Automotive Penetration Testing: Protocol UDS

May 29, 2024

Speaker Info

  • Senior Cybersecurity Consultant at Oxygen Cyber Security
  • Independent Security Researcher
  • Focused on Automotive Security, especially UDS (Unified Diagnostic Services)

UDS Protocol Overview

  • Purpose: Communication between vehicle and diagnostic tools
  • OSI Model Comparison: Similar structure for automotive sector
  • Application Layer Focus: Specifically UDS on CAN interface, applicable to FlexRay, DoIP, LIN

UDS Method Structure

  • Arbitration IDs: Identify server (vehicle) and client (tester device)
    • 11 bits or 29 bits
  • Protocol Control Information: Frame types (single, first, consecutive, flow control)
  • Service IDs: Communicate and perform specific actions
    • Sub-function Byte: Specifies exact functionality
  • Data: Applicable data for each service
  • Padding: Unused bytes of the CAN frame are filled with a fixed padding byte, e.g., 0x00

Key UDS Services and IDs

  • Diagnostic Session Control: E.g., 0x10 (request) ↔ 0x50 (response)
  • Negative Response: Always 0x7F, with sub-function ID
  • Requirements: Vehicle, CAN interface device, software (Python libraries such as isotp and python-can, plus the can-utils command-line tools)

Tools for UDS Penetration Testing

  • carWhisperer: Supported by Linux kernel
  • Widely Adopted Tools: scapy, can-utils, caringcaribou, can_map (security testing tool)
  • carWhisperer GUI: Modular tool, plug CAN adapter, start enumeration and fuzzing
  • Help Page: Lists modules for doip, UDS, fuzzing, etc.

Fuzzing: What and How?

  • Definition: Supplying unexpected inputs, monitoring responses
  • Arbitration ID Enumeration: Iterating arbitration IDs and checking positive/negative responses
  • Service ID Enumeration: Iterating service IDs, checking responses

Security and Safety Critical ECUs

  • ECU Reset Services: Hard reset, soft reset, etc.
  • Write/Read Memory Services: Potential buffer overflow vulnerabilities
  • Critical Data in ECUs: Secret keys, passwords, mileage, commands

UDS Security Access

  • Mechanism: Secure access to restricted functions
  • Seed and Key Pair: Request seed, derive key, send back
  • Common Attacks: Pre-calculated keys, fuzzing, brute-forcing, fault injection
  • Randomness Concerns: Weak source of randomness, e.g., processor uptime
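The randomness concern above can be checked on a test bench before an ECU ships. The following added example (not the speaker's tool or any OEM code) models two constructed ECUs: one derives its SecurityAccess seed from a millisecond uptime counter, the other from the operating system's CSPRNG. The bench procedure resets the ECU, waits a fixed delay and requests a seed, then summarises how often seeds repeat and how much of the seed space they use; the same `assess_seeds` routine would be fed seeds captured from a real ECU's 0x67 responses.

```python
# Added example (not the speaker's tool): bench check for SecurityAccess seed
# quality. Both ECU classes are constructed models, not real ECU behaviour.
import math
import random
import secrets
from collections import Counter


class UptimeSeedEcu:
    """Constructed model: seed = 32-bit uptime counter at the time of the request."""

    def __init__(self, rng: random.Random):
        self._rng = rng
        self.uptime_ms = 0

    def reset(self):                                   # models ECUReset (0x11)
        self.uptime_ms = 0

    def request_seed(self, delay_ms: int) -> bytes:   # models SecurityAccess requestSeed
        # The tester waits delay_ms after the reset; 0-2 ms of scheduling jitter
        self.uptime_ms += delay_ms + self._rng.randint(0, 2)
        return self.uptime_ms.to_bytes(4, "big")


class CsprngSeedEcu:
    """Constructed model of the recommended design: seed from a proper entropy source."""

    def reset(self):
        pass

    def request_seed(self, delay_ms: int) -> bytes:
        return secrets.token_bytes(4)


def byte_entropy(seeds) -> float:
    """Shannon entropy (bits per byte) across all seed bytes; 8.0 is the ideal."""
    counts = Counter(b for s in seeds for b in s)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_seeds(seeds) -> dict:
    """Summarise repeatability and entropy of a seed sample."""
    unique = len(set(seeds))
    max_repeats = Counter(seeds).most_common(1)[0][1]
    entropy = byte_entropy(seeds)
    return {
        "samples": len(seeds),
        "unique": unique,
        "max_repeats": max_repeats,
        "entropy_bits_per_byte": round(entropy, 2),
        # Flags: seeds that recur across resets, or that barely use the seed space
        "repeats_after_reset": unique < len(seeds) * 0.9,
        "low_entropy": entropy < 4.0,
    }


def collect_after_reset(ecu, trials: int, delay_ms: int):
    """Bench procedure: reset, wait a fixed delay, request a seed; repeat."""
    seeds = []
    for _ in range(trials):
        ecu.reset()
        seeds.append(ecu.request_seed(delay_ms))
    return seeds


def compare(trials: int = 50, delay_ms: int = 500) -> dict:
    """Run the bench procedure against both models and return both assessments."""
    weak = assess_seeds(collect_after_reset(UptimeSeedEcu(random.Random(1)), trials, delay_ms))
    strong = assess_seeds(collect_after_reset(CsprngSeedEcu(), trials, delay_ms))
    return {"uptime_seed": weak, "csprng_seed": strong}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

For the uptime-based model the 50 seeds collapse to at most three distinct values and the leading bytes are always zero, so both flags trip; the CSPRNG model yields distinct seeds with byte entropy close to the maximum the sample size allows. The thresholds (90% unique, 4 bits per byte) are assumptions for the example, chosen to be loose enough to avoid false positives on a small capture.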

Tools Developed by Speaker

  • Custom Python Scripts: Streamline enumeration and fuzzing
  • carWhisperer Extensions: delay_fuzzer, randomness_fuzzer
  • Seed Randomness Fuzzer: Evaluates weak seed randomness
  • Delay Fuzzer: Finds delay between reset and seed request, uses pre-calculated keys

Real-World Vulnerabilities and Examples

  • ECU Lockup: Resetting ECUs, causing critical components to fail
  • Memory Corruption: Buffer overflows in identifier memory locations
  • Example Vehicle Tests: Real scenarios showing ECU vulnerabilities

Final Recommendations and Mitigations

  • HSM Implementation: Hardware Security Module for better security
  • Random Seed Source: Ensure proper sources of randomness
  • Emphasize Safety: Security for safety-critical components is paramount
  • Close Industry Collaboration: Work with OEMs and Tier 1 suppliers

Speaker's Closing Remarks

  • Ensuring Safety and Security: Automotive security is crucial for public safety
  • Research Community Role: Encourage collaborative efforts in security research

Q&A Highlights

  • Authentication Methods: Discussed effectiveness of current methods
  • Further Exploitation Post-Access: Tampering data, rewriting firmware
  • Common ECU Vulnerabilities: Often manufacturer-dependent
  • Memory Corruption Concerns: More exploratory research needed