain the firmware]
• External flash
• Debug interfaces
• Leaks
• Software vulnerabilities
• Hardware attacks
6
What makes this challenging?
• “Non-standard” platforms
• New concepts
• Complexity
7
8
What makes this challenging?
No tools?! Let’s make some!
• Static analysis (disassembly): too complicated
• Dynamic analysis (emulation / debugging): no tools?
9
What do we need?
• Processor (instruction set) emulator
• Timers, interrupts
• CAN controller
• I2C controller
• EEPROM
• Display controller
10
Emulating the CPU architecture
11
“Implementing” peripherals
12
How difficult was it?
~1 man-week of work
~3000 lines of (terrible) code (excluding support tooling)
13
Dynamic analysis
14
Debugging
[diagram: gdb ↔ gdb “stub”: Step! Break! Watch!]
15
Debugging
(gdb) hbreak *0x11032
Hardware assisted breakpoint 1 at 0x11032
(gdb) c
Continuing.

0x00011032 in ?? ()
(gdb)
16
Execution tracing
17
Execution tracing
[trace diagram: 0x02920 → 0x02922 (jump) → 0x02926 → 0x02928 → 0x0292c → 0x02930]
18
Execution tracing
[trace diagram: same addresses as above, 0x02920 … 0x02930]
19
Execution tracing
20
Execution tracing
21
Hacks!
22
Hacks!
23
[diagram: Initial state → Running (booted) → Send CAN message → Observe CAN response → State rewinding; 100ms boot time]
24
Taint tracking
[diagram: Data[1]..Data[8] = ??; CAN message → Data[2] = CAN.read(); Data[7] = Data[2]; Data[7] == Y?]
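The taint-tracking idea on this slide, as an added example that is not the speaker's emulator code: every emulated memory byte carries a taint label, bytes read from the CAN controller get a fresh label, copies propagate it, and a comparison that reads tainted bytes is reported with the address of the comparing instruction (the same shape as the "comparison at ... is tainted with ..." line the talk's emulator prints). The base address of Data[], the instruction addresses and the CAN payload are constructed for the demonstration.

```python
# Added example, not from the talk: a minimal byte-level taint tracker.
# Every byte of emulated memory carries a label bitmask (0 = untainted).
# All addresses, names and the CAN payload below are constructed.

from dataclasses import dataclass, field


@dataclass
class TaintedMemory:
    data: bytearray
    taint: list                      # one int label per byte, 0 = untainted
    findings: list = field(default_factory=list)
    next_label: int = 1

    @classmethod
    def sized(cls, n):
        return cls(bytearray(n), [0] * n)

    def can_read(self, dst, payload):
        # Source: bytes arriving from the CAN controller get a fresh label bit.
        label = self.next_label
        self.next_label <<= 1
        for i, b in enumerate(payload):
            self.data[dst + i] = b
            self.taint[dst + i] = label
        return label

    def copy(self, dst, src, n):
        # Propagation: a copy carries the labels along with the bytes.
        for i in range(n):
            self.data[dst + i] = self.data[src + i]
            self.taint[dst + i] = self.taint[src + i]

    def const(self, dst, value):
        # A constant store clears taint: the byte no longer depends on input.
        self.data[dst] = value
        self.taint[dst] = 0

    def compare(self, pc, addr, n, expected):
        # Sink: report any compare whose operand depends on CAN input,
        # then return the comparison result as the firmware would see it.
        label = 0
        for i in range(n):
            label |= self.taint[addr + i]
        got = bytes(self.data[addr:addr + n])
        if label:
            self.findings.append(
                "comparison at %08x (%s vs %s) is tainted with %08x"
                % (pc, got.hex(), expected.hex(), label))
        return got == expected


def run_slide_scenario(can_payload=b"\x47", y=b"\x47"):
    """Replays the slide: Data[2] = CAN.read(); Data[7] = Data[2]; Data[7] == Y?"""
    DATA = 0x100                         # constructed base address of Data[]
    m = TaintedMemory.sized(0x200)
    m.const(DATA + 5, 0xc7)              # an unrelated constant in Data[5]
    m.can_read(DATA + 2, can_payload)    # Data[2] = CAN.read()
    m.copy(DATA + 7, DATA + 2, 1)        # Data[7] = Data[2]
    m.compare(0x1000, DATA + 5, 1, b"\xc7")   # untainted compare: not reported
    m.compare(0x1004, DATA + 7, 1, y)         # tainted compare: reported
    return m.findings


if __name__ == "__main__":
    for line in run_slide_scenario():
        print(line)
```

Only the compare that depends on the CAN byte is reported, which is what lets the later UDS slide single out the key check among all the comparisons the firmware performs.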
25
Fuzzing
[diagram: CAN message → Memory; Memory[5] == 0xc7? → Path 1 / Path 2]
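The state-rewinding workflow from the earlier slide and the two-path fuzzing picture above, combined in one added example that is not the speaker's emulator: a toy ECU whose boot is expensive is booted once, the booted state is snapshotted, and every CAN message is run from a restored copy of that snapshot rather than from a fresh boot. The boot cost, memory layout, response bytes and the constructed compare on Memory[5] are all assumptions made for the demonstration.

```python
# Added example, not the talk's emulator: snapshot-and-rewind fuzz harness.
# Boot once, snapshot, restore per input; record which path each input took.

import copy


class ToyEcu:
    BOOT_CYCLES = 100_000   # constructed stand-in for the ~100 ms real boot

    def __init__(self):
        self.memory = bytearray(64)
        self.cycles = 0
        self.booted = False
        self.can_out = []

    def boot(self):
        # Expensive initialisation: in a real emulator this is the firmware's
        # reset/startup code; here it is just a counter.
        for _ in range(self.BOOT_CYCLES):
            self.cycles += 1
        self.booted = True

    def handle_can(self, payload):
        # Copy the frame into memory and take one of two paths depending on
        # a byte of the input, as on the fuzzing slide (constructed logic).
        assert self.booted
        self.memory[0:len(payload)] = payload
        self.cycles += len(payload)
        if self.memory[5] == 0xc7:
            self.can_out.append(b"\x01")   # path 1
            return "path1"
        self.can_out.append(b"\x00")       # path 2
        return "path2"


class RewindHarness:
    def __init__(self, ecu):
        ecu.boot()
        self.snapshot = copy.deepcopy(ecu)   # booted state, captured once

    def run(self, payload):
        # Rewind: every test case starts from an identical booted state, and
        # the snapshot itself is never mutated.
        ecu = copy.deepcopy(self.snapshot)
        path = ecu.handle_can(payload)
        return path, ecu.can_out[-1], ecu.cycles - self.snapshot.cycles


def fuzz(harness, payloads):
    # Group inputs by the path they exercised: the feedback a
    # coverage-guided fuzzer would use when generating further inputs.
    paths = {}
    for p in payloads:
        path, _, _ = harness.run(p)
        paths.setdefault(path, []).append(p)
    return paths


def demo():
    harness = RewindHarness(ToyEcu())
    payloads = [bytes(8), bytes([0, 0, 0, 0, 0, 0xc7, 0, 0]), b"\xff" * 8]
    return harness, fuzz(harness, payloads)


if __name__ == "__main__":
    _, paths = demo()
    for path, inputs in paths.items():
        print(path, [p.hex() for p in inputs])
```

Per test case only the handler's own cycles are spent, not the boot; in a real emulator the snapshot would also cover peripheral state (timers, the CAN controller's queues) so that a restored run is indistinguishable from a freshly booted one.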
26
UDS
./cc.py dcm discovery
CARING CARIBOU v0.1
-------------------
Starting diagnostics service discovery
Found diagnostics at arbitration ID 0x????, reply at 0x????
27
UDS: security access
[diagram: Seed (challenge) → Random key; Random key == calculateKey(seed)? We found calculateKey!]
28
UDS: security access
sending requestSeed (0x3)
CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa
CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa
sending sendKey
CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa
comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0
CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa
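To make the log above readable, an added example (not the speaker's tooling) that decodes it: each CAN frame is an ISO-TP single frame (high nibble of the first byte 0, low nibble the UDS length), service 0x27 is SecurityAccess with odd sub-functions requesting a seed and even ones sending a key, 0x67 is its positive response, and 0x7F would be a negative response. The decoder pairs the requestSeed/sendKey steps so the seed the ECU issued and the key it accepted can be read off; the line from the taint tracker is passed through untouched. The arbitration IDs are left as the slide shows them ("####"), and the embedded log is the slide's own text.

```python
# Added example, not from the talk: decoder for the UDS SecurityAccess
# exchange in the emulator log (ISO 14229 service 0x27 over ISO-TP single frames).

import re

LINE_RE = re.compile(r"CAN0: (RCV|TRQ) \[id (\S+)\] ((?:[0-9a-f]{2} ?){8})")

# The slide's log, verbatim.
SLIDE_LOG = """\
sending requestSeed (0x3)
CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa
CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa
sending sendKey
CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa
comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0
CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa
"""


def isotp_single_frame(payload):
    """Return the UDS bytes carried by an ISO-TP single frame, else None."""
    pci = payload[0]
    if pci >> 4 != 0:      # 1 = first frame, 2 = consecutive, 3 = flow control
        return None
    length = pci & 0x0F
    return payload[1:1 + length]


def decode_security_access(log):
    """Yield (direction, kind, sub-function, data-hex) for each SecurityAccess frame."""
    events = []
    for direction, can_id, hexbytes in LINE_RE.findall(log):
        uds = isotp_single_frame(bytes.fromhex(hexbytes))
        if not uds or len(uds) < 2:
            continue
        sid, sub = uds[0], uds[1]
        if sid == 0x27:                       # SecurityAccess request
            kind = "requestSeed" if sub % 2 else "sendKey"
            events.append(("request", kind, sub, uds[2:].hex()))
        elif sid == 0x67:                     # positive response
            kind = "seed" if sub % 2 else "accessGranted"
            events.append(("response", kind, sub, uds[2:].hex()))
        elif sid == 0x7F and sub == 0x27 and len(uds) >= 3:
            events.append(("response", "negative", sub, "nrc=%02x" % uds[2]))
    return events


def summarize(events):
    """Pair the seed the ECU issued with the key the tester answered with."""
    seed = next((d for _, n, _, d in events if n == "seed"), None)
    key = next((d for _, n, _, d in events if n == "sendKey"), None)
    granted = any(n == "accessGranted" for _, n, _, _ in events)
    return {"seed": seed, "key": key, "granted": granted}


if __name__ == "__main__":
    for ev in decode_security_access(SLIDE_LOG):
        print(ev)
    print(summarize(decode_security_access(SLIDE_LOG)))
```

Read together with the taint line, the decoded exchange shows why this seed/key scheme is only as strong as the secrecy of calculateKey: the ECU's check is a comparison of the received key against a value derived from the seed, and a tracker that follows the CAN bytes lands directly on it. That is the point of the talk's closing advice to use asymmetric cryptography or the secure hardware in the processor instead.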
29
EEPROM contents
Reverse engineering is hard work!
updateEEPROM(id, value)
• Identification (VIN)
• Features / configuration
• (UDS) security state
• Odometer
30
Takeaways
• Reverse engineering is not so hard!
• Lots of other “tricks” to try:
  • Symbolic execution
  • Deobfuscation (if necessary)
  • Smarter fuzzing
• You can’t hide secrets in firmware:
  • Use asymmetric cryptography (i.e. public keys)
  • Use the secure hardware inside modern processors
31
Thanks to…
Santiago Cordoba
Eloi Sanfelix
Ramiro Pareja
32
Challenge your security
Alyssa Milburn
Security Analyst, Riscure
[email protected] / @noopwafel
icons8.com
• Training
• Tools
• Services