Extracting SecOC Keys From A 2021 Toyota RAV4 Prime

With the recently introduced SecOC (Secure Onboard Communication) standard, car manufacturers seek to make the CAN bus networks that form the backbone of modern-day cars more secure. The standard appends a MAC (message authentication code) to CAN messages, which a receiving ECU can use to verify that a message comes from a genuine part of the car, and not from a car thief or some third-party peripheral. Note that this is authentication, not confidentiality: SecOC lets a receiver reject forged frames, but the message contents still travel in the clear.

To check whether SecOC can be circumvented, [Willem Melching] and [Greg Hogan] got their hands on the power steering (EPS) unit of a Toyota RAV4 Prime, one of the first cars to implement this new security standard.

The 2021 Toyota RAV4 Prime’s power steering unit on the examination bench. (Credit: Willem Melching)

As noted by [Willem], the ultimate goal is to be able to run the open source driver assistance system openpilot on these SecOC-enabled cars, which would require either breaking SecOC, or following the official method of ‘rekeying’ the SecOC gateway.

After dumping the firmware of the EPS unit's Renesas RH850/P1M-E MCU via voltage fault injection, they identified the AES-based crypto routines, but found no easy exploit in the main application. This left the bootloader as the next target.

Ultimately they reverse-engineered the bootloader far enough to work out how its update procedure operates, which allowed them to upload shellcode. That code extracted the SecOC keys from RAM and sent them out over the CAN bus. With these keys in hand, any device can generate CAN messages carrying valid SecOC MACs, which defeats the message authentication SecOC is meant to provide. Naturally, there are many caveats to this discovery.
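To make concrete what a SecOC MAC buys a receiver, and what is lost once the key leaves the ECU, here is an added example that is not code from the article, the blog post, or the openpilot project. It models an AUTOSAR-style secured frame: the authenticator is an AES-128 CMAC over a data ID, the signal bytes and a freshness counter, truncated and appended to the frame alongside the counter. The concrete layout (4 signal bytes, 1 counter byte, 3-byte tag, 16-bit data ID, the data ID value 0x2E4 and the key) is an assumption for illustration and is not Toyota's actual format. The AES and CMAC routines are a minimal self-contained implementation so the file runs with no third-party packages; they are not constant-time and are not meant for production use. The constructed scenario at the end shows a genuine frame being accepted, a replay and a guessed tag being rejected, and a frame signed by a third-party device that holds the dumped key being accepted just like a genuine one.

```python
import hmac

# Added example, not the article's or openpilot's code. Minimal AES-128 and CMAC so the
# file runs offline; the frame layout below is an assumed AUTOSAR-style layout, not Toyota's.

def _gmul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF
        b >>= 1
    return p

def _build_sbox():
    """AES S-box derived at import time: multiplicative inverse, then the affine map."""
    inv = [0] + [next(b for b in range(1, 256) if _gmul(a, b) == 1) for a in range(1, 256)]
    out = []
    for x in inv:
        s = x
        for i in range(1, 5):
            s ^= ((x << i) | (x >> (8 - i))) & 0xFF
        out.append(s ^ 0x63)
    return out

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule as 176 bytes; each 16-byte slice is one round key, column-major."""
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [b for word in w for b in word]

def _mix_column(col):
    a0, a1, a2, a3 = col
    return [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3, a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3), _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is kept column-major, the same order as the input bytes."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[:16])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < 10:                                                         # MixColumns
            s = [v for c in range(4) for v in _mix_column(s[c * 4:c * 4 + 4])]
        s = [b ^ k for b, k in zip(s, rk[16 * rnd:16 * rnd + 16])]          # AddRoundKey
    return bytes(s)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _dbl(block):
    """Doubling in GF(2^128), used to derive the CMAC subkeys K1 and K2 (RFC 4493)."""
    n = int.from_bytes(block, "big") << 1
    n = n ^ 0x87 if n >> 128 else n
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")

def aes_cmac(key, msg):
    """Full 16-byte AES-128 CMAC per RFC 4493."""
    k1 = _dbl(aes128_encrypt_block(key, bytes(16)))
    n = max(1, -(-len(msg) // 16))
    if msg and len(msg) % 16 == 0:
        last = _xor(msg[-16:], k1)                       # complete final block: XOR with K1
    else:
        tail = msg[(n - 1) * 16:] + b"\x80"              # 10* padding, then XOR with K2
        last = _xor(tail + bytes(16 - len(tail)), _dbl(k1))
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(key, _xor(x, msg[i * 16:(i + 1) * 16]))
    return aes128_encrypt_block(key, _xor(x, last))

PAYLOAD_LEN, MAC_LEN = 4, 3   # assumed: 4 signal bytes + 1 counter byte + 24-bit tag = 8-byte CAN frame

def secoc_tag(key, data_id, payload, counter):
    """Truncated MAC over DataId || payload || freshness, the input AUTOSAR SecOC authenticates."""
    return aes_cmac(key, data_id.to_bytes(2, "big") + payload + bytes([counter]))[:MAC_LEN]

def build_secured_frame(key, data_id, payload, counter):
    return payload + bytes([counter]) + secoc_tag(key, data_id, payload, counter)

class SecOCReceiver:
    """Verifies frames for one data ID: a wrong tag or a non-increasing counter is dropped."""
    def __init__(self, key, data_id):
        self.key, self.data_id, self.last_counter = key, data_id, -1

    def accept(self, frame):
        payload, counter, tag = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN], frame[PAYLOAD_LEN + 1:]
        ok = hmac.compare_digest(tag, secoc_tag(self.key, self.data_id, payload, counter))
        if not ok or counter <= self.last_counter:      # 8-bit counter rollover is not handled here
            return False
        self.last_counter = counter
        return True

def demo():
    """Constructed scenario: genuine frame, replay, guessed tag, then a frame signed with the dumped key."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed key (the RFC 4493 test key)
    data_id = 0x2E4                                            # hypothetical data ID
    rx = SecOCReceiver(key, data_id)
    torque = (250).to_bytes(2, "big") + b"\x00\x00"           # constructed signal bytes
    genuine = build_secured_frame(key, data_id, torque, 1)
    out = {"genuine": rx.accept(genuine), "replay": rx.accept(genuine)}
    real = secoc_tag(key, data_id, torque, 2)
    guessed = bytes([real[0] ^ 0x01]) + real[1:]              # no key: one bit off is as good as a guess
    out["guessed_tag"] = rx.accept(torque + bytes([2]) + guessed)
    big = (500).to_bytes(2, "big") + b"\x00\x00"
    out["signed_with_dumped_key"] = rx.accept(build_secured_frame(key, data_id, big, 2))
    return out
```

The receiver does two things the article's attack has to get past: it recomputes the tag with the shared key, and it refuses counters it has already seen. Neither helps once the key itself has been read out of RAM, because the attacker then produces the same tag the genuine ECU would, with a fresh counter. The truncated tag and counter widths, and how the receiver resynchronises on rollover, are implementation choices that the example fixes to simple values.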

As noted in the blog post, the specific MCU targeted ran the crypto routines in software rather than in a dedicated hardware security module, and its bootloader did not validate the payload it was sent. That said, the approach may well carry over to much newer SecOC implementations: some experimentation on a 2023 Corolla Cross showed that its power steering unit could also be coaxed into code execution via the bootloader, although no further attempt to defeat SecOC on it has been made yet.

A GitHub repository containing the software tools used to extract the keys has been made available.

While SecOC promises to make the future of CAN hacking more difficult, there are still millions of vehicles on the road that are all too happy to let you poke around in their data networks, allowing you to do everything from pulling EV battery info to adding a backup camera, so long as you have the proper tools.
