Change search
ReferencesLink to record
Permanent link

Direct link
Security Evaluation of the Electronic Control Unit Software Update Process
KTH, School of Information and Communication Technology (ICT).
2014 (English)Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

A modern vehicle is controlled by a distributed network of embedded devices - Electronic Control Units. The software of these devices is updated over an easily accessible and standardised diagnostic interface. Their hardware capabilities are very low, and thereby the security implementations are fairly minimalistic.

This thesis analyses the Electronic Control Units used in the heavy-duty vehicle company Scania for security vulnerabilities. First, a list of security requirements was compiled. The implementation of these requirements was verified on several Electronic Control Units by the application of software testing methods. Testing identified two potentially dangerous shortfalls: short encryption seeds used in the authentication challenge, and a lack of reliable software source verification.

These vulnerabilities were validated by performing experimental attacks. A brute-force attack was performed on a device with 2-byte seeds and keys. Next, an active man-in-the-middle attack was successfuly carried out to bypass authentication and ash the Electronic Control Unit with arbitrary software. Additionally, a passive man-in-the-middle attack was performed to sniff and store software files. The final attack was a combination: a valid seed and authentication code pair was sniffed over a flashing session, followed by using the pair to gain access later. To mitigate these attacks, it is most important to use long authentication seeds and keys, and implement all security standards.

Public-key cryptography may also be an alternative for authentication. Software data encryption could be considered for integrity and confidentiality. A less computation-intense solution would be adding cryptographic signatures to messages.

Place, publisher, year, edition, pages
2014. , 94 p.
TRITA-ICT-EX, 2014:208
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
URN: urn:nbn:se:kth:diva-188171OAI: diva2:934083
Educational program
Master of Science -Security and Mobile Computing
Available from: 2016-06-08 Created: 2016-06-08 Last updated: 2016-06-08Bibliographically approved

Open Access in DiVA

fulltext(465 kB)24 downloads
File information
File name FULLTEXT01.pdfFile size 465 kBChecksum SHA-512
Type fulltextMimetype application/pdf

By organisation
School of Information and Communication Technology (ICT)
Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 24 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 5 hits
ReferencesLink to record
Permanent link

Direct link