Security Audits

CAN DoS Recovery

Measures the load of a CAN bus, then proceeds to DoS the network preventing communication and causing errors. A few seconds later, the bus load is measured again to ensure that the network has returned to a normal state.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Baud Rate500000The baud rate of the CAN network

Fail Conditions

If the bus load at this time is vastly different from the control measurement, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a dos_recovery -p device=can0 -p baud=500000

UDS Communication Control

Attempts to toggle the communication state of a module via UDS. Disabling communication of a module can cause serious issues and should not be allowed in a default session.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent

Fail Conditions

If the UDS Server responds with success to the Communication Control request, the test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_comm_control -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8

UDS IO Control

Attempts to control the IO state of a module via UDS. Controlling the IO can cause the vehicle to act in unexpected ways and should not be allowed in a default session.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Minimum DID0xF000Start of Data ID range to test against
Maximum DID0xFFFFEnd of Data ID range to test against

Fail Conditions

If the UDS Server replies success to the IO Control request, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_io_control -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p min_did=0xF000 -p max_did=0xFFFF

UDS Read Memory by Address

Will iterate through memory formats and addresses attempting to read out module memory. Memory should not be directly readable in a default session.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Address Scan Interval0x100000The address interval that this test scans with, the lower the number the more granular the scan (which can find small memory regions), but takes more time.

Fail Conditions

If memory contents are read, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_read_by_addr -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p scan_interval=0x100000

UDS Write Memory by Address

Will iterate through memory formats and addresses attempting to write module memory. Memory should not be directly writable in a default session.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Address Scan Interval0x100000The address interval that this test scans with, the lower the number the more granular the scan (which can find small memory regions), but takes more time.

Fail Conditions

If the UDS Server responds with success this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_write_by_addr -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p scan_interval=0x100000

UDS Write Data by Identifier

Will iterate through given DID range attempting to write module memory. Memory should not be writable in any session without security unlock.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Minimum DID0xF000Start of Data ID range to test against
Maximum DID0xFFFFEnd of Data ID range to test against

Fail Conditions

If the UDS Server responds with write successful, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_write_by_id -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p min_did=0xF000 -p max_did=0xFFFF

UDS Request Upload

Iterates through upload formats and requests to upload files from an ECU. Request Upload can expose critical information about the firmware and calibrations, it should not be allowed without access control.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Address Scan Interval0x100000The address interval that this test scans with, the lower the number the more granular the scan (which can find small memory regions), but takes more time.

Fail Conditions

If the UDS Server responds with success, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_request_upload -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p scan_interval=0x100000

UDS Request Download

Iterates through download formats and requests to download files to an ECU. Request Download can modify the firmware and behavior of a device, it should not be allowed without access control.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Address Scan Interval0x100000The address interval that this test scans with, the lower the number the more granular the scan (which can find small memory regions), but takes more time.

Fail Conditions

If the UDS Server responds with success, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_request_download -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p scan_interval=0x100000

UDS Security Access

Validates security access seed strength and failure timeout. The test will validate that Service 27 always returns a unique seed of sufficient length and is protected from brute force attacks.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent
Expected Minimum Seed Length8The minimum number of bytes the seed shall be to pass this test
Number of Seeds Requested5Number of seeds requested when checking for duplicates

Fail Conditions

If duplicate seeds are obtained, or a seed of insufficient length is seen for any access level, this test will be marked as failed. If insufficient timeout is implement between seed access attempts, this test will be marked as failed.

Example CLI usage:

$ breakwater run -a uds_security_access -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8 -p min_seed_len=8 -p seeds_requested=5

XCP Upload

Tests if it is posible to read memory with XCP Upload with STD commands 0xF5 (UPLOAD) and 0xF4 (SHORT_UPLOAD) on a common range of memory addresses.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent

Fail Conditions

If the XCP server responds success to either request this test will be marked as failed.

Example CLI usage:

$ breakwater run -a xcp_upload -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8

XCP Download

Tests if it is posible to write XCP memory using the Download (0xF0) and Download Next (0xEF) services.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent

Fail Conditions

If the XCP Server responds success to either of these requests this test will be marked as failed.

Example CLI usage:

$ breakwater run -a xcp_download -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8

XCP Program

Attempts to write memory using the XCP service Program (0xD0) service.

Parameters

NameDefault ValueDescription
CAN Interfacecan0The network interface on which to interact with the CAN Bus
Extended IDFalseWhether or not to use 29 bit arbitration IDs
Request Arbitration ID0x7e0The arbitration ID to send requests to
Response Arbitration ID0x7e8The arbitration ID where replies will be sent

Fail Conditions

If the XCP Server responds success this test will be marked as failed.

Example CLI usage:

$ breakwater run -a xcp_program -p device=can0 -p extended_id=false -p req_arb=0x7e0 -p resp_arb=0x7e8