Exploring Injection Attacks on UAVs and the Realities of Embedded Device Security Artwork

Empowering Tomorrow's Automotive Software

The automotive industry is experiencing change at a tremendous rate. The software-defined vehicle is leading the future of mobility - the car is rapidly becoming an electronic device on wheels. Empowering Tomorrow's Automotive Software will look at how electrification, automation and connectivity are impacting the industry, from changing the development process and software architecture to how data is generated and processed.

The podcast is brought to you by the experts at ETAS, leaders in automotive software.

To learn more, visit etas.com

Produced by ETAS Inc.; Madelyn Downs, madelyn.downs@bosch.com

Imprint and contact information:

ETAS Inc.
15800 N. Haggerty Road
Plymouth, Michigan 48170 USA
contact.us@etas.com
Privacy Policy

All Episodes

Empowering Tomorrow's Automotive Software

Exploring Injection Attacks on UAVs and the Realities of Embedded Device Security

December 02, 2025 • Zane Pelletier, Gabriel Gonzalez-Garcia

0:00 | 44:12

In this episode, host Zane Pelletier from ETAS is joined by Gabriel Gonzalez-Garcia, Director of Hardware Security at IOActive, for a fascinating look into the world of drone hacking. Gabriel shares his journey into hardware hacking and explains why unmanned aerial vehicles (UAVs) present a compelling target for security research.

The conversation explores fault injection attacks, including what they are, why they’re difficult to execute, and how they can be used to bypass embedded security features. If you're interested in embedded systems, hardware security, or the evolving threat landscape in connected devices, this episode is a must-listen.

To learn more, check out Gabriel's whitepaper: https://www.ioactive.com/drone-security-fault-injection-attacks-gabriel-gonzalez/

Tell us what you think - send us a text message!

Thanks for listening!

Email us at: contact.us@etas.com
Learn more about ETAS on our website
Follow us on LinkedIn: @ETAS

00:00:02 Voiceover

Welcome to the Empowering Tomorrow's Automotive Software Podcast, brought to you by ETAS, a single source of cutting-edge software and hardware solutions that make automotive embedded systems safe, smart, secure, and sustainable.

00:00:15 Voiceover

Each episode, we'll be joined by ETAS and industry experts to discuss how electrification, automation, and connectivity are impacting the automotive industry.

00:00:25 Voiceover

Now, sit back and enjoy the discussion.

00:00:31 Zane Pelletier

Hello everyone and welcome to the Empowering Tomorrow's Automotive Software Podcast.

00:00:37 Zane Pelletier

I'm your host, Zane Pelletier with ETAS.

00:00:39 Zane Pelletier

I am a penetration tester and reverse engineer.

00:00:42 Zane Pelletier

And today I'm very happy to introduce the topic of hacking unmanned aerial vehicles or UAVs, commonly referred to as drones.

00:00:52 Zane Pelletier

And

00:00:53 Zane Pelletier

these technologies seem to be making their way into more and more devices that are, taking the world by storm via land, sea, and air.

00:01:03 Zane Pelletier

Drones typically implement varying levels of security with more advanced modules being resistant to typical embedded device attacks.

00:01:11 Zane Pelletier

Today, we're going to talk with someone who has set out to use precision side channel and fault injection techniques to exploit an otherwise heavily fortified embedded device.

00:01:20 Zane Pelletier

I would like to welcome Gabriel Gonzalez-Garcia, who's the director of hardware security at IOActive.

00:01:26 Zane Pelletier

He's completed hundreds of projects involving reverse engineering of embedded devices, code review, integrated hardware and software penetration testing, and many other topics.

00:01:37 Zane Pelletier

His areas of focus and technologies are hardware and embedded systems.

00:01:41 Zane Pelletier

He also has special interests in low-level attack vectors, including fault injection and side-channel analysis, which we're going to dig into quite a bit today.

00:01:49 Zane Pelletier

He also typically explores novel attack pathways.

00:01:52 Zane Pelletier

He has worked in automotive, aircraft, smart grid, SATCOM, ATM, IoT, and utility industries, among others.

00:02:01 Zane Pelletier

Welcome, Gabriel.

00:02:02 Zane Pelletier

To start, I would like to ask you, how did you get into hardware hacking and messing with embedded devices in the 1st place?

00:02:11 Gabriel Gonzalez-Garcia

So it's always been an interest since I was a kid, right?

00:02:16 Gabriel Gonzalez-Garcia

So many people that I got into hacking, I think we all started very young.

00:02:20 Gabriel Gonzalez-Garcia

And I was always interested in low level, low level implementation on the operating systems and especially microcontrollers, smart cards.

00:02:30 Gabriel Gonzalez-Garcia

I tried to build my own smart card reader when I was around 12 years old.

00:02:36 Gabriel Gonzalez-Garcia

So that's more how I started.

00:02:38 Gabriel Gonzalez-Garcia

And then over the years, I became more interested in

00:02:41 Gabriel Gonzalez-Garcia

these devices with the chip that control the routers.

00:02:46 Gabriel Gonzalez-Garcia

We have them in the cars and everything, right?

00:02:49 Gabriel Gonzalez-Garcia

And that's how I grew a little bit into that area.

00:02:53 Zane Pelletier

Wow, awesome.

00:02:54 Zane Pelletier

Yeah, I think it's a very unified story coming from a lot of folks early in that, you know, it sounds like a lot of people that are in this area typically are messing with devices pretty early on, right?

00:03:05 Zane Pelletier

They're tearing stuff apart.

00:03:06 Zane Pelletier

They're looking at things.

00:03:07 Zane Pelletier

It sounds like your story is no different there.

00:03:10 Zane Pelletier

So for this project in particular, why exactly did you choose to focus on hacking UAVs and how did you come to the decision to really explore this in depth?

00:03:19 Zane Pelletier

Because there are a lot of embedded devices out there.

00:03:22 Zane Pelletier

There's a lot of different areas.

00:03:24 Zane Pelletier

I know that drone hacking sounds really cool and futuristic, and I know it's very kind of timely in terms of where we are with evolving technologies in these unmanned aerial vehicles.

00:03:35 Zane Pelletier

But can you walk us through kind of how you got there and how you really began to start this project?

00:03:41 Gabriel Gonzalez-Garcia

Yeah, I think you put it very well in the introduction, right?

00:03:46 Gabriel Gonzalez-Garcia

There are devices that are kind of recent in the

00:03:53 Gabriel Gonzalez-Garcia

where they begin to be more available to everyone, and there are more commercial applications for drones, and there is even for hobbyists, right?

00:04:03 Gabriel Gonzalez-Garcia

They are everywhere, people grabbing videos.

