Evaluation and Enhancement of Security in Serial Communication for Mechatronic Systems

Most of the modern mechatronic system are equipped with a lot of MCUs that exchange a vast amount of sensitive data among themselves through serial connections, all in plain text and without any protection. This makes them vulnerable to malicious actors who could manipulate original devices and transmit unauthorized messages to sabotage the system. Therefore, there is a need to introduce protections in serial communications to avoid the decryption of the messages. To tackle this challenge, I used an STM32F401RE microcontroller as the system to hack and my PC equipped with a COM port connected to a USB-UART adapter as the hacking device. The initial step involves discovering the microcontroller's UART configuration parameters using the PC. The problem isn't simple because there are hundreds of configurations that need to be tested, and we have no prior information about the correct one. So, the only method is to test them all, starting with the most common ones and then moving on to the less-used ones, in order to find meaningful messages on the terminal. If a message is composed only of alphanumeric words, the associated configuration is saved in the list of potential configurations used by the microcontroller. Upon successfully compromising the system and observing the ease with which it was breached, it became evident that enhancing the security of microcontroller communications is paramount. To address this, I introduced the AES-128 algorithm for encrypting incoming and outgoing messages. This widely used algorithm in cryptography manipulates messages with complex mathematical operations to ensure robust encryption and decryption. The system uses a symmetric key for both encryption and decryption. While this makes it easier to implement and use as a communication system, it forces protection of the key from discovery by third parties. Analyzing the messages transmitted by the microcontroller, the smartest way to break the system was to use a data stream of a specific size, like 64 or 128 bytes, as the key and the remaining text as the encrypted message. This attack was successful, demonstrating that by sending the key in plain text along with the message, an attacker could easily recognize the communication protocol and decipher the message quickly. If this method did not yield meaningful results, other types of attacks, such as dictionary attacks and brute force, had to be adopted. These are less efficient due to their high computational cost but could be a good option if nothing smarter was available. Given the vulnerabilities of the AES system, I introduced an additional security layer called RSA, which could be combined with or used independently of the AES algorithm. This algorithm operates in a more complex way and bases its robustness on the difficulty of factoring large prime numbers, a task impractical for most computers. The biggest difference from the AES algorithm is that RSA is asymmetric: one key is public and used by anyone to encrypt data sent to the system, while the other key is private and kept secret to decrypt incoming messages. Now, with this algorithm, only the encryption key needs to be transmitted, and even if it is leaked, it cannot decrypt any messages without the corresponding private key. The only drawback is that understanding how the communication protocol works is not as immediate as with AES, but the security it provides is very high for our applications.