UDS Fuzzing and the Path to Game Over
The automotive industry has made significant technological advances in the last decade to catch up with the rest of the world. The lack of proper regulations and security standards meant that automotive companies had to develop custom solutions most of the time, which resulted in many security issues. Security testing also fell behind, as until now there was no pressing need to test and research these devices, but with more and more connected components the risks are increasing rapidly.
In this paper we discuss security testing, and more specifically fuzzing, of the diagnostic protocol (UDS) in automotive devices, which can give access to some of their most critical functions. We give a brief introduction to the different fuzzing methodologies that have been applied to the UDS protocol so far, and we present a new fuzzing methodology. The paper explains how this methodology helped us get complete access to some of the most critical components of Tier 1 automotive suppliers and how we ended up developing our own tool to automate fuzzing and exploitation of those issues.
A paper analyzing all the UDS fuzzing techniques in use, as well as our own fuzzing technique for UDS security access algorithms, and a demo of our own tooling developed for it.
- Introduction to key terms (UDS, seed, security access, CAN messages, etc.)
  1a. Overview of the basic terminology needed for the rest of the presentation.
- Fuzzing the UDS: an overview and a penetration testing methodology
  2a. Fuzzing arbitration IDs: Here we analyze how to discover new server and client arbitration IDs, which help us generate new messages to obtain information about the device.
  2b. Fuzzing for available UDS services: Several standardized and custom UDS services exist in devices that use diagnostics. These can be fuzzed by covering the full range of possible service IDs and listening for responses from the server.
  2c. Fuzzing for diagnostic session types: Next, fuzzing of the different session types is presented, which is needed in order to execute different diagnostic functions and services.
  2d. Fuzzing for security levels: Several security levels are usually implemented in UDS so that users and maintainers can get authorized access to the device and perform specific actions. A brief description of the fuzzing methodology for finding the available security levels is presented.
  2e. Fuzzing data identifiers: Data identifiers can leak data and reveal information about the underlying system that can help with further exploitation. Fuzzing them is straightforward, but it is often overlooked.
- Fuzzing and hunting for security seeds
  3a. Security seed mechanism overview: Introduction to the UDS security seed mechanism, how it works, and common seed/key cryptography methodologies.
  3b. How attackers obtain seed/key pairs: A brief overview of the ways attackers can obtain seed and "pre-calculated" key pairs.
- Old tricks becoming new (and the illusion of randomness)
  4a. CANdid vulnerability: Description of the CANdid research, which shows how ECUs with limited resources seed their random number generator with the system timer, and how that affects the seed/key mechanism of UDS.
- Seed Randomness Fuzzer
  5a. Implementing a new fuzzing methodology: Based on previous research we automated the discovery and exploitation of seed randomness vulnerabilities. We developed a tool (later incorporated into caringcaribou) that programmatically sets the delay between an "ECUReset" message and the following seed request, then requests seeds and evaluates them for randomness.
  5b. Tool demo
- Delay Fuzzer
  6a. Exploiting our findings: Our second fuzzer implements the same methodology but targets devices already proven vulnerable. It takes a seed (for which the attacker possibly owns a pre-calculated key) and supplies different delays to the ECU. When the desired seed is found, the delay is saved and the attacker can use this delay to request the desired seed, supply the key and get elevated access to the ECU.
  6b. Tool demo
- Closing remarks
  7a. In this section we conclude with potential avenues for the industry: how penetration testers and researchers have to start building a robust toolset and methodology, and how automotive manufacturers have to start implementing some of the already tested and working defensive solutions in their hardware and protocols.
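As an added illustration of the seed-randomness check in 5a (and of the delay dependence that 6a relies on), the following Python, which is not part of the talk's tooling or of caringcaribou, models a timer-seeded ECU next to a hardware-RNG-seeded one and runs the reset/wait/requestSeed loop over a constructed set of delays; the ECU class, the delays, the 10 ms timer resolution and the 32-bit seed width are assumptions.

```python
import random

# Constructed toy model of an ECU seed source (not any vendor's firmware).
# A timer-seeded ECU seeds its PRNG from an uptime counter that restarts at
# zero on ECUReset, so the seed depends only on the delay since the reset.
class SimulatedEcu:
    def __init__(self, timer_seeded: bool, timer_resolution_ms: int = 10):
        self.timer_seeded = timer_seeded
        self.timer_resolution_ms = timer_resolution_ms
        self.uptime_ms = 0

    def ecu_reset(self) -> None:
        self.uptime_ms = 0  # UDS ECUReset: the uptime counter starts over

    def wait(self, delay_ms: int) -> None:
        self.uptime_ms += delay_ms

    def request_seed(self) -> int:
        """UDS SecurityAccess requestSeed; returns a 32-bit seed (assumed width)."""
        if self.timer_seeded:
            # Coarse timer tick is the only PRNG input: same delay -> same seed.
            tick = self.uptime_ms // self.timer_resolution_ms
            return random.Random(tick).getrandbits(32)
        # Hardened ECU: hardware RNG, modelled here with the OS CSPRNG.
        return random.SystemRandom().getrandbits(32)


def seed_randomness_report(ecu, delays_ms, trials=5):
    """For each delay: reset, wait, request a seed, repeated `trials` times.
    Returns {delay_ms: distinct seeds seen}; a healthy ECU shows `trials`
    distinct seeds at every delay."""
    report = {}
    for delay in delays_ms:
        seen = set()
        for _ in range(trials):
            ecu.ecu_reset()
            ecu.wait(delay)
            seen.add(ecu.request_seed())
        report[delay] = len(seen)
    return report


def has_predictable_seeds(report, trials=5):
    """Flag the ECU if any delay produced fewer distinct seeds than trials."""
    return any(distinct < trials for distinct in report.values())


if __name__ == "__main__":
    delays = [0, 50, 100, 500, 1000]
    for name, ecu in (("timer-seeded", SimulatedEcu(True)), ("hardened", SimulatedEcu(False))):
        rep = seed_randomness_report(ecu, delays)
        print(name, rep, "PREDICTABLE" if has_predictable_seeds(rep) else "ok")
```

Against a real ECU the same loop would sit on top of a CAN interface, and the randomness judgement should also cover seeds collected at different delays, not only repeats at one delay.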