How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

Similar documents
Chances and challenges

The House Intelligent Switch Control Network based On CAN bus

Additional Slides (informative)

Experimental Security Analysis of a Modern Automobile

Controller area network

CAN bus and NMEA2000 1

The Controller Area Network (CAN) Interface

A Framework Of Milk Dairy Automation Using CAN Protocol

Security Analysis of modern Automobile

FlexRay and Automotive Networking Future

A Beginner s Guide to Controller Area Network Bus Access in Modern Vehicles

Security Issues in Controller Area Networks in Automobiles

Microprocessor Communication Module Connecting On Board Diagnostic System and Personal Computer

DEFINITION AND IMPLEMENTATION OF AN ARCHITECTURAL CONCEPT FOR CONFIGURING A CAN NETWORK

Architecture concepts in Body Control Modules

J1939-based application profiles

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

Operating Systems, Concurrency and Time. real-time communication and CAN. Johan Lukkien

Vehicle Network Gateway (VNG)

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Introduction to Controller Area Network (CAN)

Serial Buses in Industrial and Automotive Applications

CAN-BUS MCP2515 MCP2551 OBD-II

Digital communication technology for teaching automatic control: the level control case

Security Concerns in Automotive Systems. James Martin

Implementation and validation of SAE J1850 (VPW) protocol solution for diagnosis application

Automobile Design and Implementation of CAN bus Protocol- A Review S. N. Chikhale Abstract- Controller area network (CAN) most researched

A Reliable Gateway for In-vehicle Networks

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Debugging CAN, LIN, and FlexRay Automotive Buses with an Oscilloscope

Intrusion Detection Adapted for Automotive Challenges for Hardware - An Implementation Example

CONTROLLER AREA NETWORK AS THE SECURITY OF THE VEHICLES

CAN Based Data Acquisition

An Experimental Analysis of the SAE J1939 Standard

Field buses (part 2): time triggered protocols

Car Hacking for Ethical Hackers

Flash Bootloader. Product Information

Course Introduction. Purpose. Objectives. Content. Learning Time

CONTROLLER AREA NETWORK (CAN)

Countermeasures against Cyber-attacks

Communication in Automotive Networks Illustrated with an Example of Vehicle Stability Program: Part I - Control Area Network

CAN FD with Dynamic Multi-PDU-to-Frame Mapping

Sri Vidya College of Engineering and Technology. EC6703 Embedded and Real Time Systems Unit IV Page 1.

Stepping Stone to Car Hacking

A modern diagnostic approach for automobile systems condition monitoring

PREEvision Technical Article

CAN-FD Flexible Data Rate CAN

CAN Protocol Implementation

CAN Connected To FlexRay

Trusted Platform Modules Automotive applications and differentiation from HSM

Enhanced Error-Recovery CAN Bus System Using Reed-Solomon Codec

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Mixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance

MIGRATING TO CAN FD. Tony Adamson. Marketing Director CAN / LIN / FlexRay

Simplify CAN and LIN In-vehicle Network Testing

Vehicle Electronic Security and "Hacking" Your Car

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

AUTOMOBILE APPLICATIONS USING CAN PROTOCOL

Communication Networks for the Next-Generation Vehicles

Assessing the Accuracy of Vehicle Event Data based on CAN Messages

Physical-Fingerprinting of Electronic Control Unit (ECU) Based on Machine Learning Algorithm for In-Vehicle Network Communication Protocol CAN-BUS

USBCAN-OBD. USB to CAN adapter. User Manual. Document version 3.01 (2015/04/22)

Flexray Protocol in Automotive Network Communications

Development of Intrusion Detection System for vehicle CAN bus cyber security

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Overvoltage protection with PROTEK TVS diodes in automotive electronics

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS

Controller Area Network (CAN)

INTER INTRA VEHICULAR COMMUNICATION

Application. Diagnosing the dashboard by the CANcheck software. Introduction

ISO INTERNATIONAL STANDARD. Road vehicles Controller area network (CAN) Part 3: Low-speed, fault-tolerant, medium-dependent interface

Grundlagen der Automatisierungstechnik. 10. Signale und Kommunikation in der Automatisierungstechnik

UNDERSTANDING THE CONTROLLER AREA NETWORK (CAN)

Development of a CAN Slave Module with SystemC. Igor Sachs Shang Qihua

Controller Area Network

AUTOSAR stands for AUTomotive Open Systems ARchitecture. Partnership of automotive Car Manufacturers and their Suppliers

CORBA in Control Systems

Protection against attack D.o.S. in CAN and CAN-FD vehicle networks

J1939 OVERVIEW. 1

Ch 7. Network Interface

OTIDS: A Novel Intrusion Detection System for In-vehicle Network by using Remote Frame

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks. Credits to my thesis partner:

Automotive Cyber Security

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Automotive and industrial use cases for CAN FD

Figure 1. ECU Access to CAN bus

SW-Update. Thomas Fleischmann June 5 th 2015

Security and Performance Benefits of Virtualization

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Remote Keyless Entry In a Body Controller Unit Application

IT-Sicherheitsprüfverfahren im Automotive-Umfeld

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Experiences with CANoe-based Fault Injection for AUTOSAR

CAN FD. An Introduction V

Securing the future of mobility

Business update: Automotive

Syslog Technologies Innovative Thoughts

Standardized Tool Components for NRMM-Diagnostics

Transcription:

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles Jason Staggs

Who is this guy? Jason Staggs Graduate Research Assistant Institute for Information Security (isec) Crash Reconstruction Research Consortium (TU-CRRC) TRUE Digital Security Cyber Security Analyst

Why do we hack cars? Related work Comprehensive Experimental Analyses of Automotive Attack Surfaces Experimental Security Analysis of a Modern Automobile Understanding computer and network systems on cars Underlying CAN protocol and components lack of authentication and verification of messages Understanding potential points of vulnerability Vehicle network security is in its infancy But most importantly

To prevent this..

From turning into this..

Because of this..

CAN Clock Project Research project developed as a proof of concept Manipulating CAN nodes via CAN network Reverse Engineering CAN messages 2003 Mini Cooper

Background of vehicle communication networks Began in 1980s with General Motors Common vehicle Protocols CAN (Most widely used among manufactures) FlexRay KW2000 LIN J1850 (GM/Chrysler) J1939 (Heavy Trucks) J1708/J1587 (Being phased out due to J1939) 2008: All US cars use CAN for mandated EPA diag.

Controller Area Networks Bosh CAN standard Developed in the 80s European Manufactures were early adopters Standard Format 11-bit ID header Mfg. use of proprietary IDs for each of their CAN components Extended Format 29-bit ID header Used extensively by J1939

CAN Frame SOF Start of Frame Identifier Unique identifier for message along with priority RTR Remote Transmission Request IDE Identifier extension (distinguishes between CAN standard and CAN extended) DLC Data Length Code (frames have up to 8 bytes of data) CRC Cyclic Redundant Check sum ACK Acknowledge EOF End of Frame IFS Intermission Frame Space

Interconnected vehicle networks

Electronic Control Units (ECUs) ECUs designed to control : Vehicle safety systems Engine control unit ABS braking system Door locks Infotainment systems Radio Deck HID units The list goes on Programmable ECUs Allows MFGs to update firmware on ECUs Average modern day car has ~70 ECUs

Reverse Engineering CAN Messages What we want to do: Manipulate CAN enabled vehicle components Problem: Manufactures do not publish CAN message ID information about their various CAN components Solution: A method for visually correlating physical system interactions with identifiable patterns. (Humans are good at this) Brute force (Tedious, and messy)

Reverse Engineering CAN Messages Passively captured CAN data during a staged test run In this case it was a staged automotive collision.. Mini Cooper vs. GMC Envoy (Check out TU-CRRC website for killer videos) Data capture lasted for roughly 90 seconds Data Log gives us ~106,000 data entries of CAN messages

CAN Data Log Contained ~106,000 data entries Bash cut d. f3 cooperheadion.txt sort uniq c Only 15 Unique CAN IDs!? ID Occurrences CAN IDs 12706 153 12706 1F0 12706 1F3 9460 1F5 12707 1F8 8899 316 8899 329

Vehicle Speed (MPH) Visually identifying CAN messages of interest 30 0x153 Byte 2 CAN Message 25 20 15 10 5 0 0 10 20 30 40 50 60 70 80 90 100 Time (sec)

Reverse Engineering CAN Messages Speedometer and Tachometer CAN IDs 2 methods For each CAN ID, plot data values vs. timestamp in order to determine physical significance. Given possible CAN IDs, fuzz data fields until needles start moving CAN Message ID Description 0x153 Byte 2 0x316 Byte 3 0x329 0x61A 0x61F Speedometer (Vehicle Speed) Tachometer (Engine Speed) Various indicator lights Controls the messages being displayed on the tachometer LED screen. Tachometer along with various indicator lights

Building the CAN network CAN Bus 18 gauge wire 2 x 120 ohms terminating resistors 12V DC power source Arduino Uno microcontroller CAN Bus Shield MCP2515 CAN controller MCP2551 CAN transceiver Mini Cooper Instrument Cluster Real time clock module RTC (for clock mode)

Proof of Concept Talking CAN with Arduino Arduino and CAN Controller Libraries MCP2515 (Communication with CAN transceiver) SPI (Used for communications between Arduino and CAN shield) 2 Modes of operation Clock Mode Demo Mode

Demo

Gaining physical access to CAN Via OBD2 Tapping the CAN bus (vampire tap) Under the hood Breaking a powered side view mirror Etc. 0 to pwned for less then $100 Rogue Arduino CAN node Potential conspirators Mechanics Car Rentals Coworkers/Family/Friends/Ex-girlfriends/etc.

Future Work / Conclusion Access control between vehicle network components ECU to ECU OBD2 to ECU Applying conventional NIPS & firewall methods to CAN Message anomaly prevention depending on context?

For more Information TU Research http://isec.utulsa.edu/ http://tucrrc.utulsa.edu/ Check out our research and crash tests http://tucrrc.utulsa.edu/canclock/ CAN Standards/Docs http://esd.cs.ucr.edu/webres/can20.pdf (CAN 2.0 Spec) http://www.sae.org/standards/

Questions?? jason-staggs@utulsa.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback