Previously, the car is isolated, physical isolation, and therefore difficult to remote hacker intrusion inside the car computer (ECU), unless physical invasion, and this is the high cost of crime needs. With the Internet’s evolution, when golo3 this car networking products through OBD (On Board Diagnostics) diagnostic socket inside the car ECU networking, remote network attacks by the car is no longer a suspect. It can be predicted that once the popularity of car networking products, cars were attacked on actual cases and more and more will appear.
Just look at the cars on the highway are artificially controlled engine suddenly stalled, will be like a finale? You scared yet?
An OBD diagnostic seat and topology ECU
Before the safety car networking discussed in detail, first we have to understand the next OBD diagnostic seat, below the SAE J1962 standard definition of OBD diagnostic seat:
OBD diagnostic seat is one that contains the female 16pin, pin definitions given in addition to the figure, the other did not give the pin by car manufacturers own definition. ECU different communication protocols may use different pin, KWP (key word protoctol) keyword is used in the 7th protocol pin or 15-pin, the most common 500kbaud of iso15765 protocol (high-speed CAN) uses 6 No pin and 14 pin. OBD diagnostic socket is generally located below the steering wheel, different models may not be the same as the specific location, the following figure shows the specific location of the Toyota Camry 2011 classic version of OBD diagnostic seat:
Next we need to understand the topology between the ECU and the ECU. ECU (Electronic Control Unit) electronic control unit, the popular saying, it is actually used to control the number of records or change the status of the car, or ARM microcontroller chip. Now, there will be general automotive interior dozen to several dozen ranging ECU, ECU different charge different modules, such as the engine control module (PCM) will accept the sensor signal, through complex calculations to control the supply of fuel, Air rationing (electronic throttle), fuel injection and ignition timing, intake air pressure adjustment, but also according to temperature, load, knock, combustion conditions and other factors to determine the compensation control engine. According to different functions, we can put ECU into power, body, chassis, other other categories. The following table lists the high profile of the 2011 classic version of the Camry some ECU module.
In addition to automotive interior ECU, there will be a large number of sensors and actuators and other components, through their joint coordination complex intelligence operations. ECU and then the ECU, ECU and other components is how to communicate it? Topology is as shown between the various components of the vehicle interior
Actual situation more complex than the above figure, there are also differences between the different models, may also occur between the various components are connected directly, the whole principle is about the same, equal to connect all components on the CAN bus. CAN bus with low cost, high bus utilization, physical characteristics and reliable fault tolerance, high-speed transfer rate. It is based on a broadcast format, meaning that any node on the same bus to the bus message, other nodes on the bus can receive the message, then the message according to the head to determine whether a message is sent to their own . Accomplished through a gateway between different baud signal adaptation bus.
OBD II diagnostic socket by what we can do
We know OBD diagnostic seat is designed to be used in automotive diagnostic, it is the only interface to interact with the outside automotive ECU, that we can do auto diagnostic equipment can do, let’s take a look at the diagnostic line with market requirements instrument should have the function:
1 automotive ECU can read information, such as 17 vin code, ECU hardware information.
2 can read the current state of the car, such as current speed, tire pressure and so on.
3 can read fault codes of the car, the car quickly locate the fault location and clear fault codes.
4 cars be able to conduct a pre-set number of actions tests. Such as window lift, etc.
5 In addition to these basic diagnostic functions, may also have the power brush, odometer changes, key match, airbag reset other complex special features.
In addition, we know that the form is based on the CAN bus to transmit the broadcast message and when the message is sent to the CAN bus, the ECU receives this message is unable to determine from which node the message is sent, i.e., the message does not contains the source address or destination address, the message header is just an identifier, ECU is only based on the identifier to identify whether it is sent to their own. This design flaw will naturally lead to message forgery and spoofing attacks. OBD diagnostic seat as a node on the bus, not only to monitor the CAN bus at the news, but also to forge a message (such as sensor messages) to deceive the ECU, so as to achieve the purpose of changing the state of the car behavior.
Taking these two cases, we can put a message on the CAN bus is divided into the following two categories:
1 message communication between diagnostic and automotive ECU called a diagnostic message.
2 messages for communication between automotive interior components called inside information.
Any kind of message sequence defined above by carefully constructed bus, a malicious attacker could change state sent to the car.
Here you can enumerate the consequences brought about several attacks and attacks. For example, a malicious attacker can send a message through a sequence of body systems to unlock car doors and trunk, so as to achieve the purpose of stealing property owners; another example, an attacker can construct a sequence of messages sent to the OBD diagnostic seat to force the vehicle to run on high-speed turn off the engine, so as to achieve the purpose of the car crash.
Three ways to attack the car networking
An element of any communication between the elements and the OBD car from the cloud server networking products, mobile APP, a box of three basic elements, attack them, are able to drive networking devastating blow. I include here a few points:
1. Diagnostic data logic invasion cloud service side, the service side of tampering, to change the behavior of the car purpose
2. Informed communication logic between the phone and the box APP through reverse engineering, pseudo-vehicle networking products resulting sequence of messages sent to mobile phone APP box malicious.
3 attacks via WIFI, Bluetooth communication channels and so on….