Analysis of security vulnerabilities in vehicle on-board diagnostic systems

• Autorzy: Pełechaty Piotr , Konieczny Łukasz

Identyfikatory

DOI

10.29354/diag/192162

• Języki publikacji: EN

Abstrakty

EN

The article explains the different types of on-board diagnostic systems (OBD) used in motor vehicles, as well as the impact of the latest automotive security norms on diagnostic interface security. The paper focuses on identifying potential security threats in on-board diagnostic systems used in automotive control units. During the research, a diagnostic interface device of its own design, carrying out special test procedures, was excavated. The research was conducted on several vehicles and ECUs, applying black box penetration testing. The paper's goal is to list all identified vulnerabilities in diagnostic protocol implementation and suggest some corrective actions for software that would increase security. The authors defined a list of low-cost software requirements that can be easily implemented on most modern ECUs.

Słowa kluczowe

EN

OBD; diagnostic; UDS; cybersecurity; penetration testing

• Wydawca: Polskie Towarzystwo Diagnostyki Technicznej
• Czasopismo: Diagnostyka
• Rocznik: 2024
• Tom: Vol. 25, No. 3
• Strony: art. no. 2024310
• Opis fizyczny: Bibliogr. 21 poz., rys., tab.

Twórcy

autor

Pełechaty Piotr

• Silesian University of Technology, Faculty of Transport and Aviation Engineering, Krasińskiego 8 str., 40-019 Katowice, Poland

• https://orcid.org/0009-0000-0002-7041

autor

Konieczny Łukasz

• Silesian University of Technology, Faculty of Transport and Aviation Engineering, Krasińskiego 8 str., 40-019 Katowice, Poland

• https://orcid.org/0000-0002-9501-7651

Bibliografia

• 1. ISO 15031-5:2015 Road vehicles - Communication between vehicle and external equipment for emissions-related diagnostics. Part 5: Emissionsrelated diagnostic services.
• 2. ISO 15031-3:2023 Road vehicles - Communication between vehicle and external equipment for emissions-related diagnostics. Part 3: Diagnostic connector and related electrical circuits: Specification and use.
• 3. Witaszek K, Witaszek M. Diagnosing the thermostat using vehicle on-board diagnostic (OBD) data. Diagnostyka. 2023;24(4):2023402. https://doi.org/10.29354/diag/173002.
• 4. Wierzbicki S. Evaluation of the effectiveness of onboard diagnostic systems in controlling exhaust gas emissions from motor vehicles. Diagnostyka. 2019;20(4):75-79. https://doi.org/10.29354/diag/114834.
• 5. ISO 15765-4:2021 Road vehicles - Diagnostic communication over Controller Area Network (DoCAN). Part 4: Requirements for emissionsrelated systems.
• 6. Bozdal M, Samie M, Aslam S, Jennions I. Evaluation of CAN Bus Security Challenges. Sensors 2020; 20: 2364. https://doi.org/10.3390/s20082364.
• 7. Luo A, Spencer H. Remotely hacking a car through an OBD-II Bluetooth Dongle [Video]. Youtube. https://www.youtube.com/watch?v=f19_BNgVrWQ &ab_channel=AutomotiveSecurityResearchGroup.
• 8. ISO 14229-1:2020 Road vehicles - Unified diagnostic services (UDS) - Part 1: Application layer.
• 9. Kim H, Jeong Y, Choi W, Lee DH, Jo HJ. Efficient ECU analysis technology through structure-aware CAN fuzzing. IEEE Access, 2022;10:23259-23271. https://doi.org/10.1109/ACCESS.2022.3151358.
• 10. Kang TU, Song HM, Jeong S and Kim HK. Automated reverse engineering and attack for CAN using OBD-II. 2018 IEEE 88th Vehicular Technology Conference (VTC-Fall), Chicago, IL, USA, 2018:1-7. https://doi.org/10.1109/VTCFall.2018.8690781.
• 11. Ammar M, Janjua H, Thangarajan A, Crispo B. Securing the On-Board Diagnostics Port (OBD-II) in vehicles. SAE International Journal of Transportation Cybersecurity and Privacy 2019; 2(2):83-106, 2019. https://doi.org/10.4271/11-02-02-0009.
• 12. AUTOSAR Group. Specification of secure onboard communication protocol (SecOC) R21-11, 2021. https://www.autosar.org.
• 13. ISO/SAE 21434:2021 Road vehicles - Cybersecurity engineering.
• 14. UN Regulation No. 155 - Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system, 2021.
• 15. STMicroelectronic. User Manual. UM2505 STM32G4 Nucleo-64 boards (MB1367). https://www.st.com/resource/en/user_manual/um250 5-stm32g4-nucleo64-boards-mb1367- stmicroelectronics.pdf.
• 16. STMicroelectronic. Reference manual RM0440 STM32G4 series advanced Arm®-based 32-bit MCUs https://www.st.com/resource/en/reference_manual/rm0440-stm32g4-series-advanced-armbased-32bitmcus-stmicroelectronics.pdf.
• 17. Matsubayashi M, Koyama T, Tanaka M. In-Vehicle network inspector utilizing diagnostic communications and web scraping for estimating ECU functions and CAN Topology. IEEE Access 20214; 12: 6239-6250. https://doi.org/10.1109/ACCESS.2024.3351175.
• 18. Ajin VW, Kumar LD, Joy J. Study of security and effectiveness of DoIP in vehicle networks. 2016 International Conference on Circuit, Power and Computing Technologies (ICCPCT), Nagercoil, India, 2016; 1-6. https://doi.org/10.1109/ICCPCT.2016.7530357.
• 19. Śmieja M, Wierzbicki S, Mamala J. Sterowanie dawką wtryskiwanego paliwa w układzie Common Rail z wykorzystaniem środowiska LabView. Combustion Engines. 2013;154(3):542-548.
• 20. Mokhadder M, Zachos M, Potter J. Evaluation of Vehicle System Performance of an SAE J1939-91C Network Security Implementation (2023) SAE Technical Papers. https://doi.org/10.4271/2023-01-0041.
• 21. OWASP Application Security Verification Standard, 10 2020, [online] Available: https://owasp.org/wwwproject-application-security-verification-standard/