Car hacks 2018 (BMW, Audi) for the "not so hands-on"


Computest (VW/Audi) published their research on the VW/Audi vulnerabilities and Keen Security Lab (BMW) published theirs on BMW. Even though the OEMs are different, there are more similarities than one would expect: the vehicle architectures, the protocols, the vulnerability identification approaches and, at a high level, even the vulnerabilities. Though the vulnerabilities are not presented in technical detail (to avoid helping the script kiddies), the results of the publications are relevant to every automotive professional, not just cyber security professionals. This FEV article's aim is to spark a discussion of the similarities and differences between the hacks, so everyone can not only learn from the findings but also take a look at their own products driving on the road every day. Let's start with a combined summary of the hacks, aka vulnerabilities, illustrated in these publications.

The Scope

The research scope included the following vehicle models:

BMW research from Keen Security Lab
- BMW i3 94 (+REX), manufacturing year 2017
- BMW X1 sDrive 18Li, manufacturing year 2016
- BMW 525Li, manufacturing year 2016
- BMW 730Li, manufacturing year 2012

VW/Audi research from Computest
- Volkswagen Golf GTE, model year 2015
- Audi A3 e-tron, model year 2015

At this point you might be thinking these are 2015, 2016 and 2017 vehicles, so the vulnerabilities are outdated and, since you are most certainly working on building an impenetrable shield to protect your future models, this information isn't relevant to you. However, even Superman was weak against Kryptonite. The vulnerabilities highlighted by these publications are foremost architectural and process weaknesses common throughout the automotive industry, with a secondary focus on OEM-specific vulnerabilities. The lessons apply to future architectures, even yours.

Getting Started

The process of vulnerability identification has high-level similarities across OEMs, and you can implement this process of security analysis within your own teams. Traditional teams for hardware and software design, development, testing and release can all learn valuable lessons from these examples. Cyber security-specific teams are no exception, although they have a different mindset than the traditional teams, since security testing is part art and part science. Your penetration testing team runs on creativity, but as an automotive professional you might not be accustomed to the unpredictability of the creative process and want a more quantifiable, standardized process. This vulnerability process should point you towards a standardized, predictable methodology that is aligned with your development life-cycle.

Both research teams started by analyzing which targets were ripe for investigation. They selected models with certain features such as WiFi, USB, cellular, Bluetooth and a connectivity app, i.e. connectivity features. So what is the first lesson learned? Connectivity is the target. Attention has moved away from CAN or solely physical or component attacks to connected services in the automotive domain. Hence, focus your strengths and might more towards securing connectivity.

The primary target modules from there on are the Infotainment Unit, the Telematics Unit and the Central Gateway, a typical architecture for any car on the road (any car!). It is a sensible idea to have a central gateway segregating the in-vehicle network from the external world of connectivity. However, the BMW architecture is a bit odder than the rest: it has a Telematics Unit connected to the Infotainment Unit over USB! Why choose such a unique architecture? The reasons are not clear and raise many questions. Without delving very far into the pros and cons, just know that it is not a good idea to pique a security researcher's interest with unusual features; keep it subtle. Chances are, if they dig deep enough, they will find a vulnerability anywhere they look, but if something catches their interest, like an abnormal architecture, that will be their focus. Don't give them that heads-up. The exception: not in this case, though, as they had other "Ay, caramba!" moments with cellular, WiFi and other interfaces.

Once the target vehicles are shortlisted and the target modules are identified, it's time to go through each interface. Both publications perform their respective analyses on cellular, Bluetooth, USB, OBD-II and the holy connectivity of application interfaces, the phone.

The BMW research identifies vulnerabilities in USB (USB-to-Ethernet) and Bluetooth and is able to take advantage of the cellular interface to showcase a remote hack. They also leverage the OBD-II interface and demonstrate a physical attack scenario. Computest (VW/Audi) targets the USB (USB-to-Ethernet), Wi-Fi and cellular interfaces.

How they did it!

The Keen Security Lab (BMW) researchers presented and focused on both remote and physical attack scenarios, resulting in a demonstrable attack. Computest (VW/Audi), on the other hand, focused solely on proving remote attacks by illustrating individual component vulnerabilities and, in some instances, theoretical attack scenarios. Even though the focus was on remote attacks, given the requisite time and effort they most likely would have identified more vulnerabilities. But there are certainly lessons to be learned in what they did identify, so please read on.

Focusing on the physical attack is also important, as highlighted by Keen Security Lab (BMW). Buzzwords such as risk profile, insider threat, mass impact and, of course, CAN are probably already floating in your mind. Yes, it might not be a mass-impact attack. Yes, it might not have a high-risk profile. And yes, your company might be working on, or has already worked on, securing CAN so your in-vehicle network will be secure in future models. What is more important are the architecture changes that can be adopted for security. These are the lessons that must be learned.

The attack process

So what do you do first? You scan any and all available interfaces, which is precisely what the researchers did. They scanned the USB, OBD-II and cellular interfaces to determine what was there. A port scan of the USB (specifically USB-to-Ethernet) interface using Nmap was used to identify which services were running on the vehicle. Nmap is not rocket science (its inner functionality may be, but its usage definitely is not). It uses simple command line instructions and is available for both Windows and Linux. Not surprisingly, the researchers all reached the same destination: QNX. Lesson two: simple tools are all you need to start your journey towards security. With their first scans they found vulnerabilities and were able to get root access to Infotainment Units running QNX. Wink-wink, even your systems are probably using QNX. QNX has 50% market share (as reported in 2015); 50 million vehicles have QNX running. Not included in the vehicles researched in these studies are QNX-using vehicles from GM, Mercedes-Benz, Toyota, Porsche and Land Rover.
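The first step the article describes, scanning the USB-to-Ethernet interface for listening services, reduced to a release-review self-check you can run against your own unit on the bench: an added Go example that is not code from either research team or from the article. It does a plain TCP connect scan (the same idea as an Nmap connect scan) and reports any listening port that is not on the unit's specification allowlist. The host address 192.168.0.10 and the allowlist of ports 22 and 13400 are constructed placeholders for a bench setup, not values from either publication.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"time"
)

// ScanOpenPorts tries a plain TCP connect to every candidate port on host and
// returns the ports that accepted the connection, sorted. It is the connect
// scan idea from Nmap stripped down to a self-check for a unit you own.
func ScanOpenPorts(host string, ports []int, timeout time.Duration) []int {
	var open []int
	for _, p := range ports {
		addr := net.JoinHostPort(host, fmt.Sprint(p))
		conn, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			continue // closed or filtered; either way nothing answered
		}
		conn.Close()
		open = append(open, p)
	}
	sort.Ints(open)
	return open
}

// UnexpectedPorts returns every open port that is not on the allowlist.
// The allowlist is the set of services the unit is specified to expose;
// anything else is a finding for the release review, which is exactly the
// kind of stray service the researchers' first scans turned up.
func UnexpectedPorts(open []int, allowed map[int]bool) []int {
	var bad []int
	for _, p := range open {
		if !allowed[p] {
			bad = append(bad, p)
		}
	}
	return bad
}

// PortRange builds the candidate list lo..hi inclusive.
func PortRange(lo, hi int) []int {
	ports := make([]int, 0, hi-lo+1)
	for p := lo; p <= hi; p++ {
		ports = append(ports, p)
	}
	return ports
}

func main() {
	// Hypothetical bench setup (constructed values, not from the publications):
	// the unit under test answers at 192.168.0.10 over the USB-to-Ethernet
	// adapter, and its specification allows only SSH (22) and a diagnostic
	// service on 13400 to listen.
	host := "192.168.0.10"
	allowed := map[int]bool{22: true, 13400: true}

	open := ScanOpenPorts(host, PortRange(1, 1024), 200*time.Millisecond)
	fmt.Println("open ports:", open)
	if bad := UnexpectedPorts(open, allowed); len(bad) > 0 {
		fmt.Println("FINDING: services listening outside the specification:", bad)
	} else {
		fmt.Println("OK: only specified services are exposed")
	}
}
```

Run it from a development machine attached to the unit; the allowlist belongs next to the unit's interface specification so that the check fails loudly when a debug or development service is left enabled in a release image.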

Once both research teams got root access to the Infotainment Units, they were able to perform local code execution. After earning this right, what more do you need? You are in the Infotainment Unit and have access to QNET, the bridge between the common automotive architecture and the in-vehicle network of the respective targets. Root access grants the same privileges as software developers or service personnel have.

They did not stop with USB; both research teams upped the ante by going cellular. They reached similar attack goals by two different methods over cellular. Keen Security Lab (BMW) does this by setting up a local cellular network using a Universal Software Radio Peripheral (USRP) and OpenBTS. Computest (VW/Audi) does this by using the client-to-client communication feature and assigning public IPv4 addresses to target vehicles from an ISP.

Keen Security Lab (BMW) even analyzed Bluetooth and the E-NET OBD-II interface. And, as you might have guessed, they found vulnerabilities in both. However, the E-NET OBD-II interface is more interesting from an architecture standpoint and is discussed below.

Why do vehicles have multiple ways to update? Does it make sense to allow updates using both USB-to-Ethernet and OBD-II? USB-to-Ethernet allows the end consumer to update their vehicle via a USB dongle. OK, updates are great and customer satisfaction is important. But then why allow similar firmware updates through the OBD-II interface? Most likely to allow a service individual to perform updates, but couldn't the service provider use the same USB-to-Ethernet interface to do the tasks done from the OBD-II? Two interfaces performing the same task means double the vulnerabilities. Have you seen a mobile company sending a USB update to its consumers? They have OTA. Maybe all vehicles aren't ready for OTA updates, but the real point is that they have only one highly reliable means to update. Lesson three: master one update interface. Allocate your budget to one interface and you might have a larger budget for security. Too many interfaces doing the same functionality lead to multiple vulnerabilities, stretched budgets for security implementation and so much more.

Vulnerabilities

Memory corruption, remote attacks, code signing, open ports and services: you name it, the vulnerabilities can be demonstrated. Here is the list of categories illustrated in the publications. The publications do not reveal the exact executable code that is vulnerable, but the high-level vulnerability areas to consider.

- Root access: Both research teams are able to get root access to the target units.
- Memory corruption: The Telematics Unit, Bluetooth and the Connected Vehicle App have memory corruption vulnerabilities. Memory corruption is a huge topic to consider.
- Code signing: Both research teams identify code signing vulnerabilities. They are not cryptography vulnerabilities, but highlight inconsistent implementation vulnerabilities. Lesson four: deploy security solutions consistently.

These vulnerabilities deserve a second look; we all do. So look for more articles detailing these vulnerabilities and more.

Lessons Learned

Lesson One: Connectivity is the target
- Connectivity is the new normal in automotive cyber security research. The community has moved from solely in-vehicle attacks to focus primarily on Infotainment, Telematics and the Central Gateways.
- The near future is going to be shared mobility services (Maven, Zipcar etc.), which increases the need for cyber security considerations.

Lesson Two: Start with simple security tools that do not need Subject Matter Experts
- Quick, easy, and every engineer in testing, design and development can perform them. Not just for penetration or security engineers.
- The ROI from an open-source tool such as Nmap is large, as it is the common thread in all the hacks.
- The list is enormous, but some notable open-source tools that you can use without expert knowledge are Wireshark, Metasploit (there is more than meets the eye), OpenVAS and Aircrack.

Lesson Three: Master one update method
- Do not have multiple ways to do the same thing. OBD-II, USB-to-Ethernet, WiFi or cellular: choose one.
- If you focus on the development of one master means or interface for a function, you do not need to divide the budget for the function across multiple interfaces, leaving more budget for hardening one interface. Consider the function's purpose and focus.
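The code-signing finding in the Vulnerabilities list above (sound cryptography, inconsistently applied) and Lesson Three's single update path, as an added Go example that is not from the article or from either research team: one signature verification gate, with an installer that routes every update source through it next to one that quietly skips it on the OBD-II path. Ed25519 is chosen here only for illustration; the article does not say which signature scheme either OEM uses. The update sources, key pair and firmware payload are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateSource identifies which interface delivered a firmware image.
// These names are constructed for the example.
type UpdateSource string

const (
	SourceUSB UpdateSource = "usb-to-ethernet"
	SourceOBD UpdateSource = "obd-ii"
	SourceOTA UpdateSource = "ota"
)

// UpdateImage is a firmware payload with a detached Ed25519 signature.
type UpdateImage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate is the build-server side: it produces the detached signature.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdateImage {
	return UpdateImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the single gate every install path must pass through.
func VerifyUpdate(pub ed25519.PublicKey, img UpdateImage) error {
	if !ed25519.Verify(pub, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Installer holds the vehicle's trusted verification key.
type Installer struct {
	PubKey ed25519.PublicKey
}

// InstallInconsistent models the weak pattern the article describes: the
// consumer-facing USB path and the OTA path check the signature, but the
// service-oriented OBD-II path was written separately and never calls the
// gate. The cryptography is fine; the deployment of the check is not.
func (in Installer) InstallInconsistent(src UpdateSource, img UpdateImage) error {
	switch src {
	case SourceUSB, SourceOTA:
		return VerifyUpdate(in.PubKey, img)
	case SourceOBD:
		return nil // "it's the workshop, it must be trusted": the gap
	}
	return fmt.Errorf("unknown update source %q", src)
}

// Install is the consistent version: the source only decides whether that
// interface may deliver updates at all; every accepted image then goes
// through the same verification gate.
func (in Installer) Install(src UpdateSource, img UpdateImage) error {
	switch src {
	case SourceUSB, SourceOTA, SourceOBD:
	default:
		return fmt.Errorf("unknown update source %q", src)
	}
	return VerifyUpdate(in.PubKey, img)
}

func main() {
	// Constructed demo: fresh key pair, a signed image and a tampered copy.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignUpdate(priv, []byte("firmware v1.2.3 (constructed payload)"))
	tampered := UpdateImage{Payload: append([]byte(nil), img.Payload...), Signature: img.Signature}
	tampered.Payload[0] ^= 0xff

	in := Installer{PubKey: pub}
	for _, src := range []UpdateSource{SourceUSB, SourceOBD, SourceOTA} {
		fmt.Printf("%-16s inconsistent: %v | consistent: %v\n",
			src, in.InstallInconsistent(src, tampered), in.Install(src, tampered))
	}
}
```

The design point is that the per-interface code decides only admission, never verification; keeping the gate in one function makes "does every update path verify?" a question a code review or a single unit test can answer, which is much harder when each interface team ships its own copy of the check.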
Lesson Four: Deploy security solutions consistently
- Code signing can be bypassed in both research publications.
- The vulnerabilities are not due to weak cryptography, but due to inconsistent implementation throughout the system.

We hope you have gained some water-cooler knowledge about these most recent attacks and how to apply them to your own architectures. As mentioned, look for more articles from your FEV automotive cyber security experts.

Attack Interfaces Targeted

References:
- Experimental Security Assessment of BMW Cars, Keen Security Lab. https://keenlab.tencent.com/en/2018/05/22/new-carhacking-research-by-keenlab-Experimental-Security-Assessment-of-BMW-Cars/#more
- The Connected Car: Ways to get unauthorized access and potential implications, Computest. https://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf
- http://www.navpro.co.nz/media/catalog/product/cache/1/image/9df78eab33525d08d6e5fb8d27136e95/7/1/715c.jpg (Head Unit image source)