00:04:05 Gabriel Gonzalez-Garcia

So that's more or less how we got the interest, or how I got the interest into this.

00:04:10 Gabriel Gonzalez-Garcia

It was always, when we choose an area of research that is not very deeply explored, and so there are still things

00:04:19 Gabriel Gonzalez-Garcia

to be applied, and you need to look a little bit into the potential attack vectors, and it's a little bit of novelty on the some specific attacks that come to each industry and on each application, and this is the same for UAVs, and that's what that's how we chose the target, right?

00:04:39 Gabriel Gonzalez-Garcia

Being something that is new to the market, and we wanted to

00:04:44 Gabriel Gonzalez-Garcia

to understand them a little bit better.

00:04:46 Gabriel Gonzalez-Garcia

So we can, of course, literally apply to other projects and all the things that we learn here always match to similar devices or even other types of drones.

00:04:57 Zane Pelletier

Right.

00:04:57 Zane Pelletier

Okay.

00:04:58 Zane Pelletier

Yeah.

00:04:58 Zane Pelletier

No, certainly that makes sense to me.

00:05:01 Zane Pelletier

It's always interesting to see what people choose to look at, especially with a longer project like this, like with security research.

00:05:07 Zane Pelletier

I think it's very

00:05:09 Zane Pelletier

It's very calculated, what you choose to look at and the approach you go about when you're doing kind of your initial lay of the land there, right?

00:05:18 Zane Pelletier

If you're doing a pen test, it's reconnaissance or enumeration, whatever you want to call it.

00:05:21 Zane Pelletier

But actually choosing the target that you're looking at, I think is very, very important, that part of the process.

00:05:27 Zane Pelletier

So I guess not everybody has a background for anyone listening on what exactly your project was.

00:05:33 Zane Pelletier

Could you walk through it, maybe briefly talk about, you know, what you chose to target

00:05:39 Zane Pelletier

maybe some of the methods that you used and kind of outcomes.

00:05:42 Zane Pelletier

What did you accomplish and what did you find?

00:05:45 Gabriel Gonzalez-Garcia

Yeah, sure.

00:05:45 Gabriel Gonzalez-Garcia

That's a good question, right?

00:05:47 Gabriel Gonzalez-Garcia

Because I mean, as you mentioned at the beginning, we explore how to apply poll injection to drones, to this specific DJI drone.

00:05:56 Gabriel Gonzalez-Garcia

And the first thing that we always do when we try to attack one device is look at the whole attack surface.

00:06:02 Gabriel Gonzalez-Garcia

and what the potential entry points, right?

00:06:04 Gabriel Gonzalez-Garcia

And the best or the most obvious one is the wireless access, something these DJI drones have something that is called OcuSync that is used to pair the remote controllers and transmit the video in real time with high quality.

00:06:22 Gabriel Gonzalez-Garcia

But there is also a control channel that goes on that one.

00:06:26 Gabriel Gonzalez-Garcia

There is of course the mobile app and of attack surface because

00:06:32 Gabriel Gonzalez-Garcia

Since these drones also have Wi-Fi, you can control them with the mobile app and also same commands.

00:06:39 Gabriel Gonzalez-Garcia

So that's another attack surface.

00:06:40 Gabriel Gonzalez-Garcia

And another one is the backend application that holds the firmware updates, commands, and everything, right?

00:06:50 Gabriel Gonzalez-Garcia

And there is one, but these are more or less covered, right?

00:06:54 Gabriel Gonzalez-Garcia

There is a little bit more research.

00:06:56 Gabriel Gonzalez-Garcia

They were at the time vulnerabilities published on the mobile apps.

00:07:02 Gabriel Gonzalez-Garcia

And the APIs, and there was also some more research on the RF communications, but something that we wanted to explore is how these devices are or how well protected they are against the physical attacks, right?

00:07:18 Gabriel Gonzalez-Garcia

And when we think of physical attacks.

00:07:22 Gabriel Gonzalez-Garcia

Of course, we need to have access to one drone.

00:07:24 Gabriel Gonzalez-Garcia

This is not something that you can do while the drone is flying, or you cannot intercept the communications.

00:07:32 Gabriel Gonzalez-Garcia

But it's a very important step when we analyze a drone or any system, because what we want to have as researchers or the attackers, right, is to have access to the firmware.

00:07:48 Gabriel Gonzalez-Garcia

to the latest version of the firmware, because that is where all the remotely vulnerabilities are implemented, right?

00:07:55 Gabriel Gonzalez-Garcia

And in this particular case, if they have the distribute the firmware encrypted, so they do a good job on trying to hide that part.

00:08:07 Gabriel Gonzalez-Garcia

So having access to the firmware, it helps

00:08:12 Gabriel Gonzalez-Garcia

uncover, potentially cover all the vulnerabilities.

00:08:15 Gabriel Gonzalez-Garcia

And it's also very important or something that also companies try to protect against because it also exposes IP, right?

00:08:23 Gabriel Gonzalez-Garcia

All the effort that they've done developing video processing algorithms, compression, and the whole control of the motors and the PID systems, the GPS and everything.

00:08:38 Gabriel Gonzalez-Garcia

the competitor can get them.

00:08:40 Gabriel Gonzalez-Garcia

It's hours and hours or years of research that are also exposed.

00:08:46 Gabriel Gonzalez-Garcia

And later on, once you have access to one specific device, you can get crypto material that are, depending on how to use, if for example a key is shared between multiple devices, that's sometimes common

00:09:02 Gabriel Gonzalez-Garcia

When you distribute encrypted firmware, because either you encrypt the firmware with a different key for each device, sometimes the manufacturers choose to have one key that is shared between all devices, and it's...

00:09:16 Gabriel Gonzalez-Garcia

stored in the device while the device is in the manufacturing mode and then it's deployed.

00:09:23 Gabriel Gonzalez-Garcia

And if you get access to that secure key by some other means, like for example, re-enabling JTAG, that we can get into that later, there is a way to get that key and then you will be able to encrypt the decrypt the firmware or sometimes also forge a new malicious firmware update and compromise the device.

00:09:42 Gabriel Gonzalez-Garcia

So that's the attack vector and why we chose this path, right?

00:09:47 Gabriel Gonzalez-Garcia

Do you understand a little bit more how well protected the devices were and how far we can get it using these techniques?

00:09:55 Zane Pelletier

All right, yeah.

00:09:56 Zane Pelletier

I think when people typically think about hacking drones in my mind and probably in popular media as well, in movies and whatnot,

00:10:06 Zane Pelletier

You typically see somebody break out some type of RF or radio frequency device with a big antenna, and they are looking at the actual wireless communication that's happening over that protocol.

00:10:19 Zane Pelletier

But this is kind of where I think reality kind of diverges from fiction a little bit.

00:10:24 Zane Pelletier

You mentioned that there was some research into the radio frequency protocols and the channels used for communication from, let's say, the remote to the device.

00:10:35 Zane Pelletier

for control and feedback video and all that.

00:10:38 Zane Pelletier

But in this case, I think that you kind of illustrate a reality here when you're working with embedded devices where, and especially with security research, you need to know what's existing on the device already to be able to uncover what could potentially be exploited in the field.

00:10:54 Zane Pelletier

And usually that means you need to get your hands on firmware, right, like you mentioned.

00:10:59 Zane Pelletier

And so that kind of transitions you from working on kind of a black box only project where you know nothing about what the internals of the chip look like on your board to you're starting to get into gray and white box realm because you can actually get access to the firmware.

00:11:14 Zane Pelletier

You could potentially de-obfuscate or decompile it, assuming that it's not encrypted, as you mentioned, and you can start to actually look at what

00:11:23 Zane Pelletier

what's running on the central processor on the device, which will give you insight into what else you can do.

00:11:30 Zane Pelletier

And that's really driving all of the communications, all of the right, all of the other chips on the board that are responsible for the operation of the device in the field.

00:11:39 Zane Pelletier

So I guess maybe, could you talk to us a little bit about, for those that are listening that aren't aware, what exactly is a fault injection attack?

00:11:46 Zane Pelletier

And why is it so difficult to achieve, right?

00:11:50 Zane Pelletier

I don't think a lot of people understand the specific hardware.

00:11:54 Zane Pelletier

All of the variables here have to be, I think, very precise to be able to, one, detect if the attack worked, and then two, to even get it into a place where you can begin to systematically

00:12:07 Zane Pelletier

let's say, perform injections on the chip that you're trying to perform the fault injection attack against.

00:12:14 Zane Pelletier

So, yeah, maybe you could give us a little insight there.

00:12:17 Gabriel Gonzalez-Garcia

Yeah, exactly.

00:12:18 Gabriel Gonzalez-Garcia

That's a very good question, right?

00:12:19 Gabriel Gonzalez-Garcia

Because there is a difference between traditional vulnerability exploitation.

00:12:24 Gabriel Gonzalez-Garcia

When we find, for example, the zero day on a firmware, it could be, for example, integral overflow, buffer overflow, even command injection, right?

00:12:33 Gabriel Gonzalez-Garcia

Or maybe a memory leak.

00:12:35 Gabriel Gonzalez-Garcia

But when you fight those vulnerabilities,

00:12:36 Gabriel Gonzalez-Garcia

the vulnerability is there, it's going to be easy to reproduce, right?

00:12:40 Gabriel Gonzalez-Garcia

Of course, the writing exploit can be more or less challenging, but if the vulnerability is there, it's there, and you're going to find it in that version of the firmware in every device that you find, right?

00:12:52 Gabriel Gonzalez-Garcia

When you come to full injection, it's a different approach, because here we are not targeting the firmware.

00:12:59 Gabriel Gonzalez-Garcia

or the software that is being written, although we can target specific features, but what we are doing is altering how the chip behaves in a normal way, right?

00:13:10 Gabriel Gonzalez-Garcia

It's like altering, but we are actually doing is altering the electronic, the electrons that flow through the internal of the chip, that go through the transistors.

00:13:20 Gabriel Gonzalez-Garcia

And we do that by different attacks, different types of techniques.

00:13:25 Gabriel Gonzalez-Garcia

But what we do is change the currents that are inside the chip.

00:13:30 Gabriel Gonzalez-Garcia

So for example, when the processor is reading an instruction and moving memory from one side of the bus, the internal bus, right, from the memory location to the register, to the internal register, if we kind of tamper with the current that is going through the chip, if we

00:13:52 Gabriel Gonzalez-Garcia

As an example, we briefly cut the amount of electricity that goes into the chip.

00:13:57 Gabriel Gonzalez-Garcia

There is not going to be enough power to turn or to switch to flip bits from 1 to 0 or to 0 to 1.

00:14:05 Gabriel Gonzalez-Garcia

So what happens is that we can alter the values that are in registers.

00:14:10 Gabriel Gonzalez-Garcia

So that way we can abuse that to gain specific advantages or bypass features.

00:14:17 Gabriel Gonzalez-Garcia

For example, as I was mentioning before, there is a common

00:14:21 Gabriel Gonzalez-Garcia

Attack, we're a common attack.

00:14:24 Gabriel Gonzalez-Garcia

We'll use a poll injection to enable JTAG.

00:14:28 Gabriel Gonzalez-Garcia

And for those that don't know, JTAG is an interface that all the chips have physically.

00:14:33 Gabriel Gonzalez-Garcia

It's a physical interface that anyone can connect to and gets you full access to the chip.

00:14:40 Gabriel Gonzalez-Garcia

So you can read memory, you can write memory, you can read the register, you can debug the instructions, right?

00:14:47 Gabriel Gonzalez-Garcia

You can go instruction by instruction, debugging what is on the chip.

00:14:51 Gabriel Gonzalez-Garcia

And when devices are shipped, they should all have the JTAG closed and currently disabled, right?

00:14:58 Gabriel Gonzalez-Garcia

Because if not it has a vulnerability, anyone can go, plug in the debugger and read all the crypto information that you have there with the firmware or things like that.

00:15:07 Gabriel Gonzalez-Garcia

But there are some ways to protect JTAG.

00:15:10 Gabriel Gonzalez-Garcia

For example, the chip or the code that controls that part within the chip can

00:15:17 Gabriel Gonzalez-Garcia

look for a specific value in the register.

00:15:19 Gabriel Gonzalez-Garcia

Let's say, for simplicity, that is all ones, right?

00:15:22 Gabriel Gonzalez-Garcia

One, one, one, one, one, one.

00:15:24 Gabriel Gonzalez-Garcia

If in one register is everything is one, then the JTAG is closed.

00:15:29 Gabriel Gonzalez-Garcia

And if everything is whatever other value, then the JTAG is open, right?

00:15:33 Gabriel Gonzalez-Garcia

So that's something that similar cases are in the way.

00:15:37 Gabriel Gonzalez-Garcia

So when the chip, if we manage to time

00:15:41 Gabriel Gonzalez-Garcia

the glitch or to cut the current very briefly, that what we do is to short the VCC lines, the power that goes into the chip.

00:15:51 Gabriel Gonzalez-Garcia

We short them very briefly by microseconds or milliseconds, depending on the chip, right?

00:15:58 Gabriel Gonzalez-Garcia

For 1 millisecond, so to speak, while the chip is reading that value.

00:16:04 Gabriel Gonzalez-Garcia

right?

00:16:04 Gabriel Gonzalez-Garcia

It's reading the value that controls the JTAG.

00:16:06 Gabriel Gonzalez-Garcia

We check it into a register, we copy it into a register, and then we do a compare function, right?

00:16:11 Gabriel Gonzalez-Garcia

That's how it works.

00:16:13 Gabriel Gonzalez-Garcia

If we manage to reduce the current when it's copying the value into the register, instead of being 111, pretty likely it's going to turn to be 000, and that is going to, the code is going to go, okay, is it different than one?

00:16:27 Gabriel Gonzalez-Garcia

So let's open JTAG.

00:16:29 Gabriel Gonzalez-Garcia

Right, and that way you can bypass the security feature by manipulating the bits.

00:16:35 Gabriel Gonzalez-Garcia

It's not actually manipulating the bits what you're doing is reducing the amount of power that a chip has, and then it will not be able to flip bits.

00:16:44 Gabriel Gonzalez-Garcia

And that's one, one, one approach, right?

00:16:47 Gabriel Gonzalez-Garcia

I'm modifying that shorting the current, but it isn't the one that we use on the drone is we use instead of doing voltage glitching, which is the most common one, and we did we use EMFI, which is electromagnetic for injection.

00:17:01 Gabriel Gonzalez-Garcia

And why we chose that because these drones are, even though they might seem simple, they are very complex.

00:17:08 Gabriel Gonzalez-Garcia

So the PCBs and the hardware architecture is very complex, and they are very tiny,

00:17:14 Gabriel Gonzalez-Garcia

In terms of PCB size, there are multiple layers, and in the size of a phone, they have very like 4 very big chips, and it's very difficult to.

00:17:28 Gabriel Gonzalez-Garcia

to get access to the paths of the specific points of the chip that draw the current, right, that draw the voltage.

00:17:37 Gabriel Gonzalez-Garcia

It would require to do PCB surgery, and of course drones are not something that is cheap, right?

00:17:43 Gabriel Gonzalez-Garcia

So if we risk damaging two or three drones, we are already in the 10s of thousands of dollars.

00:17:50 Gabriel Gonzalez-Garcia

So that would turn out in a very specific research.

00:17:53 Gabriel Gonzalez-Garcia

So that's why we chose electromagnetic fall injection, which in this case

00:17:58 Gabriel Gonzalez-Garcia

It doesn't require any PCB modification.

00:18:01 Gabriel Gonzalez-Garcia

It's just a probe that you place on top of the chip.

00:18:05 Gabriel Gonzalez-Garcia

And what you do is you run a very high voltage current through a coil.

00:18:11 Gabriel Gonzalez-Garcia

And when you run that current, you induce electromagnetic field, right?

00:18:18 Gabriel Gonzalez-Garcia

This is physics, so you do electromagnetic field and that electromagnetic field goes through the chip.

00:18:26 Gabriel Gonzalez-Garcia

And since this is an induced car, and what is going to this automatically fill is going to induce a current in the transistors that are inside the chip.

00:18:35 Gabriel Gonzalez-Garcia

And it's going to have a similar effect, right?

00:18:36 Gabriel Gonzalez-Garcia

We are modifying what the values of registers, the values of transistors that are around.

00:18:43 Gabriel Gonzalez-Garcia

And if you manage to time the feature that you want to target with the location and the pulse that you inject, then you can get a win, right?

00:18:56 Gabriel Gonzalez-Garcia

And when we use electromagnetic injection, there is another variable, because with voltage glitching is just you have like the cable that gets the power to the chip, and that's it, right?

00:19:05 Gabriel Gonzalez-Garcia

You short it very beautifully to ground, and that's it.

00:19:08 Gabriel Gonzalez-Garcia

But with EMFI, you have another variable, which is the specific location on top of the chip, and also the space between the chip and the probe.

00:19:22 Gabriel Gonzalez-Garcia

So usually you place it

00:19:24 Gabriel Gonzalez-Garcia

as close as you can, but it can also, if depending on the chip and the whole packages, you might need to leave a little bit of space so the glitch is not as powerful, or maybe you need to be a little bit closer.

00:19:38 Gabriel Gonzalez-Garcia

So, as you can guess, there are many variables that go there because you need to 1st time the glitch with a specific time with the data.

00:19:49 Gabriel Gonzalez-Garcia

memory is being copied from an internal memory location to a register, right?

00:19:55 Gabriel Gonzalez-Garcia

It needs to happen in that specific time.

00:19:58 Gabriel Gonzalez-Garcia

And then you need to find the right location on the chip.

00:20:00 Gabriel Gonzalez-Garcia

So you need to go with a space of millimeters, right?

00:20:04 Gabriel Gonzalez-Garcia

You move 01 millimeters.

00:20:07 Gabriel Gonzalez-Garcia

You try, many times.

00:20:09 Gabriel Gonzalez-Garcia

You move to the next location, you try, and then you have to do whole campaigns that take hours and hours.

00:20:17 Gabriel Gonzalez-Garcia

to be able to know the first exact location that you can reuse to perform an attack.

00:20:23 Gabriel Gonzalez-Garcia

And after you have the location, try to target the specific feature that you want to bypass.

00:20:30 Gabriel Gonzalez-Garcia

So it's a very lengthy process because there are so many variables and it's not something very deterministic.

00:20:38 Gabriel Gonzalez-Garcia

So usually it's not something that you go, you have the location, you inject the glitch, and then you get it.

00:20:44 Gabriel Gonzalez-Garcia

So it even depends.

00:20:46 Gabriel Gonzalez-Garcia

Even when you have the chip, it works perfect for one chip.

00:20:49 Gabriel Gonzalez-Garcia

It's more or less the same location.

00:20:51 Gabriel Gonzalez-Garcia

You get a different chip, the same part number, but it's a different timing, right?

00:20:56 Gabriel Gonzalez-Garcia

Because the internals of the chip, even though they might be built in the same way, they might be slightly different.

00:21:05 Gabriel Gonzalez-Garcia

So that also takes into account on it.

00:21:07 Gabriel Gonzalez-Garcia

So it's a lot of tries.

00:21:09 Gabriel Gonzalez-Garcia

Usually what you have some parameter ranges.

00:21:11 Gabriel Gonzalez-Garcia

So it's not like a fixed location and a fixed timing.

00:21:14 Gabriel Gonzalez-Garcia

You have a range of let's say 100 milliseconds.

00:21:17 Gabriel Gonzalez-Garcia

I know that I need to release between 1,000 and 1,100.

00:21:22 Gabriel Gonzalez-Garcia

And then you begin doing that and then you will eventually get a successful attack.

00:21:29 Gabriel Gonzalez-Garcia

So the whole process,

00:21:32 Gabriel Gonzalez-Garcia

The bulk of the time is to understand the parameters, to learn the location, get how strong you need to inject the glitch, the timing, right?

00:21:43 Gabriel Gonzalez-Garcia

And then reduce that.

00:21:45 Gabriel Gonzalez-Garcia

But you begin with a very wide area and all the delays that you have in the world.

00:21:51 Gabriel Gonzalez-Garcia

And then you start reducing that.

00:21:53 Gabriel Gonzalez-Garcia

And when you have that into a range that you can do in maybe 6 to 8 hours, for example,

00:21:59 Gabriel Gonzalez-Garcia

You let it run, and then you get it, you get the success, so that's more or less how it works.

00:22:06 Zane Pelletier

Wow, yeah, I mean...

00:22:07 Zane Pelletier

So, how long did it take you on this project?

00:22:11 Zane Pelletier

I think it was a few weeks, right, to have a reproducible glitch?

00:22:14 Zane Pelletier

OK.

00:22:15 Gabriel Gonzalez-Garcia

Yeah, because first you need to understand how everything works, and that this is because when you do the full injection attacks, the first thing that you need to know is to...

00:22:27 Gabriel Gonzalez-Garcia

to determine the parameters, you need to run, what we do is to run a software that we can control, right?

00:22:34 Gabriel Gonzalez-Garcia

So it's basically, there's information on the online.

00:22:38 Gabriel Gonzalez-Garcia

There is a loop with counters that it runs, and then the prints, when all the counters are completed, all the for-loops, nested loops, you're going to appear in, for example, 10,000, 10,000, 10,000, right?

00:22:50 Gabriel Gonzalez-Garcia

And then you begin injecting glitches, and you begin finding the location.

00:22:54 Gabriel Gonzalez-Garcia

And most of the time, nothing happens.

00:22:56 Gabriel Gonzalez-Garcia

Sometimes the chip reboots because the glitch was too strong, or maybe you glitched the CPU and it got into memory fault and the whole chip had to reboot.

00:23:09 Gabriel Gonzalez-Garcia

Sometimes, as I said, nothing happens, and eventually you will get the loops instead of returning 10,000, they're going to return 8,000 or maybe 20,000, right, or whatever.

00:23:22 Gabriel Gonzalez-Garcia

So that means that you were able in that location and with those parameters

00:23:27 Gabriel Gonzalez-Garcia

to make the chip behave differently.

00:23:29 Gabriel Gonzalez-Garcia

So either you were able to skip an instruction or there is a register that got changed the value while it was copied and between memories.

00:23:38 Gabriel Gonzalez-Garcia

And that's the first stage.

00:23:39 Gabriel Gonzalez-Garcia

And that usually takes a long time because there are many parameters.

00:23:43 Gabriel Gonzalez-Garcia

Sometimes you have the XYZ table.

00:23:48 Gabriel Gonzalez-Garcia

And it moved away, you come the next day, and everything is ruined.

00:23:54 Gabriel Gonzalez-Garcia

The profile was in a different position, have to redo everything, so it's a process, yeah, but after that one got completed, I was able to get a successful year after a couple of days of test, right?

00:24:07 Gabriel Gonzalez-Garcia

So, you let it there, and then a couple of days I was able to get a full call execution on the devices.

00:24:12 Zane Pelletier

Amazing.

00:24:13 Zane Pelletier

Yeah.

00:24:13 Zane Pelletier

So it sounds like a lot of trial and error, essentially.

00:24:16 Zane Pelletier

I mean, and it's, to some extent, that's what any kind of hacking or manipulation of other devices is trial and error.

00:24:25 Zane Pelletier

But with this, like you mentioned, all of the variables that come into play here, I mean, really, you are doing some kind of a physical manipulation of the chip, but it's not physical in terms of like re-soldering components on the board and removing things.

00:24:40 Zane Pelletier

It's physical in terms of the electromagnetic

00:24:42 Zane Pelletier

magnetic frequencies that you are manipulating to actually affect the physical components of the internals of the chip itself.

00:24:52 Zane Pelletier

Yeah, and I mean, for this, I'm probably going to butcher this reference because I don't remember all the dates, but I do believe there's a natural occurrence of this, right?

00:25:02 Zane Pelletier

I think it was back in the 90s or early 2000s.

00:25:05 Zane Pelletier

Belgium had an election, and it was one of their first elections.

00:25:08 Zane Pelletier

They used electronic devices to

00:25:12 Zane Pelletier

count the ballots, right, that were cast for the election.

00:25:15 Zane Pelletier

So they did the electronic election, but then they also kept the physical ballots and counted those separately.

00:25:22 Zane Pelletier

And I think they found a pretty significant error in the device, and they couldn't figure it out for the longest time.

00:25:29 Zane Pelletier

I think they were off by about 10,000 or so votes, which was quite a lot.

00:25:35 Zane Pelletier

And it turns out that

00:25:37 Zane Pelletier

somewhere on some physical component on the voting device, there was a bit that was flipped.

00:25:45 Zane Pelletier

And they couldn't figure out why.

00:25:46 Zane Pelletier

And it seemed to have been flipped in the volatile memory, not the actual hard drive storage of the device, but in the actual memory while it was performing the counting operation.

00:25:57 Zane Pelletier

And I believe they attributed it to a cosmic ray or solar flare or something, some kind of electromagnetic radiation from space, essentially, they said came down.

00:26:06 Zane Pelletier

and actually flip the bit.

00:26:07 Zane Pelletier

So this is something that actual devices, physical devices on this planet, I think, deal with every day.

00:26:12 Zane Pelletier

And there are varying levels of protections you can do to kind of keep that from happening, right?

00:26:17 Zane Pelletier

Shielding and whatnot.

00:26:18 Zane Pelletier

But that's kind of a natural occurrence of what you are trying to simulate artificially here, right?

00:26:24 Gabriel Gonzalez-Garcia

So, for example, all the devices that go on planes, they go through similar tests because they are exposed to more radiation that are on Earth right on the ground, so they have a special testing equipment to simulate those scenarios as well, yes.

00:26:41 Zane Pelletier

Wow, it's really cool that we can take advantage of that to actually perform manipulations in any kind of controlled sense, right?

00:26:50 Zane Pelletier

So let's talk about the hardware that you used a little bit more, because I'm very interested.

00:26:54 Zane Pelletier

I mean...

00:26:55 Zane Pelletier

Sometimes, I deal with, sometimes I scope penetration tests, and I believe there was some guidance released through Auto ISAC and a few other agencies here, at least in North America, that recommend, trying to perform fault injection and side channel analysis as some kind of glitching against the hardware that go into, for instance, vehicles that are on the road.

00:27:16 Zane Pelletier

And so we get a lot of questions, I think, when people come to us and say, hey, can you perform, you know, fault injection against our device, right?

00:27:24 Zane Pelletier

And, you know,

00:27:25 Zane Pelletier

They kind of leave it on there as an afterthought, as something you can kind of tack on at the end.

00:27:29 Zane Pelletier

And I think a lot of people are pretty astonished by the increase in, let's say, effort that is required to do that.

00:27:36 Zane Pelletier

So I think it would help, I think, a lot of the listeners to hear kind of what goes into what you have to set up with the hardware itself and what kind of specialized equipment you need to do stuff like this.

00:27:47 Zane Pelletier

You can't just...

00:27:48 Zane Pelletier

I think a lot of people have the misconception that you can just go, buy a ChipWhisperer, for instance, online and just, tape it to a ruler or something and kind of, hang it over the device and, do that for, a few hours and call it a day, right?

00:28:04 Zane Pelletier

But for this, I got a look at, I believe at the Escar presentation that was given, there's a picture of your setup.

00:28:10 Zane Pelletier

And I mean, you had an anti-vibration table, I think, involved with it.

00:28:14 Zane Pelletier

You had a very precise XY axis, Z axis,

00:28:19 Zane Pelletier

Positioning for, and then the actual injection piece of hardware was very large.

00:28:26 Zane Pelletier

I believe you used something from Riskure, if I remember correctly.

00:28:29 Zane Pelletier

So, yeah, please walk us through that and talk about kind of how you chose that hardware and what went into setting all that up.

00:28:37 Gabriel Gonzalez-Garcia

Yeah, exactly.

00:28:37 Gabriel Gonzalez-Garcia

So, for that one, we chose the Riskure gig that...

00:28:42 Gabriel Gonzalez-Garcia

as they offer, they have their own equipment for that, right?

00:28:46 Gabriel Gonzalez-Garcia

And some specific things that you need for EMFI, like you mentioned that very well, we didn't have an anti-vibration table.

00:28:53 Gabriel Gonzalez-Garcia

That's not required for EMFI, that's more for laser injection.

00:28:58 Gabriel Gonzalez-Garcia

But for this one, what you need is an XYZ table that helps you move

00:29:08 Gabriel Gonzalez-Garcia

To certain precise, right?

00:29:09 Gabriel Gonzalez-Garcia

It doesn't need to be, I think it doesn't need to be very precise.

00:29:13 Gabriel Gonzalez-Garcia

I think any 3D printer can kind of go into that precision, because 3D printing is also very challenging when it comes to moving just by a few millimeters, I mean microns even.

00:29:27 Gabriel Gonzalez-Garcia

So what you need the table to be set up, because that's a key part when you have to, when you're not going to perform the MFI attacks, because otherwise you wouldn't be able to

00:29:37 Gabriel Gonzalez-Garcia

To repeat the exact same location, because repeatability is the key here, right?

00:29:42 Gabriel Gonzalez-Garcia

If it's time you are having a different position, it would have been a mess.

00:29:47 Gabriel Gonzalez-Garcia

It's impossible to...

00:29:49 Gabriel Gonzalez-Garcia

You find the exact location, so you need to have a setup that lets you go to the exact point of start, and then you can repeat that over and over again until you find the right parameters.

00:30:01 Gabriel Gonzalez-Garcia

So, the table is when is required, and then, of course, the MFI probe, which is...

00:30:08 Gabriel Gonzalez-Garcia

has those, as you mentioned, there is the cheap shelter, right?

00:30:12 Gabriel Gonzalez-Garcia

That is from a NewAE.

00:30:14 Gabriel Gonzalez-Garcia

There are other vendors as well that offer that offer that part.

00:30:19 Gabriel Gonzalez-Garcia

This, I think they even the UI guys, they have this PicoEMP that is a cheaper version of electromagnetic fill injector, full injection tool.

00:30:32 Gabriel Gonzalez-Garcia

Of course, it's

00:30:33 Gabriel Gonzalez-Garcia

It's less controllable, but you can also do some things with that.

00:30:37 Gabriel Gonzalez-Garcia

I think it all depends.

00:30:39 Gabriel Gonzalez-Garcia

It's a little bit of a trial and error, and it might work with the PicoEMP, or you might use something that is slightly more power, right?

00:30:47 Gabriel Gonzalez-Garcia

Because the thing with the PicoEMP is that I think you cannot control very well the strength of the chip is always the strength of the pulse is always the same.

00:30:56 Gabriel Gonzalez-Garcia

While with the others, you can control that, specifically with rescue, you can control the strength of the pulse as well.

00:31:04 Gabriel Gonzalez-Garcia

And then the rest of the things that you need is a controlling system.

00:31:07 Gabriel Gonzalez-Garcia

There is something that interfaces with the drone in this case, because you need to be able to assess whether the glitch make the chip behave differently or if it wasn't to reset mode or just set time out and then you need to reset everything.

00:31:24 Gabriel Gonzalez-Garcia

And that, but that one is, I think that's custom and needs to be programmed for every system, right?

00:31:31 Gabriel Gonzalez-Garcia

So, those will be the main setups.

00:31:35 Gabriel Gonzalez-Garcia

You have the MFI probe, the table, which for MFI is very, very required, and the control the control system.

00:31:47 Zane Pelletier

Wow.

00:31:47 Zane Pelletier

Yeah, no, definitely.

00:31:48 Zane Pelletier

I think that for this in particular, actually going through the process of performing glitching on a chip, first off, sounds like there's definitely some things that you pick up.

00:32:03 Zane Pelletier

I think with any skill, there's something that you say, oh, I can, I learned such and such X, Y, and Z last time, and I can quickly

00:32:13 Zane Pelletier

try to adjust these variables more the next time.

00:32:16 Zane Pelletier

But yeah, with this, it's so interesting because of that variance in, as you were mentioning, the actual physical properties of each chip, even if it's the same chip, the same part on the same board, right?

00:32:29 Zane Pelletier

Or same type of board, rather.

00:32:31 Zane Pelletier

So yeah, I mean, I think that's very, I think it provides a lot of clarity to people listening to see, you know, what is required to actually carry something like this out.

00:32:41 Zane Pelletier

So I guess

00:32:42 Zane Pelletier

I have a question for you now about after you found this glitch, you know it's reproducible.

