3-DAY TRAINING 3 – Embedded Security for Automotive


CAPACITY: 20 pax


EUR2599 (early bird)

EUR3199 (normal)

Early bird registration rate ends on the 28th of February



Modern cars are digital devices, controlled with multiple ECUs and millions of lines of software code. They are the frontline of modern embedded device development. With respect to unique safety requirements and rapid development of V2x communications, automotive security benefits from the expertise of other embedded applications. The Embedded Security for Automotive is brought to you by embedded device security veterans, with years of expertise in securing payment and content protection application. In this training you will look at an automotive solution from an attacker’s perspective. You will learn how ECUs can be hacked, and identify ways to apply this knowledge to your product and make it more robust. As a result, you will obtain the expertise to make effective security-related decisions throughout the entire development lifecycle of a vehicle electronic system.

Who Should Attend

This training is ideal for engineers and managers with limited to no security knowledge working at manufacturers and suppliers in the automotive, trucks, rail and aviation industries, in the following roles: System Engineering, Cyber Security management, Software architecture, Software and hardware development, Electrics/electronics, Safety and functional engineering.

Key Learning Objectives

The goal of the three day interactive training is to gain an overview of in vehicle security with focus on critical systems. In the training your team gains a solid technical grasp of the fundamentals of security engineering, and how they relate to typical sub-components presented on an embedded system, and the functionality of an embedded system.

Next, we look at the automotive target from the perspective of an attacker who aims to compromise the systems assets, gaining runtime control and or retrieving sensitive data, etc. You will obtain new skill sets for identifying these assets, determine the most likely attack paths an attacker will use and refine this attack path in order to discover tooling available to an attacker used to compromise the system. During the training we discuss why implementation attacks are a threat to the security of protocols and cryptographic algorithms, MISRA-C coding guidelines, side channel analysis and fault injection attacks.

Finally, we discuss system defense strategies which are the most sophisticated and complex view of an embedded system. Creating a defense strategy requires not only the understanding of how a system works or how an attacker would compromise an asset, but also to have the ability to prioritize defense according to risk, time, cost, surface, etc.

Prerequisite Knowledge

Knowledge of basic computer science concepts. More importantly an open mind and willingness to learn!

Hardware / Software Requirements

Hardware requirements:

  • Please bring your computer or laptop & power brick
  • Make sure you have ~10GB free disk space (otherwise the VM we will be using may not fit)

Software requirements:

Please install VirtualBox (latest version) in your machine, as well as install the VirtualBox extensions.
You can download your preferred version from the virtualbox website:

In case you prefer direct download, here you have the links:

If you want, you can bring your preferred note-taking tool (e.g. paper notebook) besides your laptop.
Handouts will be provided for exercises that require taking notes.

Agenda Day 1: Fundamentals

Part 1: Fundamentals of security engineering

  • Recognize security assets in a given Target Of Evaluation (TOE)
  • Systematically find attack paths : attack trees
  • Profile the attackers
  • Rate attacks and prioritize attack paths
  • Common defense methods (built-in vs built-on security)

Part 2: An introduction to Embedded Systems

  • Identify the relevance of a component for security
  • Develop a basic understanding of PCB layout
  • Tools used to interact with the target device
  • Memories: An interlude
  • Attacker perspective: assumptions and specifications

Agenda Day 2: Attacks on modern embedded systems

  • Model the attack surface of the Riscurino* board
  • Retrieve assets from the TOE: dumping the MCU non-volatile memory (firmware)
  • Implementation attacks and Misra-C guidelines
  • Side channel attacks- retrieve keys from crypto algorithm implementations
  • Use the JIL system to rate attacks
  • Use FI to bypass the UDS security access

Agenda Day 3: Defense plan and implementation security

  • Evaluate the required security principles and concepts
  • Hardening electronic systems against: physical, implementation, SCA and FI attacks

Case study: the JEEP hack :

  • Create the attack tree to retrieve assets
  • Prioritizing attacks paths
  • Hardening the ECU against modern threats
  • Use SDLC methodology to maintain the security of a system

Location: Training Rooms Date: May 6, 2019 Time: 9:00 am - 6:00 pm Yashin Mehaboobe Rafael Boix Carpi