Closed sam-m-weber closed 5 years ago
Feel free to send a PR with a wording change that clarifies. I don't see the issue you do when I read it.
Hi,
Both SAE and ISO have committees working on explicitly securing and authenticating all OBD port and UDS interfaces within vehicles.
AUTOSAR has very poorly designed SecOC security mechanisms for use between ECUs.
A number of Tier 1 suppliers (and OEMs) have propriety schemes for securing inter-ECU communications.
Ethernet in-vehicle doesn't help (everyone thought naively it would), because OEMs and suppliers use cost reasons to avoid deploying IEEE standards for Datalink layer 2 security and IETF standards for Network layer 3 security (IPsec) and Transport layer 4 security (TLS).
Insecure communication between ECUs is certainly not limited to OBD and UDS interfaces. The functional safety of vehicles is at risk because of the lack of ubiquitous authenticated ECU-to-ECU communications in current models.
Cheers,
Ira McDonald (Musician / Software Architect) Co-Chair - TCG Trusted Mobility Solutions WG Co-Chair - TCG Metadata Access Protocol SG Chair - Linux Foundation Open Printing WG Secretary - IEEE-ISTO Printer Working Group Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG IETF Designated Expert - IPP & Printer MIB Blue Roof Music / High North Inc http://sites.google.com/site/blueroofmusic http://sites.google.com/site/highnorthinc mailto: blueroofmusic@gmail.com PO Box 221 Grand Marais, MI 49839 906-494-2434
On Wed, Feb 20, 2019 at 11:31 AM Justin Cappos notifications@github.com wrote:
Feel free to send a PR with a wording change that clarifies. I don't see the issue you do when I read it.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/uptane/uptane-standard/issues/49#issuecomment-465653406, or mute the thread https://github.com/notifications/unsubscribe-auth/ATe6Ozu_3c_9ICvDbTyTiuAAHLZAbBIqks5vPXh-gaJpZM4bFPgB .
Authentication of communications between ECUs is a problem that isn't restricted to OBD/UDS programming.
I agree with @JustinCappos here--I don't think there's a problem. "Such as" quite clearly indicates that the statement is non-exclusive.
Perhaps [...] the threat model explicitly state that compromised ECUs can take advantage of unauthenticated communication channels between ECUs?
I think that's already very clearly addressed. From Section 4.2 (emphasis added):
We assume that attackers may [...] Intercept and modify network traffic (i.e., perform man-in-the-middle attacks) [...] Inside the vehicle, intercepting and modifying traffic on one or more vehicle buses (e.g. via an OBD port or using a compromised ECU as a vector)
In the "Out of Scope" section, it says that "Problems associated with OBD or UDS programming of ECUs, such as authentication of communications between ECUs" are out of scope. Authentication of communications between ECUs is a problem that isn't restricted to OBD/UDS programming. This statement could be misread to imply that either
I presume that neither of these are meant. Perhaps a better example could be chosen, and the threat model explicitly state that compromised ECUs can take advantage of unauthenticated communication channels between ECUs?