IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Similar documents
Automotive Security An Overview of Standardization in AUTOSAR

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

盤技術Approaches for Secure and Efficient In-Vehicle Key Management*

EB TechPaper. Combining the strengths of Elektrobit's SecOC with Argus IDPS. elektrobit.com

Cyber security mechanisms for connected vehicles

Security Concerns in Automotive Systems. James Martin

Linux in the connected car platform

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Software Architecture for Secure ECUs. Rudolf Grave EB TechDay-June 2015

Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Efficient testing of ECUs despite Security

Heavy Vehicle Cyber Security Bulletin

CAN protocol enhancement

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Trusted Platform Modules Automotive applications and differentiation from HSM

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Automotive Anomaly Monitors and Threat Analysis in the Cloud

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Automotive Cybersecurity: A steep learning curve

Introducing Hardware Security Modules to Embedded Systems

SGX Security Background. Masab Ahmad Department of Electrical and Computer Engineering University of Connecticut

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

Uses of Cryptography

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Market Trends and Challenges in Vehicle Security

Automotive Attack Surfaces. UCSD and University of Washington

Securing the future of mobility

Automotive Security: Challenges and Solutions

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Summary on Crypto Primitives and Protocols

Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Sancus 2.0: Open-Source Trusted Computing for the IoT

Countermeasures against Cyber-attacks

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Securing Vehicle ECUs Update Over the Air

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Secure Software Update for ITS Communication Devices in ITU-T Standardization

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

New Approaches to Connected Device Security

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Security Analysis of modern Automobile

Cyber security of automated vehicles

Lecture 1 Applied Cryptography (Part 1)

AUTOSAR Overview and Classic Platform

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

VEHICLES incorporate a multitude of systems which

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

An Experimental Analysis of the SAE J1939 Standard

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

CAN Obfuscation by Randomization (CANORa)

Fast and Vulnerable A Story of Telematic Failures

10 FOCUS AREAS FOR BREACH PREVENTION

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Open Source in Automotive Infotainment

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Automotive Cyber Security

CIS 4360 Secure Computer Systems Applied Cryptography

PROTECTING CONVERSATIONS

Certified Secure Web Application Engineer

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

The case for a Vehicle Gateway.

18-642: Security Mitigation & Validation

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

The Internet of Things. Steven M. Bellovin November 24,

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

CS 161 Computer Security

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Notes on NFC ticket design on MIFARE Ultralight C (updated ) Tuomas Aura. Application is a data structure

Development of Intrusion Detection System for vehicle CAN bus cyber security

Risk-based design for automotive networks. Eric Evenchik, Linklayer labs & Motivum.io Stefano Zanero, Politecnico di Milano & Motivum.

Firmware Updates for Internet of Things Devices

Secure automotive on-board networks

OBD Simulator. Software to simulate and re-play a vehicle.

OS Security IV: Virtualization and Trusted Computing

System Structure. Steven M. Bellovin December 14,

Network Security and Cryptography. December Sample Exam Marking Scheme

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

HSL SECURITY SOLUTION FOR. VoIP PHONES PROTECTION

System-level threats: Dangerous assumptions in modern Product Security. Cristofaro

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Practical Experiences with crypto on 8-bit

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Public-key Cryptography: Theory and Practice

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

Cyber security for embedded communications. Author Title Organization Lars Wolleschensky CTO ESCRYPT

Message Authentication and Hash function

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

200 IT Security Job Interview Questions The Questions IT Leaders Ask

EXPLOITING CLOUD SYNCHRONIZATION TO HACK IOTS

T Cryptography and Data Security

Transcription:

SESSION ID: SBX3-W1 IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION Jeffrey Quesnelle Director of Software Development Intrepid Control Systems @IntrepidControl

Introduction Spent 15 years working for a global tools supplier in automotive networking Everything we will talk about today is from open standards Perquisite knowledge: What is CAN bus? What is an ECU? Follow along with the slides: http://jeffq.com/rsa_secoc.pptx 2

The Insecure Era In automotive networking we re still in an insecure by default mindset Except for a few cases (i.e. the immobilizer) the messages are accepted as-is Helpful for when simulating and testing, but potentially dangerous in the real world In general, an attacker that can send arbitrary CAN messages on a vehicle has complete power 3

Implicit Availability The dominant paradigm in automotive networking in implicit availability The ID of the message refers to the contents of the message Leads to nodes that are highly decoupled from each other Low end car doesn t have backup camera? Okay, no backup camera messages Swap in a new node if one goes bad Complete separation of concerns 4

Implicit Availability Any node could send RPM message Would be accepted as genuine Okay since vehicles were the ultimate air-gapped network Changing rapidly as cars become more connected We would like a system that prohibits this But maintains advantages of implicit availability 5

Threat Model When designing a security system we need to analyze our threat model What are we trying to prevent? What are the likely attacks our system might face? Assuming some of our defenses are breached, what are the consequences? Can a partial compromise be mitigated? To help us create our threat model, let s look at some recent attacks on automotive networks 6

Miller, C. and Valasek, C. 2015 Remote Exploitation of an Unaltered Passenger Vehicle aka Uconnect hack Certain 2013-2015 FCA vehicles with Uconnect had head units that were listening on port 6667 on 3G modem (public IP address) Port 6667 was D-Bus, a Linux remote procedure call (RPC) protocol Could remotely issue D-Bus commands to perform any action the head unit could (control HVAC, music, etc.) Head unit not directly connected to CAN bus proxied through a microcontroller over SPI D-Bus service to reflash the micro Firmware file was not authenticated Attackers remotely reflashed the micro with custom firmware giving remote arbitrary CAN access 7