00:32:49 Zane Pelletier

You see that it's feasible on this chip, right, on this device.

00:32:52 Zane Pelletier

How can you pivot now as a security researcher or, you know, if you're thinking about as an attacker, how can you extrapolate this kind of technique and leverage a common exploit across devices?

00:33:04 Zane Pelletier

Do you think that that's something that's feasible with what you found?

00:33:07 Zane Pelletier

Or is it just getting access to

00:33:11 Zane Pelletier

understanding the internals of the chip at that level that this allowed you to do, right.

00:33:17 Gabriel Gonzalez-Garcia

Yeah, so that's a good question, right?

00:33:18 Gabriel Gonzalez-Garcia

So, in the specific of this drone, the DJ drone had a lead core chip, the one that we are targeting, which is, there is no information around, right?

00:33:30 Gabriel Gonzalez-Garcia

where you need to buy it.

00:33:32 Gabriel Gonzalez-Garcia

And then when you have, you buy in large quantities, that's when they give you the other information.

00:33:36 Gabriel Gonzalez-Garcia

So that's all the data sheets and everything is not public.

00:33:40 Gabriel Gonzalez-Garcia

So these attacks will be specific to this chip.

00:33:43 Gabriel Gonzalez-Garcia

So after I was able to find the glitch or let's say the vulnerability, right, that you can kind of exploit, the next step was to identify a way to abuse this weakness of the chip.

00:34:00 Gabriel Gonzalez-Garcia

As I mentioned, there are different ways that you can do it.

00:34:02 Gabriel Gonzalez-Garcia

One is started in the JTAG, but as well, and this debug interface, there is no public information.

00:34:08 Gabriel Gonzalez-Garcia

We are required to desolder and remove all the chips and look for all the balls on the BGA and the BGA, which is what the chips that don't have like outside pins, they make connection with the board on the bottom part.

00:34:26 Gabriel Gonzalez-Garcia

And there are hundreds of balls, so you will need to potentially

00:34:29 Gabriel Gonzalez-Garcia

Test 20 or 30 balls and see if you can manage to get the data interface, so that's a very lengthy process, and you can also destroy some throws in the web, which is not ideal, so I targeted the...

00:34:45 Gabriel Gonzalez-Garcia

the firmware update feature, right?

00:34:48 Gabriel Gonzalez-Garcia

So now that I knew the position and the parameters that were more or less localized, what I did was to begin injecting glitches while I was transferring data to the drone, right?

00:35:01 Gabriel Gonzalez-Garcia

So basically what the firmware update part, what it does is gets firmware from a USB and then begins the update.

00:35:09 Gabriel Gonzalez-Garcia

And for that, what it does is copy a large amount of data because the updates are worth a couple of gigabytes.

00:35:15 Gabriel Gonzalez-Garcia

So it copies lots of data between one memory location to another, basically between the USB part to other memory.

00:35:23 Gabriel Gonzalez-Garcia

And for that, what it executes many times is a memcpy function, right?

00:35:27 Gabriel Gonzalez-Garcia

This basically what you do is load into a register from memory, and then you copy that memory to another address, right?

00:35:35 Gabriel Gonzalez-Garcia

To another address in the space.

00:35:37 Gabriel Gonzalez-Garcia

And what we do was to begin injecting glitches while this was being performed.

00:35:43 Gabriel Gonzalez-Garcia

And what I was able to achieve was to get an instruction modified in a way that I could control the address where the memory, the data I was supplying was located, was provided, right?

00:36:01 Gabriel Gonzalez-Garcia

So basically the exploit looks like the firmware, right?

00:36:05 Gabriel Gonzalez-Garcia

I need to provide a firmware.

00:36:07 Gabriel Gonzalez-Garcia

I modified firmware myself because it wouldn't be possible to be signed by the company because something that is malicious.

00:36:15 Gabriel Gonzalez-Garcia

And while I provide this firmware that has the address of the target address that I want to overwrite and the data that I want to put in that address, that would be how I need to create that firmware.

00:36:31 Gabriel Gonzalez-Garcia

And then when I was supplying this custom firmware, I had to inject all the...

00:36:37 Gabriel Gonzalez-Garcia

I need to begin the campaign, begin injecting glitches, and eventually the instruction would flip to the one that I needed, and it would copy my firmware into the memory location, right?

00:36:47 Gabriel Gonzalez-Garcia

It would overwrite memory addresses that it wanted.

00:36:50 Gabriel Gonzalez-Garcia

So that's how the attack was actually performed.

00:36:55 Gabriel Gonzalez-Garcia

And to the question of how this would apply to a different device, as we were talking before, this is very specific to the chip.

00:37:06 Gabriel Gonzalez-Garcia

And so, this could could apply this, I mean the same setup and everything, and we need to have the same chip, there's a Leadcore chip, and it was running an Android device, so we should have a similar set of environment, so that it could be more, you don't need to go and reset the whole space of parameters.

00:37:31 Gabriel Gonzalez-Garcia

But if, for example, the next version of the chip uses a completely different, I mean, the next version of the drone uses a completely different chip, everything would need to start from scratch, right?

00:37:41 Gabriel Gonzalez-Garcia

So, everything, all these phone injection attacks are tailored to the chip itself, because it's a vulnerability more on the chip rather than on the software that is executing, although...

00:37:53 Gabriel Gonzalez-Garcia

you target or we target software features that we want to bypass, but the problem is in the chip as well.

00:38:03 Gabriel Gonzalez-Garcia

So that's more or less how it is.

00:38:06 Gabriel Gonzalez-Garcia

I see.

00:38:06 Zane Pelletier

Yeah, so essentially you're able to re-flash the firmware onto the chip and circumvent whatever secure boot processes they had or secure flashing processes that the vendor had.

00:38:17 Zane Pelletier

Yeah, and this might not be...

00:38:19 Zane Pelletier

Directly, it's not something that you immediately have access to do this on every drone, like you're not able to.

00:38:26 Zane Pelletier

There isn't some secret mechanism you've discovered here.

00:38:30 Zane Pelletier

It's basically just modifying it, so it will take it in that instance.

00:38:33 Zane Pelletier

That makes sense.

00:38:34 Gabriel Gonzalez-Garcia

Okay, yeah, it's more about also, because this is a complex...

00:38:38 Gabriel Gonzalez-Garcia

There are lots of literature on full injection, and there is a lot of that on microcontrollers.

00:38:43 Gabriel Gonzalez-Garcia

There is less available on complex chips or SoCScomplex socks.

00:38:47 Gabriel Gonzalez-Garcia

On this one specifically, this chip had four cores, and that makes it even more difficult, right?

