Undermining Diagnostics Security: Bypassing UDS Security Checks


Slides for my presentation "Undermining Diagnostics Security: Bypassing UDS Security Checks" at the OBD Symposium in Indianapolis (2018).


Undermining Diagnostics Security: Bypassing UDS Security Checks

  1. Undermining Diagnostics Security: Bypassing UDS Security Checks. Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
  2. Today we are talking about
  3. Typical ECUs found in a car…
  4. Undermining Diagnostics Services: Bypassing UDS Security Checks. They come in all forms, shapes and sizes!
  5. … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
  6. (no slide text)
  7. We can analyze them easily with little funding! To understand we need the firmware! Understand target • Identify vulnerability • Exploit vulnerability
  8. Obtaining ECU firmware: Interfaces • Leaks • Software • Firmware upgrade • Chips. Let’s open up an ECU!
  9. Diagram labels: MCU, EEPROM, Debug, I/O, CAN. Firmware is stored inside the MCU!
  10. Wait… Peter told us what we can speak!
  11. Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • Security Access • And loads of more stuff… It’s everywhere! It’s standardized! It’s easy!
  12. Talking UDS • Local through the DLC / OBD • Remotely using a cellular connection • Directly on the ECU itself
  13. Why are hackers interested? • Reprogramming • Loading new firmware • Read and write memory • Accessing device internals • (Re)configuration • Adding keys, changing mileage, etc.
  14. What protects all this juice from malicious use?
  15. It should not be possible to brute force or guess the key!
  16. Key size • 8-bit • 16-bit • 32-bit • 64-bit • 128-bit
  17. Try count
  18. Seed randomness
  19. Algorithm strength • Pre-shared secret • Addition • Exclusive-Or • (H)MAC • Asymmetric cryptography • RSA • ECC. NOT OFTEN SEEN IN THE WILD (YET?)
  20. A strong implementation! • Large key: 256-bit • Secure algorithm using strong crypto • After 3 wrong tries there is a 30 minute delay • Random seed generated using a TRNG+PRNG. Is this sufficient to protect against determined attackers?
  21. Diagnostics. Diagram labels: Back-end system, Tester, Gateway, ECU A, DLC, ECU B. The transformation algorithm and secret(s) are stored inside the ECU! Attacker has access!
  22. How do we get access to the firmware of a secured ECU? Access to the ECU’s firmware results in access to the key!
  23. Diagram labels: MCU, EEPROM, Debug, I/O, CAN, VCC
  24. Plot labels: 5.5V, 1.8V; axis: time
  25. Fault Injection – Tooling. Open source: ChipWhisperer®. Commercial: Inspector FI. Fault Injection tooling is available to the masses!
  26. (no slide text)
  27. What happens when we glitch? Things go wrong!
  28. Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions. We can change the intended behavior of software!
  29. ReadMemoryByAddress(0x00000000, 0x40). Two checks are bypassed using a single glitch!
  30. Glitching ReadMemoryByAddress • Successful on several different ECUs implementing UDS • Designed around different MCUs • Depending on the target… • Allows reading out N bytes from an arbitrary address • Complete firmware extracted in the order of days • Depended on flash size and success rate
  31. We have access to firmware… now what?
  32. (no slide text)
  33. Scaling up the attack. Diagram labels: Getting firmware, Secrets, Hacking, Reconfiguration, Reverse engineering, Understanding
  34. Can’t we do something about this?
  35. Hardening ECUs • Don’t expose secrets to software: use secure hardware (e.g. SHE+) • Avoid using pre-shared secrets: use asymmetric cryptography (e.g. RSA) • Adjust the product’s threat model: protect against hardware attacks
  36. As always, defense in depth is key!
  37. Key takeaways • Hardware cannot be trusted • No software vulnerabilities != secure • Hardware attacks do scale • They are a stepping stone to scalable attacks • Your firmware will be exposed • Pre-shared secrets will be compromised
  38. Thank you! Any questions? Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
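
As an added illustration (not code from the slides or from any ECU), the ECU-side behaviour that slide 20 lists for a "strong implementation" can be modelled as below. Assumptions: HMAC-SHA256 stands in for the "secure algorithm", Python's `secrets` module stands in for the TRNG+PRNG, and the class, function and constant names are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 3          # slide 20: three wrong tries ...
LOCKOUT_S = 30 * 60    # ... then a 30 minute delay
# Negative response codes for SecurityAccess as defined in ISO 14229-1
NRC_SEQUENCE_ERROR, NRC_INVALID_KEY = 0x24, 0x35
NRC_EXCEEDED_ATTEMPTS, NRC_DELAY_NOT_EXPIRED = 0x36, 0x37
POSITIVE = 0x00        # model-only marker for a positive response

def expected_key(secret: bytes, seed: bytes) -> bytes:
    """HMAC-SHA256 as the 'secure algorithm' (an assumption of this example)."""
    return hmac.new(secret, seed, hashlib.sha256).digest()

class SecurityAccess:
    def __init__(self, secret: bytes, clock):
        self.secret, self.clock = secret, clock   # clock: callable returning seconds
        self.seed = None
        self.failures = 0          # must live in non-volatile memory on a real ECU
        self.locked_until = 0.0    # likewise, or a reset clears the delay
        self.unlocked = False

    def request_seed(self):
        if self.clock() < self.locked_until:
            return NRC_DELAY_NOT_EXPIRED
        self.seed = secrets.token_bytes(32)   # OS CSPRNG stands in for TRNG+PRNG
        return self.seed

    def send_key(self, key: bytes) -> int:
        if self.clock() < self.locked_until:
            return NRC_DELAY_NOT_EXPIRED
        if self.seed is None:
            return NRC_SEQUENCE_ERROR
        seed, self.seed = self.seed, None     # a seed is valid for one attempt only
        if hmac.compare_digest(key, expected_key(self.secret, seed)):
            self.failures, self.unlocked = 0, True
            return POSITIVE
        self.failures += 1
        if self.failures >= MAX_TRIES:
            self.failures = 0
            self.locked_until = self.clock() + LOCKOUT_S
            return NRC_EXCEEDED_ATTEMPTS
        return NRC_INVALID_KEY
```

The pre-shared `secret` in this model still lives in software, which is the weakness slides 21, 22 and 35 point at: these checks raise the cost of guessing the key but do nothing once the firmware itself can be read out.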
