UDS Security Access for Constrained ECUs 2022-01-0132

Legacy electronic control units are, nowadays, required to implement cybersecurity measures, but they often do not have all the elements that are necessary to realize industry-standard cybersecurity controls. For example, they may not have hardware cryptographic accelerators, segregated areas of memory for storing keys, or one-time programmable memory areas. Such systems must still be protected with a sufficient level of rigor against attackers who wish to modify their operation or extract confidential information from them. A critical interface to defend is the Unified Diagnostics Service (UDS) interface which is used in many areas across the whole vehicle lifecycle. While the UDS service $27 (Security Access) has a reputation for poor cybersecurity, there is nothing inherent in the way it operates which prevents a secure access-control from being implemented. This paper describes an approach to providing UDS Security Access within systems which have very constrained processors (in terms of processing power, memory size and, in particular, cybersecurity features) which can be applied to multiple vehicles across many manufacturers. It describes, in detail, methods for generating UDS-Seeds and UDS-Keys in the absence of a hardware security module (HSM) with a true-random number generator, and without use (by the user who is requesting access) of IT-infrastructure. In addition, the problem of key-management and distribution is tackled head-on and not left as an implementation detail. A threat analysis has been performed (according to ISO/SAE 21434) using model-based tools, the results of which are presented in this paper. The constraints (some of which make it difficult to properly secure certain key material) result in risks which become clear in the threat analysis. Potential future users of this scheme can use this analysis to assess the residual risks in their own applications.