Rear Body and Immobilizer Hooks

I/O etc. has been defined for the chassis node which owns the devices fixed at the back of the car. That means most tail lamps, the luggage compartment light and its switch, the fuel filler flap latch, the fuel pumps and the fuel level sensor.

Immobilizer hooks have been hinted at for the steering column, left-front and rear body nodes. Establishing trust between master and slave nodes is worth investigating, as it would preclude an “evil master” being hooked onto the LINbus in place of the real master and injecting commands to bypass the immobilizer. Here’s what I’m thinking:

Leaning towards “registering” slaves with a hashed master key when the node is initialised to the bus, based on random keys stored uniquely within each node (requiring trust). A double-hash of the master key would be stored in the EEPROM of the slave and the slave secrets hidden in the EEPROM of the master. Of course those data shouldn’t be readable by diagnostic queries.

“De-trusting” could be done if the master is still functioning, to tell the slave that it’s no longer trusted, using the secret key. The slave will, if it’s still functioning, erase the trust keys and confirm that it’s done so. Once the confirmation has been read by the master, the slave will “scramble” its previous random, secret key, invalidating any possibility of that node being reused on the LINbus without re-establishing trust.

When the master gets a satisfactory response to the de-trust request, or if the slave fails to respond at all, the master wipes the slave’s key, device ownership and “interests” relationships from its own EEPROM. The slave node, should it still be functional, may be connected to another LINbus and establish a trust relationship with that LINbus’ master. A replacement slave node may be installed and establish trust only if it doesn’t have a hash of a master’s secret key.

If the master node is pining for the Fjords, then all the slave nodes which have a trust relationship will have to be re-flashed to erase their EEPROM as none actually had the master’s secret key; only their hash of it. This raises the bar to bypassing an immobilizer.

In order to “hack” the secret master key, a slave node has to (potentially) establish trust thousands of times to calculate the master’s key. This is precluded by the master associating the need for trust with an object which the slave says it owns. If another slave already owns that object (and is therefore trusted), then the imposter slave won’t be initialised, nor be sent a hash of the master’s secret key.
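To make the registration, ownership check and de-trust steps above concrete, here is a small simulation of both sides of the exchange. It is an added example, not code from the project; it assumes SHA-256 as the hash, that the master proves itself to a slave by revealing the single hash H(K) whose hash matches the stored double-hash H(H(K)), and in-memory dicts standing in for the two EEPROMs.

```python
import hashlib
import os

def h(data: bytes) -> bytes:
    # SHA-256 assumed as the one-way function of the design
    return hashlib.sha256(data).digest()

class Slave:
    """LIN slave node: unique random secret, remembers only H(H(K)) of the master."""
    def __init__(self, owns):
        self.secret = os.urandom(16)     # per-node random key, held only by this node and its master
        self.owns = set(owns)            # objects (lamps, pumps, ...) this node claims to own
        self.master_hash2 = None         # H(H(K)) once trusted, else None

    def enrol_request(self):
        return {"owns": self.owns, "secret": self.secret,
                "trusted": self.master_hash2 is not None}

    def accept_trust(self, master_hash2):
        self.master_hash2 = master_hash2

    def detrust(self, proof):
        """Erase trust only if the caller shows the preimage of the stored double-hash."""
        if self.master_hash2 is None or h(proof) != self.master_hash2:
            return False
        self.master_hash2 = None
        return True

    def on_detrust_confirmed(self):
        self.secret = os.urandom(16)     # scramble: the old secret can never be re-used

class Master:
    def __init__(self):
        self.key = os.urandom(32)        # master secret K, never transmitted on the bus
        self.owners = {}                 # object -> slave secret (the master's EEPROM relationships)

    def enrol(self, slave):
        req = slave.enrol_request()
        if req["trusted"]:                                     # already bound to a master: refuse
            return False
        if any(obj in self.owners for obj in req["owns"]):     # object already owned: impostor
            return False
        for obj in req["owns"]:
            self.owners[obj] = req["secret"]
        slave.accept_trust(h(h(self.key)))                     # slave learns H(H(K)), never K
        return True

    def detrust(self, slave, responded=True):
        confirmed = responded and slave.detrust(h(self.key))   # reveal H(K) as proof of identity
        # wipe the relationship whether the slave confirmed or failed to answer at all
        self.owners = {o: s for o, s in self.owners.items() if s != slave.secret}
        if confirmed:
            slave.on_detrust_confirmed()
        return confirmed
```

A slave that never answers is still wiped from the master, while a slave with the wrong proof keeps its trust data and refuses to erase it.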

Also, looking around for a source of building blocks for an immobilizer node that’s cryptographically strong, for remote control in what is nowadays considered to be a hostile environment.

Mulling over adding a node to the front of the car which’d own the high-current consumers like injectors, λ-sensor heater, ignition and wipers. The primary motivation is shorter, heavy wires.

A bonus is that it’ll be closer to the engine management brain, so it can sniff signals that may be interesting, especially when trouble-shooting. There’s no diagnostic interface provided by the engine management unit. No CAN, no KW-whatever. So sensors and actuators have to be tested individually to diagnose a problem.
