一则汽车CAN总线的安全渗透题目分析

题目

目前大部分汽车采用基于CAN总线的诊断服务（ISO 14229-1），然而CAN报文有效数据最多只

有8个字节，因此引入CAN传输层协议（ISO 15765-2）以使CAN报文可以传输大于8字节的有效

数据。 白帽“小安”在做诊断相关测试的时候录制了一段Log，请帮助小安分析

1） 这段Log展示了哪个诊断服务过程？（须写明服务英文全称）

2） 这段Log体现了哪些风险？

3） 你可以利用上述某个风险基于最后两帧报文进行渗透吗？（须写明具体过程，如构造的报

文）

4） 这段Log中存在一个协议错误，你能发现出来吗？

Log

date Wed Nov 10 07:20:25.590 pm base hex timestamps absoluteinternal events logged// version 15.2.0// Measurement UUID: 9b4ce0cd-4350-4a9e-852b-d971f4db30441.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17981.000476 1 70E Tx d 8 10 0E 67 01 88 62 74 AA Length = 224000 BitCount = 115 ID = 18061.000726 1 706 Tx d 8 30 00 00 00 00 00 00 00 Length = 244000 BitCount = 125 ID = 17981.000958 1 70E Tx d 8 20 2D 29 C2 70 FE 01 16 Length = 226000 BitCount = 116 ID = 18061.001186 1 70E Tx d 8 21 B2 29 C2 70 FE 01 16 Length = 222000 BitCount = 114 ID = 18061.001420 1 706 Tx d 8 10 0E 27 02 B8 19 61 10 Length = 228000 BitCount = 117 ID = 17981.001658 1 70E Tx d 8 30 00 00 C2 70 FE 01 16 Length = 232000 BitCount = 119 ID = 18061.001888 1 706 Tx d 8 20 A5 44 7D 47 14 CC AD Length = 224000 BitCount = 115 ID = 17981.002116 1 706 Tx d 8 21 1A 44 7D 47 14 CC AD Length = 222000 BitCount = 114 ID = 17981.002346 1 70E Tx d 8 02 67 02 C2 70 FE 01 16 Length = 224000 BitCount = 115 ID = 18062.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17982.000476 1 70E Tx d 8 10 0E 67 01 79 D8 77 71 Length = 224000 BitCount = 115 ID = 18062.000714 1 706 Tx d 8 30 00 00 7D 47 14 CC AD Length = 232000 BitCount = 119 ID = 17982.000944 1 70E Tx d 8 20 B1 F8 09 A9 32 B5 0F Length = 224000 BitCount = 115 ID = 18062.001176 1 70E Tx d 8 21 45 F8 09 A9 32 B5 0F Length = 226000 BitCount = 116 ID = 18062.001410 1 706 Tx d 8 10 0E 27 02 47 A1 A3 B7 Length = 228000 BitCount = 117 ID = 17982.001642 1 70E Tx d 8 30 00 00 09 A9 32 B5 0F Length = 226000 BitCount = 116 ID = 18062.001874 1 706 Tx d 8 20 98 53 54 FE B8 C1 6C Length = 226000 BitCount = 116 ID = 17982.002108 1 706 Tx d 8 21 E1 53 54 FE B8 C1 6C Length = 228000 BitCount = 117 ID = 17982.002338 1 70E Tx d 8 02 67 02 09 A9 32 B5 0F Length = 224000 BitCount = 115 ID = 18063.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17983.000476 1 70E Tx d 8 10 0E 67 01 20 D1 89 A4 Length = 224000 BitCount = 115 ID = 18063.000714 1 706 Tx d 8 30 00 00 54 FE B8 C1 6C Length = 232000 BitCount = 119 ID = 17983.000944 1 70E Tx d 8 20 B1 F5 B6 D1 96 42 A9 Length = 224000 BitCount = 115 ID = 18063.001170 1 70E Tx d 8 21 6C F5 B6 D1 96 42 A9 Length = 220000 BitCount = 113 ID = 18063.001404 1 706 Tx d 8 10 0E 27 02 29 02 A8 5D Length = 228000 BitCount = 117 ID = 17983.001640 1 70E Tx d 8 30 00 00 B6 D1 96 42 A9 Length = 230000 BitCount = 118 ID = 18063.001868 1 706 Tx d 8 20 54 39 1B 14 EB 9D 26 Length = 222000 BitCount = 114 ID = 17983.002098 1 706 Tx d 8 21 F8 39 1B 14 EB 9D 26 Length = 224000 BitCount = 115 ID = 17983.002326 1 70E Tx d 8 02 67 02 B6 D1 96 42 A9 Length = 222000 BitCount = 114 ID = 18064.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17984.000480 1 70E Tx d 8 10 0E 67 01 F7 BF B9 DD Length = 228000 BitCount = 117 ID = 18064.000714 1 706 Tx d 8 30 00 00 1B 14 EB 9D 26 Length = 228000 BitCount = 117 ID = 17984.000944 1 70E Tx d 8 20 20 45 7B 4C E4 19 9B Length = 224000 BitCount = 115 ID = 18064.001172 1 70E Tx d 8 21 80 45 7B 4C E4 19 9B Length = 222000 BitCount = 114 ID = 18064.001402 1 706 Tx d 8 10 0E 27 02 E5 EC C9 EB Length = 224000 BitCount = 115 ID = 17984.001636 1 70E Tx d 8 30 00 00 7B 4C E4 19 9B Length = 228000 BitCount = 117 ID = 18064.001870 1 706 Tx d 8 20 6F B4 CC EA C2 1C A0 Length = 228000 BitCount = 117 ID = 17984.002098 1 706 Tx d 8 21 D2 B4 CC EA C2 1C A0 Length = 222000 BitCount = 114 ID = 17984.002328 1 70E Tx d 8 02 67 02 7B 4C E4 19 9B Length = 224000 BitCount = 115 ID = 18065.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17985.000476 1 70E Tx d 8 10 0E 67 01 7E 5C A4 95 Length = 224000 BitCount = 115 ID = 18065.000714 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 17985.000946 1 70E Tx d 8 20 57 05 AD 37 FD 05 67 Length = 226000 BitCount = 116 ID = 18065.001178 1 70E Tx d 8 21 CC 05 AD 37 FD 05 67 Length = 226000 BitCount = 116 ID = 18066.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17986.000480 1 70E Tx d 8 10 0E 67 01 42 D0 0A B3 Length = 228000 BitCount = 117 ID = 18066.000718 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 17986.000948 1 70E Tx d 8 20 3F 63 1B 91 B1 8E 06 Length = 224000 BitCount = 115 ID = 18066.001174 1 70E Tx d 8 21 4D 63 1B 91 B1 8E 06 Length = 220000 BitCount = 113 ID = 18067.000246 1 706 Tx d 8 02 27 01 00 00 00 00 00 Length = 240000 BitCount = 123 ID = 17987.000480 1 70E Tx d 8 10 0E 67 01 FC 10 11 2C Length = 228000 BitCount = 117 ID = 18067.000718 1 706 Tx d 8 30 00 00 CC EA C2 1C A0 Length = 232000 BitCount = 119 ID = 17987.000948 1 70E Tx d 8 20 BA CB 0F 34 A8 26 EF Length = 224000 BitCount = 115 ID = 18067.001176 1 70E Tx d 8 21 CF CB 0F 34 A8 26 EF Length = 222000 BitCount = 114 ID = 1806

解答：

1） 服务过程英文名：SecurityAccess 该服务用于安全验证。 根据以下特征判断出服务： 请求种子：27 01响应：02 67 02SecurityAccess的详细资料参考以下链接： ISO14229: 之 安全访问SecurityAccess(0x27) - 张小力 - 博客园 2） 安全算法为栅栏算法，算法简单；安全算法采用静态算法，不能防止爆破，利用已有的 Seed-Key 匹配关系，可以通过爆破复现在匹配关系中的 Seed，从而查找相应的 Key， 通过安全访问 栅栏算法暴力破解参考以下链接： 暴力破解栅栏密码（Python）_清风阁-CSDN博客_栅栏密码解法 3） 考察栅栏算法的构造，正确密钥为：0x91 0x85 0xB3 0x81 0xBD 0xBB 0x0E 0x48 0x37 0x03 0x3B 0xF9，报文构造注意符合 CAN 传输层协议，连续帧可以从 0x20 开始，以符合实际 Log 4） 连续帧开始的第一个帧应以 0x21 开始，直到 0x2F 之后的下一个连续帧才从 0x20 开始

如果觉得《一则汽车CAN总线的安全渗透题目分析》对你有帮助，请点赞、收藏，并留下你的观点哦！