Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Security Evaluation of the Electronic Control Unit Software Update Process
KTH, School of Information and Communication Technology (ICT).
2014 (English)Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

A modern vehicle is controlled by a distributed network of embedded devices - Electronic Control Units. The software of these devices is updated over an easily accessible and standardised diagnostic interface. Their hardware capabilities are very low, and thereby the security implementations are fairly minimalistic.

This thesis analyses the Electronic Control Units used in the heavy-duty vehicle company Scania for security vulnerabilities. First, a list of security requirements was compiled. The implementation of these requirements was verified on several Electronic Control Units by the application of software testing methods. Testing identified two potentially dangerous shortfalls: short encryption seeds used in the authentication challenge, and a lack of reliable software source verification.

These vulnerabilities were validated by performing experimental attacks. A brute-force attack was performed on a device with 2-byte seeds and keys. Next, an active man-in-the-middle attack was successfuly carried out to bypass authentication and ash the Electronic Control Unit with arbitrary software. Additionally, a passive man-in-the-middle attack was performed to sniff and store software files. The final attack was a combination: a valid seed and authentication code pair was sniffed over a flashing session, followed by using the pair to gain access later. To mitigate these attacks, it is most important to use long authentication seeds and keys, and implement all security standards.

Public-key cryptography may also be an alternative for authentication. Software data encryption could be considered for integrity and confidentiality. A less computation-intense solution would be adding cryptographic signatures to messages.

Place, publisher, year, edition, pages
2014. , 94 p.
Series
TRITA-ICT-EX, 2014:208
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-188171OAI: oai:DiVA.org:kth-188171DiVA: diva2:934083
Educational program
Master of Science -Security and Mobile Computing
Examiners
Available from: 2016-06-08 Created: 2016-06-08 Last updated: 2016-06-08Bibliographically approved

Open Access in DiVA

fulltext(465 kB)178 downloads
File information
File name FULLTEXT01.pdfFile size 465 kBChecksum SHA-512
f80477e2586b25c99c540eb707443a2cac5b2f4a608452fecf23230d75fab3a68b315b6ca469a817bf8440f3760882160d56a94074efc18ffbb922f8b89cd32f
Type fulltextMimetype application/pdf

By organisation
School of Information and Communication Technology (ICT)
Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 178 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 113 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf