It is quite common, that devices with CAN interface also support updating its firmware via the CAN interface. In the past, the security protection for such bootloaders was often minimal, as the CAN network was mostly a “closed” network. Starting a firmware update was only possible with physical access to the network.
Today, more and more CAN networks feature remote access to support diagnostic functions or IoT data mining or access. This gives intruders additional attack vectors and Embedded Ransomware attacks (link to blog article) can become a reality, if the bootloading process is not properly secured.
CANcrypt can be used to add an additional security layer to CAN or CAN-FD based bootloader implementations. Applications that support firmware update via CAN(-FD) may use different security levels. Traditionally the first layer is to encrypt and authenticate the firmware update file transferred to the microcontroller receiving the new code. An additional CANcrypt security layer ensures that the host communicating with the bootloader on CAN(-FD) level is authorized to perform the update. This ensures that only an authorized host can activate the booloader and erase Flash memory.
Our secure bootloader implementation uses two symmetric keys to protect both the code and the bootloader activation process separately. The manufacturer uses a code protection key to encrypt and authenticate the firmware (here using AES-GCM). An additional CANcrypt connection key is used to connect an authorized update utility to the bootloader. This allows an additional protection level, as only an authorized system integrator, technician or utility can activate the bootloader in the first place.
The initial keys, bootloader and firmware need to be programmed in a secure, trusted environment:
The firmware update process now requires the following steps: