White Papers
With the ever-increasing number of electronic components in vehicles and, in particular, the amount of complex autonomous actions that these components perform, security topics become more and more important in the automotive industry — not only from a business point of view, as valuable IP assets are contained within these components, but also from a safety point of view, especially when vulnerabilities lead to remotely exploitable attacks. Logical attacks in this field are abundant, but attacks using hardware-centered techniques such as fault injection are underrepresented. Researchers and professionals often pay no attention to these attacks because they require physical access to the chip, ignoring that the assets obtained can be used later to prepare a remote attack.
This work aims to address the lack of attention to fault injection attacks by investigating two modern microcontroller units that receive the highest safety assurance rating (ASIL-D) of the ISO 26262 standard. This is done in both a theoretical characterization setup and a more realistic setup where debugging interfaces are targeted. The results obtained from these setups show that the mechanisms implemented to adhere to this maximum safety rating do not adequately protect against fault injection attacks and are therefore insufficient to ensure security by themselves — additional countermeasures are required. Each setup required approximately one week of preparation, but once the attacker finds the optimal fault injection parameters, the attack can be repeated in less than an hour. We provide some recommendations on what types of countermeasures should be considered to improve security with respect to fault injection attacks and also provide several pointers for continuing the security research in this area.