
2018 | OriginalPaper | Chapter

Beneath the Bonnet: A Breakdown of Diagnostic Security

Authors: Jan Van den Herrewegen, Flavio D. Garcia

Published in: Computer Security

Publisher: Springer International Publishing


Abstract

An Electronic Control Unit (ECU) is an automotive computer essential to the operation of a modern car. Diagnostic protocols running on these ECUs are often too powerful, giving an adversary full access to the ECU if they can bypass the diagnostic authentication mechanism. Firstly, we present three ciphers used in the diagnostic access control, which we reverse engineered from the ECU firmware of four major automotive manufacturers. Next, we identify practical security vulnerabilities in all three ciphers, which use proprietary cryptographic primitives and a small internal state. Subsequently, we propose a generic method to remotely execute code on an ECU over CAN exclusively through diagnostic functions, which we have tested on units of three major automotive manufacturers. Once authenticated, an adversary with access to the CAN network can download binary code to the RAM of the microcontroller and execute it, giving them full access to the ECU and its peripherals, including the ability to read/write firmware at will. Finally, we conclude with recommendations to improve the diagnostic security of ECUs.


Metadata

Title: Beneath the Bonnet: A Breakdown of Diagnostic Security
Authors: Jan Van den Herrewegen, Flavio D. Garcia
Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-99073-6_15
