Download as PDF, PPTX
More Related Content
Similar to Undermining Diagnostics Security: Bypassing UDS Security Checks
Undermining Diagnostics Security: Bypassing UDS Security Checks
- 1. 1 Undermining Diagnostics Security NiekTimmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers Bypassing UDS Security Checks
- 2. 2 Today we aretalking about
- 3. 3 Typical ECUs foundin a car…
- 4. 4Undermining Diagnostics Services:Bypassing UDS Security Checks They come in all forms, shapes and sizes!
- 5. 5Undermining Diagnostics Services:Bypassing UDS Security Checks … and you can buy them cheaply! Lots of them are stuck in cars worldwide…
- 6. 6Undermining Diagnostics Services:Bypassing UDS Security Checks
- 7. 7Undermining Diagnostics Services:Bypassing UDS Security Checks We can analyze them easily with little funding! To understand we need the firmware! Understand target Identify vulnerability Exploit vulnerability
- 8. 8Undermining Diagnostics Services:Bypassing UDS Security Checks Interfaces Leaks Software Firmware upgrade Obtaining ECU firmware Chips Let’s open up an ECU!
- 9. 9Undermining Diagnostics Services:Bypassing UDS Security Checks MCU EEPROM Debug I/O CAN Firmware is stored inside the MCU!
- 10. 10Undermining Diagnostics Services:Bypassing UDS Security Checks Wait… Peter told us what we can speak!
- 11. 11Undermining Diagnostics Services:Bypassing UDS Security Checks Unified Diagnostic Services (UDS) • Diagnostics • Data Transmission • Security Access • And loads of more stuff… It’s everywhere! It’s standardized! It’s easy!
- 12. 12Undermining Diagnostics Services:Bypassing UDS Security Checks • Local through the DLC / OBD • Remotely using a cellular connection • Directly on the ECU itself Talking UDS
- 13. 13Undermining Diagnostics Services:Bypassing UDS Security Checks • Reprogramming • Loading new firmware • Read and write memory • Accessing device internals • (Re)configuration • Adding keys, changing mileage, etc. Why are hackers interested?
- 14. 14Undermining Diagnostics Services:Bypassing UDS Security Checks What protects all this juice from malicious use?
- 15. 15Undermining Diagnostics Services:Bypassing UDS Security Checks It should not be possible to brute force or guess the key!
- 16. 16Undermining Diagnostics Services:Bypassing UDS Security Checks Key size • 8-bit • 16-bit • 32-bit • 64-bit • 128-bit
- 17. 17Undermining Diagnostics Services:Bypassing UDS Security Checks Try count
- 18. 18Undermining Diagnostics Services:Bypassing UDS Security Checks Seed randomness
- 19. 19Undermining Diagnostics Services:Bypassing UDS Security Checks Algorithm strength • Pre-shared secret • Addition • Exclusive-Or • (H)MAC • Asymmetric cryptography • RSA • ECC NOT OFTEN SEEN IN THE WILD (YET?)
- 20. 20Undermining Diagnostics Services:Bypassing UDS Security Checks • Large key: 256-bit • Secure algorithm using strong crypto • After 3 wrong tries there is a 30 minute delay • Random seed based using a TRNG+PRNG A strong implementation! Is this sufficient to protect against determined attackers?
- 21. 21Undermining Diagnostics Services:Bypassing UDS Security Checks Back-end system Tester Gateway ECU A DLC ECU B Diagnostics The transformation algorithm and secret(s) are stored inside the ECU! Attacker has access!
- 22. 22Undermining Diagnostics Services:Bypassing UDS Security Checks How do we get access to the firmware of an secured ECU? Access to ECU’s firmware results in access to the key!
- 23. 23Undermining Diagnostics Services:Bypassing UDS Security Checks MCU EEPROM Debug I/O CAN VCC
- 24.
- 25. 25Undermining Diagnostics Services:Bypassing UDS Security Checks Fault Injection – Tooling ChipWhisperer® Fault Injection tooling is available to the masses! Open source Commercial Inspector FI
- 26. 26Undermining Diagnostics Services:Bypassing UDS Security Checks
- 27. 27Undermining Diagnostics Services:Bypassing UDS Security Checks What happens when we glitch? Things go wrong!
- 28. 28Undermining Diagnostics Services:Bypassing UDS Security Checks Fault Injection breaks things! • We can change memory contents • We can change register contents • We can change the executed instructions We can change the intended behavior of software!
- 29. 29Undermining Diagnostics Services:Bypassing UDS Security Checks ReadMemoryByAddress(0x00000000, 0x40) Two checks are bypassed using a single glitch!
- 30. 30Undermining Diagnostics Services:Bypassing UDS Security Checks Glitching ReadMemoryByAddress • Successful on several different ECUs implementing UDS • Designed around different MCUs • Depending on the target… • Allows reading out N bytes from an arbitrary address • Complete firmware extracted in the order of days • Depended on flash size and success rate
- 31. 31Undermining Diagnostics Services:Bypassing UDS Security Checks We have access to firmware… now what?
- 32. 32Undermining Diagnostics Services:Bypassing UDS Security Checks
- 33. 33Undermining Diagnostics Services:Bypassing UDS Security Checks Getting firmware Secrets Hacking Reconfiguration Reverse engineering Understanding Scaling up the attack
- 34. 34Undermining Diagnostics Services:Bypassing UDS Security Checks Can’t we do something about this?
- 35. 35Undermining Diagnostics Services:Bypassing UDS Security Checks • Don’t expose secrets to software • use secure hardware (E.g. SHE+) • Avoid using pre-shared secrets • use asymmetric cryptography (E.g. RSA) • Adjust the product’s threat model • protect against hardware attacks Hardening ECUs
- 36. 36Undermining Diagnostics Services:Bypassing UDS Security Checks As always, defense in depth is key!
- 37. 37Undermining Diagnostics Services:Bypassing UDS Security Checks Key takeaways • Hardware cannot be trusted • No software vulnerabilities != secure • Hardware attacks do scale • They are a stepping stone to scalable attacks • Your firmware will be exposed • Pre-shared secrets will be compromised
- 38. 38Undermining Diagnostics Services:Bypassing UDS Security Checks Thank you! Any questions? Niek Timmers Principal Security Analyst, Riscure niek@riscure.com / @tieknimmers