一则汽车CAN总线的安全渗透题目分析
题目
目前大部分汽车采用基于CAN总线的诊断服务(ISO 14229-1),然而CAN报文有效数据最多只
有8个字节,因此引入CAN传输层协议(ISO 15765-2)以使CAN报文可以传输大于8字节的有效
数据。 白帽“小安”在做诊断相关测试的时候录制了一段Log,请帮助小安分析
1) 这段Log展示了哪个诊断服务过程?(须写明服务英文全称)
2) 这段Log体现了哪些风险?
3) 你可以利用上述某个风险基于最后两帧报文进行渗透吗?(须写明具体过程,如构造的报
文)
4) 这段Log中存在一个协议错误,你能发现出来吗?
Log
date Wed Nov 10 07:20:25.590 pm 2021
base hex timestamps absolute
internal events logged
// version 15.2.0
// Measurement UUID: 9b4ce0cd-4350-4a9e-852b-d971f4db3044
1.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
1.000476 1 70E Tx d 8 10 0E 67 01 88 62 74 AA Length = 224000 BitCount = 115 ID = 1806
1.000726 1 706 Tx d 8 30 00 00 00 00 00 00 00 Length = 244000 BitCount = 125 ID = 1798
1.000958 1 70E Tx d 8 20 2D 29 C2 70 FE 01 16 Length = 226000 BitCount = 116 ID = 1806
1.001186 1 70E Tx d 8 21 B2 29 C2 70 FE 01 16 Length = 222000 BitCount = 114 ID = 1806
1.001420 1 706 Tx d 8 10 0E 27 02 B8 19 61 10 Length = 228000 BitCount = 117 ID = 1798
1.001658 1 70E Tx d 8 30 00 00 C2 70 FE 01 16 Length = 232000 BitCount = 119 ID = 1806
1.001888 1 706 Tx d 8 20 A5 44 7D 47 14 CC AD Length = 224000 BitCount = 115 ID = 1798
1.002116 1 706 Tx d 8 21 1A 44 7D 47 14 CC AD Length = 222000 BitCount = 114 ID = 1798
1.002346 1 70E Tx d 8 02 67 02 C2 70 FE 01 16 Length = 224000 BitCount = 115 ID = 1806
2.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
2.000476 1 70E Tx d 8 10 0E 67 01 79 D8 77 71 Length = 224000 BitCount = 115 ID = 1806
2.000714 1 706 Tx d 8 30 00 00 7D 47 14 CC AD Length = 232000 BitCount = 119 ID = 1798
2.000944 1 70E Tx d 8 20 B1 F8 09 A9 32 B5 0F Length = 224000 BitCount = 115 ID = 1806
2.001176 1 70E Tx d 8 21 45 F8 09 A9 32 B5 0F Length = 226000 BitCount = 116 ID = 1806
2.001410 1 706 Tx d 8 10 0E 27 02 47 A1 A3 B7 Length = 228000 BitCount = 117 ID = 1798
2.001642 1 70E Tx d 8 30 00 00 09 A9 32 B5 0F Length = 226000 BitCount = 116 ID = 1806
2.001874 1 706 Tx d 8 20 98 53 54 FE B8 C1 6C Length = 226000 BitCount = 116 ID = 1798
2.002108 1 706 Tx d 8 21 E1 53 54 FE B8 C1 6C Length = 228000 BitCount = 117 ID = 1798
2.002338 1 70E Tx d 8 02 67 02 09 A9 32 B5 0F Length = 224000 BitCount = 115 ID = 1806
3.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
3.000476 1 70E Tx d 8 10 0E 67 01 20 D1 89 A4 Length = 224000 BitCount = 115 ID = 1806
3.000714 1 706 Tx d 8 30 00 00 54 FE B8 C1 6C Length = 232000 BitCount = 119 ID = 1798
3.000944 1 70E Tx d 8 20 B1 F5 B6 D1 96 42 A9 Length = 224000 BitCount = 115 ID = 1806
3.001170 1 70E Tx d 8 21 6C F5 B6 D1 96 42 A9 Length = 220000 BitCount = 113 ID = 1806
3.001404 1 706 Tx d 8 10 0E 27 02 29 02 A8 5D Length = 228000 BitCount = 117 ID = 1798
3.001640 1 70E Tx d 8 30 00 00 B6 D1 96 42 A9 Length = 230000 BitCount = 118 ID = 1806
3.001868 1 706 Tx d 8 20 54 39 1B 14 EB 9D 26 Length = 222000 BitCount = 114 ID = 1798
3.002098 1 706 Tx d 8 21 F8 39 1B 14 EB 9D 26 Length = 224000 BitCount = 115 ID = 1798
3.002326 1 70E Tx d 8 02 67 02 B6 D1 96 42 A9 Length = 222000 BitCount = 114 ID = 1806
4.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
4.000480 1 70E Tx d 8 10 0E 67 01 F7 BF B9 DD Length = 228000 BitCount = 117 ID = 1806
4.000714 1 706 Tx d 8 30 00 00 1B 14 EB 9D 26 Length = 228000 BitCount = 117 ID = 1798
4.000944 1 70E Tx d 8 20 20 45 7B 4C E4 19 9B Length = 224000 BitCount = 115 ID = 1806
4.001172 1 70E Tx d 8 21 80 45 7B 4C E4 19 9B Length = 222000 BitCount = 114 ID = 1806
4.001402 1 706 Tx d 8 10 0E 27 02 E5 EC C9 EB Length = 224000 BitCount = 115 ID = 1798
4.001636 1 70E Tx d 8 30 00 00 7B 4C E4 19 9B Length = 228000 BitCount = 117 ID = 1806
4.001870 1 706 Tx d 8 20 6F B4 CC EA C2 1C A0 Length = 228000 BitCount = 117 ID = 1798
4.002098 1 706 Tx d 8 21 D2 B4 CC EA C2 1C A0 Length = 222000 BitCount = 114 ID = 1798
4.002328 1 70E Tx d 8 02 67 02 7B 4C E4 19 9B Length = 224000 BitCount = 115 ID = 1806
5.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
5.000476 1 70E Tx d 8 10 0E 67 01 7E 5C A4 95 Length = 224000 BitCount = 115 ID = 1806
5.000714 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 1798
5.000946 1 70E Tx d 8 20 57 05 AD 37 FD 05 67 Length = 226000 BitCount = 116 ID = 1806
5.001178 1 70E Tx d 8 21 CC 05 AD 37 FD 05 67 Length = 226000 BitCount = 116 ID = 1806
6.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
6.000480 1 70E Tx d 8 10 0E 67 01 42 D0 0A B3 Length = 228000 BitCount = 117 ID = 1806
6.000718 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 1798
6.000948 1 70E Tx d 8 20 3F 63 1B 91 B1 8E 06 Length = 224000 BitCount = 115 ID = 1806
6.001174 1 70E Tx d 8 21 4D 63 1B 91 B1 8E 06 Length = 220000 BitCount = 113 ID = 1806
7.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 1798
7.000480 1 70E Tx d 8 10 0E 67 01 FC 10 11 2C Length = 228000 BitCount = 117 ID = 1806
7.000718 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 1798
7.000948 1 70E Tx d 8 20 BA CB 0F 34 A8 26 EF Length = 224000 BitCount = 115 ID = 1806
7.001176 1 70E Tx d 8 21 CF CB 0F 34 A8 26 EF Length = 222000 BitCount = 114 ID = 1806
解答:
1 ) 服务过程英文名: SecurityAccess
该服务用于安全验证。
根据以下特征判断出服务:
请求种子: 27 01
响应: 02 67 02
SecurityAccess的详细资料参考以下链接:
ISO14229:2013 之 安全访问SecurityAccess(0x27) - 张小力 - 博客园
2 ) 安全算法为栅栏算法,算法简单;安全算法采用静态算法,不能防止爆破,利用已有的
Seed-Key 匹配关系,可以通过爆破复现在匹配关系中的 Seed ,从而查找相应的 Key ,
通过安全访问
栅栏算法暴力破解参考以下链接:
暴力破解栅栏密码(Python)_清风阁-CSDN博客_栅栏密码解法
3 ) 考察栅栏算法的构造,正确密钥为: 0x91 0x85 0xB3 0x81 0xBD 0xBB 0x0E 0x48 0x37 0x03
0x3B 0xF9 ,报文构造注意符合 CAN 传输层协议,连续帧可以从 0x20 开始,以符合实际
Log
4 ) 连续帧开始的第一个帧应以 0x21 开始,直到 0x2F 之后的下一个连续帧才从 0x20 开始