Fault Injection Attacks on Secure Automotive Bootloaders
In this talk, we present a novel method for exploiting vulnerabilities in secure embedded bootloaders, which are the foundation of trust for modern vehicle software systems. Specifically, we demonstrate the feasibility of code execution attacks by leveraging a combination of software and hardware weaknesses in the secure software update process of electronic control units (ECUs), which is standardized across the automotive industry. Our method is automated, eliminating the need for static code analysis, and uses a novel algorithm for identifying fault injection parameters, enabling code execution in a matter of minutes to hours. Additionally, we demonstrate the ability to perform information leakage and program execution tracing through fault injection on PowerPC and ARM processors, which are commonly used in safety-critical applications. These experiments were conducted using electromagnetic fault injection techniques, without any hardware modifications to the targeted systems. We successfully demonstrated our attack on three distinct gateway ECUs used in current vehicles manufactured by Volkswagen and BMW. Our results indicate that the standardized secure software update process currently used in the automotive industry is in need of revision in light of the security risks demonstrated.
This talk is structured as follows:
Introduction:
- Safe and Secure Microcontrollers
- Repair shop testers
- Secure Software-Update Process of ECUs
- Fault Injection Attacks and Necessary Equipment
Methodology:
- Parameter search space
- Optimization strategies
- Introduction of an efficient algorithm
Application:
- First attacks on real-world ECUs
- Information leakage
- Exploitation strategies
- Exploitation of Hardware and Software Vulnerabilities
- Performance
Discussion