Thanks. Very interesting how a group that just wants to modify the car's firmware to add new vehicle functions is unfortunately the same group that is publicly doing a lot of the really hard SW reverse engineering work to make their future thief tools easier to deploy.
If the 2nd gen NX is using an HSM in all the vehicle's ECUs, at least today they do not know yet how to extract the stored key. However, they seem to imply the weak security implementation of the bootloader firmware is likely the easier entry attack point to possibly just bypass the HSM stored key.
The problem with all security SW/HW is the bar always has to keep rising to keep them out! Hopefully the bar is raised high enough that most thieves will not have the tools, money or skills to pull this off for some time. LOL
Just a note: Since some might think the extracted key can simply be published for all to use on the internet, just to be clear, the key has to be extracted per car. And I assume the key is changed in the car at some reasonable time interval. If true, that means someone in service, for example, could extract a key and later pass it to a thief. They seem to say that the current encrypted key is used as the "seed" for the new secure key, as I understand it.
You are totally correct that this team doing a reverse engineering job opens another way for others to crack it open for other purposes.
Every car has its own key, so getting a key from one car does not mean it can be used on your car. A new key is generated with the Master ECU Key or the current SecOC key. I do not think these keys will change over time if you do not get a new ECU added to the system. The area where they talk about the freshness value and all that good stuff is related to the CAN bus messages being sent. Every message comes with a unique value that changes so that the messages cannot be replayed. For example, if you unlock the car and a device is installed to capture the message, that same message cannot be reused to perform an attack.
That is how I understood the blog.
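The freshness-value mechanism the post describes, as an added example that is not from the blog or from Toyota's firmware: a toy SecOC-style sender and receiver where each PDU carries a truncated freshness counter and a truncated MAC, so a captured "unlock" message is rejected when it is played back. HMAC-SHA256 stands in for the AES-CMAC SecOC normally uses; the key, data ID and bit widths are constructed assumptions.

```python
import hmac
import hashlib

# Illustrative parameters (assumptions, not the real vehicle's): a 16-bit
# freshness counter of which only the low 4 bits are transmitted, and a MAC
# truncated to 28 bits, as AUTOSAR SecOC allows.
FV_BITS = 16
FV_TX_BITS = 4
MAC_TX_BITS = 28
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def _mac(key, data_id, payload, fv):
    # SecOC authenticates DataId || payload || full freshness value.
    msg = data_id.to_bytes(2, "big") + payload + fv.to_bytes(FV_BITS // 8, "big")
    full = hmac.new(key, msg, hashlib.sha256).digest()  # stand-in for AES-CMAC
    tag = int.from_bytes(full[:4], "big") >> (32 - MAC_TX_BITS)
    return tag.to_bytes(4, "big")


class Sender:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.fv = key, data_id, 0

    def send(self, payload):
        self.fv = (self.fv + 1) % (1 << FV_BITS)
        tag = _mac(self.key, self.data_id, payload, self.fv)
        # Only the low FV_TX_BITS of the counter travel on the bus.
        return (payload, self.fv & ((1 << FV_TX_BITS) - 1), tag)


class Receiver:
    def __init__(self, key, data_id):
        self.key, self.data_id, self.fv = key, data_id, 0

    def verify(self, pdu):
        payload, fv_low, tag = pdu
        # Rebuild the full counter as the next value after the last accepted
        # one that has these low bits; a replayed PDU therefore gets a higher
        # counter than it was signed with and its MAC no longer matches.
        mask = (1 << FV_TX_BITS) - 1
        cand = (self.fv & ~mask) | fv_low
        if cand <= self.fv:
            cand += 1 << FV_TX_BITS
        cand %= 1 << FV_BITS
        if not hmac.compare_digest(tag, _mac(self.key, self.data_id, payload, cand)):
            return False  # tampered, stale or replayed
        self.fv = cand  # advance the accepted freshness value
        return True
```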
@lsft Yeah, you're probably right, the unique key per car probably does not change. It may be a best security practice, but it would be interesting how all the ECUs that have the key would be kept in sync. It could be quite daunting and I am sure some of the car ECU capabilities are probably very limited in processing power and memory. Message replay attack is a good raising of the security level.
I am frankly not too concerned. Reverse SW engineering of code tends to be very brittle code in itself. Over time even minor car firmware updates would likely break the code and at least require someone to research the changes again even if it was just address offsets. Any major changes Toyota implements, like the HW stored key, are likely a major undertaking again.
BTW, really like you keeping the community aware of the relatively nerdy things. LOL
I'm glad you enjoy this info and that I'm trying to decode as much as possible for folks who aren't as tech savvy.
I always use a RED combo lock for steering wheel & foot brake, adjustable locks in RED, additional AirTags hidden and warning stickers, cover VIN #. Park on a corner, WELL LIT, on the street! Garage LOCKED, vehicle locked whenever parked at night.
Thanks for sharing