OlegMikheev.com

Inside the Software Lockdown of Modern Cars

The days when you could connect to your car via OBD-II and make it do magic stuff are over – something I realized after spending some time with a recent Audi/VW fleet car.

In the good old days, about six years ago, the VW platform was surprisingly open to coding and very popular with car enthusiasts. By “coding” I don’t mean hacking the car; it was more like adjusting built-in options that already existed. A good example would be setting the temperature level of the steering wheel heater, or enabling the magnificent matrix headlights, which were disabled in the US market due to ancient FMVSS 108 restrictions that fortunately have just been lifted.

As cars became more connected, especially with EVs and Tesla showing a very locked-down, software-controlled model, manufacturers and governments started worrying about security.

Modern cars aren’t just mechanical anymore. They’re networks of computers. If someone can freely modify software, it could affect safety systems like brakes, airbags, or driver assists.

All of that led VW to introduce a system called SFD (Schutz Fahrzeug Diagnose), which protects its cars starting with the 2020 model year.

SFD protects a wide array of features and can be unlocked for 90 minutes, provided you have access to VW systems through an authorized entity or partner, such as a dealer or even a phone diagnostic app that connects to the OBD port. The process looks like this:

  1. Car generates a challenge (just a random number)
  2. Challenge is sent to VW servers via authorized partner (which attaches its certificate)
  3. VW server:
    • Generates a payload instructing the car to unlock SFD. Payload includes the challenge, VIN and ECU ID
    • Signs the payload with VW private key
  4. Payload is delivered back to the car by the authorized partner
  5. Car verifies the signature using the VW public key and unlocks SFD for 90 minutes

So you can still make changes, but only during that limited window and only through someone with official access. It was annoying, but still manageable. Enthusiasts could work around it by using paid services – about $20 per session.
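The five-step SFD exchange above, seen from the car's side, as an added example that is not VW's code or part of the original post. Ed25519, the 0x00-separated payload encoding, modelling the unlock token as a detached signature, and all names and sample values are assumptions, since the post does not specify them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Car is the ECU side of the SFD flow. All names here are hypothetical.
type Car struct {
	VIN, ECU      string
	BackendKey    ed25519.PublicKey // manufacturer public key stored in the ECU
	challenge     []byte            // outstanding single-use challenge
	UnlockedUntil time.Time
}

func payload(ch []byte, vin, ecu string) []byte { // constructed encoding
	return bytes.Join([][]byte{ch, []byte(vin), []byte(ecu)}, []byte{0})
}

// NewChallenge is step 1: a fresh random number for each unlock request.
func (c *Car) NewChallenge() []byte {
	c.challenge = make([]byte, 16)
	rand.Read(c.challenge)
	return c.challenge
}

// Sign is step 3: the backend signs challenge, VIN and ECU ID.
func Sign(priv ed25519.PrivateKey, ch []byte, vin, ecu string) []byte {
	return ed25519.Sign(priv, payload(ch, vin, ecu))
}

// Unlock is step 5: the car rebuilds the payload from its own state and verifies.
func (c *Car) Unlock(sig []byte, now time.Time) error {
	if c.challenge == nil || !ed25519.Verify(c.BackendKey, payload(c.challenge, c.VIN, c.ECU), sig) {
		return fmt.Errorf("token rejected: not signed for this challenge, VIN and ECU")
	}
	c.challenge = nil // single use, so replaying the same token fails
	c.UnlockedUntil = now.Add(90 * time.Minute)
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	car := &Car{VIN: "TESTVIN0000000001", ECU: "19", BackendKey: pub} // constructed values
	sig := Sign(priv, car.NewChallenge(), car.VIN, car.ECU)
	fmt.Println(car.Unlock(sig, time.Now()), car.Unlock(sig, time.Now()))
}
```

Because the car recomputes the signed bytes itself, a token issued for another VIN, another ECU or an earlier challenge fails the same signature check, and the partner relaying it never needs the private key.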

With SFD, VW was not aware of, and did not track, the exact modifications made to cars. In addition, subsequent UNECE R155/R156 cybersecurity regulations started to require stricter protections, which is when VW came out with SFD2, essentially killing these cars for enthusiasts.

SFD2 goes much further than SFD. It stores the car’s full feature profile on VW servers, and protection is no longer blanket but per coding action or feature. On top of that, the connection between VW and the car is encrypted, so the partner can’t see or modify what’s being transferred. VW uses Certificate Authorities to manage its PKI. The process works like this (to the best of my understanding):

  1. Mutual TLS Handshake (Authentication)
    • Partner’s tool establishes TLS connection to VW server
    • Server sends its certificate + random challenge (nonce)
    • Car provides its certificate + signs the handshake transcript (including server’s challenge)
    • Server verifies car’s certificate chain and signature
  2. Partner’s tool sends a request for specific operation to VW
  3. VW server:
    • Checks user account / car permissions / operation validity
    • Generates command payload
    • Signs the payload with VW private key
    • Encrypts payload with car’s public key
  4. Payload is delivered to the car by the authorized partner
  5. Car decrypts and verifies the payload signature using the VW public key and executes the specific operation
  6. Car returns (encrypted?) result to VW server

In practice, SFD2 means:

  1. To perform coding, you must find an entity or partner with VW access and schedule an online session using an OBD-II → USB → virtual COM port connection accessed remotely over the Internet
  2. You pay per coding action, often hundreds of dollars per session
  3. You have to trust the partner with remote access to your car’s internals
  4. Every time the car goes in for a dealer software update, it automatically gets restored to the target configuration stored on VW servers. Fortunately, most partners provide lifetime free re-coding
