Intership subject: My car is my passport, verify me

A survey of privacy-related data and Personally Identifiable Information stored in automotive Electronic Control Units and how to protect them.

Description

Modern automotive embedded a large amount of Electronic Control Unit (ECU) to assist the driver and enhance his driving experience. Some of those ECU collect data that could be considered as Personally Identifiable Information (PII) or that could affect privacy.

The aim of this internship is to study a set of ECUs to evaluate what kind of PII or privacy related data are stored, how they are protected against the extraction from a malicious actor.

What you will do

During this internship, you'll assess how Personally Identifiable Information (PII) and privacy related data are stored and protected in an Electronic Control Unit (ECU) and if an attacker could be able to extract data using exposed interfaces (CAN, USB, Automotive Ethernet...).

To do so, you'll perform several tasks:

• Build a test-bench to evaluate the ECU.

• Identify and dump external memory chips and micro-controller's firmware using debug interfaces and chip-off techniques.

• Analyse dumps from memory chips to identify data of interest.

• Reverse-engineer firmware or binaries of interest.

• Explore automotive-specific interfaces to interact with the main chips.

You'll be assisted by cybersecurity experts.

Assignment

Find and read carefully a write-up with an analysis of an ECU storing data of interest (PII, cryptographic material, etc). Describe the various techniques used to gain access to the memory and recover those data. Discuss any relevant design or implementation flaws that led to this access and ways to secure it.

Explain the potential impact of extracting the date data to the user or the manufacturer. On the car model of the studied ECU, list other ECUs that could store sensitive information from a privacy point of view and the associated risks if those data are accessible to an attacker. Be as specific as possible.