One Week Left to Get an 11" iPad Pro with Apple Pencil w/ OnDemand Training


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

The Impacts of JSON on Reversing Your Firmware

  • Monday, March 13, 2017 at 1:00 PM EST (2017-03-13 17:00:00 UTC)
  • Ben Gardiner

You can now attend the webcast using your mobile device!



JSON is a very useful data serialization. To say that it is pervasive in cloud applications is an understatement; it is next to impossible to find a mobile app that isn't using JSON for it's server communications. It is increasingly finding a home in the communications protocols employed by embedded systems too.

We've investigated the firmwares of the OpenXC vi-firmware open project with disassemblers like IDA Pro and radare2 to estimate the degree of difficulty an attacker would encounter if their goal was to deduce the CAN PID and bitfield packings contained therein.

For context, please note that the vi-firmware project contains a small example of JSON structures describing fictitious vehicle signals and how they are packed into CAN messages. Whereas the proprietary openXC firmwares available for download from Ford contain information about actual vehicle signal CAN packing information -- which is proprietary information. This information is much like the 'dbc' files (a vector format) which are traded clandestinely on the dark web.

It is worth noting that the openXC platform was conceived as a tinkerers platform and hence the openness of the firmware and the information that is exposed in source is not an error by the developers at Ford. This platform meets its design goals by being so open. This presentation seeks to educate by way of a case study about the openXC firmwares where the impact is here is low; however, the same designs could have high security impact if used in other cases. This is not a vulnerability disclosure presentation as there is not vulnerability in openXC to disclose.

A walk-through of loading and analyzing a raw binary firmware will be presented as introduction (details on load address, how to check for correct settings etc) -- which will give defenders insights on how to thwart their attackers at early stages of analysis. Followed by an exposition of the example JSON structures present in the open vi-firmware build. Concluding with pure speculation (because no proprietary firmwares were harmed in the making of this presentation) about the ease with which an attacker could extract proprietary CAN signal information from a proprietary openXC.

Analogies to mobile applications using JSON for communication will be made. And as an added bonus, since the reversing was of an open source firmware, the attacker advantages of having source code will be discussed.

Attendees will learn the following and will be armed to better protect their deployed firmwares and mobile applications:

  1. What tools do attackers use to reverse engineer raw binary firmwares? How do they use them? What are some simple, useful deterrents?
  2. How do descriptive data structures -- JSON in particular -- aid attackers in their reverse engineering efforts? What mitigations are possible for this risk?
  3. How much advantage does an attacker get when there is a related open source project available? What specific advantages? What mitigations are possible for this risk?

Learn more on this topic at the SANS Automotive Cybersecurity Summit & Training, May 1-8 in Detroit. This inaugural Summit will address the key issues and challenges around securing automotive organizations and their products. Join us for a comprehensive look at automotive assembly, industry suppliers, embedded systems, and safeguarding extended customer and product data. The Summit will include two-days of in-depth presentations from top security experts and seasoned practitioners, hands-on learning exercises, and exclusive networking opportunities.

Speaker Bio

Ben Gardiner

Ben Gardiner is a Principal Security Engineer at Irdeto and a member of the ethical hacking team, specializing in hardware and low-level software security. With more than 10 years of professional experience in embedded systems design and a lifetime of hacking experience, Gardiner has a deep knowledge of the low-level functions of operating systems and the hardware with which they interface. He brings this knowledge to Irdeto, a pioneer in digital platform and application security. With nearly 50 years of experience, Its software security technology and cyber services protects more than 5 billion devices and applications against cyberattacks for some of the world's best known brands.

Prior to joining Irdeto in 2013, Gardiner held embedded software and systems engineer roles at several organizations. Gardiner has a Masters of Engineering in Applied Math & Stats from Queen's University. He is also a member of and a contributor to SAE TEVEES18A1 Cybersecurity Assurance Testing TF (drafting J3061-2) and the GENIVI security subcommittee.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.