Vehicle Electronic Security and "Hacking" Your Car

Transcription

1 Vehicle Electronic Security and "Hacking" Your Car Jeremy Daily, Ph.D., P.E. Associate Professor of Mechanical Engineering James Johnson Ph.D. Candidate in Computer Science Andrew Kongs Undergraduate in Electrical Engineering

2 Overview Introduction How we got involved in vehicle electronics through crash testing What is Hacking? What does Cyber Security mean to Automotive systems? Technology Overview Controller Area Network (CAN) fundamentals Connecting Hardware to the Network Reverse Engineering Signals Automotive Security Testing and Vulnerabilities Literature Review Security Analysis Tools (Fuzzing, Debugging, etc) Digital Forensics for Automotive Systems Sensor Simulators Chip Level Examination

3 The University of Tulsa Private co-ed doctoral university with about 4500 students. TU is in the top 100 among national doctoral universities Institutions for information security designated by the NSA as one of its Centers of Academic Excellence in Information Assurance Education. Many privately funded research consortia

4 Crash testing around the country Leverage on-board sensors for data acquisition CAN bus monitoring 8 SAE Publications Videos on website: 4

5 What is a Hacker? A technically inclined person who is really curious about how things work but don t have the manual (or don t use it) Most engineer s are hackers to some extent. Hacker + complicated kids toy = dad at Christmas Hacker + patent attorney = inventor Hacker + business opportunity = entrepreneur Hacker + university = researcher Hacker + prankster = drain on society Hacker + evil empire = national security threat Outcome depends on the context of the Hack and the ethics of the hacker

6 Hacking Cars Tuners and Street Racers Event Data Recorders Third party EDR testing and verification CAN Data Interpretation Decoding library is proprietary Things Unpleasant Stealing Cars Breaking and Entering Or worse

7

8 8

9 Consequences of Unpleasant Hacks Public paranoia has commercial implications Customers may start pushing for improved security Attribution is difficult We don t know who the perpetrator is. Consequences can be scary Unintended Accelerations Loss of brakes Pulling the steering wheel Remote interfaces eliminate the need for physical access.

10 Why Cars are Hackable? Its the Network! Introduction to Automotive Networks Measurement and Control Systems System Models Sensing and Converting Controller Area Network Basics Standards and Protocols J1939, J1708, J1587 Demonstrations

11 Purpose of Measurement and Control Enable optimal operation across broader ranges Fuel map changes with altitudes Enable compliance with stricter environmental regulations Improve economy and performance Increase longevity and enable machine condition monitoring Enable data logging for warranty disputes Provide fleet management tools and safety monitoring

12 Sensing and Control Functional Block Diagram Data Logger Sensor Signal Conditioner Transmitter Controller CAN Bus Plant (Process) Actuator 12

13 Converting Analog to Digital Considerations Rate, Range and Resolution Signal Sampling (Rate) Converts a continuous signal into a discrete signal Frequency? Range Amplify or attenuate signal to match A/D converter electronics Example: Voltmeters don t operate at 120 V Quantization (Resolution) Converts a discrete signal into a digital word Quantizing bits, N Number of combinations: 2 N 12 bit = 2 12 = bit = 2 16 = Least Significant Bit Value = Full Scale Range / 2 N 13

14 Digital Concepts Binary: Represented by ones and zeros (bits) Native computer language Cumbersome and long Hexadecimal: 0-F 16 values 4 binary bits (nibble) 2 hex values = 8 bits = 1 byte (256 values) Quantizing Table decimal = binary = D9 hex 14

15 Standards and Protocols Since computers speak binary, we need conversions ASCII: American Standard Code for Information Interchange SAE Standards for Heavy Trucks J1939 (many parts) J1708 J1587 ISO11992 Standards compliant vehicles contain common elements Useful for Horizontal Integration 15

16 CAN Basics Controller Area Network (CAN) serial bus introduced by Bosch in mid 1980s A 2-wire bus with multi-master capability with Collision Detection, Arbitration, and Error Checking Result: nearly 100% data integrity in harsh environments Implemented using CAN transceiver hardware Inexpensive Single quantity prices around $4.00 with big benefits in economies of scale jeremy-daily@utulsa.edu

17 Controller Area Networks Bosch CAN Specification is free online. SAE J1939: Recommended Practice for a Serial Control and Communications Vehicle Network J2284: High Speed CAN (HSC) for Vehicle Applications at 250 Kbps J2411: Single Wire CAN Network for Vehicle Applications 17

