SFD Vehicle Controller Protection
The aim of SFD
Product analyses in the VW Group have shown that there is an increased requirement for the protection of data in vehicles. This also applies to vehicle diagnostic protection.
The previous procedure (activation of security access by way of a 5-digit login code) no longer conforms to the state of the art. As of 2020 – beginning with the market entry of the MQB37W (Golf 8) – the SFD procedure will be introduced across all brands in order to provide vehicle diagnostic protection.
SFD will be introduced in two project stages: Stage 1 comprises access protection of protected diagnostic objects in control units and the verifiability of this access on an individual level. The protection requirement will be defined for specific control units and diagnostic objects. The protection requirement is limited to specific writing services (codings, adjustments, parametrisations) and routines.
Normal reading services (e.g. readout of control unit event memories) will not be SFD-protected. The functions of data string downloading with boot loader data strings, flashing and/or update programming, as well as flash data security, are also not affected by SFD. Stage 2 supplements stage 1 with tamper protection of diagnostic contents: when diagnostic contents are integrated, the diagnostic data is safeguarded end-to-end between the VAG IT back end systems and the control units.
In order to be able to log access to diagnostic contents requiring protection in future, the IT security organisation requires strong user authentication to be enforced. It is therefore necessary to use two-factor authentication, which can be implemented, for example, by using
• PKI cards
• SecurID cards
• Applications that generate one-time passwords (e.g. Google Authenticator or Microsoft Authenticator).
In a first transition phase, however, weak authentication by way of a username and password will initially be introduced when using the Dealer Portal. The transition to strong authentication by means of the Group Retail Portal will be developed in parallel. The SFD process requires the vehicle diagnostic tester to have an online connection.
Functioning of SFD
Two methods will be offered: online activation and offline activation. The offline activation is a fall-back solution in the event that, for example, the online connection of the vehicle diagnostic tester in the workshop is unavailable at short notice.
1. Online activation (standard case)
Components involved:
The control unit in the vehicle contains the diagnostic objects to be protected and grants or refuses access.
The vehicle diagnostic tester is operated by the user in order to select diagnostic objects in the control unit.
The SFD back end contains the user database with authorizations and issues activation tokens.
Basic process:
1. It is a prerequisite that the user is registered in the SFD IT back end and in the Dealer Portal (in future, the Group Retail Portal).
2. The user would like to carry out SFD-protected services on one or more SFD protected control units as part of a vehicle diagnosis.
3. The control unit reports that it is SFD-protected and asks for an activation token.
4. The vehicle diagnostic tester sends an activation request with the ID mark of the control unit and the desired scope to the SFD IT back end.
5. The SFD IT back end checks and authorizes the request and sends a signed activation token to the tester. The SFD IT back end logs the access (user ID, CU ID mark, time etc.).
6. The vehicle diagnostic tester sends the activation token to the control unit. The control unit checks the activation token and grants access to the relevant diagnostic object.
2. Manual SFD activation (offline – fall-back solution)
Process for an offline activation:
1. A direct online token generation with the vehicle diagnostic tester does not work.
2. The workshop employee saves the activation request structure of the control unit that will be necessary for the generation of the token.
3. The user logs into the Dealer Portal (in future, the Group Retail Portal) using a different computer and accesses the token generation website of the SFD back end via the SFD application.
4. The user enters the activation request structure of the control unit, generates an activation token with it, and copies this over to the vehicle diagnostic tester (e.g. using a USB stick).
5. The user executes a function on the tester in order to send the activation token manually to the control unit.
6. The control unit checks the activation token and grants access to the relevant diagnostic object.
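The online flow (steps 3 to 6) and the offline fall-back above, modelled as an added Python example that is not part of the VW documentation. The user database, scope names, CU IDs, the 10-minute token validity and the HMAC used in place of the back end's signature are assumptions; with a real asymmetric signature the control unit would hold only a verification key, while here the same key signs and verifies.

```python
import hmac, hashlib, json, secrets, time

# Constructed illustration data: the key, user database, scopes and CU IDs are
# assumptions for this example, not values from the SFD specification.
BACKEND_KEY = b"demo-backend-signing-key"   # HMAC stands in for the back end's signature
USER_DB = {"workshop_user_1": {"CODING", "ADAPTATION"}}  # user -> authorised scopes
ACCESS_LOG = []                              # back end audit trail (step 5)

def _sign(body):
    return hmac.new(BACKEND_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ControlUnit:
    """SFD-protected control unit: issues an activation request, verifies the token."""
    def __init__(self, cu_id):
        self.cu_id, self.challenge, self.unlocked = cu_id, None, set()

    def activation_request(self):
        # Step 3: report protection and hand out the request structure the token must cover.
        self.challenge = secrets.token_hex(8)    # fresh per request, so a token cannot be replayed
        return {"cu_id": self.cu_id, "challenge": self.challenge}

    def check_token(self, token):
        # Step 6: valid signature, correct CU, matching request, not expired; then unlock scope.
        body = token["body"]
        if not hmac.compare_digest(_sign(body), token["sig"]): return False
        if body["cu_id"] != self.cu_id or body["challenge"] != self.challenge: return False
        if time.time() > body["expires"]: return False
        self.challenge = None                    # token is single-use for this request
        self.unlocked |= set(body["scope"])
        return True

def backend_issue_token(user, request, scope, now=None):
    # Step 5: authorise the user for the requested scope, sign the token, log the access.
    now = now or time.time()
    entry = {"user": user, "cu_id": request["cu_id"], "time": now, "scope": sorted(scope)}
    if not set(scope) <= USER_DB.get(user, set()):
        ACCESS_LOG.append({**entry, "result": "denied"}); return None
    body = {**request, "scope": sorted(scope), "expires": now + 600}
    ACCESS_LOG.append({**entry, "result": "granted"})
    return {"body": body, "sig": _sign(body)}

def online_activation(user, cu, scope):
    # Steps 3-6 with the tester relaying request and token over its online connection.
    token = backend_issue_token(user, cu.activation_request(), scope)
    return token is not None and cu.check_token(token)

def offline_activation(user, cu, scope):
    # Fall-back: request structure and token travel as text (saved file, portal, USB stick).
    saved_request = json.dumps(cu.activation_request())
    token = backend_issue_token(user, json.loads(saved_request), scope)
    return token is not None and cu.check_token(json.loads(json.dumps(token)))
```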
Registration of users in the Dealer Portal and in the SFD IT back end
Upon the introduction of SFD in the first half of 2020, diagnostic users must be in a position to authenticate themselves in the SFD IT back end in accordance with the two activation options described above. In order to achieve this, it is necessary to register on the SFD back end in advance.
The local administrators of the Dealer Portal only have to assign the standard role in the “SFD” application to the affected users in the “Local user administration”. Synchronisation with the SFD IT back end then takes place overnight, so the users are able to execute SFD-protected functions after no more than 24 hours.