Automotive Network Scans with Scapy
This talk shows a novel scanners and fuzzers for automotive network communication. Over the last two years we’ve developed automated tools for transport- and application-layer scans of automotive protocols based on Scapy. We explain the usage and advantages of these tools and dive into the complexity of system states of ECUs. Finally, we show how custom fuzzers for stateful network fuzzing can be created. The following protocols are covered: CAN, ISOTP, UDS, GMLAN, OBD, DoIP, HSFZ.
Automotive software of control units uses state machines all over the place. The attack surface of an ECU is extremely dependent on the current system state. Therefore, any penetration test on ECUs has to be performed with the system state in mind. Since Troopers 2019, where we first showed the use of Scapy for automotive penetration testing, we’ve created fully automated tools for Transport-Layer and Application-Layer network scans. We will explain these scanners in detail and show how they can be used for penetration testing. Furthermore, we will show examples of systems states by reverse engineering automotive firmware. We explain how the gathered information can be transferred to an automated tool based on our scanner. This covers details of the software-update process of automotive systems and examples of system states found during normal operation. Finally, we show how the scanner tool can be transformed in a stateful automotive network fuzzer, with just a few modifications.