Automotive security is a hot topic, and hacking cars is cool. These vehicles are suffering the growing pains seen in many embedded systems: security is a work in progress, and in the meantime we see some fun and impressive hacks. Perhaps the best-known examples are the Jeep and Tesla hacks. But we know that the industry is paying attention. Consider a bright future where secure boot methods have been universally implemented without obvious bugs: adversaries no longer have access to unencrypted firmware, ECUs refuse to run any unsigned code, and we feel safe again. Will automotive exploitation be "mission impossible", or do hackers still have a few tricks up their sleeve?
We will demonstrate how hardware attacks such as fault injection can be used to obtain the firmware from secure ECUs in which no software vulnerabilities are present. Once we have the firmware, we will discuss successful approaches to efficient analysis of automotive firmware. To provide a concrete example, we will demonstrate the custom emulator we wrote for one of our targets (an instrument cluster) and show that it can accurately perform dynamic analysis. Our emulator allows us to quickly understand the firmware's functionality, extract secrets of interest to an attacker, and apply fuzzing to the target's interfaces. Finally, we explain the real-world impact of these issues, how they lead to scalable attacks, and what can be done to defend today's cars.