
UDS Fuzzing and the path to Game Over

Thomas Sermpinis
@cr0wtom

whoami
• Thomas Sermpinis (a.k.a. cr0wtom)
• I want to hack everything I get my hands on
• ESPECIALLY CARS
• I want to make the world a safer place
• Addicted to TROOPERScon
• For boring CV stuff go to cr0wsplace.com
• bla bla bla
• Proud to be a member of the Auxilium Cyber Security

Introduction to UDS

UDS who?
• Unified Diagnostic Services (UDS) - ISO-14229

Specification requirements per transport (OSI layer by UDS variant):

Application         | UDSonCAN | UDSonFR | UDSonIP           | UDSonK-Line    | UDSonLIN
Presentation        | Vehicle manufacturer specific
Session             | Session layer services
Transport / Network | DoCAN    | CoFR    | DoIP              | Not applicable | LIN
Data Link           | CAN      | FlexRay | DoIP / IEEE 802.3 | DoK-Line       | LIN
Physical            | CAN      | FlexRay | DoIP / IEEE 802.3 | DoK-Line       | LIN

Reference: https://www.csselectronics.com/pages/uds-protocol-tutorial-unified-diagnostic-services


Message Structure

Arbitration ID | Protocol Control Info (PCI) | Request Data: Service ID, Sub-Function Byte, Parameters | Padding

Arbitration ID:
• 11-bit IDs: 0x0 - 0x7FF
• 29-bit IDs: 0x00000000 - 0xFFFFFFFF

Protocol Control Info (PCI): ISO-TP related frame data. The 1st nibble of the byte gives the frame type:
• 0: Single Frame
• 1: First Frame
• 2: Consecutive Frame
• 3: Flow Control Frame

Service ID: 0x00 - 0xFF. Several standardised IDs; the rest are manufacturer specific.

Sub-Function Byte: 0x00 - 0xFF. Several standardised sub-function bytes for each service; the rest are manufacturer specific.

Parameters: applicable data for the service.

Padding: 00 00 00 00 00 00 00 00 (unused bytes of the frame).


UDS Services

Service                    | Request SID | Response SID
Diagnostic Session Control | 0x10        | 0x50
ECU Reset                  | 0x11        | 0x51
Read Data by Identifier    | 0x22        | 0x62
Security Access            | 0x27        | 0x67
Write Data by Identifier   | 0x2E        | 0x6E
Tester Present             | 0x3E        | 0x7E

Reference: https://en.wikipedia.org/wiki/Unified_Diagnostic_Services
Negative Responses

Service                    | Request SID | Response SID
Diagnostic Session Control | 0x10        | 0x7F
ECU Reset                  | 0x11        | 0x7F
Read Data by Identifier    | 0x22        | 0x7F
Security Access            | 0x27        | 0x7F
Write Data by Identifier   | 0x2E        | 0x7F
Tester Present             | 0x3E        | 0x7F

Reference: https://en.wikipedia.org/wiki/Unified_Diagnostic_Services

Negative Responses

Negative response codes:
• 0x10 General Reject
• 0x11 Service not Supported
• 0x12 Sub-function not Supported
• 0x33 Security Access Denied

Reference: https://en.wikipedia.org/wiki/Unified_Diagnostic_Services
Requirements

What will I need?
• A vehicle :P
• A way to interface with the vehicle
• Some software

The vehicle

The way to interface

The tools

• Libraries:
  • ISO-TP
  • python-can
  • python cantools

• Tools:
  • can-utils
  • caringcaribou
  • Scapy
  • canmap

Caring Caribou
• Security testing tool for Automotive
• Modular
• Zero knowledge needed
• Plug your CAN adapter and start

Reference: https://github.com/CaringCaribou/caringcaribou
Fuzz it already

Fuzzing / Enumeration
• Supply of expected or unexpected input
• Analysis of the result
• Understanding of the target system
• Monitoring of unexpected behaviour

You can find unexpected behaviour in the most unexpected places
ARB ID Enumeration

(Message structure diagram, as above.)

• Target IDs?
• 11-bit or 29-bit?
• Standardised IDs or manufacturer specific

ARB ID Enumeration

• UDS Request, iterated over every arbitration ID:

  ARB ID | PCI  | SID  | Sub-Function | Parameters | Padding
  0x001  | 0x02 | 0x10 | 0x01         | -          | 0x00 0x00 0x00 0x00
  ...
  0x7FF  | 0x02 | 0x10 | 0x01         | -          | 0x00 0x00 0x00 0x00

• Monitor for positive or negative responses after each iteration
• Resend the request to prove the existence of server and client IDs
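The decoder below is an added example (not code from the talk or from CaringCaribou). It parses the message structure introduced earlier (ISO-TP PCI nibble, SID, positive response = request SID + 0x40, negative response 0x7F + SID + NRC) and then runs over constructed candump-style log lines to flag the bus pattern the enumeration loop above leaves: one request reaching many distinct arbitration IDs within a short window. Assumed: classic CAN with 11-bit IDs, single frames only, and the window and threshold values.

```python
import re
from collections import defaultdict

# Lookup tables built from the SIDs and NRCs in the talk's tables.
SERVICES = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
            0x22: "ReadDataByIdentifier", 0x27: "SecurityAccess",
            0x2E: "WriteDataByIdentifier", 0x3E: "TesterPresent"}
NRC = {0x10: "generalReject", 0x11: "serviceNotSupported",
       0x12: "subFunctionNotSupported", 0x33: "securityAccessDenied"}
FRAME_TYPES = {0: "SF", 1: "FF", 2: "CF", 3: "FC"}  # ISO-TP PCI, high nibble


def decode_uds(arb_id, data):
    """Describe one classic CAN frame as a UDS message (request/positive/negative)."""
    info = {"arb_id": arb_id, "frame": FRAME_TYPES.get(data[0] >> 4, "?")}
    if info["frame"] != "SF":                    # only single frames hold a whole PDU
        return info
    payload = data[1:1 + (data[0] & 0x0F)]       # PCI low nibble = payload length
    if not payload:
        return info
    sid = payload[0]
    if sid == 0x7F and len(payload) >= 3:        # negative: 7F <request SID> <NRC>
        info.update(kind="negative", service=SERVICES.get(payload[1], hex(payload[1])),
                    nrc=NRC.get(payload[2], hex(payload[2])))
    elif sid >= 0x40 and (sid - 0x40) in SERVICES:  # positive: request SID + 0x40
        info.update(kind="positive", service=SERVICES[sid - 0x40])
    else:
        info.update(kind="request", service=SERVICES.get(sid, hex(sid)),
                    sub_function=payload[1] if len(payload) > 1 else None)
    return info


# candump -l style line: "(ts) iface ID#HEXDATA" (all lines below are constructed)
LINE = re.compile(r"\((?P<ts>[\d.]+)\) \S+ (?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")


def parse_candump(line):
    m = LINE.match(line)
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def detect_arbid_sweep(lines, window_s=2.0, min_ids=16):
    """Alert once when the same request (SID + sub-function) reaches at least
    min_ids distinct arbitration IDs within window_s seconds."""
    recent = defaultdict(list)                   # (service, sub) -> [(ts, arb_id)]
    alerts = []
    for ts, arb_id, data in map(parse_candump, lines):
        msg = decode_uds(arb_id, data)
        if msg.get("kind") != "request":
            continue
        key = (msg["service"], msg["sub_function"])
        recent[key] = [(t, i) for t, i in recent[key] if ts - t <= window_s]
        recent[key].append((ts, arb_id))
        ids = {i for _, i in recent[key]}
        if len(ids) >= min_ids and (not alerts or alerts[-1][1] != key):
            alerts.append((ts, key, len(ids)))
    return alerts


# Constructed log: DiagnosticSessionControl(0x01) swept over IDs 0x000-0x01F,
# then a tester at 0x7E0 talking normally to the ECU at 0x7E8.
SWEEP = [f"({100 + i * 0.01:.6f}) can0 {i:03X}#0210010000000000" for i in range(0x20)]
NORMAL = ["(100.500000) can0 7E0#0210010000000000",   # request: 0x10 0x01
          "(100.510000) can0 7E8#065001003201F400",   # positive: 0x50 0x01 + timing params
          "(100.600000) can0 7E0#0227010000000000",   # request: SecurityAccess seed
          "(100.610000) can0 7E8#037F273300000000"]   # negative: 0x7F 0x27 0x33
```

Running `detect_arbid_sweep(SWEEP + NORMAL)` yields a single alert at the 16th swept ID, while `NORMAL` alone yields none.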
Service ID Enumeration

(Message structure diagram, as above.)

• Similar to ARB ID enumeration
• Way simpler (only 1 byte long)
• Each ECU (server and client ARB ID pair) has a different set of services
• Immediate response for existing services

Service ID Enumeration

• UDS Request, iterated over the service ID byte:

  ARB ID | PCI  | SID  | Sub-Function | Parameters | Padding
  0x7FF  | 0x01 | 0x01 | -            | -          | 0x00 0x00 0x00 0x00
  ...
  0x7FF  | 0x01 | 0x10 | -            | -          | 0x00 0x00 0x00 0x00

• Monitor for positive and negative responses
• List of all the available services
Service Sub-Function Enumeration

(Message structure diagram, as above.)

• Enumerating sub-functions is not as straightforward
• Several different diagnostic sessions
• Sub-functions may only exist under specific sessions or ECU modes (e.g. bootloader mode)
• Negative responses can help us clear things up

Fascinating (and dangerous) Use Cases

Interesting use of sub-functions
• Several security and safety critical ECUs
• Usually, with no applicable pre-conditions

ECUReset (0x11)
• Reset of an ECU can directly affect:
  • Safety critical components
  • Security critical components
  • Functionality of other ECUs

ECUReset

Sub-Function Name             | Service ID | Sub-Function ID
Hard Reset                    | 0x11       | 0x01
Key Off-On Reset              | 0x11       | 0x02
Soft Reset                    | 0x11       | 0x02
Enable Rapid Power Shut Down  | 0x11       | 0x03
Disable Rapid Power Shut Down | 0x11       | 0x04
Write Data by Identifier (0x2E)
• Predefined memory locations
• 2-byte addresses
• Host vehicle information
• Size has to be specified and is fixed

Write Data by Identifier (0x2E)
• Request data parameters are parsed by the host ECU
• Supplying an unexpected amount and type of data can potentially result in crashes and memory overflows
• Can we exploit them further?

Game Over??? Not Yet…

Write Data by Identifier (0x2E)
• A lot of use-cases with DIDs which are writeable by unauthenticated users
• Juicy stuff can be found in them:
  • Secret keys
  • Passwords
  • Mileage
  • Commands that get executed in the underlying OS …

Write Data by Identifier (0x2E)

Reference: Pšenička Tomáš. Development of vulnerable car ECU. Master's thesis. Czech Technical University in Prague, Faculty of Information Technology, 2022.

Noteworthy Services
• Communication Control (0x28)
• Write Memory by Address (0x3D)
• Routine Control (0x31)
• Request Upload (0x35)

UDS Security Access

UDS Security Access
• Main solution to restrict UDS functions under a security mechanism
• Different levels of security access
• Seed/Key algorithm implemented and obscured by the manufacturer

UDS Security Access

Client                          ECU
  -- Seed Request -------------->
                                1. Generate "random" seed
  <-- Random Seed Send ----------
  2. Calculate key              3. Calculate key
  -- Send Calculated Key ------->
                                4. Verify Key
  <-- Grant Access --------------

Reference: https://www.riscure.com/uploads/2018/06/Riscure_fault-injection-on-diagnosis-protocols-presentation.pdf
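Added example, not the talk's code: the four-step exchange above with both sides' bytes, with the ECU side generating the seed from a CSPRNG, allowing one key attempt per seed and checking the request sequence. HMAC-SHA256 stands in for the manufacturer's obscured seed/key algorithm; the shared secret, the 4-byte seed and key length, and the NRCs 0x24 (requestSequenceError) and 0x35 (invalidKey) from ISO 14229 are assumptions not taken from the slides.

```python
import hashlib
import hmac
import secrets

SID_SA = 0x27                                  # SecurityAccess (see the service table)
NRC_SEQUENCE, NRC_INVALID_KEY = 0x24, 0x35     # ISO 14229 NRCs, not from the slides


def calculate_key(seed: bytes, secret: bytes) -> bytes:
    """Steps 2 and 3: both sides turn the seed into a key. HMAC-SHA256 is a
    stand-in; a real ECU uses a manufacturer-specific, undocumented algorithm."""
    return hmac.new(secret, seed, hashlib.sha256).digest()[:4]


class EcuSecurityAccess:
    """Server side of the exchange: CSPRNG seed, sequence enforcement, one try per seed."""
    def __init__(self, secret: bytes):
        self.secret, self.pending_seed, self.unlocked = secret, None, False

    def handle(self, request: bytes) -> bytes:
        if request[0] != SID_SA:
            return bytes([0x7F, request[0], 0x11])         # serviceNotSupported
        sub = request[1]
        if sub == 0x01:                                    # requestSeed
            self.pending_seed = secrets.token_bytes(4)     # step 1: fresh seed every time
            return bytes([0x67, 0x01]) + self.pending_seed
        if sub == 0x02:                                    # sendKey
            if self.pending_seed is None:
                return bytes([0x7F, SID_SA, NRC_SEQUENCE])  # key sent before any seed
            expected = calculate_key(self.pending_seed, self.secret)
            self.pending_seed = None                       # seed is consumed either way
            if not hmac.compare_digest(expected, request[2:]):
                return bytes([0x7F, SID_SA, NRC_INVALID_KEY])
            self.unlocked = True                           # step 4: access granted
            return bytes([0x67, 0x02])
        return bytes([0x7F, SID_SA, 0x12])                 # subFunctionNotSupported


def run_exchange(ecu: EcuSecurityAccess, client_secret: bytes):
    """Client side: seed request, key calculation, key send. Returns the
    (request, response) byte pairs as they would cross the bus."""
    transcript = []
    req = bytes([SID_SA, 0x01])
    resp = ecu.handle(req)
    transcript.append((req, resp))
    if resp[0] != 0x67:
        return transcript
    req = bytes([SID_SA, 0x02]) + calculate_key(resp[2:], client_secret)
    transcript.append((req, ecu.handle(req)))
    return transcript
```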
Common Attacks
• Pre-calculated key fuzzing and brute-forcing
• Fault injection
• Fallback function triggers
• Algorithm reverse engineering

What does randomness mean, either way?


Is it really random?

Seed Randomness
• What if we could request the same seed more than once?
• Common "issue" in the embedded world due to limited resources
• Sekar Kulandaivel - Carnegie Mellon University
  • Revisiting Remote Attack Kill-Chains on Modern In-Vehicle Networks
  • CANdid vulnerability

Seed Randomness
• Randomness based on processor uptime
• Processor uptime resets during boot
• Weak source of randomness
• Most of the industry is affected

Finding dat seed

Fuzzing for the seed
• Custom scripts in Python or C
• Customisation for each target ECU was needed
• Why don't we automate it?

Seed Randomness

Issue hard ECUReset to the target ECU
  -> ECU reboots
  -> Wait for a pre-defined amount of time
  -> Issue Seed Request to the ECU
  -> Seed received
  -> Desired seed?
       No:  back to the ECUReset
       Yes: Pre-calculated key send -> Security Access obtained
UDS_FUZZ Module
• CaringCaribou seemed like the proper target
• Open-source and modular
• Really helpful community
• Implemented both for CAN and DoIP implementations of UDS

Seed_Randomness_Fuzzer

Demo time
Seed_Randomness_Fuzzer
• Evaluation script for the source of randomness in the tested ECU
• An accurate microcontroller might be needed
• If 20% of the requested seeds are duplicates we can safely say that the ECU is vulnerable
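An added example (not the UDS_FUZZ module) of the evaluation described above: two constructed ECU models, one seeding from processor uptime that restarts on a hard ECUReset and one from the OS CSPRNG, are put through the reset / wait / request-seed loop and scored against the 20% duplicate threshold. The seed mixing constant, the delay and the boot jitter are assumptions.

```python
import random
import secrets
from collections import Counter

# Constructed ECU models, not real firmware: they only model where the seed
# comes from. request_seed() returns the 4-byte seed value, not a full UDS frame.
class UptimeSeedEcu:
    """Weak model: seed derived from milliseconds since boot. A hard ECUReset
    (0x11 0x01) restarts that counter, so a fixed delay after the reset yields
    (almost) the same seed every time."""
    def __init__(self, jitter_ms=2, rng=None):
        self.uptime_ms = 0
        self.jitter_ms = jitter_ms
        self.rng = rng or random.Random(1)      # deterministic boot jitter for the demo

    def ecu_reset(self):
        self.uptime_ms = 0

    def wait(self, delay_ms):
        self.uptime_ms += delay_ms + self.rng.randint(0, self.jitter_ms)

    def request_seed(self):                     # SecurityAccess 0x27 0x01
        return (self.uptime_ms * 0x9E3779B1) & 0xFFFFFFFF   # toy mixing, assumed


class CsprngSeedEcu(UptimeSeedEcu):
    """Fixed model: the seed does not depend on uptime at all."""
    def request_seed(self):
        return int.from_bytes(secrets.token_bytes(4), "big")


def collect_seeds(ecu, samples, delay_ms):
    """The flowchart loop: reset, wait a fixed time, request a seed, repeat."""
    seeds = []
    for _ in range(samples):
        ecu.ecu_reset()
        ecu.wait(delay_ms)
        seeds.append(ecu.request_seed())
    return seeds


def duplicate_ratio(seeds):
    """Fraction of seed requests that returned an already-seen value."""
    return (len(seeds) - len(set(seeds))) / len(seeds)


def assess(ecu, samples=50, delay_ms=500, threshold=0.20):
    """Apply the rule of thumb from the slide: >= 20% duplicates means vulnerable."""
    seeds = collect_seeds(ecu, samples, delay_ms)
    ratio = duplicate_ratio(seeds)
    seed, hits = Counter(seeds).most_common(1)[0]
    return {"duplicate_ratio": ratio, "vulnerable": ratio >= threshold,
            "most_common_seed": f"{seed:08X}", "hits": hits}


if __name__ == "__main__":
    print("uptime-seeded ECU:", assess(UptimeSeedEcu()))
    print("CSPRNG-seeded ECU:", assess(CsprngSeedEcu()))
```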

Welcome to the other side

Delay_Fuzzer
• What if we already have a seed/pre-calculated key pair?
• We need to find the delay between an ECUReset and a seed request that corresponds to this pair
• Fuzz the delay, until we find a successful match

Delay_Fuzzer

Demo time^2

Game Over
Pre-calculated key interception
• Key can be leaked by weak links in the supply chain
• Service shops are the main target
• Malicious ECUs can also be used to leak pre-calculated keys
• Online sources and forums

Mitigations and Outcome

Mitigations
• HSMs start to appear on embedded devices
• Several modes are still affected, even when using HSMs in normal operation
• Usually these modes are easily accessible and unrestricted
• Random seeds have to ALWAYS use a proper source

Do they even care?

Hack cars
Make love
Not war

Thank you for your attention

Thomas Sermpinis
cr0wsplace.com