A new research paper from Germany discloses that NVIDIA has confirmed a hardware vulnerability that allows an attacker to gain privileged control of code execution for Tesla’s autopilot system. The attack involves a ‘classic’ method of destabilizing hardware by introducing voltage surges, which in this case enables the unlocking of a bootloader that’s usually disabled for consumers, and intended for laboratory conditions.
The attack is also valid for the Mercedes-Benz infotainment system, though with obviously fewer potentially damaging consequences.
The paper, entitled The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs, comes from the Technische Universitat Berlin, following up on some of the same researchers’ recent work disclosing a similar exploit in AMD Secure Encrypted Virtualization, published on the 12th August.
The new paper states:
We responsibly disclosed our ﬁndings to Nvidia, including our experimental setup and parameters. Nvidia reconstructed our experiments and conﬁrmed that fault injection impacts the tested Tegra Parker SoC and earlier chips. According to them, all newer Tegra SoCs would contain countermeasures to mitigate these types of attacks. Furthermore, they proposed countermeasures to reduce the effectiveness of voltage fault injection on vulnerable chips…
The paper states that the kind of attack demonstrated in their research could allow an adversary to alter the system’s firmware to tamper with essential control systems, including the way an autonomous vehicle reacts to human obstacles.
They note that even tampering with cockpit display systems carries genuine hazard, allowing for the display of misinformation of current driving speed, and other information that’s essential to the safe running of the vehicle.
Voltage Fault Injection
Voltage Fault Injection (FI), also known as Voltage Glitching, simply over or under-volts the system supply for a moment. It’s a very old form of attack; the researchers note that smart cards were hardened against this approach two decades ago, and suggests that chip manufacturers have effectively forgotten about this particular attack vector.
However they acknowledge that protecting a System on a Chip (SoC) has become more complex in recent years due to complex power trees and higher rates of power consumption that can exacerbate the potential disruption caused by a perturbed power supply.
Attacks of this type have proved possible against the older NVIDIA Tegra X1 SoC in the past. However, the newer Tegra X2 SoC (‘Parker’) is present in more critical systems, including Tesla’s Autopilot semi-autonomous driving system, as well as in systems used by Mercedes-Benz and Hyundai vehicles.
The new paper demonstrates a Voltage Glitching attack on the Tegra X2 SoC that allowed the researchers to extract content from the internal Read-Only Memory (iROM) of the system. Besides compromising the IP of the manufacturers, this allows the total disabling of Trusted Code Execution.
Permanent Compromise Possible
Furthermore, the incursion is not fragile or necessarily obliterated on restart: the researchers developed a ‘hardware implant’ capable of permanently disabling the Root of Trust (RoT).
To map out the exploit, the researchers sought to unlock hidden documentation about the X2 – hidden header files included as part of the L4T package. The mappings are described, though not explicitly, in online documentation for the Jetson TX2 Boot Flow.
However, though they were able to obtain the necessary information from the exfiltrated header files, the researchers note that they also received significant aid by trawling GitHub for obscure NVIDIA-related code:
Before realizing that the header ﬁle is offered by Nvidia, we searched for it on GitHub. Apart from ﬁnding a repository that includes the Nvidia code, the search also uncovered a repository called ”switch-bootroms”. This repository includes leaked BR source code for the Tegra SoCs with model numbers T210 and T214, whereas T210 is the original model of the Tegra X1 (codenamed ”Erista”), and T214 is an updated version, also called Tegra X1+ (codenamed ”Mariko”). The X1+ includes faster clock speeds and, judging from comments and code in the repository, is hardened against FI. During our investigations, access to this code massively increased our understanding of the X2.’
(Footnotes converted to hyperlinks by me)
All fuses and cryptographic codes were uncovered by the new method, and the later stages of the bootloader system were successfully decrypted. The most notable achievement of the exploit is arguably the ability to make it persistent across restarts via dedicated hardware, a technique first developed by Team Xecutor for the Nintendo Switch implant on the X1 chip series.
The paper suggests a number of hardening methods that could make future iterations of the X-series SoC resistant to voltage glitching attacks. In discussing the matter with NVIDIA, the company suggested that in the case of existing SoCs, board-level changes would be helpful, including the use of epoxies that are resistant to decomposition by heat and solvents. If the circuit cannot easily be taken apart, it is much harder to compromise.
The paper also suggests that a dedicated printed circuit board (PCB) for the SoC is one way to exclude the need for coupling capacitors, which form part of the described attack.
For future designs of SoC, the use of a cross-domain voltage glitch detection circuit that was recently patented by NVIDIA could enable trigger alerts in the case of malicious or suspected voltage disturbances.
Addressing the problem via software is more of a challenge, since the characteristics of the faults being exploited are difficult to understand and counter at a software level.
The paper observes, apparently with some surprise, that most of the obvious safeguards have been evolved over time to protect the older X1 chip, but are absent in the X2.
The report concludes:
‘Manufacturers and designers should not forget about seemingly simple hardware attacks that have been around for already more than two decades.’