18 Physical Transmission Media Up to 40 meters of twisted pair with 120 ohm terminating resistors. Linear bus with 1m stubs CAN is resilient; deviations may not affect performance. CAN Bus

19 Physical Transmission Media

20 Connector Standards (9-Pin) Pin A: Battery (-) Pin B: Battery (+) Pin C: CAN High Pin D: CAN Low Pin E: CAN Shield Pin F: J1708 (+) Pin G: J1708 (-) Pin H: OEM Use or 2 nd CAN High Pin J: OEM Use or 2 nd CAN Low Source: J jeremy-daily@utulsa.edu

21 Except Caterpillar Pin A: Battery (+) Pin B: Battery (-) Pin C: CAN Shield Pin D: CAT Data Link Hi Pin E: CAT Data Link Lo Pin F: CAN/J1939 Lo Pin G: CAN/J1939 Hi Pin H: J1708 Lo Pin J: J1708 Hi Source: DG Technologies ( 17 January 2

22 Message Structure 29-bit Identifier (Arbitration) Control Field Data Field Error Checking Data typically transferred up to 8 bytes at a time jeremy-daily@utulsa.edu

23 CAN Collisions and Arbitration Problem: All have access to the bus at the same time Multiple devices try to send data at once Solution: CAN Arbitration where the highest Priority message comes through Others wait and retry Arbitration Message Identifier (MID) determines priority 0 is dominant, so lowest MID wins jeremy-daily@utulsa.edu

24 Extended CAN Format for J1939 SOF = Start of Frame EDP = Extended Data Page DP = Data Page PDU = Protocol Data Unit PF = PDU Format PG = Parameter Group SRR = Substitute Remote Request IDE = Identifier Extension Bit RTR = Remote transmission request jeremy-daily@utulsa.edu

25 29-bit Identifier Example Some messages have higher priority over others.

26 11-bit Identifiers Light vehicles typically use Standard CAN 500 kbps (250kpbs for J1939 on heavy trucks) Also known as Class C, or High Speed CAN Example: 2010 Dodge Ram 17 January 2

27 17 January 2

28 17 January 2

29 Observations Logic Levels 0 Volts = Binary 1 1 Volt = Binary 0 (Dominant Bit) Bit Stuffing Oscilloscope shows Binary 0 s for decoded FF Used to ensure timing Taken care of with hardware Starting procedure shows many more messages when engine is running Two traces: High Speed CAN and Comfort CAN jeremy-daily@utulsa.edu 17 January 2

30 Wiring Schematic Obtained from: 17 January 3

31 Wireless Control Module: What does that do? 17 January 3

32 Crash Testing 17 January 3

33 Crash Testing 17 January 3

34 Mini Cooper GPS Speed 17 January 3

35 8 April

36 Vehicle Speed (MPH) Plot Combinations of Bytes 0x153 Byte 2 CAN Message Time (sec) jeremy-daily@utulsa.edu 17 January 3

37 Mini Cooper CAN IDs 17 January 3

38 Reverse Engineering 17 January 3

39 Synchronizing CAN and Crash 17 January 3

40 Cadillac vs. Tractor Trailer 17 January 4

41 Event Data Recorder Accuracy 17 January 4

42 EDR Rig Testing 17 January 4

43 Truck-In-A-Box and Chip-Level Forensics

44 Truck-In-A-Box Our Truck-In-A-Box was designed to simulate a vehicle for an ECM, including active and passive sensors Funded by DARPA through the Cyber Fast Track Program Our first TIB simulated a vehicle for a Navistar MaxxForce 13 ECM Included Instrument Cluster, ECM and simulated ABS Computer Science /

45

46 Active Signal Simulation Characterized real vehicle sensor signals Created programs to generate the signals Feed the signals to the ECM in the Truck-In-A-Box Recorded data during driving tests in real vehicles, played back data to the ECM using a Truck-In-A-Box Also replayed J1939 traffic from the drive tests

47

48

49

50 What is it for? Very Flexible Testing and research framework for heavy vehicle ECMs Forensic Recovery of Functional ECM Data Security and Pen Testing for Vehicle Networks Can be used to simulate driving sequences, set hard brake events on some ECMs (Key-on Engine-Off has limitations) Much lower acquisition cost than an actual vehicle

