Security Analysis of Modern Automobiles
Dixit Verma
Department of Electrical & Computer Engineering, Missouri University of Science and Technology
dv6cb@mst.edu
20 Apr 2017
Outline
- Introduction
- Attack Surfaces
- CAN Protocol
- CAN Security Challenges
- Experimental Setup
- Attack Methodology
- Experimentation and Results
- Conclusion
- References
Introduction
- Modern automobiles are monitored and controlled by many digital computers communicating over internal vehicular networks.
- These computers are called ECUs (electronic control units): ABS, engine control unit, power windows, telematics, etc.
- This technology has improved efficiency and safety features, for example:
  - Pre-tensioning the seat belts when a crash is predicted
  - Varying the radio volume with speed

ECUs (figure, ref: https://technology.ihs.com/api/binary/527969)
Introduction
- A typical modern sedan may contain over 100 Mb of code along with 50-70 ECUs.
- Recent trends in in-car technology include:
  - OBD-II (on-board diagnostics port)
  - Short-range wireless devices (Bluetooth, wireless tire pressure sensors)
  - Telematics systems
  - Automatic crash response
- However, this has introduced new risks: an attacker who compromises an ECU can gain control of critical modules such as the brakes or power windows.
Attack Surfaces
- To compromise an ECU, the attacker needs to inject malicious code.
- This can be achieved through:
  - Indirect physical access
  - Short-range wireless access
  - Long-range wireless access
- The attacker can exploit vulnerabilities that give control of a module without requiring direct physical access, e.g. via Bluetooth, the audio player or the modem.
Indirect Physical Access
- Modern cars have physical interfaces that provide direct or indirect access to the internal network.
- The OBD-II port, which is federally mandated in the U.S., is used by service personnel for maintenance, diagnostics and ECU programming.
- It provides direct access to the key CAN buses and can be used to compromise the ECUs.
Indirect Physical Access
- For modern vehicles, a Windows-based computer is used at the dealership:
  - To interface with the OBD-II port through a PassThru device
  - To perform maintenance and diagnostics using APIs (e.g. Toyota's TIS)
- Compromising such a system at the dealership would give the attacker access to all the cars serviced by that dealership:
  - Not a hard task, as the system is generally connected to the internet
  - The PassThru device has no authentication
Indirect Physical Access
- Entertainment devices such as audio players let a user connect their phone or iPod.
- An adversary can encode malicious code into an audio file and use social engineering to convince the user to play it.
- Since the audio players in modern vehicles are connected to the CAN bus, this can lead to further attacks on other components.
Short-range Wireless Access
- Modern automobiles use wireless interfaces that operate over short ranges. These include:
  - Bluetooth (range 10 m)
  - Remote keyless entry for ignition, lights and doors
  - Tire pressure monitoring sensors that alert the driver (TPMS)
  - RFID car keys to lock or immobilize the vehicle
- In addition, some new technologies are emerging, such as:
  - A Wi-Fi hotspot bridged to the cellular 3G network for internet access
  - The DSRC standard for collision warning and cruise control
Short-range Wireless Access
- An attacker can use a short-range transmitter in proximity to the car's receiver to orchestrate an attack.
- The adversary can then compromise an ECU by transmitting a malicious message that exploits a vulnerability in the ECU software that parses the channel's messages.
Long-range Wireless Attacks
- Two types of channels are common in modern automobiles: broadcast channels and addressable channels.
- Broadcast channels include GPS, satellite radio and digital radio. They are implemented in the media system, which can provide access to other ECUs via the internal network (e.g. CAN).
- Addressable channels include the remote telematics system, which is connected to voice and data networks (GM's OnStar, BMW's BMW Assist).
Long-range Wireless Attacks
- These systems provide features such as anti-theft, diagnostics, crash reporting and convenience services (directions, weather).
- They can be compromised anonymously and from a distance, because these channels are easy to reach given the wide coverage of cellular networks.
CAN Protocol
- CAN (Controller Area Network) is the protocol responsible for communication between the ECUs.
- CAN follows a publish-and-subscribe communication model.
- Each packet has a CAN ID header that indicates the packet type; the packet is broadcast to all other nodes, which then decide whether to keep the message or not.

CAN Protocol (frame format figure, ref: https://manual.xanalyser.com/can%20frame%20message%20format.html)
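As an added illustration (not code from the presentation or from the papers it summarises), the following Python simulates what the frame-format figure and the bullets above describe: every node drives its identifier onto the bus most-significant bit first, a dominant (0) bit overrides a recessive (1) bit, so the numerically lowest identifier wins arbitration, and the winning frame is then broadcast to every node, where an acceptance filter (an ID/mask pair, assumed here as a model of a typical CAN controller) decides whether the node keeps it. The node names, identifiers and payloads are constructed sample values.

```python
from dataclasses import dataclass, field

DOMINANT, RECESSIVE = 0, 1  # on the wire a dominant (0) bit overrides a recessive (1) bit


@dataclass(frozen=True)
class CanFrame:
    can_id: int        # 11-bit standard identifier; a lower value means higher priority
    data: bytes = b""  # 0..8 payload bytes (classic CAN)

    def __post_init__(self):
        if not 0 <= self.can_id < 2 ** 11:
            raise ValueError("standard CAN identifier must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")

    def id_bits(self):
        """Identifier bits in wire order (MSB first), as sent in the arbitration field."""
        return [(self.can_id >> (10 - i)) & 1 for i in range(11)]


def arbitrate(contenders):
    """Bit-wise arbitration among frames whose nodes start transmitting at the same instant.

    The bus behaves as a wired-AND: if any node drives DOMINANT the level is 0.  A node
    that sent RECESSIVE but reads DOMINANT back has lost and stops transmitting.
    """
    still_in = list(contenders)
    for bit in range(11):
        wire = min(f.id_bits()[bit] for f in still_in)  # DOMINANT if anyone drives 0
        still_in = [f for f in still_in if f.id_bits()[bit] == wire]
    if len(still_in) != 1:
        raise ValueError("two nodes must never transmit the same identifier")
    return still_in[0]


@dataclass
class Node:
    """An ECU with a hardware-style acceptance filter (assumed id/mask semantics)."""
    name: str
    accept_id: int
    mask: int
    received: list = field(default_factory=list)

    def accepts(self, frame):
        return (frame.can_id & self.mask) == (self.accept_id & self.mask)


class CanBus:
    def __init__(self, nodes):
        self.nodes = list(nodes)

    def transmit(self, frames):
        """Resolve arbitration, then broadcast the winner to every node.

        Returns the winning frame and the names of the nodes whose filter kept it.
        """
        winner = arbitrate(frames)
        delivered = []
        for node in self.nodes:
            if node.accepts(winner):
                node.received.append(winner)
                delivered.append(node.name)
        return winner, delivered


def demo():
    """Constructed sample: three ECUs contend for the bus at the same instant."""
    bus = CanBus([
        Node("cluster", accept_id=0x0C9, mask=0x7FF),  # exact match on one identifier
        Node("radio", accept_id=0x1A0, mask=0x7F0),    # any identifier in 0x1A0..0x1AF
        Node("logger", accept_id=0x000, mask=0x000),   # mask 0: keeps everything on the bus
    ])
    contenders = [
        CanFrame(0x1A1, b"\x01"),              # body-control style message
        CanFrame(0x0C9, b"\x10\x00\x20\x00"),  # powertrain style message
        CanFrame(0x7E0, b"\x02\x10\x03"),      # diagnostic request
    ]
    return bus.transmit(contenders)


if __name__ == "__main__":
    winner, delivered = demo()
    print(f"winner 0x{winner.can_id:03X} delivered to {delivered}")
```

Running `demo()` shows the frame with identifier 0x0C9 winning over 0x1A1 and 0x7E0 and reaching the cluster and the logger but not the radio. A frame with identifier 0x000 is all-dominant and therefore wins every arbitration, which is the property behind the priority-based denial of service discussed in the security challenges section.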
CAN Security Challenges
- Broadcast nature
  - CAN packets are physically and logically broadcast to all nodes.
  - It is easy to listen to all communication on the bus and to send packets to other nodes.
- Fragility to DoS attacks
  - The CAN protocol is vulnerable to denial-of-service attacks.
  - Due to priority-based arbitration, a node can assert a dominant state on the network indefinitely, which prevents all other nodes from sending messages.
CAN Security Challenges
- No authenticator fields
  - CAN packets contain no authenticator field and no source identifier field.
  - So any compromised component can be used to control other components.
- Weak access control
  - CAN uses a challenge-response sequence to protect ECUs against unauthorized actions.
  - One challenge-response pair restricts access to reflashing the CPU and reading out sensitive memory.
  - The challenge-response keys are 16 bits and can be cracked in seven and a half days.
CAN Security Challenges
- ECU firmware updates and diagnostic control
  - Attackers can use ECU firmware updates to inject malicious code.
  - Similarly, the diagnostic tool presents opportunities for attackers, because weak access control is used.
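Each of the challenges above is visible to a passive bus monitor, which is the cheapest place to start detecting their exploitation. The Python below is an added example, not the CarShark tool or any code from the presentation or the cited papers: it parses constructed candump-style log lines, learns the normal transmit period of each CAN ID from a clean capture, and then flags identifiers never seen in the clean capture, known identifiers arriving far above their learned rate (the signature of replayed or injected copies, which the bus cannot reject because frames carry no source or authenticator field), and bus utilisation high enough to indicate an arbitration flood. The per-frame bit budget (47 overhead bits plus 8 per data byte, bit stuffing ignored), the 500 kbit/s bus rate, the thresholds and all identifiers and timings are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# candump-style line: "(seconds) iface ID#HEXDATA" (format of the constructed samples below)
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>(?:[0-9A-Fa-f]{2})*)$"
)

BITRATE = 500_000          # assumed high-speed bus rate (bit/s)
FRAME_OVERHEAD_BITS = 47   # SOF+ID+RTR+IDE+r0+DLC+CRC+delimiters+ACK+EOF+IFS, stuffing ignored


def parse_candump(text):
    """Parse log lines into (timestamp_s, can_id, payload) tuples, oldest first."""
    frames = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames, key=lambda f: f[0])


def learn_baseline(frames):
    """Mean inter-arrival period (s) per CAN ID, learned from known-clean traffic."""
    stamps = defaultdict(list)
    for ts, can_id, _ in frames:
        stamps[can_id].append(ts)
    return {cid: (ts[-1] - ts[0]) / (len(ts) - 1) for cid, ts in stamps.items() if len(ts) >= 2}


def detect(frames, baseline, rate_factor=2.0, max_load=0.8):
    """Return alerts for unknown IDs, IDs far above their learned rate, and bus saturation."""
    span = max(frames[-1][0] - frames[0][0], 1e-6)
    counts = defaultdict(int)
    bits = 0
    for _, can_id, data in frames:
        counts[can_id] += 1
        bits += FRAME_OVERHEAD_BITS + 8 * len(data)
    alerts = []
    for can_id in sorted(counts):
        if can_id not in baseline:
            alerts.append(("unknown_id", can_id))        # never seen in clean traffic
        elif counts[can_id] > rate_factor * span / baseline[can_id]:
            alerts.append(("rate_anomaly", can_id))      # injected/replayed copies of a known ID
    load = bits / (BITRATE * span)
    if load > max_load:
        alerts.append(("bus_overload", round(load, 2)))  # flood consistent with arbitration DoS
    return alerts


def _lines(can_id, start_us, step_us, count, data="0000000000000000"):
    """Constructed periodic traffic for one identifier (timestamps in microseconds)."""
    return [f"({(start_us + i * step_us) / 1e6:.6f}) can0 {can_id:03X}#{data}" for i in range(count)]


# Constructed samples: a 10 ms powertrain message and a 100 ms body message over one second.
CLEAN_LOG = "\n".join(_lines(0x0C9, 0, 10_000, 100) + _lines(0x1A1, 0, 100_000, 10))
# Same traffic plus extra 0x0C9 frames every 2 ms with a different payload (injection/replay).
INJECTION_LOG = CLEAN_LOG + "\n" + "\n".join(_lines(0x0C9, 1_000, 2_000, 500, "00FF000000000000"))
# Same traffic plus an all-dominant identifier sent every 250 us (priority flood).
FLOOD_LOG = CLEAN_LOG + "\n" + "\n".join(_lines(0x000, 0, 250, 4000))


def run(log_text):
    """Learn from the clean capture, then analyse the given capture."""
    baseline = learn_baseline(parse_candump(CLEAN_LOG))
    return detect(parse_candump(log_text), baseline)


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("injection", INJECTION_LOG), ("flood", FLOOD_LOG)):
        print(name, run(log))
```

The rate check is deliberately relative to each identifier's own learned period, because a 10 ms powertrain message and a 100 ms body message would otherwise need separate hand-tuned thresholds; the load check catches the flood case even when the flooding identifier is one the baseline has never seen.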
Experimental Setup
- The experimental setup had two separate physical layers:
  - A high-speed bus used by the powertrain systems
  - A low-speed bus serving less demanding components
- The researchers used the CarShark tool for experimental analysis and packet injection.

Experimental Setup (figures: example bench setup; immobilized vehicle for setting up attacks)

Experimental Setup (figure: the CarShark tool)
Attack Methodology
- Three main attack methods were used:
  - Packet sniffing and targeted probing
  - Fuzzing
  - Reverse engineering
- Packet sniffing and targeted probing
  - The CarShark tool was used to study traffic on the CAN bus and observe ECU communication.
  - The researchers used replay and informed probing to control the radio, instrument panel cluster and body control module functions.
  - This did not work well on the safety-critical powertrain components.
Attack Methodology
- Fuzzing
  - Involves iterative testing with random or partially random packets.
  - Used the CAN-based service DeviceControl to override normal output functionality.
  - The DeviceControl service takes an argument called the Control Packet Identifier (CPID) to specify the control.
  - Random data was sent as the argument to valid CPIDs and correlated with the observed behaviour.
Attack Methodology
- Reverse engineering
  - For some ECUs, such as the telematics unit, the researchers used a third-party debugger to understand their operation.
  - Used the CAN ReadMemory service to retrieve the code before debugging (recording the code in memory).
  - Useful when attacks require additional functionality to be added.
Experimentation and Results
- Radio
  - Complete control of the radio and its display was achieved.
  - Also able to control car sounds such as turn-signal ticks and seat-belt warning chimes.
  - Able to disable user control of the radio.
- Instrument panel cluster
  - Full control was obtained.
  - Able to display arbitrary messages.
  - Able to falsify the fuel level and speed readings.
Experimentation and Results
- Body controller
  - Through reverse engineering, control over most of the BCM's functions was achieved.
  - Lock and unlock the doors, open the trunk, adjust the lighting, wipers and windshield fluid.
- Engine
  - Used fuzzing of DeviceControl requests to gain control of the engine.
  - Able to boost the engine temporarily or disable it.
  - Disabling can also be done by setting the airbag-deployed bit.
Experimentation and Results
- Brakes and HVAC
  - Control over the brakes was achieved using fuzzing.
  - Able to override user control of the brakes while the vehicle was moving.
  - Control over the fans and A/C was established, with no manual override.
- Generic denial of service
  - Able to disrupt communication between ECUs.
  - Disabling the ECM while the vehicle was at 40 mph caused the reported speed to drop immediately to 0.
  - Disabling the BCM caused the instrument panel to freeze.

Experimentation and Results (figures: DeviceControl packet analysis)
- Body control module
- Engine control module
- Electronic brake control module
- Other example packets
Composite Attacks
- Lights out
  - Disabling all lights while travelling at 40 mph.
  - Requires disabling the front lights, speedometer lights, auxiliary lights and dome light.
  - Very dangerous when driving in the dark; can lead to accidents and may prove fatal.
- Self-destruct
  - Requires control over BCM components.
  - A 60-second countdown is shown on the user information center.
  - After the countdown the engine stops and the doors are closed.
Prevention Strategies
- Restrict access and improve code robustness
- Create physically isolated subnetworks
- Use application-level encryption in the PassThru device protocol
- Secure updates
Conclusion
- Offers a unique perspective on the vulnerabilities plaguing modern cars.
- An attacker can gain direct access to safety-critical ECUs, which can cause accidents.
- Fuzzing is likely to be a universal attack method in the near future.
- Authentication is required for some safety-critical ECUs, and encryption for PassThru device connectivity.
References
[CMK+2011] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno, "Comprehensive Experimental Analyses of Automotive Attack Surfaces," in Proceedings of the 20th USENIX Conference on Security, San Francisco, CA, August 2011.
[KCR+2010] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, "Experimental Security Analysis of a Modern Automobile," in Proceedings of the IEEE Symposium on Security and Privacy (SP), Berkeley/Oakland, CA, May 2010, pp. 447-462.
https://manual.xanalyser.com/can%20frame%20message%20format.html
https://technology.ihs.com/api/binary/527969