Академический Документы
Профессиональный Документы
Культура Документы
OBDII
port
Body Control
Module
Engine
Control
Unit
“BMW Group considers the security level “The objective of manipulating the
for our customers and products ensured” steering and brake was not achieved”
Attacker model
Telematics
Instrument
Unit
Cluster
Gateway
ECU
CAN bus
OBDII
port
Body Control
Module
Engine
Control
Unit
Attacker model
Telematics
Instrument
Unit
Cluster
Gateway
ECU
Unencrypted
Unauthenticated
OBDII
port
Body Control
Module
Engine
Control
Unit
Overview
1. Motivation & attacker model
2. Introduction to diagnostic protocols
3. Security analysis of diagnostic protocols
4. Executing arbitrary code on an ECU via CAN
5. Implications & mitigation
What are automotive diagnostics?
For diagnosing
Electronic Control
Units (ECUs)
Used by service
technicians
- Request fault
codes
- (Re)calibrate ECU
- Reprogram ECU
Diagnostic Protocol Standards
● Very advanced
Universal Measurement and Calibration Protocol (XCP) diagnostics
● Debugging
ASAM MCD-1 XCP interface to the
ECU
● Reprogramming
CAN, Ethernet, USB, Flexray,...
functionality
Diagnostic Protocol Standards
Download through
Unified Diagnostic Services UDS
(UDS)
ISO 14229-1
XCP
ISO 15765 (ISO-TP)
CAN Flash
CAN ...
driver driver
Unified Diagnostic Services
Requests defined by keyword and
optional arguments
CAN ID CAN ID
0x726 0x72E
Unified Diagnostic Services
Requests defined by keyword
and optional arguments
Diagnostic Session Control
- Programming
- Extended Diagnostic
10 02
0
50 02 00 01 5
CAN ID CAN ID
0x726 0x72E
Unified Diagnostic Services
Requests defined by keyword
and optional arguments
ECU Reset
- Soft reset of ECU
11 01
51 01
REBOOT
CAN ID CAN ID
0x726 0x72E
Unified Diagnostic Services
Requests defined by keyword
and optional arguments
Security Access
- Challenge-Response
27 01
challenge/response size and
cipher left up to manufacturer
E
67 01 2B 46 6
27 02 5F C1 0
5
67 02
CAN ID CAN ID
0x726 0x72E
Unified Diagnostic Services
Requests defined by
keyword and optional
arguments
34 00 22 10 0
0 01 00
Download Services:
74 20 04 02
36 01
RequestDownload
- Optional encryption
DATA
- Address and size
TransferData 76 01
TransferExit
37 01
- Provides checksum
77 F3 2A
Unified Diagnostic Services
Requests defined by
keyword and optional
arguments
RoutineControl: execute 31 01 03 01 1
0 10
manufacturer-defined
routines 71 01
- Identified by Routine
Execute
ID and optional Routine 0301
arguments
CAN ID CAN ID
0x726 0x72E
Overview
1. Motivation & attacker model
2. Introduction to diagnostic protocols
3. Security analysis of diagnostic protocols
4. Executing arbitrary code on an ECU via CAN
5. Implications & mitigation
Extracting and analysing ECU firmware
1. Collect car parts
Extracting and analysing ECU firmware
Brute force:
Fiat challenge-response cipher
Two 16-bit LFSRs with Input I0 and I1 both run for 24 rounds
In: 32-bit Challenge C, 32-bit Secret S, 16 bit tapping sequence, 16-bit
start state
Out: 32-bit Response R
I0 = C0..8 ⊕ S8..16 | C16..24 >>> 5 | S0..8
I1 = C24..32 ⊕ S24..32 | Permute(C8..16) | S16..24
R = bytes of both internal LFSR states permuted
Fiat challenge-response cipher
WEAKNESSES:
- two 16-bit LFSRs instead of one 32-bit LFSR
- key diversification
Fiat BSI
0x12 0xDC 0x34 0x7A 0x8408 0xFFFF
2012+
Fiat BSI
0x21 0xDC 0x43 0x7A 0x3423 0xFFFF
2012-
Fiat challenge-response cipher
WEAKNESSES:
- two 16-bit LFSRs instead of one 32-bit LFSR
- key diversification
ECU S[0] S[1] S[2] S[3] taps start state
Fiat BSI
0x12 0xDC 0x34 0x7A 0x8408 0xFFFF
2012+
Fiat BSI
0x21 0xDC 0x43 0x7A 0x3423 0xFFFF
2012-
Audi challenge-response cipher
ECU translates a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given value
(0x87), rotate left (0x81) /right (0x82), add (0x93)/
substract (0x84) given value / loops (0x68) and if-
statements (0x4A)
internal state initialised with Challenge C (32 bits)
Example:
814a0a84000000018704c11db7814a078704c11db76b059300000001814a0a840000000187
04c11db7814a078704c11db76b059300000001814a078704c11db76b059300000001814a07
8704c11db76b059300000001814a0a84000000018704c11db7814a0a84000000018704c11d
b7814a078704c11db76b059300000001814a078704c11db76b059300000001814a078704c1
1db76b0593000000014c
Audi challenge-response cipher
Internal state initialised with Challenge C (32 bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11db76b05
9300000001814a0a84000000018704c11db7814a078704
c11db76b059300000001814a078704c11db76b05930000
0001814a078704c11db76b059300000001814a0a840000
00018704c11db7814a0a84000000018704c11db7814a07
8704c11db76b059300000001814a078704c11db76b0593
00000001814a078704c11db76b0593000000014c
Audi challenge-response cipher
Internal state S initialised with Challenge C (32
bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11d
b76b059300000001
S = S <<< 1
Audi challenge-response cipher
Internal state S initialised with Challenge C (32
bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11d
b76b059300000001
if(! shifted_bit): skip 0x0a * 2 bytes
Audi challenge-response cipher
Internal state S initialised with Challenge C (32
bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11d
b76b059300000001
S = S - 1
Audi challenge-response cipher
internal state S initialised with Challenge C (32
bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11d
b76b059300000001
S = S XOR 0x04c11db7
Audi challenge-response cipher
internal state S initialised with Challenge C (32
bits)
ECU interprets a sequence of bytes (~Secret) into
operations on ‘internal state’: XOR with given
value, rotate left/right, add/subtract given value
814a0a84000000018704c11db7814a078704c11d
b76b059300000001
…
Cipher structure dependent on Secret!
Audi challenge-response cipher
Audi challenge-response cipher
hardcoded backdoor:
0xCAFFE012
Challenge-Response security
● Small challenge, response and internal state: 24
or 32-bit lead to insecure ciphers
-> One valid challenge-response pair allows
an attacker to recover secret
Can be obtained by:
- Observing existing diagnostic tools
- Search over CAN
Try secret
Invalid Response
Attack over CAN
Goal: recover diagnostic secret for certain ECU
After certain
number of
invalid attempts
Exceeded number of attempts: Delay timer active
Attack over CAN
Goal: recover diagnostic secret for certain ECU
After an
ECUReset
Delay timer not expired
Attack over CAN
Goal: recover diagnostic secret for certain ECU
Circumvent delay mechanism:
● Request new Programming Mode
● ECUReset (~1s)
Executing Arbitrary code on an ECU
Download of machine code to
the ECU through UDS functions
ECU can activate Watchdog
Reset Timer before execution
No access restrictions in place!
Gives attacker full access to:
- CAN
- Flash (External/Internal)
- EEPROM
- Any other peripherals
Overview
1. Motivation & attacker model
2. Introduction to diagnostic protocols
3. Security analysis of diagnostic protocols
4. Executing arbitrary code on an ECU via CAN
5. Implications & mitigation
Practical Implications
Challenge
Request
SKdiag
t C h a l l en ge C
128-bi
ca ted R VERIFY
Authenti
Mitigation: code execution
Compiled code
PKmanuf
CAN bus
Diagnostic
client ECU
Mitigation: code execution
Compiled code
PKmanuf
CAN bus