Embedded Automotive Security: A Hands-on Introduction

4 DAY, 32 CPE HOUR TRAINING: FEBRUARY 2022, WEEK 2: FEB 21-25

Dr. Andrew Blyth and Campbell Murray

Abstract

This training is geared towards offensive security researchers, penetration testers and red teamers who want to dip their toes into the field of automotive security. The basis of this training is a set of development boards that give the attendees a practical introduction to bus systems such as CAN, LIN and FlexRay. After the students have learned about common ECU classes, protocols and the AUTOSAR standards, we will write some parts of an ECU ourselves to put us in the position of a developer. We then switch to an offensive security perspective and take apart and analyse an ECU image step by step until, at the end of the week, we have (a) working exploit(s) against that system.

In contrast to other trainings, we will not look into infotainment units, as we see them as too similar to other embedded and mobile systems. Rather, we will concentrate on the specifics of automotive embedded systems. To help with this process, we will show the attendees how to snapshot and emulate systems so that they can assess them faster.

THIS HANDS-ON TRAINING REQUIRES ADDITIONAL HARDWARE. WE INTEND TO EMPOWER YOU NOT JUST WITH THE KNOW-HOW, BUT ALSO WITH PROPERLY VETTED TOOLS FOR CONTINUED RESEARCH AND ANALYSIS.
PLEASE REFER TO THE SHOPPING LIST AT THE BOTTOM FOR DETAILS.

Key Learning Objectives

  • Develop an understanding of the AUTomotive Open System ARchitecture (AUTOSAR) and its development processes.
  • Be able to independently evaluate the security of ECUs and find vulnerabilities in them.
  • Rate the technical depth of automotive security assessments.

Agenda

Session 0:

  • Classes of ECUs in cars
  • Protocols in use in cars
  • Exercise #0: Hypothesising potential vulnerabilities by reading standards
  • Automotive network topologies
  • Exercise #1: Test communications with an ECU using S32 Design Studio
  • Q&A / Wrap-up Session 0

Session 1:

  • AUTomotive Open System ARchitecture (AUTOSAR) Basics
  • FreeRTOS Basics
  • Exercise #2: Build your own ECU firmware
  • Obtaining ECU firmware and memory
  • Exercise #3: Use JTAG to snapshot a device for emulation
  • Speeding up your analysis using emulation
  • Exercise #4: Using JTAG to mount an attack
  • Q&A / Wrap-up Session 1

Session 2:

  • Detailed explanation of CAN, CAN-FD and LIN buses
  • Exercise #5: Reverse engineering functionality and finding bugs
  • Automotive Ethernet, Gateways and Ethernet switches as isolators
  • Exercise #6: Mapping and understanding attack surface
  • Q&A / Wrap-up Session 2

Session 3:

  • Attack planning/Chaining vulnerabilities
  • Exercise #7: Reverse engineering functionality and finding bugs
  • Exercise #8: Disassemble an ECU flash image
  • Q&A / Wrap-up Session 3

Session 4:

  • Real-world car hacking: How to source parts, how not to tear apart your car, where to find documentation and tools
  • Exercise #9: Understanding and doodling schematics
  • Building benches and labs
  • Exercise #10: Exploiting the bugs you found (or didn't find, we'll share and compare)
  • Q&A / Final Wrap-up

Who should take this course?

  • Offensive security researchers, pentesters and red teamers starting to work on automotive embedded systems
  • People from former technical roles who now manage teams doing automotive embedded work and need to guide projects and/or assess results

Required Skills

  • Have written or read code for at least one CPU instruction set.
  • Know how to do basic reversing tasks, such as loading a plain file into a common "mainstream" disassembler (IDA, Ghidra, Binary Ninja, Radare, etc.) and navigating basic blocks.
  • Have used a debugger before (GDB knowledge is a plus).
  • SKILL LEVEL: INTERMEDIATE

System Requirements

  • 1x computer capable of running VMware (Workstation or Fusion), with Ethernet, 40 GB of disk space and 6 GB of free RAM for the VM
  • A decent Internet connection in order to access exercises and material

Shopping List