Critical Security Flaw Found in Automotive ECUs
A practical security assessment has revealed that many modern vehicle Electronic Control Units (ECUs) can be compromised by brute-forcing diagnostic keys. The attack exploits weaknesses in the Unified Diagnostic Services (UDS) and On-Board Diagnostics (OBD) protocols, potentially allowing attackers to reprogram firmware or disable safety features.
- The Unified Diagnostic Services (UDS) protocol, defined by the ISO 14229 standard, provides a common language for diagnostic tools to communicate with the 40 to 150 Electronic Control Units (ECUs) in a modern vehicle, regardless of the underlying communication bus like CAN, CAN-FD, or Ethernet.
- The underlying Controller Area Network (CAN) bus, over which diagnostic messages are often sent, was developed in the 1980s and lacks modern security features like encryption and authentication, making it susceptible to various attacks. This inherent vulnerability allows any device with access to the bus to potentially send counterfeit commands.
- The concept of remotely hacking vehicles was famously demonstrated in 2015 when security researchers Charlie Miller and Chris Valasek wirelessly took control of a Jeep Cherokee from 10 miles away, manipulating its steering, brakes, and transmission. This event led to the recall of 1.4 million vehicles by Fiat Chrysler.
- While the UDS standard includes a "Security Access" service (service 0x27) that implements a seed-key authentication mechanism to protect sensitive ECU functions, the standard itself does not mandate its use, leaving implementation at the discretion of the vehicle manufacturer.
- Attackers have exploited CAN bus vulnerabilities for vehicle theft by physically accessing the network, often through an exposed wiring harness behind a headlight, and injecting fake authorization messages to start the engine without a key.
- In response to growing threats, new regulations and standards are being enforced, such as UNECE R155 and ISO/SAE 21434, which mandate that automotive manufacturers implement comprehensive cybersecurity management systems and secure their vehicles by design.
- Aftermarket OBD-II dongles, used for services like usage-based insurance or vehicle tracking, have been identified as a significant attack vector, with studies finding that many devices could allow remote attackers to send dangerous commands to a vehicle's critical systems.
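As an added illustration (not code from the assessment or from any vendor), the sketch below models an ECU-side handler for the Security Access service (0x27) with the attempt counter and time delay that make brute-forcing a key impractical. The class and function names, the HMAC-based key derivation, the 8-byte seed and the 3-attempt/10-second limits are assumptions; the negative response codes are those defined by ISO 14229.

```python
import hashlib
import hmac
import secrets
import time

SID, POS, NEG = 0x27, 0x67, 0x7F   # SecurityAccess request, positive and negative response
NRC_SUBFUNC, NRC_LENGTH, NRC_SEQUENCE = 0x12, 0x13, 0x24
NRC_INVALID_KEY, NRC_EXCEEDED, NRC_DELAY = 0x35, 0x36, 0x37

def compute_key(secret: bytes, seed: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the OEM's key algorithm.
    return hmac.new(secret, seed, hashlib.sha256).digest()[:8]

class SecurityAccessServer:
    """Simplified ECU-side model of one security level (0x01 requestSeed, 0x02 sendKey)."""

    def __init__(self, secret, max_attempts=3, delay_s=10.0, clock=time.monotonic):
        self.secret, self.max_attempts = secret, max_attempts
        self.delay_s, self.clock = delay_s, clock
        self.seed, self.failed, self.locked_until, self.unlocked = None, 0, 0.0, False

    def negative(self, nrc: int) -> bytes:
        return bytes([NEG, SID, nrc])

    def handle(self, request: bytes) -> bytes:
        """Process one 0x27 request (dispatch by service ID is assumed done by the caller)."""
        if len(request) < 2:
            return self.negative(NRC_LENGTH)
        now = self.clock()
        if now < self.locked_until:             # lockout: refuse seeds and keys alike
            return self.negative(NRC_DELAY)
        sub = request[1]
        if sub == 0x01:
            self.seed = secrets.token_bytes(8)  # fresh, unpredictable seed per request
            return bytes([POS, sub]) + self.seed
        if sub != 0x02:
            return self.negative(NRC_SUBFUNC)
        if self.seed is None:                   # key sent without a pending seed
            return self.negative(NRC_SEQUENCE)
        expected = compute_key(self.secret, self.seed)
        self.seed = None                        # a seed is valid for one key attempt only
        if hmac.compare_digest(request[2:], expected):   # constant-time comparison
            self.failed, self.unlocked = 0, True
            return bytes([POS, sub])
        self.failed += 1
        if self.failed >= self.max_attempts:    # counter is cleared only by a valid key
            self.locked_until = now + self.delay_s
            return self.negative(NRC_EXCEEDED)
        return self.negative(NRC_INVALID_KEY)
```

Because the failure counter is cleared only by a valid key, a single wrong key after the delay expires locks the level again; a production ECU would also keep the counter and delay in non-volatile memory so a power cycle does not reset them.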