Thuen, C. 2015 Remote Control Automobiles aka Progressive Snapshot hack Progressive Insurance gave customers an OBD-II dongle to plug into their vehicles Monitored standard OBD-II PIDs Discounts are offered for good drivers Dongle contained modem which reported data back to Progressive servers No cellular authentication, anyone with a SDR could simulate a base station and send commands to the dongle As with Miller 2015 there was no authentication of firmware updates 8

Threat Model The Uconnect hack prototypical is threat remote vulnerability on an OEM module with full network access Complete compromise The Progressive hack can be mitigated through alternative measures Goal: A system that Maintains the advantages of our current network architectures Ensures that messages are only produced and consumed by the intended nodes 9

AUTOSAR Cars are like Lego models little pieces all snapped together One car may have ECUs developed by ten different vendors Even the same ECU may have software developed by multiple parties AUTOSAR is a worldwide partnership of defines standards for software architecture Open specifications for each different software layer Gained widespread market adoption Estimated that by 2020 every car will have AUTOSAR based ECUs If you re pentesting an ECU, it probably uses AUTOSAR 10

AUTOSAR Secure Onboard Communications SecOC is an AUTOSAR module that provides PDU (message) integrity and authentication Ensures the freshness of the PDU (protecting against replay attacks) Generic system that can use either symmetric or asymmetric cryptography Not specified: key distribution Greatly affects the effectiveness of the system 11

Data ID and Freshness Value Every PDU has a unique numeric identifier known as the SecOCDataID For example on CAN networks this can just be the ID of the message Every sender/receiver of a PDU must maintain some freshness state for that PDU SecOC suggests two different freshness strategies Freshness timestamps Freshness counters 12

SecOC SecOC in counters mode using symmetric crypto 13

Creating a Secured I-PDU A Secured I-PDU contains the original message (the Authentic I-PDU) as well as freshness value and the MAC Freshness value is incremented on every transmit Input to the MAC/digital signature algorithm is calculated as SecOCDataID + AuthenticIPDU + FreshnessValue Use secret key on the data to create the authenticator In symmetric mode simply chop off some MAC bits Security decreases linearly with MAC size 14

Creating a Secured I-PDU Diagram of a symmetric Secured I-PDU 15

Verifying a Secured I-PDU Only the least significant bits (LSBs) of the freshness value are sent Compute full candidate freshness value by overwriting the LSBs of the last received value If the LSBs from the incoming I-PDU are less than those of the last received value we increment the MSBs Forces the counter or timestamp to always be monotonically increasing Calculate the authenticator value for the received Authentic I-PDU using secret key, ID, full candidate freshness value, and the date bytes If the authenticator value matches, accept the I-PDU and set the new freshness value Otherwise the I-PDU is rejected 16

Analysis of SecOC SecOC uses cryptographic primitives to ensure the integrity and authenticity of messages Maintains most advantages of implicit availability The freshness value is independently maintained by the sender and receiver and changes on each transmission Since this value is included in the data sent to the authentication algorithm each authenticator will be different Even for the same data, valid messages cannot be recorded and replayed, since the freshness value in the receiver will be different For regular CAN, only 27 bits used for MAC May be brute forceable 17

Analysis of SecOC What happens if we have to replace a node, or a node misses a message? Freshness values can become de-synced Need a way to synchronize freshness values This can be OEM/implementation dependent Synchronization of freshness values can introduce stateful data that has to be maintained between nodes (across power cycles) 18

Synchronization Dealing with de-sync is left up to each OEM This secret sauce is probably the first area to look at when pentesting De-sync can happen even in non-adversarial conditions CAN errors can happen due to environmental conditions, buggy ECU startup code, etc. Not all ECUs may take the same time to boot up, or may only turn on conditionally Most basic sync strategy (suggested by the spec) is to periodically transmit the full freshness value 19

Unforeseen Consequences If ECUs are de-synced there will be a soft fail Normal CAN has deterministic failure Receiving node may be de-synced and the transmitter would not know this Can t do one-off messages without some kind of acknowledgment Simplest sync strategy (periodically transmit full freshness) is vulnerable to brute force Solution is to require multiple correct MACs before re-syncing Exacerbates the soft fail scenarios 20

Key Management Achilles heel of a cryptosystem: key management. How are keys generated and stored? Potential solution: One global key Simplest, can replace nodes with no configuration Key leaks once the whole system is caput Potential solution: One key per vehicle Have to preload key to replace a module If an attacker gains code execution on one module, they can send any message Only protects against unauthorized transmission from a rogue OBD/hardwired device (e.g. the Progressive hack) 21

Key Management Potential solution: one key per message Ideal in asymmetric mode, but this is too slow to be practical In symmetric mode all receivers of a message could become rogue transmitters Requires lots of keys Possible compromise: partial networking One key per logical group of messages 22

Apply Even with keys for each message, would SecOC protect against the Uconnect hack? Attacker would still be able to send those messages the head unit could send and receive (i.e. those it needed the keys for) Take away: RCE (remote code execution) will almost always be a full compromise Modules should adhere to separation of concerns/least privilege principles Code for playing MP3s should not be able to send CAN frames If using a multitasking OS like Linux, isolate processes Use a secondary processor for sending messages with a defined interface Uconnect did this, but unauthenticated firmware updates rendered it useless 23

The End! Contacting me Email: jeffq@intrepidcs.com Twitter: @realjeffq Website: http://jeffq.com http://jeffq.com/rsa_secoc.pptx 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback