
Undermining Diagnostics Security: Bypassing UDS Security Checks

Slides for my presentation "Undermining Diagnostics Security: Bypassing UDS Security Checks" at the OBD Symposium in Indianapolis (2018).

Published in: Automotive

  1. Undermining Diagnostics Security: Bypassing UDS Security Checks. Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
  2. Today we are talking about
  3. Typical ECUs found in a car…
  4. They come in all forms, shapes and sizes!
  5. … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
  7. We can analyze them easily with little funding! To understand we need the firmware!
     • Understand target
     • Identify vulnerability
     • Exploit vulnerability
  8. Obtaining ECU firmware: Interfaces, Leaks, Software, Firmware upgrade, Chips. Let’s open up an ECU!
  9. [Figure labels: MCU, EEPROM, Debug I/O, CAN] Firmware is stored inside the MCU!
  10. Wait… Peter told us what we can speak!
  11. Unified Diagnostic Services (UDS)
     • Diagnostics
     • Data Transmission
     • Security Access
     • And loads of more stuff…
     It’s everywhere! It’s standardized! It’s easy!
  12. Talking UDS
     • Local through the DLC / OBD
     • Remotely using a cellular connection
     • Directly on the ECU itself
  13. Why are hackers interested?
     • Reprogramming
     • Loading new firmware
     • Read and write memory
     • Accessing device internals
     • (Re)configuration
     • Adding keys, changing mileage, etc.
  14. What protects all this juice from malicious use?
  15. It should not be possible to brute force or guess the key!
  16. Key size
     • 8-bit
     • 16-bit
     • 32-bit
     • 64-bit
     • 128-bit
  17. Try count
  18. Seed randomness
  19. Algorithm strength
     • Pre-shared secret
     • Addition
     • Exclusive-Or
     • (H)MAC
     • Asymmetric cryptography
     • RSA
     • ECC
     NOT OFTEN SEEN IN THE WILD (YET?)
  20. A strong implementation!
     • Large key: 256-bit
     • Secure algorithm using strong crypto
     • After 3 wrong tries there is a 30 minute delay
     • Random seed generated using a TRNG+PRNG
     Is this sufficient to protect against determined attackers?
  21. [Figure labels: Back-end system, Tester, Gateway, ECU A, DLC, ECU B, Diagnostics] The transformation algorithm and secret(s) are stored inside the ECU! Attacker has access!
  22. How do we get access to the firmware of a secured ECU? Access to the ECU’s firmware results in access to the key!
  23. [Figure labels: MCU, EEPROM, Debug I/O, CAN, VCC]
  24. [Figure axis labels: 5.5V, 1.8V, time]
  25. Fault Injection – Tooling. Open source: ChipWhisperer®. Commercial: Inspector FI. Fault Injection tooling is available to the masses!
  27. What happens when we glitch? Things go wrong!
  28. Fault Injection breaks things!
     • We can change memory contents
     • We can change register contents
     • We can change the executed instructions
     We can change the intended behavior of software!
  29. ReadMemoryByAddress(0x00000000, 0x40). Two checks are bypassed using a single glitch!
  30. Glitching ReadMemoryByAddress
     • Successful on several different ECUs implementing UDS
     • Designed around different MCUs
     • Depending on the target…
     • Allows reading out N bytes from an arbitrary address
     • Complete firmware extracted in the order of days
     • Depended on flash size and success rate
  31. We have access to firmware… now what?
  33. [Figure labels: Getting firmware, Secrets, Hacking, Reconfiguration, Reverse engineering, Understanding, Scaling up the attack]
  34. Can’t we do something about this?
  35. Hardening ECUs
     • Don’t expose secrets to software
        • use secure hardware (E.g. SHE+)
     • Avoid using pre-shared secrets
        • use asymmetric cryptography (E.g. RSA)
     • Adjust the product’s threat model
        • protect against hardware attacks
  36. As always, defense in depth is key!
  37. Key takeaways
     • Hardware cannot be trusted
     • No software vulnerabilities != secure
     • Hardware attacks do scale
     • They are a stepping stone to scalable attacks
     • Your firmware will be exposed
     • Pre-shared secrets will be compromised
  38. Thank you! Any questions? Niek Timmers, Principal Security Analyst, Riscure. niek@riscure.com / @tieknimmers
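
The "strong implementation" checklist from slide 20, modelled as ECU-side SecurityAccess handling. This is an added example, not code from the presentation or from Riscure: `SecurityAccess`, `compute_key` and the injectable `clock` are hypothetical names, and HMAC-SHA-256 stands in for "secure algorithm using strong crypto". The secret is still held by software here, which is the weakness slides 21 and 35 point at.

```python
import hashlib
import hmac
import secrets

SID, POS = 0x27, 0x67                     # SecurityAccess request / positive response SID
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_INCORRECT_LENGTH = 0x13
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
NRC_DELAY_NOT_EXPIRED = 0x37
MAX_TRIES, LOCKOUT_S = 3, 30 * 60         # slide 20: 3 wrong tries, 30 minute delay

def compute_key(secret: bytes, seed: bytes) -> bytes:
    """Seed-to-key transformation; HMAC-SHA-256 is this example's choice."""
    return hmac.new(secret, seed, hashlib.sha256).digest()

class SecurityAccess:
    """ECU-side model of one security level: 0x01 requestSeed, 0x02 sendKey."""
    def __init__(self, secret: bytes, clock):
        self.secret, self.clock = secret, clock   # clock is injectable for testing
        self.seed, self.failed = None, 0
        self.locked_until, self.unlocked = 0.0, False

    def _neg(self, nrc: int) -> bytes:
        return bytes([0x7F, SID, nrc])

    def handle(self, req: bytes) -> bytes:
        if len(req) < 2:                          # dispatcher already routed on SID 0x27
            return self._neg(NRC_INCORRECT_LENGTH)
        if self.clock() < self.locked_until:      # delay also blocks new seed requests
            return self._neg(NRC_DELAY_NOT_EXPIRED)
        if req[1] == 0x01:
            self.seed = secrets.token_bytes(32)   # fresh 256-bit seed from the OS CSPRNG
            return bytes([POS, 0x01]) + self.seed
        if req[1] != 0x02:
            return self._neg(NRC_SUBFUNCTION_NOT_SUPPORTED)
        if self.seed is None:                     # sendKey without a pending seed
            return self._neg(NRC_REQUEST_SEQUENCE_ERROR)
        expected, self.seed = compute_key(self.secret, self.seed), None  # one try per seed
        if hmac.compare_digest(expected, req[2:]):  # constant-time comparison
            self.failed, self.unlocked = 0, True
            return bytes([POS, 0x02])
        self.failed += 1
        if self.failed < MAX_TRIES:
            return self._neg(NRC_INVALID_KEY)
        self.failed, self.locked_until = 0, self.clock() + LOCKOUT_S
        return self._neg(NRC_EXCEEDED_ATTEMPTS)
```

A production ECU would also persist the failure counter and lockout deadline across resets, so that power-cycling does not clear them.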