skip to main content
10.1145/3689936.3694695acmconferencesArticle/Chapter ViewAbstractPublication PagescscsConference Proceedingsconference-collections
research-article
Open access

(Un)authenticated Diagnostic Services: A Practical Evaluation of Vulnerabilities in the UDS Authentication Service

Published: 20 November 2024 Publication History

Abstract

Diagnostic communication is an attractive entry point for attackers because of its accessibility and degree of standardization. The prevalent diagnostic protocol used in modern vehicles is Unified Diagnostic Services (UDS). To prevent misuse of diagnostic functions, UDS provides the Authentication Service to authenticate diagnostic testers securely. A previous study [16] revealed two vulnerabili- ties in the Authentication Service by theoretically analyzing its specification. By leveraging the identified vulnerabilities, a Man-in-the-Middle (MitM) attacker could theoretically manipulate the communication between a diagnostic tester and an Electronic Control Unit (ECU), with the tester believing that the communication is securely authenticated and encrypted. In this work, we examine the practical applicability of these vulnerabilities and the proposed mitigations. By implementing the MitM attacker against a diagnostic tester and ECU, simulated by a state-of-the-art industrial tool, we show that standard-conform diagnostic clients and servers cannot detect the described attacks and the manipulation can be successfully applied. Based on this practical evaluation, we derive realistic estimates for attack feasibility and impact, which can be used in a Threat and Risk Analysis (TARA) according to ISO/SAE 21434. In addition, we evaluate the performance of the proposed mitigations and show that their overhead is comparable low.

References

[1]
AUTOSAR. 2023. Specification of Diagnostics, Adaptive Platform, R23--11.
[2]
David Basin, Cas Cremers, Jannik Dreier, Simon Meier, Ralf Sasse, and Benedikt Schmidt. 2024. Tamarin Prover. https://tamarin-prover.github.io/
[3]
Meriem Benyahya, Teri Lenard, Anastasija Collen, and Niels Alexander Nijdam. 2023. A Systematic Review of Threat Analysis and Risk Assessment Methodologies for Connected and Automated Vehicles. In Proceedings of the 18th International Conference on Availability, Reliability and Security (Benevento, Italy) (ARES '23). Association for Computing Machinery, New York, NY, USA, Article 99, 10 pages. https://doi.org/10.1145/3600160.3605084
[4]
Plappert Christian, Zelle Daniel, Gadacz Henry, Rieke Roland, Scheuermann Dirk, and Krauß Christoph. 2021. Attack Surface Assessment for Cybersecurity Engineering in the Automotive Domain. In 2021 29th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP). IEEE, Valladolid, Spain, 266--275. https://doi.org/10.1109/PDP52278.2021.00050
[5]
Sam Curry, Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah. 2023. Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More. https://samcurry.net/web-hackers-vs-the-auto-industry
[6]
Jürgen Dürrwang, Johannes Braun, Marcel Rumez, and Reiner Kriesten. 2017. Security Evaluation of an Airbag-ECU by Reusing Threat Modeling Artefacts. In 2017 International Conference on Computational Science and Computational Intelligence (CSCI). 37--43. https://doi.org/10.1109/CSCI.2017.7
[7]
Dan Goodin. 2023. There's a new form of keyless car theft that works in under 2 minutes. https://arstechnica.com/information-technology/2023/04/crooks-are-stealing-cars-using-previously-unknown-keyless-can-injection-attacks/
[8]
Simon Greiner, Maike Massierer, Claudia Loderhose, Bernd Lutz, Frederic Stumpf, and Franziska Wiemer. 2022. A supplier's perspective on threat analysis and risk assessment according to ISO/SAE 21434. In 20th escar Europe. https://doi.org/10.13154/294--9357
[9]
International Standards Organization / SAE. 2021. ISO/SAE 21434:2021 Road vehicles ? Cybersecurity engineering. https://www.iso.org/standard/70918.html
[10]
ISO. 2016. Road vehicles Diagnostic communication over Controller Area Network (DoCAN) Part 2: Transport protocol and network layer services. ISO Standard 15765--2:2016. International Organization for Standardization, Geneva, Switzerland. https://www.iso.org/obp/ui/#iso:std:iso:15765:-2:dis:ed-4:v1:en
[11]
ISO. 2016. Road vehicles Diagnostic communication over Internet Protocol (DoIP) Part 3: Wired vehicle interface based on IEEE 802.3. ISO Standard 13400--3:2016. International Organization for Standardization, Geneva, Switzerland.
[12]
ISO. 2019. Road vehicles Diagnostic communication over Internet Protocol (DoIP) Part 2: Transport protocol and network layer services. ISO Standard 13400--2:2019. International Organization for Standardization, Geneva, Switzerland.
[13]
ISO. 2020. Road vehicles Unified diagnostic services (UDS) Part 1: Application layer. ISO Standard 14229--1:2020. International Organization for Standardization, Geneva, Switzerland.
[14]
Patrick Kiley. 2021. The UDS Security Model of the Tesla CAN Bus and Battery Management System. https://www.rsaconference.com/Library/presentation/USA/2021/the-uds-security-model-of-the-tesla-can-bus-and-battery-management-system
[15]
Sekar Kulandaivel. 2021. Revisiting remote attack kill-chains on modern in-vehicle networks. Ph.,D. Dissertation. Carnegie Mellon University.
[16]
Timm Lauser and Christoph Krauß. 2023. Formal Security Analysis of Vehicle Diagnostic Protocols. In Proceedings of the 18th International Conference on Availability, Reliability and Security (Benevento, Italy) (ARES '23). Association for Computing Machinery, New York, NY, USA, Article 21, 11 pages. https://doi.org/10.1145/3600160.3600184
[17]
Timm Lauser, Daniel Zelle, and Christoph Krauß. 2020. Security Analysis of Automotive Protocols. In Computer Science in Cars Symposium (Feldkirchen, Germany) (CSCS '20). Association for Computing Machinery, New York, NY, USA, Article 11, 12 pages. https://doi.org/10.1145/3385958.3430482
[18]
Sen Nie, Ling Liu, and Yuefeng Du. 2017. Free-fall: Hacking tesla from wireless to can bus. Black Hat USA (2017), 1--16.
[19]
Ramiro Pareja and Santiago Cordoba. 2018. Fault injection on automotive diagnostic protocols. escar USA (2018).
[20]
Stephen Powley. 2020. Comparative Evaluation of Cybersecurity Methods for Attack Feasibility Rating per ISO/SAE DIS 21434. https://www.researchgate.net/publication/339390034_Comparative_Evaluation_of_Cybersecurity_Methods_for_Attack_Feasibility_Rating_per_ISOSAE_DIS_21434
[21]
United Nations Economic Commission for Europe (UNECE). 2021. UN Regulation No. 155 - Cyber security and cyber security management system. https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security
[22]
Jan Van den Herrewegen and Flavio D. Garcia. 2018. Beneath the Bonnet: A Breakdown of Diagnostic Security. In Computer Security, Javier Lopez, Jianying Zhou, and Miguel Soriano (Eds.). Springer International Publishing, Cham, 305--324.
[23]
Vector Informatik GmbH. 2024. Vector CANoe. https://www.vector.com/de/de/produkte/produkte-a-z/software/canoe
[24]
Nils Weiss, Sebastian Renner, Jürgen Mottok, and Václav Matouvsek. 2021. Automated Threat Evaluation of Automotive Diagnostic Protocols. In Proceedings of the Embedded Security in Cars Workshop (ESCAR) 2021. Virtual.
[25]
Haohuang Wen, Qi Alfred Chen, and Zhiqiang Lin. 2020. Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 949--965. https://www.usenix.org/conference/usenixsecurity20/presentation/wen
[26]
Hannah Wieser, Thomas Schäfer, and Christoph Krauß. 2024. Penetration Testing of In-Vehicle Infotainment Systems in Connected Vehicles. In 2024 IEEE Vehicular Networking Conference (VNC). 156--163. https://doi.org/10.1109/VNC61989.2024.10575976
[27]
Daniel Zelle, Christian Plappert, Roland Rieke, Dirk Scheuermann, and Christoph Krauß. 2022. ThreatSurf: A method for automated Threat Surface assessment in automotive cybersecurity engineering. Microprocessors and Microsystems, Vol. 90 (2022), 104461. https://doi.org/10.1016/j.micpro.2022.104461

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
CSCS '24: Proceedings of the 2024 Cyber Security in CarS Workshop
November 2024
84 pages
ISBN:9798400712326
DOI:10.1145/3689936
This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 November 2024

Check for updates

Author Tags

  1. automotive
  2. diagnostics
  3. iso/sae~21434
  4. security

Qualifiers

  • Research-article

Conference

CCS '24
Sponsor:

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • 0
    Total Citations
  • 497
    Total Downloads
  • Downloads (Last 12 months)497
  • Downloads (Last 6 weeks)161
Reflects downloads up to 13 Feb 2025

Other Metrics

Citations

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media