Security Analyst at Riscure
Fault injection on automotive diagnosis protocols
Nowadays it is uncommon to find a car that does not implement the OBD2 (On-Board Diagnosis 2) and the UDS (Unified Diagnostic Services) standards for diagnosis of the vehicle and the individual Electronic Controller Units (ECUs) respectively. Due to the amount of information available through these diagnosis interfaces, they have been targeted by hackers and hobbyists from the very beginning.
Modern protocols like UDS require authentication in order to access critical assets (e.g. firmware). For years, attackers exploited trivial vulnerabilities in these diagnosis protocols to bypass this authentication, but state-of-the-art implementations make it impossible to simply bypass the security logically. This talk presents fault injection as a technique to bypass the security of diagnosis protocol implementations, with special focus on UDS implementations that are protected against traditional logical attacks because they do not contain any logical vulnerabilities. This paper also illustrates the risk of implementing a vulnerable diagnosis protocol, since it could serve as an entry point for a scalable attack.
Work co-authored by Santi Córdoba and Ramiro Pareja. Santi is a Security Analyst at Riscure, where he breaks stuff for a living. When he's not breaking stuff he can be found tinkering with radios, downing craft beer, playing CTF and reversing automotive devices. Ping him at @Quorth