00:38:52 Gabriel Gonzalez-Garcia

Because you need to place, if you might in, if the code your target team runs on a core or is jumping from core to core, it makes it more difficult to find the location.

00:39:02 Gabriel Gonzalez-Garcia

And so, well, there are things that we try to reduce that

00:39:07 Gabriel Gonzalez-Garcia

Those variables, also all the learning experiences, and that we were able to use these wild jumps, or there are different ways of how this attack is performed.

00:39:19 Gabriel Gonzalez-Garcia

This is also a learning experience that you can then reuse in different projects, right?

00:39:23 Gabriel Gonzalez-Garcia

So, maybe the whole setup is different, but at the end of the day, also the attack that is...

00:39:30 Gabriel Gonzalez-Garcia

It's achievable, and you can use it in a different chip.

00:39:34 Gabriel Gonzalez-Garcia

You will need to narrow down all the parameters and get that set up a while.

00:39:38 Gabriel Gonzalez-Garcia

When that is done, then you can use this technique of manipulating, for example, the firmware update mechanism.

00:39:48 Zane Pelletier

Wow, yeah, no, that's amazing to see something like this in action and something that you hear about again.

00:39:55 Zane Pelletier

but I think it's very rare to have someone who can kind of sit down and explain the process and also realistic outcomes, right?

00:40:04 Zane Pelletier

I guess I do want to wrap up soon, but I do want to ask how did the vendor react to this disclosure?

00:40:11 Zane Pelletier

If you can talk about that a little bit, what steps did they take after?

00:40:15 Zane Pelletier

And kind of, that's always interesting to me when you do some kind of responsible disclosure like this, how was it working with DJI with this process?

00:40:24 Zane Pelletier

project.

00:40:25 Gabriel Gonzalez-Garcia

Yeah, the DGA team was very good and they handled that very well, right?

00:40:30 Gabriel Gonzalez-Garcia

We contacted them.

00:40:34 Gabriel Gonzalez-Garcia

We found the security contact.

00:40:36 Gabriel Gonzalez-Garcia

I can't remember exactly how we got to that.

00:40:38 Gabriel Gonzalez-Garcia

But we shared the report and everything before we published anything, of course.

00:40:47 Gabriel Gonzalez-Garcia

And they reacted very promptly.

00:40:49 Gabriel Gonzalez-Garcia

So we set out a call, I was discussing with them what I found.

00:40:53 Gabriel Gonzalez-Garcia

And they even granted me with the bug bounty for the finding, and then they said that they did the problem with this thing is that in the current drums you cannot do much, where there are software mitigations that you can do to mitigate, but if there are no glitch detectors implemented in the chip.

00:41:17 Gabriel Gonzalez-Garcia

You cannot change the chip while something is already so, right?

00:41:20 Gabriel Gonzalez-Garcia

So, I knew that they were beginning to investigate into the full injection, and I evaluated for that coming project, so I think they behaved very well, and everything was very...

00:41:37 Gabriel Gonzalez-Garcia

very fast.

00:41:37 Gabriel Gonzalez-Garcia

They didn't delay anything.

00:41:38 Gabriel Gonzalez-Garcia

So I was very happy with their security team.

00:41:42 Zane Pelletier

Wow, that's great.

00:41:43 Zane Pelletier

That's great to hear.

00:41:43 Zane Pelletier

Yeah, I mean, yeah, mitigations on this are difficult, right?

00:41:46 Zane Pelletier

The hardware is the hardware, and changing that can be costly, and also kind of like almost like future recommendations for future platforms that they create.

00:41:56 Zane Pelletier

Maybe they could take that into account.

00:41:58 Zane Pelletier

But yeah, as you described it, that seems very difficult to protect against, essentially.

00:42:04 Zane Pelletier

Well, amazing.

00:42:05 Zane Pelletier

Thank you, Gabriel, for joining me today.

00:42:08 Zane Pelletier

I really appreciate it.

00:42:09 Zane Pelletier

I've really enjoyed talking with you about this and getting in depth into the process of actually performing fault injection, you know, talking about this.

00:42:18 Zane Pelletier

I know that we talked about this with regards to UAVs and drones, but I think that this is applicable really to any embedded device, right?

00:42:26 Zane Pelletier

And anything that uses a chip that, you know,

00:42:31 Zane Pelletier

Is, I would say, somewhat simple.

00:42:32 Zane Pelletier

I think, as the system gets more complex, it's more difficult to actually do something like this, right?

00:42:38 Zane Pelletier

But I think this is an amazing discussion to kind of jump into that.

00:42:41 Zane Pelletier

Do you have any final closing thoughts for those listening?

00:42:46 Gabriel Gonzalez-Garcia

Just to mention that...

00:42:48 Gabriel Gonzalez-Garcia

The fault injection attacks are something that is real, right?

00:42:51 Gabriel Gonzalez-Garcia

It's been exploited on the wild, and the conferences and security conferences out there, is always new kind of attacks or different devices that have been bypassed by fault injection.

00:43:02 Gabriel Gonzalez-Garcia

So, yeah, I think it's something that needs to be taken into account, of course, depending on the business scenarios.

00:43:08 Gabriel Gonzalez-Garcia

Each company has their own risks, but it's something that is not futuristic, it's something that is already here, and it needs to be taken into consideration.

00:43:18 Zane Pelletier

100%, yeah.

00:43:19 Zane Pelletier

I know, it's very real.

00:43:22 Zane Pelletier

All right, awesome.

00:43:22 Zane Pelletier

Thank you so much.

00:43:23 Zane Pelletier

Well, thank you everyone listening for tuning in to this episode of Empowering Tomorrow's Automotive Software Podcast.

00:43:29 Zane Pelletier

We hope that you as the listener found our discussion insightful and valuable.

00:43:33 Zane Pelletier

If you enjoyed today's episode, don't forget to subscribe on Spotify, Apple Music, or wherever you get your podcasts.

00:43:39 Zane Pelletier

Feel free to share this episode with your network and leave us with a review.

00:43:42 Zane Pelletier

We would love to hear your feedback.

00:43:44 Zane Pelletier

This concludes our episode.

00:43:45 Zane Pelletier

Please check in again for a new one.

00:43:50 Voiceover

Thank you for joining this episode of the Empowering Tomorrow's Automotive Software Podcast.

00:43:54 Voiceover

Please leave a comment or review with your feedback or what you'd like to hear in future episodes.

00:43:59 Voiceover

To learn more about Automotive Embedded Systems and ETAS's capabilities, visit our website at ETAS.

00:44:05 Voiceover

That's ETAS.com.