Security Concerns in Automotive Systems. James Martin

Similar documents
Automotive Attack Surfaces. UCSD and University of Washington

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Security Analysis of modern Automobile

Adversary Models. EECE 571B Computer Security. Konstantin Beznosov

University of Tartu. Research Seminar in Cryptography. Car Security. Supervisor: Dominique Unruh. Author: Tiina Turban

Experimental Security Analysis of a Modern Automobile

Hackveda Training - Ethical Hacking, Networking & Security

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Introduction to Security. Computer Networks Term A15

Fast and Vulnerable A Story of Telematic Failures

Hacking Terminology. Mark R. Adams, CISSP KPMG LLP

Development of Intrusion Detection System for vehicle CAN bus cyber security

Countermeasures against Cyber-attacks

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

An Experimental Analysis of the SAE J1939 Standard

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

GCIH. GIAC Certified Incident Handler.

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Diagnostic Trends 2017 An Overview

CompTIA A+ Accelerated course for & exams

Lecture 12. Application Layer. Application Layer 1

why we need adversary models? Adversary Models elements of an adversary model Dolev-Yao model attacks and countermeasures are meaningless without

Securing the Connected Car. Eystein Stenberg CTO Mender.io

CANalyzer.J1939. Product Information

Mobile Security Fall 2013

Port Mirroring in CounterACT. CounterACT Technical Note

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

An Agency Under MOSTI SECURITY ASSURANCE. Securing Our Cyberspace. Copyright 2008 CyberSecurity Malaysia

Security and Authentication

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

Securing Vehicle ECUs Update Over the Air

Securing the future of mobility

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Paloalto Networks PCNSA EXAM

It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to

ECE 471 Embedded Systems Lecture 22

IoT Vulnerabilities. By Troy Mattessich, Raymond Fradella, and Arsh Tavi. Contribution Distribution

CSC 170 Fall 2017 Dr. R. M. Siegfried. Study Guide for Final Exam

Experimental Security Analysis of a Modern Automobile

The Fully Networked Car. Trends in Car Communication. Geneva March 2, 2005

Wireless Network Security Spring 2015

Securing the Autonomous Automobile

CYBER RISK CONSULTING. Smartphone Security Issues

Attack Vectors in Computer Security

Chapter 9. Firewalls

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Protocol Layers, Security Sec: Application Layer: Sec 2.1 Prof Lina Battestilli Fall 2017

Car Hacking for Ethical Hackers

Wireless Network Security Spring 2016

Core Syllabus. Version 2.6 C OPERATE KNOWLEDGE AREA: OPERATION AND SUPPORT OF INFORMATION SYSTEMS. June 2006

Automotive Security Standardization activities and attacking trend

Secure Software Update for ITS Communication Devices in ITU-T Standardization

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

COMPUTER NETWORK SECURITY

Networking interview questions

Spork Installation Instructions

IT-Sicherheitsprüfverfahren im Automotive-Umfeld

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

Cyber Moving Targets. Yashar Dehkan Asl

AGL Reference Hardware Specification Document

Managing SonicWall Gateway Anti Virus Service

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM

IRL: Live Hacking Demos!

Advanced Diploma on Information Security

Overvoltage protection with PROTEK TVS diodes in automotive electronics

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Automobile Design and Implementation of CAN bus Protocol- A Review S. N. Chikhale Abstract- Controller area network (CAN) most researched

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

NC1701 ENHANCED VEHICLE COMMUNICATIONS CONTROLLER

Driven by SOLUTIONS KTS 560 / KTS 590. ECU diagnosis using ESI[tronic]

CANSPY A Platform for Auditing CAN Devices

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

13W-AutoSPIN Automotive Cybersecurity

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Foundations of Python

IS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS

CompTIA A+ Certification ( ) Study Guide Table of Contents

Vidder PrecisionAccess

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Preventing External Connected Devices From Compromising Vehicle Systems Vector Congress November 7, 2017 Novi, MI

Transcription:

Security Concerns in Automotive Systems James Martin

Main Questions 1. What sort of security vulnerabilities do modern cars face today? 2. To what extent are external attacks possible and practical?

Background - Internal network of computers (ECUs) - Drivetrain, brakes, lighting, entertainment - Controller Area Network of ECUs, CAN - Components have buses - Multiple CAN buses for subsets of ECUs - For example: one for safety-critical components like the engine, one for radio/entertainment center - Not done for security reasons, but bandwidth reasons

Background - Control of only one bus is needed to compromise the entire CAN - On a given bus, each component has at least implicit access to every other component - Can spoof messages to isolated components

Attack surfaces 1. Indirect physical access i. Physical media: CD, USB, MP3 players ii. OBD-II port (more on this later) 2. Short range wireless access (up to 300m) i. Bluetooth, keyless entry, tire pressure monitoring systems (TPMS) 3. Long range wireless access (>1km) i. Broadcast receivers (XM/HD Radio) ii. Addressable channels such as OnStar (more on this later)

Vulnerabilities Highlighted in this presentation: 1. OBD-II port 2. Malicious CDs/audio 3. Bluetooth attacks 4. Addressable channel attacks

OBD-II Port - Mandated to be in every car by the US federal government - Provides direct access to CAN - Used by mechanics with diagnostic tools, or PassThru device - Standard SAE J2534 API to access and program ECUs, Windows API implemented as a DLL - Commonly connect to these devices with WiFi

OBD-II Attack - Vulnerabilities in the PassThru device itself - Runs a variant of Linux on a SoC microprocessor - Broadcasts a UDP packet over its connected network with its IP address and TCP port for access - Only a single application can access a single PassThru device

OBD-II Attack - PassThru device has a proprietary unauthenticated API for configuring network state - Vulnerable to shell injection attacks due to input validation bugs - Linux distro these devices run includes telnet, ftp, and netcat installed - Can open arbitrary telnet connections

Code injections in a comic XKCD 327: Exploits of a Mom

OBD-II Attack 1. Contact any PassThru device 2. Exploit with shell injection 3. Install malicious binary 4. Binary sends pre-programmed messages over the CAN bus for the OBD-II port 5. Installs malware onto the car s telematics unit, waits on certain environmental triggers

Conclusion - An attacker can compromise a dealership network - One PassThru device can be turned into a worm that seeks out other PassThru devices in range and infects them - Now you can infect any car that comes into the dealership and is diagnosed by a PassThru device

Malicious CD/Audio attack - Media player recognizes an ISO 9660- formatted CD with a certain file name - Reflashes the unit with data on CD if user does not press appropriate button - Media player can also parse complex files, certain vulnerabilities in the parser - Allows for a buffer overflow attack *

Malicious CD/Audio attack 1. Modified a WMA file that plays fine on PC 2. Sends arbitrary CAN packets when played by media player in car 3. Small overhead to file size 4. Easy to spread via P2P networks i. So be careful when torrenting pop music

Bluetooth attacks Indirect: - Infect smartphone with Trojan horse app that delivers a malicious payload if paired with a telematics unit Direct: - A little more involved - Once a channel is created, can deliver a payload

Bluetooth attacks - Sniff Bluetooth traffic, get Bluetooth MAC address of vehicle - Brute force pairing PIN - Takes up to 13.5 hours - But can attack in parallel, target parking garages - Expect to brute force a PIN for at least one car within a minute - Assumes the cars have been pre-paired with at least one device

Addressable channel attacks - aqlink software modem present in most North American cars - Converts between analog waveforms and digital bits - Connects cars to Telematics Call Center (TCC) operated by manufacturer - Pure data calls for remote diagnostics uses stealth mode which does not indicate a call is in progress

Addressable channel attacks - Reverse engineered aqlink protocol - Decoded parameters for demodulating digital bits from the raw analog signal - Basically found a way to send signals to the modem that were encoded into the bits they wanted - Decoded packet structure - Gateway and Command programs in the telematics unit recognize and process packets

Addressable channel attacks - Stack-based buffer overflow possible in the Gateway program - However, need to send 300 bytes for this - Authentication required within 12 seconds, takes 14 to transmit 300 bytes - Attack authentication challenge - Random three byte challenge packet - Random number generator re-initialized when telematics unit starts, seeded w/ constant

Addressable channel attacks - Code parsing authentication responses has a bug, authenticates without correct response (1 out of 256 times) - Attack is challenging with car off, telematics unit can shut down when call ends

Conclusion 1. Laptop with aqlink compatible software 2. Call car repeatedly until it authenticates 3. Change timeout from 12 to 60 seconds 4. Re-call the car and deliver payload 5. Exploit telematics unit to download code from Internet over IP-addressable 3G

It gets even easier... Found that the entire attack does not rely on the car s responses: - Encode an audio file with modulated postauthentication exploit payload - Manually dial car from office phone - Play the audio - Same results

Summary table of vulnerabilities Comprehensive Experimental Analyses of Automotive Attack Surfaces

Practicality How practical are these attacks? - Certainly take time and effort - Pretty unlikely to create mass destruction w/ malware - Theft is a real threat - Compromise car, send GPS and Vehicle Identification Number to a server, profit - Surveillance also a threat - Compromise telematics unit, use in-cabin mic to record conversations

Questions? Thanks for listening!

Sources - Comprehensive Experimental Analyses of Automotive Attack Surfaces - Experimental Security Analysis of a Modern Automobile - http://www.today.com/video/today/ 52609500#52609500 - http://drewtech.com/support/j2534/ index.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback