Automotive network security ECU attacks

Publisher: 电子创新者 | Latest update time: 2024-01-18 | Source: 谈思实验室

01



Overview


From the perspective of automotive electronic and electrical architecture, a car is a structure made of ECUs (points) and buses (lines). Wireless sensing is rarely used inside the car, and gateways, the T-BOX and similar units are also collectively referred to as ECUs. Attacking a car therefore means attacking its different ECUs. What attack vectors an ECU has and how an ECU is attacked are the topics of most interest to hackers, and they are also the first thing to work out for vehicle defense.


02


ECU structure


First, let’s take a look at what the ECU looks like from several different angles.


1. Physical


Taking an ECU apart, the most intuitive view is that it divides into two parts: chip/PCB + interface.



  • The chip/PCB is the part enclosed in a metal shell (shielding against electromagnetic interference)


  • Interfaces are of two types: exposed communication interfaces + hidden debugging interfaces



2. Operating system


Viewing the ECU from the operating-system perspective is about understanding how the firmware runs, in order to crack the ECU's firmware.

3. Program structure


This part is unique to automotive controllers. From this classification perspective, the specific attack methods that target different ECU modules can be identified more precisely.

Let's first look at the ECU from these three perspectives. They cover hardware, the operating system and how programs run, and automotive electronic software. Each part is very detailed. I hope I can explain it in detail in the future.


03


ECU attack


The previous section described what an automotive ECU is and the angles from which it can be classified, which gives the attack vectors for this section. The three angles can be unified into the following three layers:


  • Network (interface): protocol attacks (from the first and third perspectives)


  • Firmware (FLASH): reverse engineering of firmware (from the first, second, and third perspectives)


  • Chip/PCB: physical attacks (from the first perspective)


04


Network


Network attack vectors can run over wireless or wired networks; the wired network is mainly CAN. CAN attacks divide into attacks on RAW frames and attacks on protocol messages. Attacks on RAW frames mainly follow from properties of CAN itself:

  1. No authentication


  2. Priority


  3. Broadcast


  4. Bus error


For protocol messages, take the third perspective:


  • Diagnostic messages


  • Application messages


  • Network management messages
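
An added example, not code from the original article: a passive monitor that uses the broadcast property to watch the bus and flags frames that arrive faster than a periodic ID's nominal period (a visible consequence of missing sender authentication), IDs absent from the baseline, and diagnostic requests. The log is constructed in can-utils candump format; the baseline period for 0x244, the `tolerance` factor and all function names are assumptions, and the diagnostic IDs are the 11-bit OBD request IDs from ISO 15765-4.

```python
import re

# Constructed candump-style capture (can-utils log format); not from a real vehicle.
SAMPLE_LOG = """\
(1.000000) can0 244#0000
(1.100000) can0 244#0000
(1.200000) can0 244#0000
(1.230000) can0 244#FFFF
(1.250000) can0 7DF#02010D
(1.300000) can0 244#0000
(1.330000) can0 244#FFFF
(1.400000) can0 244#0000
(1.450000) can0 5A1#01
"""

# Assumed baseline: application-message IDs and their nominal periods in seconds.
BASELINE_PERIODS = {0x244: 0.100}
# 11-bit OBD diagnostic request IDs (ISO 15765-4); OEM-specific IDs would differ.
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))

LINE_RE = re.compile(
    r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)$")

def parse(log):
    """Yield (timestamp, can_id, payload) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than raising
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def detect(frames, periods=BASELINE_PERIODS, tolerance=0.5):
    """Return (timestamp, can_id, reason) alerts for a stream of frames."""
    alerts, last_seen = [], {}
    for ts, can_id, _payload in frames:
        if can_id in DIAG_REQUEST_IDS:
            alerts.append((ts, can_id, "diagnostic request on bus"))
        elif can_id not in periods:
            alerts.append((ts, can_id, "ID not in baseline"))
        elif can_id in last_seen and ts - last_seen[can_id] < tolerance * periods[can_id]:
            # A second sender on the same ID shortens the gap between frames.
            alerts.append((ts, can_id, "arrived faster than nominal period"))
        last_seen[can_id] = ts
    return alerts

if __name__ == "__main__":
    for ts, can_id, reason in detect(parse(SAMPLE_LOG)):
        print(f"{ts:.3f} 0x{can_id:03X} {reason}")
```
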


05


Firmware


Firmware acquisition: There are many ways to obtain firmware, and they are widely documented. From the first perspective, firmware can be extracted directly from FLASH, read out through the debugging port, or even obtained through dynamic debugging.


Firmware analysis: Start from the second perspective. General-purpose operating systems have their own toolchains, which makes analysis relatively troublesome. Where there is no separation between operating system and program, dynamic and static analysis tools can be applied directly.


Exploiting vulnerabilities: For general-purpose operating systems, there are many ways to exploit them. In the other case, some data can be stolen and some parameters changed, but persistent exploitation is a problem.


06


Chip


At the chip level there are physical attack methods, the most typical being side-channel analysis and fault injection. Refer to a picture from NXP.




07


Protection


Let's talk briefly about protection. Each kind of attack should have a corresponding protection measure. The foundation of protection is still cryptography. At present, the need is to ensure hardware security and establish a trustworthy system. The main building blocks are hardware security modules, such as HSM and TPM.


HIS SHE


This specification mainly covers a hardware security module based on symmetric encryption (AES): how its keys are managed and used, and processes such as secure boot.

EVITA SHE


This project introduces different security-level designs for different scenarios, divided into three types: Full, Medium and Light. It also divides messages into security levels.



