Exploring Unified Diagnostic Services with uds-zoo
uds-zoo is a project created by Chris Bellows and Tom Steele at Atredis Partners.
Today we are releasing a new project that will be useful for learning and exploration of attacking and defending automotive targets, specifically Unified Diagnostic Services (UDS/ISO-14229).
There are many resources (books/blogs/papers) that can get you started down the path of learning to interrogate automotive systems. These typically focus on the controller area network (CAN) bus as the target. It is easy to follow along using an inexpensive USB adapter and (if you have the stomach for it) your vehicle, or alternatively a simulator. In contrast, UDS is usually only given a cursory overview. Most sources focus on conducting discovery of servers and services on the network, with examples interacting with a handful of services.
While it is possible for someone to follow along on their own vehicle, executing discovery and enumeration of UDS services (which is a great learning exercise), you are not guaranteed to run into a vulnerability or misconfiguration. For example, on a secured device most interesting services require the client to establish a non-default session and successfully authenticate as seen in the following table:
It is worth noting that the UDS specification (ISO-14229) is intended to be a guide and leaves the underlying implementations up to the developer, so the items marked with * may or may not be accessible depending on the service implementation or request parameters.
Besides using your own vehicle, the other option that is available would be to buy an engine control unit (ECU) to test outside of a car directly. This option is much cheaper than purchasing an entire car, except it still requires providing power as well as any signals the device may require to enter a running state. You may ultimately end up in the same situation where the device has been designed to require authentication to access most services.
These pain-points led to the idea of creating a framework designed to allow someone to explore example UDS servers with common vulnerabilities. After some internal brainstorming on how to implement the framework, we decided to abstract away all of the underlying layers (CAN/ISO-TP) and emulate only the UDS application layer. By only emulating the application layer, the tool is not tied to a specific platform and does not require the user to setup or configure system interfaces or drivers (CAN/ISO-TP).
The application is designed to be extensible and includes a handful of example “levels” that provide a capture-the-flag style experience. In addition to the example levels, a bare-bones example level is provided to get you started designing your own. By default the application provides its own interface to interact with and complete the included levels that is accessible using a web browser:
The framework and associated application server is written in Go, and we have provided Docker tooling for convenience.
For those who would rather have a more realistic experience, we also created a small Python program (isotp_gateway) that that will expose the challenges over a virtual can interface:
$ python gateway.py start starting thread for id: 0x01 level: Level1 rxid: 0x01 txid: 0x90 starting thread for id: 0x02 level: Level2 rxid: 0x02 txid: 0x90 starting thread for id: 0x03 level: Level3 rxid: 0x03 txid: 0x90 starting thread for id: 0x04 level: Level4 rxid: 0x04 txid: 0x90 starting thread for id: 0x05 level: Level5 rxid: 0x05 txid: 0x90
After starting the gateway, each level will be accessible over the virtual can interface and can be interacted with using whatever tool you’d like. For instance, using isotpsend to interact with Level1:
$ echo 22 13 37 | isotpsend -s 0x01 -d 0x90 vcan0
We look forward to community contributions and implementing additional exercises in the future.
Source of uds-zoo and additional documentation can be found at GitHub: https://github.com/atredispartners/uds-zoo