Beneath the Bonnet: a Breakdown of Diagnostic Security

Jan Van Den Herrewegen, Flavio Garcia

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution



An Electronic Control Unit (ECU) is an automotive computer essential to the operation of a modern car. Diagnostic protocols running on these ECUs are often too powerful, giving an adversary full access to the ECU if they can bypass the diagnostic authentication mechanism. Firstly, we present three ciphers used in the diagnostic access control, which we reverse engineered from the ECU firmware of four major automotive manufacturers. Next, we identify practical security vulnerabilities in all three ciphers, which use proprietary cryptographic primitives and a small internal state. Subsequently, we propose a generic method to remotely execute code on an ECU over CAN exclusively through diagnostic functions, which we have tested on units of three major automotive manufacturers. Once authenticated, an adversary with access to the CAN network can download binary code to the RAM of the microcontroller and execute it, giving them full access to the ECU and its peripherals, including the ability to read/write firmware at will. Finally, we conclude with recommendations to improve the diagnostic security of ECUs.
Original language: English
Title of host publication: Proceedings of the 23rd European Symposium on Research in Computer Security
Number of pages: 20
ISBN (Electronic): 978-3-319-99073-6
ISBN (Print): 978-3-319-99072-9
Publication status: E-pub ahead of print - 8 Aug 2018
Event: 23rd European Symposium on Research in Computer Security - Barcelona, Spain
Duration: 3 Sept 2018 to 7 Sept 2018

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 23rd European Symposium on Research in Computer Security

