Analysis of Performing Secure Remote Vehicle Diagnostics

Dennis Kengo Oka (1), Takahiro Furue (1), Stephanie Bayer (2), Camille Vuillaume (1)

(1) ETAS K.K., Queen's Tower C 17F, 2-3-5 Minatomirai, Nishi-ku, Yokohama, Kanagawa 220-6217, Japan
    {dennis.kengo.oka.fixed-term, Takahiro.Furue, Camille.Vuillaume}@etas.com
(2) ESCRYPT GmbH, Leopoldstr. 244, 80807 München, Germany
    stephanie.bayer@escrypt.com

Abstract

Traditionally, diagnostics of vehicles is done by plugging a physical device into a diagnostics interface in the vehicle; however, over the last years OEMs have been considering performing remote diagnostics. Connecting remotely to a vehicle opens a new entry point for attackers, hence it is important to secure the remote diagnostics procedure. We first provide an analysis of the security properties for remote diagnostics; this is done by giving a short overview of possible attacks. Next, we analyze and group diagnostic services and specify whether they are possible or suitable to be performed remotely. Last, we identify relevant security properties for each of the suitable diagnostic service groups.

1 Introduction

Modern vehicles are equipped with several dozen electronic control units (ECUs) that are responsible for the majority of functionality in a vehicle. ECUs often use sensor values as inputs, which are processed by the ECU software, which in turn renders outputs on actuators. For example, the airbag receives sensor values such as wheel speed, brake impact, seat belt status and passenger position. Based on these sensor values, airbags situated in different places in the car can be inflated at different times and at different rates to reduce the likelihood of injuries in crashes and decrease the likelihood of airbag-related injuries. Software is run on the ECUs to control such functionality. In addition, the software also monitors the vehicle or ECU conditions and can provide information regarding vehicle trouble. In such cases, diagnostic trouble codes (DTCs) are typically set on the corresponding ECUs. During vehicle maintenance, dealer workshops would then investigate the vehicle trouble based on the set DTCs, which are extracted using various diagnostics commands. It is important for OEMs to be able to perform this type of diagnostics to identify problems with software or vehicle components, as well as to calibrate and test functionality.

Currently, in case of vehicle trouble, vehicle owners typically need to bring their vehicle to a dealer workshop, where a technician physically plugs an external test equipment tool, i.e. a diagnostics tool, into the OBD-II port in the vehicle. The technician can then send various diagnostic commands from the diagnostic tool, which could be a standalone hardware tool or software running on a PC. The technician uses the diagnostic data extracted from the vehicle to analyze the problem. The solution to the problem could for example be a software update or the replacement of a hardware component.

Unfortunately, there are a few issues with this approach. One, the technician can only start the analysis once the vehicle arrives at the dealer workshop, which leaves the technician little actual time to perform the analysis, prepare any spare parts that are necessary, and perform any replacements or software updates. Second, the vehicle owner typically has to wait for the technician to finish the work before the vehicle is returned, which causes inconvenience for the vehicle owner. Third, OEMs can only collect information about vehicle troubles and other types of data once the vehicle arrives at the dealer workshop. The data extracted from the vehicle is uploaded to the OEM servers from the technician's diagnostic tool.

To remedy the issues with this approach, the trend is to perform remote diagnostics. Remote diagnostics allows reading out DTCs and other diagnostic data from vehicles remotely, using for example the telematics module equipped on vehicles. Consequently, it would address the three issues above respectively. One, the technician can perform part of the work prior to the vehicle even arriving at the dealer workshop. That is, the technician can first perform remote diagnostics to extract the data necessary for the analysis and perform the analysis in advance. The technician can also prepare any necessary spare parts. When the vehicle is available at the dealer workshop, the technician can immediately start working based on the results of the analysis made beforehand and replace any components using the prepared spare parts. Second, the wait time for the vehicle owner is reduced to only the actual work needed to do the replacements or software updates, which means the happy vehicle owner will be back on the streets much faster. Third, OEMs can continuously collect diagnostic data, which contain information about vehicle troubles and other types of data. This allows OEMs to analyze a larger set of data much sooner and would help in identifying failure trends and in preparing to handle large-scale vehicle trouble incidents, as well as improving existing software with new features much quicker.

To allow remote diagnostics, security is necessary. For example, only authorized parties should be allowed to perform remote diagnostics. Moreover, some diagnostic commands may be considered too dangerous or not useful to perform remotely.

In this paper we make the following contributions:

- We provide an analysis of the security properties for remote diagnostics.
- We analyze and group diagnostic services and specify whether they are possible or suitable to be performed remotely.
- We identify relevant security properties for the diagnostic service groups that are suitable to be performed remotely.

2 Remote Diagnostics Overview

In the following we provide an overview of the remote diagnostics use case.

2.1 Definition of remote diagnostics

The term remote diagnostics may be interpreted differently by different people, so first we provide a definition to ensure a common view of the use case.

Definition: In the remote diagnostics use case there is no physical connection between the diagnostics tool and the vehicle, i.e. communication between diagnostics tool and vehicle is wireless, and the technician has no physical access to the vehicle and cannot perform any physical actions on the vehicle.

2.2 Overview of remote diagnostics use case

An overview of the remote diagnostics use case is described as follows. Modern vehicles are equipped with telematics modules that connect the vehicles to the Internet. The telematics module also serves as a gateway between the Internet connection and the in-vehicle network, e.g. the CAN bus. A diagnostics command is sent from the OEM server over the Internet and received in the target vehicle. The diagnostics command could have originated from an OEM technician, e.g. to perform data collection, or from a dealer technician, e.g. to perform diagnostics on a vehicle prior to its arriving at the workshop. The diagnostics command is transmitted on the relevant bus and processed by the target ECU in the vehicle. The result is returned via the telematics module to the OEM server. We consider the communication channel between the OEM technician or dealer technician and the OEM server to be secured using traditional IT security means.

ISO 14229-1 [1] provides the standard for unified diagnostic services (UDS). The standard defines a number of diagnostics services through which a diagnostic tool can control diagnostic functions in an ECU. For example, there are services such as changing the diagnostic session, resetting the ECU, and reading or writing data to the ECU. Although the ISO 14229 standard also covers ECU programming, we have chosen to separate ECU programming from the remote diagnostics use case, as it is very different from the rest of the diagnostics services and serves a different purpose, i.e. it is not used to diagnose a vehicle but rather to fix an issue by updating the software.

2.3 Attacker model

The attacker model in the remote diagnostics use case is defined as follows:

- The attacker can inject, modify or listen to any messages in the communication channel between the OEM server and the telematics module on the vehicle.
- The attacker has physical access to the vehicle and can inject, modify or listen to any messages in the communication channel between the telematics module and the target ECUs.

As a result, rather than considering point-to-point security for two separate communication channels (between OEM server and telematics module, and between telematics module and target ECUs), we only consider securing the end-to-end communication channel between the originator (OEM technician or dealer technician) and the target ECUs. Although the focus is on securing the end-to-end communication channel, some messages in transit could be encapsulated in a lower-level protocol that may already provide some additional security features.

2.4 Security properties

We analyze the remote diagnostics use case and consider the following security properties desirable. A simplistic view of secure remote diagnostics would only consider securing the communication channel between the OEM server and the telematics module, because what happens between the telematics module and the target ECU is similar to the existing diagnostics use case today between the OBD-II port and the target ECU. However, in this paper we consider securing the end-to-end communication channel and therefore consider the appropriate security properties for this channel.

2.4.1 Authenticity

One important security property is authenticity. It is paramount to ensure that a diagnostic message is actually coming from the correct entity and has not been spoofed. That is, the receiving entity needs to be able to properly verify that a message comes from the claimed originator. Researchers [2, 3, 4] have shown cases where they have broken the simple seed-key authentication that is implemented for diagnostic access in some vehicles. Even worse, some cases seem not to employ any authentication at all, or use fixed keys. Researchers have shown that they can execute arbitrary diagnostics commands to control the ECUs or read out the memory from the ECUs.

2.4.2 Integrity

Integrity is equally as important as authenticity. It is imperative that messages sent between the communicating parties have not been modified while in transit. If messages can be modified, an attacker could modify requests sent from the OEM server to execute commands other than the intended ones, or prevent a vehicle with vehicle trouble from going to a dealer workshop by replacing the trouble-indicating responses with responses stating that the vehicle is fine.

2.4.3 Confidentiality

There exist manufacturer-specific diagnostic commands and responses which OEMs would prefer to keep secret. Moreover, some of the data collected from vehicles may contain sensitive information. Therefore, for such data there is a need to provide confidentiality in the communication channel. If an attacker is able to sniff the traffic, secret or sensitive data could be leaked, for example secret diagnostics commands or data related to the privacy of the vehicle owner.

3 Analysis of Secure Remote Diagnostics

In this section we analyze and break down diagnostics services into groups and identify which are possible or suitable to perform remotely and which are not. We deem the groups that are not suitable to be performed remotely as not allowed to be performed remotely. We also identify the relevant security properties for each group that is suitable to be performed remotely.

3.1 Diagnostics breakdown

Common vehicle diagnostics tools provide a plethora of diagnostics capabilities [5-17]. We use these capabilities as a basis for our analysis. Different tool manufacturers and OEMs use slightly different terminology for the various diagnostics capabilities. Although the terminology may differ, we believe that the respective capabilities can be assigned to one of the categories in our summary breakdown shown in Table 1.

First, we break down the diagnostics procedure itself into two categories: Passive and Active. The definition of passive is that no physical action on the vehicle by the technician is necessary. Conversely, the definition of active is that physical action on the vehicle by the technician is required. Physical action is defined as physical input or physical inspection (e.g. visual). In no case is the vehicle user required to be involved. At the next level there are three categories: Read, Clear and Function test. Read indicates any diagnostics that comprises reading data from an ECU. Clear represents clearing DTCs. Function test covers all function tests. The last level shows the individual groups of diagnostics, which are further explained separately in the sections below. The analysis and the decision whether a diagnostics group is possible to be performed remotely is based on the actions required to perform the functions in the group. Moreover, some vehicles may require that a battery charger is connected to the vehicle, or that the ignition key is in the on position with the engine off, for some of the functions in a group to be executed. However, the purpose of this breakdown is to provide an overview of the groups and therefore it does not go into all the details necessary for individual actions or tests within each group. The results of the analysis are summarized in Table 2. For diagnostics groups that are not suitable, i.e. not allowed, to be performed remotely, no specific security properties are identified as they are not applicable (N/A).

Table 1: Breakdown of diagnostics into groups

Diagnostics
  Passive
    Read:          Datalist, DTC, Freezeframe
    Clear:         DTC
    Function test: Inspection, Adjustment
  Active
    Function test: Inspection, Adjustment

3.1.1 Passive Read datalist

This group is passive and consists of reading data from the ECU and displaying the values to a technician. These values are used to understand the current status or condition of the ECUs. Example values include vehicle speed, engine RPM, engine coolant temperature, open/close status of valves and gear position. Furthermore, reading law-mandated vehicle emission-related data (OBD-II PIDs) from the ECU is considered a subset of reading values from datalist, DTCs and freezeframes (DTCs and freezeframes are described in the following subsections) and is therefore not considered as a separate group. Standard OBD-II PIDs are defined in SAE J1979 [18].

This group is both possible and suitable to perform remotely, as it purely reads data from the ECUs and does not affect the function of the ECUs or require any active physical action by the technician. This group requires the security properties authenticity and integrity, and depending on the type of data that is read, confidentiality may be required.

3.1.2 Passive Read DTCs

This group is passive and consists of reading data from the ECU and displaying the values to a technician. The purpose of reading DTCs is to understand what could be wrong with a specific ECU or the vehicle and to assist in identifying the cause of vehicle trouble. Examples of DTCs are "sensor circuit malfunction", "injector circuit malfunction" and "cylinder 1 misfire detected".

This group is both possible and suitable to perform remotely, as it purely reads data from the ECUs and does not affect the function of the ECUs or require any active physical action by the technician. This group requires the security properties authenticity and integrity, and depending on the type of data that is read, confidentiality may be required.

3.1.3 Passive Read freezeframe

This group is passive and consists of reading data from the ECU and displaying the values to a technician. When a fault occurs and a DTC is set, the ECU records the conditions present when the fault occurred and stores them as a freezeframe. For example, the conditions recorded could include fuel system status, coolant temperature and engine RPM. The freezeframe data helps the technician to understand the conditions of the ECU when the DTC occurred, to assist in troubleshooting the problem.

This group is both possible and suitable to perform remotely, as it purely reads data from the ECUs and does not affect the function of the ECUs or require any active physical action by the technician. This group requires the security properties authenticity and integrity, and depending on the type of data that is read, confidentiality may be required.

3.1.4 Passive Clear DTCs

This group is passive, but rather than reading data from the ECU it makes changes to the ECU by clearing or erasing DTCs that have previously been set. DTCs are typically cleared after the corresponding fault has been remedied by, for example, updating the software on the ECU or replacing the faulty component.

This group is possible to perform remotely: although it does make changes to the ECUs, it does not require any active physical action by the technician. N.B. some vehicles may require that the ignition key is in the on position with the engine off. However, the clear DTC function is typically performed after the corresponding fault has been remedied and therefore may not be suitable to be performed remotely unless the issue can be resolved and verified remotely. This group requires the security properties authenticity and integrity. Assuming that the clear DTC commands are not secret, confidentiality is not required.

3.1.5 Passive Inspection function tests

This group is passive and includes function tests that are used for inspection. Typically this group includes tests that change a value, which can then be inspected by checking the status or by reading a specific value. For example, these tests could also be self tests, checking or toggling a valve open/closed, or performing a solenoid test. This group is used for testing individual functionality by inspecting, i.e. reading a value, that the correct behavior is occurring.

This group is both possible and suitable to perform remotely: although it does make changes to the ECUs, it does not require any active physical action by the technician. The inspection can be performed remotely by reading out the relevant data. N.B. there might exist some tests that require the vehicle to be in a certain state, e.g. vehicle speed 0 or gear in park. It is assumed that the vehicle will be in this state at some point naturally and thus this does not require any physical action. This group requires the security properties authenticity and integrity. If the function test commands need to be kept secret, confidentiality is also required.

3.1.6 Passive Adjustment function tests

This group is passive and consists of function tests that are used for adjustment and provide support for repair. This group would contain tests that allow reset and initialization of ECUs or adjustment of certain parameters. For example, adjusting the height of the headlights or adjusting the tire size would be considered passive adjustment tests.

This group is possible to perform remotely: although it does make changes to the ECUs, it does not require any active physical action by the technician. However, adjustment function tests would typically occur in conjunction with actual repair or replacement, where physical access is necessary. Thus it would technically be possible to perform these tests remotely, but in practice it would not be suitable. Since it is not suitable, i.e. not allowed, to execute the function tests in this group remotely, security properties for this group are not applicable.

3.1.7 Active Inspection function tests

This group is active and consists of function tests that actively change something which a technician typically can physically inspect. Turning the wipers or the hazard lights on and off, locking and unlocking the doors, and moving the power windows up and down are examples of active inspection function tests.

This group is neither possible nor suitable to perform remotely because it requires physical inspection by the technician. It would be possible to execute the first half of the test, which is for the vehicle to perform an action, but the second half of the test requires a physical action in the sense of physical inspection. Since it is not suitable, i.e. not allowed, to execute the function tests in this group remotely, security properties for this group are not applicable.

3.1.8 Active Adjustment function tests

This group is active and includes function tests that are used for adjustment and provide support for repair. This group comprises tests that allow calibration of sensors, cameras or steering, as well as various learning tests. For example, an active adjustment function test would be the steering end learning, where a technician physically has to turn the steering wheel from the center position to the very far left position, then back to the very far right position, and finally back to the center position.

This group is neither possible nor suitable to perform remotely, as it requires active physical input by the technician. Moreover, adjustment function tests would typically occur in conjunction with actual repair, where physical access is necessary anyway. Since it is not suitable, i.e. not allowed, to execute the function tests in this group remotely, security properties for this group are not applicable.

4 Conclusion

As vehicle diagnostics was traditionally done over a cable, i.e. a wired connection, there was no need to separate or define diagnostics groups other than for the purpose of organizing the diagnostics functions to ease the technician's job in performing the actual diagnostics. For example, to make the desired functions easy to find in the diagnostics tool, the functions are grouped and typically displayed under corresponding menus. However, in allowing remote diagnostics there is an important need to define diagnostics into various groups with specific requirements. OEMs need to determine which diagnostics functions are allowed or suitable to be performed remotely. For the diagnostics groups that are allowed to be performed remotely, proper security requirements and solutions need to be implemented. As future work we will investigate such requirements and suggest a suitable implementation option. Secure remote diagnostics will provide OEMs with multiple new business models and will allow increasing the efficiency of diagnosing faulty vehicles as well as reducing the waiting time for the vehicle owner.

Table 2: Summary of diagnostics groups and whether they are possible/suitable to be performed remotely, and the respective security properties (1)

Group                              Possible remotely  Suitable remotely  A    I    C
Passive Read datalist              Yes                Yes                O    O    Δ
Passive Read DTC                   Yes                Yes                O    O    Δ
Passive Read freezeframe           Yes                Yes                O    O    Δ
Passive Clear DTC                  Yes                Yes (2)            O    O    x
Passive Inspection function tests  Yes                Yes                O    O    Δ
Passive Adjustment function tests  Yes                No                 N/A  N/A  N/A
Active Inspection function tests   No                 No                 N/A  N/A  N/A
Active Adjustment function tests   No                 No                 N/A  N/A  N/A

(1) A = Authenticity, I = Integrity, C = Confidentiality. O = Required; Δ = Required if the transmitted data need to be kept secret; x = Not required; N/A = Not applicable.
(2) Yes if the issue can be resolved remotely, otherwise no.

References

[1] ISO 14229-1, Road vehicles - Unified diagnostic services (UDS) - Part 1: Specification and requirements, 2013.
[2] K. Koscher, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham and S. Savage, Experimental Security Analysis of a Modern Automobile, IEEE Symposium on Security and Privacy, 2010.
[3] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner and T. Kohno, Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX Conference on Security, 2011.
[4] Charlie Miller and Chris Valasek, Adventures in Automotive Networks and Control Units, DEFCON 21, 2013.
[5] Autologic Diagnostics, Autologic Software Technical Specifications for BMW Vehicles, 2013.
[6] Craftsman, CanOBD2 Diagnostic Tool Operator's Manual, 2008.
[7] Snap-on, Solus PRO User Manual, 2012.
[8] Innova Electronics Corp., CanOBD2 ScanTool Owner's Manual, 2008.
[9] Gore Research, ProScan, 2006.
[10] Banzai, MST2000, 2014.
[11] GIT, G-scan User Manual, 2012.
[12] OTC, Genisys User Guide, 2005.
[13] SPX, Modular Vehicle Communication Interface (MVCI) User Guide, 2010.
[14] Ford Motor Company, Integrated Diagnostic Software User's Guide, 2008.
[15] EASE Diagnostics, EASE PC Scan Tool, 2012.
[16] Nissan TechNews, Consult III plus CAN ECU Programming, 2011.
[17] Motor, Scan Tool Assessment, 2005.
[18] SAE J1979, E/E Diagnostic Test Modes, 2012.
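The following is an added illustration, not code from the paper or its authors, of the end-to-end protection argued for in Sections 2.3 and 2.4 combined with the Table 2 policy gate: the originator authenticates the request to the target ECU directly, the telematics relay adds nothing, and the ECU refuses groups that Table 2 marks as unsuitable remotely. Everything not in the paper is an assumption: the per-ECU shared key, the HMAC-SHA256 tag, the monotonic counter for freshness, the wire layout, and the illustrative UDS service bytes; confidentiality is left out because the standard library has no AES.

```python
"""Added example, not the authors' code: an end-to-end protected remote
diagnostics request (paper Sections 2.3-2.4) gated by the Table 2 policy.
Assumptions not in the paper: a per-ECU symmetric key shared by the OEM-side
originator and the target ECU, a monotonic counter for freshness, and a
telematics module that is a pure relay.  Confidentiality is omitted."""
import hashlib
import hmac
import struct

# Table 2, encoded as group -> (suitable remotely, confidentiality rule).
# Authenticity and integrity are required for every suitable group; "if_secret"
# means confidentiality only when data/commands are secret, "never" = not needed.
TABLE2 = {
    "passive_read_datalist":    (True, "if_secret"),
    "passive_read_dtc":         (True, "if_secret"),
    "passive_read_freezeframe": (True, "if_secret"),
    "passive_clear_dtc":        (True, "never"),   # footnote 2: only if fixable remotely
    "passive_inspection_test":  (True, "if_secret"),
    "passive_adjustment_test":  (False, None),
    "active_inspection_test":   (False, None),
    "active_adjustment_test":   (False, None),
}
GROUPS = list(TABLE2)           # list index doubles as the 1-byte group code on the wire
HDR = struct.Struct(">HBQ")     # assumed layout: target ECU address, group code, counter
TAG_LEN = 32                    # HMAC-SHA256 output

def build_request(key, ecu_addr, group, counter, uds_payload):
    """Originator side: header || UDS bytes || HMAC over both.  The tag binds target,
    group, counter and payload, so a spoofed (2.4.1) or tampered (2.4.2) frame fails."""
    header = HDR.pack(ecu_addr, GROUPS.index(group), counter)
    tag = hmac.new(key, header + uds_payload, hashlib.sha256).digest()
    return header + uds_payload + tag

class TargetEcu:
    """Target ECU: verify the tag, enforce freshness, then apply Table 2."""
    def __init__(self, key, addr):
        self.key, self.addr, self.last_counter = key, addr, 0

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return False, "malformed"
        header, payload, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # authenticity + integrity
            return False, "bad_tag"
        addr, code, counter = HDR.unpack(header)
        if addr != self.addr or code >= len(GROUPS):
            return False, "wrong_target_or_group"
        if counter <= self.last_counter:                # replayed or stale injected frame
            return False, "replay"
        group = GROUPS[code]
        if not TABLE2[group][0]:                        # Table 2: not allowed remotely
            return False, "not_remote:" + group
        self.last_counter = counter
        return True, group                              # payload now goes to the UDS handler

def demo():
    """Constructed scenario: one good request, then the three failure modes."""
    key = b"\x11" * 32                                  # constructed test key
    ecu = TargetEcu(key, addr=0x7E0)
    # 0x19 0x02 0xFF: illustrative UDS ReadDTCInformation request bytes
    req = build_request(key, 0x7E0, "passive_read_dtc", 1, b"\x19\x02\xff")
    good = ecu.accept(req)                              # relay is identity, so pass as-is
    flipped = bytearray(req)
    flipped[HDR.size] ^= 0x01                           # one payload bit flipped in transit
    tampered = ecu.accept(bytes(flipped))
    replayed = ecu.accept(req)                          # same counter presented again
    wipers = build_request(key, 0x7E0, "active_inspection_test", 2, b"\x2f")
    refused = ecu.accept(wipers)                        # valid tag, but group unsuitable
    return good, tampered, replayed, refused
```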