Last week, we were an exhibitor at the 21st escar conference in Hamburg. First held in Germany in 2003, escar has since established itself internationally – in Europe, the USA and Asia – thanks to its continued success. The number of participants increases every year, and both participants and exhibitors enjoy informative conference days, interesting presentations and good networking opportunities.
The overall purpose of the event is to provide a forum for collaboration between private industry, academia and government in relation to modern cybersecurity threats and vulnerabilities in vehicles. In addition to cyber security, the conference will also address other security-related issues such as electronic theft protection and new digital business models.
Key Takeaways from Enrico Pozzobon’s Talk
Among the many speakers on the conference stage was our co-founder Enrico Pozzobon. In his presentation entitled “Fuzzy Fault Injection Attacks Against Secure Automotive Bootloaders”, our colleague highlighted vulnerabilities in the software update processes of automotive software in connection with fault injection attacks.
1. Importance of Secure Embedded Bootloaders
First, the crucial role of secure embedded bootloaders as trust anchors for the software of modern vehicles was emphasized. Enrico then highlighted both the largely standardized processes for software updates in the automotive industry and the differences in the approaches of the various Original Equipment Manufacturers (OEMs).
2. Automated Code Execution Attacks
The following demonstration of automated code execution attacks caused quite a stir in the audience. Our colleague showed that these attacks can be carried out completely without the use of reverse engineering. The experiments, conducted using electromagnetic fault injection, targeted secure embedded bootloaders in the automotive industry without the need for hardware modifications. This highlights potential vulnerabilities in the current security infrastructure of many vehicles.
3. Practical Examples
Our dissecto research team has already successfully carried out attacks on control units (ECUs) of two leading German car manufacturers in the past. This validation in the real world underlines the urgency of addressing vulnerabilities in the automotive industry’s security-relevant software update processes.
4. Implications for the Automotive Industry
As a consequence of these successful attacks, the general process for secure software updates in the automotive industry urgently needs to be revised, our colleague argued towards the end of the presentation. The combination of hardware and software attacks raises strong concerns about the overall security of modern vehicles. These findings call for a reassessment of strategies for securing automotive software in the medium and long term.
Conclusion: A Call to Action
Enrico Pozzobon’s presentation at the escar conference calls on the automotive industry to rethink its approach to software security. Especially in view of the constantly changing specifications and safety requirements on the part of legislators. With the help of our Platform as a Service HydraVision and the underlying research, we are making a decisive contribution to the further development of automotive cybersecurity in the coming years. Finally, we would like to thank the many interested parties on site as well as the organizers for the successful event!
Interested in customized solutions for your company?
Contact us to receive a quote for our services and products tailored to your requirements. Whether you need Penetration Testing, our HydraVision Security Test Environment or Automotive Scapy Consulting, we are here to help.