The Impacts of JSON on Reversing Your Firmware

  • Monday, 13 Mar 2017 1:00PM EST (13 Mar 2017 17:00 UTC)
  • Speaker: Ben Gardiner

JSON is a very useful data serialization. To say that it is pervasive in cloud applications is an understatement; it is next to impossible to find a mobile app that isn't using JSON for it's server communications. It is increasingly finding a home in the communications protocols employed by embedded systems too.

We've investigated the firmwares of the OpenXC vi-firmware open project with disassemblers like IDA Pro and radare2 to estimate the degree of difficulty an attacker would encounter if their goal was to deduce the CAN PID and bitfield packings contained therein.

For context, please note that the vi-firmware project contains a small example of JSON structures describing fictitious vehicle signals and how they are packed into CAN messages. Whereas the proprietary openXC firmwares available for download from Ford contain information about actual vehicle signal CAN packing information -- which is proprietary information. This information is much like the 'dbc' files (a vector format) which are traded clandestinely on the dark web.

It is worth noting that the openXC platform was conceived as a tinkerers platform and hence the openness of the firmware and the information that is exposed in source is not an error by the developers at Ford. This platform meets its design goals by being so open. This presentation seeks to educate by way of a case study about the openXC firmwares where the impact is here is low; however, the same designs could have high security impact if used in other cases. This is not a vulnerability disclosure presentation as there is not vulnerability in openXC to disclose.

A walk-through of loading and analyzing a raw binary firmware will be presented as introduction (details on load address, how to check for correct settings etc) -- which will give defenders insights on how to thwart their attackers at early stages of analysis. Followed by an exposition of the example JSON structures present in the open vi-firmware build. Concluding with pure speculation (because no proprietary firmwares were harmed in the making of this presentation) about the ease with which an attacker could extract proprietary CAN signal information from a proprietary openXC.

Analogies to mobile applications using JSON for communication will be made. And as an added bonus, since the reversing was of an open source firmware, the attacker advantages of having source code will be discussed.

Attendees will learn the following and will be armed to better protect their deployed firmwares and mobile applications:

  1. What tools do attackers use to reverse engineer raw binary firmwares? How do they use them? What are some simple, useful deterrents?
  2. How do descriptive data structures -- JSON in particular -- aid attackers in their reverse engineering efforts? What mitigations are possible for this risk?
  3. How much advantage does an attacker get when there is a related open source project available? What specific advantages? What mitigations are possible for this risk?

Learn more on this topic at the SANS Automotive Cybersecurity Summit & Training, May 1-8 in Detroit.'this inaugural Summit will address the key issues and challenges around securing automotive organizations and their products. Join us for a comprehensive look at automotive assembly, industry suppliers, embedded systems, and safeguarding extended customer and product data. The Summit will include two-days of in-depth presentations from top security experts and seasoned practitioners, hands-on learning exercises, and exclusive networking opportunities.