An Experimental Analysis of the SAE J1939 Standard

Similar documents
Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Security Analysis of modern Automobile

Securing the Connected Car. Eystein Stenberg CTO Mender.io

SAE J1939. Serial Control and Communications Vehicle Network

Experimental Security Analysis of a Modern Automobile

Security Concerns in Automotive Systems. James Martin

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

Securing the Autonomous Automobile

Development of Intrusion Detection System for vehicle CAN bus cyber security

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Heavy Vehicle Cyber Security Bulletin

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Heavy Vehicle Cybersecurity Update. National Motor Freight Traffic Association, Inc.

IQAN CREATIVE SOFTWARE

Fast and Vulnerable A Story of Telematic Failures

Christoph Schmittner, Zhendong Ma, Paul Smith

SAE J1939. Serial Control and Communications Vehicle Network. Presented by Wilfried Voss

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Car Hacking for Ethical Hackers

Examining future priorities for cyber security management

IQAN CREATIVE SOFTWARE

CANoe.J1939. Product Information

The case for a Vehicle Gateway.

Securing the future of mobility

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Vehicle Trust Management for Connected Vehicles

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

Vehicle Network Gateway (VNG)

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Vehicle Electronic Security and "Hacking" Your Car

CANalyzer.J1939. Product Information

Connect Vehicles: A Security Throwback

13W-AutoSPIN Automotive Cybersecurity

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Attack Resilient State Estimation for Vehicular Systems

Automotive Attack Surfaces. UCSD and University of Washington

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Advanced Transportation Optimization Systems (ATOS)

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

Context-aware Automotive Intrusion Detection

Automotive Gateway: A Key Component to Securing the Connected Car

Preventing External Connected Devices From Compromising Vehicle Systems Vector Congress November 7, 2017 Novi, MI

ESOA > The Connected Automobile. Connected Automobiles Market Overview Paul Gudonis, Global Network & Services

Countermeasures against Cyber-attacks

Automobile Design and Implementation of CAN bus Protocol- A Review S. N. Chikhale Abstract- Controller area network (CAN) most researched

CAN bus and NMEA2000 1

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

J1939 OVERVIEW. 1

Vehicle To Android Communication Mode

Dedicated Short Range Communication: What, Why and How?

TRENDS IN SECURE MULTICORE EMBEDDED SYSTEMS

Standardized Tool Components for NRMM-Diagnostics

Security Issues in Controller Area Networks in Automobiles

Air Force Test Center

Hardening Attack Vectors to cars by Fuzzing

SKYNET HYBRID FLEET SOLUTION ABOUT US. Satellite Communications. SkyNet Satellite Communications

4G and 5G Cellular Technologies Enable Intelligent Transportation Use Cases

VEHICLE DATA INTERFACES

WeVe: When Smart Wearables Meet Intelligent Vehicles

Risk-based design for automotive networks. Eric Evenchik, Linklayer labs & Motivum.io Stefano Zanero, Politecnico di Milano & Motivum.

NC1701 ENHANCED VEHICLE COMMUNICATIONS CONTROLLER

Security and Privacy challenges in Automobile Systems

Open Source in Automotive Infotainment

FLEET-WIDE BACKUP & SIDE-FACING CAMERA SOLUTIONS

CAN Obfuscation by Randomization (CANORa)

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Automotive Cyber Security

Computer Security and the Internet of Things

To realize Connected Vehicle Society. Yosuke NISHIMURO Ministry of Internal Affairs and Communications (MIC), Japan

University of Tartu. Research Seminar in Cryptography. Car Security. Supervisor: Dominique Unruh. Author: Tiina Turban

Holger Zeltwanger CAN CAN. protocol and its impacts on CANopen. CiA

Secure Software Update for ITS Communication Devices in ITU-T Standardization

SKYNET. Satellite Communications COMPLETE FLEET SOLUTIONS

Assessing the Accuracy of Vehicle Event Data based on CAN Messages

Security Challenges with ITS : A law enforcement view

Autorama, Connecting Your Car to

Physical-Fingerprinting of Electronic Control Unit (ECU) Based on Machine Learning Algorithm for In-Vehicle Network Communication Protocol CAN-BUS

Firewall Identification: Banner Grabbing

WardsAuto Interiors Conference Creating the Ultimate User Experience

STW s Connectivity Solution for Mobile Equipment: The Vehicle Data System (VDS) and VDS-Remote (VDS-R) 31 July 2009, STW, Norcross, Bob Geiger

A modern diagnostic approach for automobile systems condition monitoring

AUTOSAR stands for AUTomotive Open Systems ARchitecture. Partnership of automotive Car Manufacturers and their Suppliers

USE CASES BROADBAND AND MEDIA EVERYWHERE SMART VEHICLES, TRANSPORT CRITICAL SERVICES AND INFRASTRUCTURE CONTROL CRITICAL CONTROL OF REMOTE DEVICES

A distributed architecture to support infomobility services. University of Modena and Reggio Emilia

How to protect Automotive systems with ARM Security Architecture

Turbocharging Connectivity Beyond Cellular

The LSI Gateway. GS220, GS221, GS222 series - LSI gateways. Features:

Vehicle Safe-Mode Limp-Mode in the Service of Cyber Security

FMB204 FLEET MANAGEMENT // FMB204

5G promotes the intelligence connected vehicles. Dr. Menghua Tao Senior Solution Manager China Unicom

DriverConnect. Application User Manual. Software Version 4.4.2

The Information Age has brought enormous

Experimental Security Analysis of a Modern Automobile

MIGRATING TO CAN FD. Tony Adamson. Marketing Director CAN / LIN / FlexRay

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

Foreword to the Reader. What Do You Mean by Commercial Vehicles and How Did We Happen on This Path of Cybersecurity? by Gloria D Anna 1

Transcription:

Truck Hacking: An Experimental Analysis of the SAE J1939 Standard 10th USENIX Workshop On Offensive Technologies (WOOT 16) Liza Burakova, Bill Hass, Leif Millar & Andre Weimerskirch

Are trucks more secure than cars?

Outline I. Motivation II. Prior Work III. Technical Background IV. Targets V. Attacks A. Instrument Cluster B. Powertrain VI. Tools & Test Environment VII. Future Work VIII. Defenses

Why Heavy Vehicles? Disconnect between consumer automotive and heavy vehicle industries Higher impact than consumer vehicles Heavy vehicles physically massive Expensive & hazardous cargo More susceptible to bad driving conditions Backbone of economy And...

there are a couple potentially affected industries

Heavy Trucks

Buses

Recreational Vehicles (RVs)

Agriculture Machinery

Forestry Machinery

Construction Vehicles

Heavy Haul & Passenger Locomotives

Military Vehicles (MiLCAN)

Marine Navigation Systems (NMEA2000)

Prior Work - CAN Exploits Consumer automobile segment scrutinized after public hacks in 2015 Pattern of physical exploit ---> remote exploit Unknown Make Physical Exploits Karl Koscher, et al 2010 2011 Unknown Make Remote Exploits Karl Koscher, et al 1 1.4M Recall 2 Over-the-air Update Toyota Prius & Ford Escape Physical Exploits Miller, Valasek 2014 2015 Jeep Cherokee1 Remote Exploits Miller, Valasek Tesla Model S2 Physical Exploits 2016 Heavy Truck Physical Exploits

So what is CAN?

CAN Overview Broadcast transceiver Allows microcontrollers to communicate with each other Nodes see everything on the network CAN_H CAN_L

Extended CAN Frames

But what is J1939

What is J1939? Not CAN Built on top of it Physical & link layer == CAN Application Network Link Defines network -> application layers Physical Detailed documentation publicly available through Society of Automotive Engineers (SAE)

SAE J1939 Overview Successor to SAE J1708/J1587 J1708 == physical & link J1587 == transport & application Inside the CAN ID: PGN SRC & DST

J1939 Overview Continued

Is security built on top? IP/TCP + HTTP (no security) IP/TCP + HTTPS (yay security!) :D CAN + Car app. layer (no security) CAN + J1939 (security???) \_(ツ)_/

Our Targets 2001 Model School Bus 2006 Model Semi Tractor

Typical Heavy Truck Network

Instrument Cluster Attack Experiment Progression: Packet snooping & packet injection Heavily relied on by vehicle operators

Hydraulic & Pneumatic Brakes

Powertrain Attack Experiment progression: Packet recording, replay attack, packet injection script

Powertrain Attack Part 2: Electric Boogaloo Unmodified attack from 2006 model year truck on 2001 model year school bus

A very powerful message Single PGN for all these attacks Remove driver s ability to input via accel. pedal Disable engine brake Command high and low RPM values Largest hurdle: implementing checksum No RE required... checksum is public as well!

Making It Happen

Tools PEAK USB-PCAN Data Collection Packet Injection Python APIs Fuzzing Script Vector CANoe Data Collection Packet Injection CAPL Scripting language Diagnostic Tool ABS valve modulation Engine cylinder cutoff

Test Environment 1. Idle Truck Initial data gathering Attack development 2. Public Roads Data gathering in motion 3. MCity Attacks while in motion

Looking towards the future...

Remote Compromises? Telematic Gateway Unit (TGU) Cellular, Bluetooth, CAN (J1939) interfaces C4MAX - Telnet port open by default Fleet Management Systems Ubiquitous in several industries GPS data, CAN bus access C4MAX units on public IP space

Further Areas of Interest Diagnostics tool emulation More safety critical attacks Malicious trailers

So Many Activities... Autonomous Semi Trucks Connected Vehicles V2V / V2I Cargo Ships Aircraft

Vulnerability Mitigation Techniques Securing the Vehicle Bus: Network Segregation & Isolation Intrusion Detection Systems Message Ownership Verification Message Authentication Strict Message Timing Detection Best Practices from traditional security domain: Passwords on externally facing devices Vendor Review

Travel to this workshop and future research is sponsored by National Motor Freight Traffic Association, Inc. (NMFTA). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of NMFTA.

Truck Hacking: An Experimental Analysis of the SAE J1939 Standard 10th USENIX Workshop On Offensive Technologies (WOOT 16) ybura, billhass, ltmillar @umich.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback