Fast and Vulnerable A Story of Telematic Failures

Similar documents
Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Automotive Attack Surfaces. UCSD and University of Washington

Security Analysis of modern Automobile

Security Concerns in Automotive Systems. James Martin

Experimental Security Analysis of a Modern Automobile

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Securing the Connected Car. Eystein Stenberg CTO Mender.io

IoT Vulnerabilities. By Troy Mattessich, Raymond Fradella, and Arsh Tavi. Contribution Distribution

Cradlepoint ARC CBA850

In-Vehicle Computers

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

3G/WiFi In-Vehicle Surveillance & GPS Tracking System

Firmware RELEASE NOTES

Document Version: 1.0. LG308 LoRaWAN Gateway User Manual. LoRaWAN Gateway User Manual ---Update: / 30

EXPRESS. Users Guide. Version 3.5

MTXM2M. Modems, Gateways & Routers for M2M-IoT

IndustrialPro Routers (SN/RAM Series)

An Experimental Analysis of the SAE J1939 Standard

WIRELESS SOLUTIONS FOR EVERYONE

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

EMBEDDED SOFTWARE. August 2016

WatchGuard AP - Remote Code Execution

Fleet Management - Smart, Secure and Easy

Cradlepoint AER1600/AER1650

Hackveda Training - Ethical Hacking, Networking & Security

Quick Start Guide LES1308A, LES1316A LES1332A, LES1348A. Securely manage data center and network equipment from anywhere in the world.

Vodafone MachineLink 3G Plus

Live Demo: A New Hardware- Based Approach to Secure the Internet of Things

Banner Connected Data Solutions Web Service

Secure Software Update for ITS Communication Devices in ITU-T Standardization

Micronet SmartHub. Platform Datasheet. The Next Generation Rugged On-Board Computing Platform. Preliminary February, 2019.

Countermeasures against Cyber-attacks

M!DGE/MG102i Release notes Firmware version xxx

List of firmware changes (new features and bug fixes) of Weidmüller Router models

1. Introduction. 1.1 Cosmo Specifications

Standard protocol support (e.g. MODBUS, SNMP, M-Bus), possibility to install dedicated user protocols

IoTECH* *Internet of Things Extensible Car Hub. MDR Presentation

SMS Power Controller. User Documentation. V Feb

Chapter 2. Switch Concepts and Configuration. Part II

RediGate 400 Series Getting Started Guide

AER3100/AER3150. All-in-One, Cloud-Managed Networking Solution. Quick Start Guide

PXA270 EPIC Computer with Power Over Ethernet & Six Serial Protocols SBC4670

CompTIA A+ Accelerated course for & exams

Communication Gateway

Spork Installation Instructions

List of FW changes

Final Report. Project Title: Dial A Whip

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Triconex TriStation Emulator Denial of Service

IndustrialPro Routers (SN/RAM Series) Wireless Modems

NI Linux Real-Time. Fanie Coetzer. Field Sales Engineer SA North. ni.com

Adversary Models. EECE 571B Computer Security. Konstantin Beznosov

OBD GPS Tracker CW-601 User Manual

Introduction Video Camera Support Option TREQ Platform Datasheet. January Rev. 2 A-317 Video Getting Started Guide 1 / 6

Timing Report - By distance, angle, time. connection. Sleep/Deep sleep. Digital output/input. Analog input - Able to enable/disable

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

ALEOS Release Notes

Remote Console Manager with GSM Modem QS Guide

COR Series Router IBR600 / IBR650

Green Diesel Flash-Scan 3 Tool Instructions

EQ/OS Release Notes

Skyus DS Quick Start Guide

STW s Connectivity Solution for Mobile Equipment: The Vehicle Data System (VDS) and VDS-Remote (VDS-R) 31 July 2009, STW, Norcross, Bob Geiger

Technical Specification H9303 Media WiFi Router

VScom NET-CAN 120 WLAN

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Change log for Weidmüller Industrial Security Routers IE-SR-2/6GT series

Remote Console Manager with GSM Modem QS Guide

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

Effective Immediately: (For internal and external distribution) Vanguard 3000 Firmware Upgrade Instructions

Wireless OBD II CAN Bus Embedded System Design

Embedded lightweight unix

Lab Configure Basic AP security through GUI

Souran Q2686 Design Guide

802.11p ETSI TC ITS Wireless Communication System, On Board Unit. Model: OBU-102

IoE Workshop. Marc Khayat, CCIE #41288, Leonard Janer Technical Managers. June 16

GE Fanuc Intelligent Platforms

GenIP : Intelligent gateway dedicated to most critical industrial applications

Arm11 Based Accident Alert and Vehicle Tracking Using GSM and GPS

Skyus DS2. by Inseego. Quick Start Guide

AER Series Router AER2100 / AER2150

COR Series Router IBR600B / IBR650B

TestOut PC Pro - English 6.0.x COURSE OUTLINE. Modified

Connected Car. Start Guide. Device by

General Notice Introduction Functional Description Product Troubleshooting Driver Setup...

File Transfers. Contents

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Guide. Cloudistics Ignite: Setup and Configuration Guide

Xiamen Caimore Communication Technology Co.,Ltd. Specification of Vehicle 4G LTE FDD WIFI Router

SA Quick Start Guide

SKYNET HYBRID FLEET SOLUTION ABOUT US. Satellite Communications. SkyNet Satellite Communications

Teltonika Operating System for Networking products

M2MD Communications Gateway: fast, secure and efficient

Automotive Security Standardization activities and attacking trend

CompTIA A+ Certification ( ) Study Guide Table of Contents

JANUS EXPLORER. Janus Explorer Version 1.4 Quick Guide

Cradlepoint ARC CBA850 Specifications

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Transcription:

Fast and Vulnerable A Story of Telematic Failures Center for Automotive Embedded Systems Security Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage

Telematic Control Units Connects to car s OBD-II port Monitors vehicle state Local sensors Transmits data off device GPS Accelerometers Cellular, WiFi, Bluetooth Common uses: Fleet tracking Remote diagnostics

Our TCU Mobile Devices Ingenierie - C4E (munic.box) ARM 11 5MHz CPU 64 MB RAM 256 MB Flash Storage Sensors GPS 3D accelerometer 3 axis gyroscope Communication GSM modem USB Debug port OBD Connector

Controller Area Network (CAN Bus) Connects various ECUs in cars Message based protocol Identifier for addressing destination Previously shown to be vulnerable Charlie Miller and Chris Valasek UCSD & UW image source: munic.io

CAN Frame Identifier can0 can0 can0 can0 can0 can0 442 440 442 440 620 442 Size Data [8] [8] [8] [8] [8] [8] 42 42 40 42 10 40 01 02 02 02 02 80 40 80 'B...' 'B...' '@...' 'B...' '...@..' '@...'

Attack Surface Local USB debug port NAND flash Adversary has physical access to the TCU. Do not consider the automobile communications in this model. Remote SMS 2G/3G Adversary does not have physical access to the TCU, and may not even know where the TCU is geographically located.

Local Attacks

Debug Interface Exposes USB network Web & Telnet server for debug console SSH Server FTP Server for log retrieval and update uploading

NAND Dump Filesystem layout pulled from debug logs dmesg NAND flash removed and dumped de-soldered & read using hardware reader NAND flash simulated from dump nandsim Linux kernel module Partitions mounted for reading Unsorted Block Image File System (UBIFS)

SSH Mounting the NAND flash dump revealed the private key for the root user.

SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested.

SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested. /etc/shadow was identical across devices and included weak passwords.

CAN Bus Capabilities PIC Coprocessor Used by devices with older firmware. Custom interface for sending & receiving can messages. Required ACC or ignition to be on to function. Bypassed by reflashing PIC firmware without this check. SocketCAN Used on devices with newer firmware. Exposes the CAN interface as a traditional network interface. Shipped with can-utils package. Supports reading, saving, creating, and replying CAN messages.

Local Access Summary No authentication for debug consoles USB provides root access via web, telnet console, and SSH. Can send and receive arbitrary CAN messages.

Remote Attacks

IP (2G) All services bound to all network interfaces. web telnet console SSH Same local network attacks work over the internet. Some devices protected by wireless carrier s NAT implementation.

SMS The device responds to SMS commands Examples: status gps position reset remote update

Normal Update Procedure 1. 2. 3. 4. SCP UpdateFile.txt from update server to device SCP new files from UpdateFile.txt from update server to temp folder Move new files from temp folder to destination directory Optionally perform an additional action a. clear b. identify c. status d. reset

Normal Update Procedure Problems 1. 2. Updates are not cryptographically signed. TCU does not authenticate the update server, instead the update server authenticates the TCU.

Exploiting Update Replaced a binary (console) that was called post update to execute commands: 1. 2. 3. 4. Replace console with console.bak (original) Start reverse SSH tunnel to update server Send SMS notification when reverse shell is ready Execute original console command

Remote Access Summary Same local debug consoles exposed remotely. SMS allows access if wireless carrier uses NAT. Can obtain root shell from IP or SMS. Send arbitrary can packets remotely. Get GPS coordinates remotly.

Finding Devices Need to know either IP address (without NAT) or SMS number. SMS numbers were found to be from the 566 area code, which is reserved for personal communication devices Numbers were not random; appeared to be sequentially assigned. Could likely enumerate them all by sending a status SMS request to all numbers.

Shodan Search SSH Server Fingerprint Telnet Console Prompt

Proof of Concept Attack

Proposed Solutions 1. 2. 3. 4. 5. 6. 7. Require update authentication Disable remote SMS administration Don t distribute identical private keys Use strong passwords Disable WAN administration Require debug console authentication Maintain update server

Disclosure June 29th - Reach out to Mobile Devices with details of vulnerabilities July 2nd - Mobile-devices responds Developer SIM Advanced debug mode Older software version July 8th - Reach out to Metromile with details of vulnerabilities July 8th - Metromile responds, will disable debug mode and disable SMS.

Disclosure - CERT July 12th - Inform CERT of vulnerabilities found in C4 platform July 14th - CERT responds, assigned vulnerability #209512 August 6th - CERT assigned 5 CWEs: CWE-306: Missing Authentication For a Critical Function CWE-321: Use of a Hard-Coded Cryptographic Key CWE-798: Use of Hard-Coded Credentials CWE-285: Improper Authorization CWE-345: Insufficient Verification of Data Authenticity Ongoing - Creating CVEs.

Thank You Questions? idfoster@cs.ucsd.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback