The document discusses how security checks for diagnostics services in vehicles can be bypassed. It describes how fault injection techniques can be used to extract firmware from electronic control units (ECUs), allowing attackers to obtain secrets and reconfigure ECUs. Recommendations are provided for hardening ECUs, such as using secure hardware and asymmetric cryptography instead of pre-shared secrets. The key takeaway is that hardware attacks are scalable and will expose firmware, compromising any pre-shared secrets.
7. Undermining Diagnostics Services: Bypassing UDS Security Checks
We can analyze them easily with little funding!
To understand we need the firmware!
Understand target
Identify vulnerability
Exploit vulnerability
8. Undermining Diagnostics Services: Bypassing UDS Security Checks
Obtaining ECU firmware
• Interfaces
• Leaks
• Software
• Firmware upgrade
• Chips
Let’s open up an ECU!
11. Undermining Diagnostics Services: Bypassing UDS Security Checks
Unified Diagnostic Services (UDS)
• Diagnostics
• Data Transmission
• Security Access
• And lots more…
It’s everywhere! It’s standardized! It’s easy!
12. Undermining Diagnostics Services: Bypassing UDS Security Checks
Talking UDS
• Locally through the DLC / OBD
• Remotely using a cellular connection
• Directly on the ECU itself
13. Undermining Diagnostics Services: Bypassing UDS Security Checks
Why are hackers interested?
• Reprogramming
  • Loading new firmware
• Read and write memory
  • Accessing device internals
• (Re)configuration
  • Adding keys, changing mileage, etc.
19. Undermining Diagnostics Services: Bypassing UDS Security Checks
Algorithm strength
• Pre-shared secret
  • Addition
  • Exclusive-Or
  • (H)MAC
• Asymmetric cryptography
  • RSA
  • ECC
NOT OFTEN SEEN IN THE WILD (YET?)
20. Undermining Diagnostics Services: Bypassing UDS Security Checks
• Large key: 256-bit
• Secure algorithm using strong crypto
• After 3 wrong tries there is a 30-minute delay
• Random seed generated using a TRNG+PRNG
A strong implementation!
Is this sufficient to protect against determined attackers?
21. Undermining Diagnostics Services: Bypassing UDS Security Checks
[Diagram labels: Back-end system, Tester, DLC, Gateway, ECU A, ECU B, Diagnostics]
The transformation algorithm and secret(s) are stored inside the ECU!
Attacker has access!
22. Undermining Diagnostics Services: Bypassing UDS Security Checks
How do we get access to the firmware of a secured ECU?
Access to ECU’s firmware results in access to the key!
25. Undermining Diagnostics Services: Bypassing UDS Security Checks
Fault Injection – Tooling
• Open source: ChipWhisperer®
• Commercial: Inspector FI
Fault Injection tooling is available to the masses!
28. Undermining Diagnostics Services: Bypassing UDS Security Checks
Fault Injection breaks things!
• We can change memory contents
• We can change register contents
• We can change the executed instructions
We can change the intended behavior of software!
29. Undermining Diagnostics Services: Bypassing UDS Security Checks
ReadMemoryByAddress(0x00000000, 0x40)
Two checks are bypassed using a single glitch!
30. Undermining Diagnostics Services: Bypassing UDS Security Checks
Glitching ReadMemoryByAddress
• Successful on several different ECUs implementing UDS
  • Designed around different MCUs
• Depending on the target…
  • Allows reading out N bytes from an arbitrary address
• Complete firmware extracted in the order of days
  • Depended on flash size and success rate
37. Undermining Diagnostics Services: Bypassing UDS Security Checks
Key takeaways
• Hardware cannot be trusted
  • No software vulnerabilities != secure
• Hardware attacks do scale
  • They are a stepping stone to scalable attacks
• Your firmware will be exposed
  • Pre-shared secrets will be compromised