51 More Trucks-in-Boxes Since the first one (which got shipped away to DARPA), we ve build boxes for about 10 different ECMs Includes Detroit Diesel, Caterpillar, Cummins, Navistar Simplest one is the DDEC IV, most complicated so far is Navistar Complexity largely depends on the ECM and what it requires

52 What happens when an ECM is damaged in a crash, but may contain valuable data?

53 Chip Level Forensics Follow on project to Truck-In-A-Box through DARPA s Cyber Fast Track program Researching ways to recover data from the ECM directly, not over the vehicle network Use Trucks-in-boxes to simulate driving sequences with ECMs, tear down the ECM, remove the chips, read the data Ongoing project

54

55

56

57

58 Challenges All of the ECMs have environmental protection conformal coatings and sealants Seems as if none of them were designed to be taken apart, much less have things recovered from them after broken Getting inside the case is a big challenge BGA chips and Data interpretation are also difficult

59 Goals Tear down ECMs, survey the device internals in the industry Develop techniques for investigators to open the devices Map and Identify information within the raw data Investigate the possibilities of tampering with data

60 Future Work Expand the breadth to encompass more devices and models Add more features and improve the accuracy of the TIB s simulated sensors and networks Vulnerability analysis of extracted code running on devices Improvements to the forensic extraction techniques

61 How I Learned to Quit Worrying and Love Hackers 61

62 Car Hacking Is Hot Experimental Security Analysis of a Modern Automobile Koscher et al Comprehensive Security Analyses of Automotive Attack Surfaces Checkoway et al Adventures in Automotive Networks and Control Units Miller & Valasek

63 2010 A shot across the bow Researchers fuzzed an automotive network Locked doors, perma-on, disabled brakes Also did some scary visual effects

64 2011 Twisting the knife More complete exploration of attack surfaces Compromise through service tools, music player, Bluetooth, Cellular Unauthenticated remote exploits of automobiles

65 2011 Twisting the knife More complete exploration of attack surfaces Compromise through service tools, music player, Bluetooth, Cellular Unauthenticated remote exploits of automobiles Translation: This Is Really Bad

66 2013 Charlie Miller Covered attacks possible with network access Attacked Prius and Ford Escape Controlled brakes, acceleration, and steering Also reverse engineered OEM maintenance software Obtained passwords, etc.

67 67

68 FUD: Fear, Uncertainty, and Doubt All this has upset the automotive industry and everyone else We can t think like the hackers Need to demystify hackers and hacking

69 Hackers Origin Story MIT TMRC, late 60s A person who delights in having an intimate understanding of the internal workings of a system RFC 1392 Playful cleverness Current usage stems from too much playfulness

70 Tools of the Trade Black Box Testing Fuzzing Fault injection testing Dynamic Analysis Static Analysis

71 Black Box Testing Zero knowledge of system internals Inject input Random Semi-random Replay Observe results This can best be explained by an example

72 Tools: BeagleBone Black, CANCape Total cost ~$100 Inject random traffic using custom Python script Time invested: ~1/2 hour Preliminary testing resulted in only slight damage to vehicle 72

73 Dynamic Analysis Observe system in running state Partial knowledge of system Software tools Debuggers Sysinternals Developer tools Another brief example: a truck maintenance software file format.

74 74

75 75

76 Static Analysis Detailed analysis of static code Most complete, safest Also incredibly time consuming Tools of the trade Disassemblers Decompilers Yet another example involving truck maintenance software encryption

77 77

78 Current Trends Vehicles continue to get more networked

79 Current Trends Vehicles continue to get more networked What about heavy trucks? Bigger attack surface, more impact.

80 Current Trends Vehicles continue to get more networked What about heavy trucks? Bigger attack surface, more impact. Significant academic interest in vehicle security Telematics interfaces Smart grid to vehicle communications Example: ESCAR

81 Current Trends Vehicles continue to get more networked What about heavy trucks? Bigger attack surface, more impact. Significant academic interest in vehicle security Telematics interfaces Smart grid to vehicle communications Example: ESCAR OEMs are beginning to take this seriously

82 Current Trends Vehicles continue to get more networked What about heavy trucks? Bigger attack surface, more impact. Significant academic interest in vehicle security Telematics interfaces Smart grid to vehicle communications Example: ESCAR OEMs are beginning to take this seriously SAE J3061 is on the way!