Security Analysis of modern Automobile


Transcription:

Security Analysis of modern Automobile
Dixit Verma
Department of Electrical & Computer Engineering, Missouri University of Science and Technology
dv6cb@mst.edu
20 Apr 2017

Outline
- Introduction
- Attack Surfaces
- CAN protocol
- CAN Security challenges
- Experimental Setup
- Attack Methodology
- Experimentation and Results
- Conclusion
- References


Introduction
- Modern automobiles are monitored and controlled by many digital computers communicating via internal vehicular networks
- These digital computers are called ECUs (ABS, engine control unit, power windows, telematics, etc.)
- This advancement in technology has improved efficiency and safety features such as
  - Pre-tensioning of seat belts when a crash is predicted
  - Varying the volume of the radio with speed

[Figure: ECUs. Ref: https://technology.ihs.com/api/binary/527969]

Introduction
- A typical modern sedan may contain over 100 Mb of code along with 50-70 ECUs
- Recent trends in in-car technology include
  - OBD II (on-board diagnostics port)
  - Short-range wireless devices (Bluetooth, wireless tire pressure sensors)
  - Telematics system
  - Automatic crash response
- However, this has introduced new potential risks
- An attacker can compromise an ECU, which can give him control of critical modules like brakes, power windows, etc.


Attack Surfaces
- In order to compromise an ECU, the attacker needs to inject malicious code
- This can be achieved by
  - Indirect physical access
  - Short-range wireless access
  - Long-range wireless access
- The attacker can exploit vulnerabilities which can give him control of a module without requiring direct physical access, e.g. Bluetooth, audio player, modem

Indirect Physical Access
- Modern cars have physical interfaces which provide direct or indirect access to the internal network
- The OBD II port, which is federally mandated in the U.S., is used by service personnel for maintenance, diagnostics and ECU programming
- It provides direct access to key CAN buses and can be used to compromise the ECUs

Indirect Physical Access
- For modern vehicles, a Windows-based computer is used at the dealership
  - To interface with the OBD II port using a PassThru device
  - To do maintenance and diagnostics using APIs (e.g. Toyota's TIS)
- Compromising such a system at the dealership would allow the attacker to gain access to all the cars under that dealership
  - Not a hard task, as the system is generally connected to the internet
  - The PassThru device has no authentication


Indirect Physical Access
- Entertainment devices such as audio players allow a user to interface their mobile phone or iPod
- An adversary can encode malicious code onto an audio file and convince the user to play it using social engineering
- Since the audio players are connected to the CAN bus in modern vehicles, this can lead to further attacks on other components

Short-range Wireless Access
- Modern automobiles use wireless interfaces that operate over short ranges. These include
  - Bluetooth (range = 10 m)
  - Remote Keyless Entry for ignition, lights, doors
  - Tire pressure sensors to alert drivers (TPMS)
  - RFID car keys to lock or immobilize the vehicle
- In addition to these, some new technologies are emerging, such as
  - Using a Wi-Fi hotspot bridged to the cellular 3G network for internet access
  - DSRC standard for collision warning and cruise control

Short-range Wireless Access
- An attacker can use a short-range transmitter in proximity to the car's receiver to orchestrate an attack
- The adversary can then compromise an ECU by transmitting a malicious message
  - By exploiting any vulnerability in the ECU software which parses channel messages

Long-range Wireless Attacks
- Two types of channels are common in modern automobiles
  - Broadcast channel
  - Addressable channel
- Broadcast channels include GPS, satellite radio and digital radio, and are implemented in the media system, which can provide access to other ECUs via the internal network, e.g. CAN
- Addressable channels include the remote telematics system, which is connected to voice and data networks (GM's OnStar, BMW's BMW Assist)

Long-range Wireless Attacks
- These systems provide features such as anti-theft, diagnostics, crash reporting, and convenience (directions, weather)
- These can be compromised by attackers from a distance, anonymously, as these channels are easily accessible due to the wide range of the cellular network


CAN protocol
- CAN, or controller area network, protocol is responsible for carrying out communication between the ECUs
- A CAN packet supports a publish-and-subscribe communication model
- Each packet has a CAN ID header which indicates the packet type, and the packet is broadcast to all other nodes, which then decide whether to keep the message or not

CAN protocol
[Figure. Ref: https://manual.xanalyser.com/can%20frame%20message%20format.html]


CAN Security Challenges
- Broadcast nature
  - CAN packets are physically and logically broadcast to all nodes
  - Easy to listen to all communication on the bus and send packets to other nodes
- Fragility to DoS attack
  - CAN protocol is vulnerable to DoS attacks
  - Due to the priority-based arbitration, a node can assert a dominant state in the network indefinitely, which prevents all other nodes from sending messages
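
The arbitration behaviour described on this slide, modelled as an added example (not from the slides or the cited papers): contention is resolved bit by bit, and a monitor rule flags an identifier that holds the bus while other senders back up. The CAN IDs, periods and thresholds are constructed for illustration.

```python
from collections import Counter

def arbitrate(ids, bits=11):
    """Bitwise CAN arbitration: the bus is wired-AND, so a dominant 0 beats a
    recessive 1 and the numerically lowest identifier wins."""
    contenders = set(ids)
    for bit in range(bits - 1, -1, -1):           # most significant bit is sent first
        bus = min((i >> bit) & 1 for i in contenders)
        contenders = {i for i in contenders if (i >> bit) & 1 == bus}
    return contenders.pop()                       # identifiers are unique, one remains

def run_bus(periods, slots):
    """periods maps CAN ID -> one frame queued every N slots (constructed traffic).
    Returns the per-slot winners and the frames still waiting at the end."""
    pending, sent = Counter(), []
    for t in range(slots):
        for can_id, period in periods.items():
            if t % period == 0:
                pending[can_id] += 1
        ready = [i for i in pending if pending[i] > 0]
        if ready:
            winner = arbitrate(ready)
            pending[winner] -= 1
            sent.append(winner)
        else:
            sent.append(None)                     # idle bus
    return sent, {i: n for i, n in pending.items() if n > 0}

def starvation_report(sent, backlog, max_share=0.5, max_backlog=3):
    """Monitor rule (thresholds are assumptions): flag IDs holding more than
    max_share of the slots and IDs with more than max_backlog frames waiting."""
    wins = Counter(i for i in sent if i is not None)
    hogs = sorted(i for i, n in wins.items() if n / len(sent) > max_share)
    starved = sorted(i for i, n in backlog.items() if n > max_backlog)
    return hogs, starved

NORMAL = {0x0C9: 10, 0x1A0: 20, 0x3E8: 50}        # constructed IDs and periods
FLOODED = {**NORMAL, 0x000: 1}                    # one node always has ID 0 ready

if __name__ == "__main__":
    for name, traffic in (("normal", NORMAL), ("flooded", FLOODED)):
        print(name, starvation_report(*run_bus(traffic, 200)))
```
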

CAN Security Challenges
- No authenticator fields
  - CAN packets do not contain any authenticator fields or any source identifier fields
  - So any compromised component can be used to control other components
- Weak access control
  - CAN uses a challenge-response sequence to protect ECUs against unauthorized actions
  - One challenge-response pair restricts access to reflashing the CPU and reading out sensitive memory
  - Challenge-response keys are 16 bits and can be cracked in seven and a half days
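
An added example, not from the slides or the cited papers, of what an authenticator field could look like inside an 8-byte CAN payload: a truncated HMAC plus a freshness counter, so that forged, tampered and replayed frames are rejected. The payload layout, key, CAN ID and field lengths are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3                         # truncated tag bytes (assumption; short tags trade strength for space)
CTR_LEN = 1                         # only the low counter byte travels in the frame
MAX_DATA = 8 - MAC_LEN - CTR_LEN    # classic CAN carries at most 8 payload bytes
DEMO_KEY = bytes(range(16))         # constructed key, for illustration only

def _tag(key, can_id, counter, data):
    # Bind the tag to the CAN ID and the full counter, not just the data bytes.
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data):
        if len(data) > MAX_DATA:
            raise ValueError("data does not fit beside counter and tag")
        self.counter += 1
        low = bytes([self.counter & 0xFF])
        return data + low + _tag(self.key, self.can_id, self.counter, data)

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, payload):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if not CTR_LEN + MAC_LEN <= len(payload) <= 8:
            return None
        data, low, tag = payload[:-4], payload[-4], payload[-MAC_LEN:]
        # Rebuild the full counter: the smallest value above `last` with this low byte.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, counter, data)):
            return None             # forged, tampered, or replayed frame
        self.last = counter
        return data
```

Because the receiver reconstructs the counter from its low byte, this sketch tolerates up to 255 lost frames before sender and receiver fall out of step.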

CAN Security Challenges
- ECU firmware updates and diagnostic control
  - Attackers can use ECU firmware updates to inject malicious code
  - Similarly, the diagnostic tool presents opportunities for the attackers, as weak access control is used


Experimental Setup
- The experimental setup had two separate physical layers:
  - The high-speed bus, used by powertrain systems
  - The low-speed bus, which served less-demanding components
- The CARSHARK tool was used by the researchers to do experimental analysis and packet injection

Experimental Setup
[Figure: Example bench setup]
[Figure: Example experimental setup, immobilized vehicle for setting up attacks]

Experimental Setup
[Figure: CarShark tool]


Attack Methodology
- Three main attack methods were used
  - Packet sniffing and targeted probing
  - Fuzzing
  - Reverse engineering
- Packet sniffing and targeted probing
  - The CARSHARK tool was used to study traffic on the CAN bus and observe ECU communication
  - Researchers used replay and informed probing to control the radio, instrument panel cluster, and body control module functions
  - Didn't work well on safety-critical powertrain components

Attack Methodology
- Fuzzing
  - Involves iterative testing of random or partially random packets
  - Used a CAN-based service called DeviceControl to override the normal output functionality
  - The DeviceControl service used an argument called the Control Packet Identifier (CPID) for specifying controls
  - Sent random data as the argument to valid CPIDs and correlated the input with the resulting behaviour

Attack Methodology
- Reverse engineering
  - For some ECUs, such as the telematics unit, researchers used a third-party debugger to understand the operation
  - Used the CAN ReadMemory service to find out the code before debugging (record the code in memory)
  - Useful when attacks require additional functionality to be added


Experimentation and Results
- Radio
  - Complete control of the radio and its display was achieved
  - Also able to control the car sounds, such as turn signal ticks and seat belt warning sounds
  - Able to disable user control of the radio
- Instrument Panel Cluster
  - Full control was obtained
  - Able to display arbitrary messages
  - Falsify fuel level, speed reading


Experimentation and Results
- Body Controller
  - Through reverse engineering, control over most of the BCM's functions was achieved
  - Lock and unlock doors, open trunk, adjust lighting, wipers, windshield fluid
- Engine
  - Used fuzzing of DeviceControl requests to achieve control of the engine
  - Able to boost the engine temporarily, disable the engine
  - Disabling can also be done by setting the airbag deployed bit

Experimentation and Results
- Brakes and HVAC
  - Control over the brakes was achieved using fuzzing
  - Able to override user control over the brakes while the vehicle was moving
  - Control over fans and A/C was established with no manual override
- Generic Denial of Service
  - Able to disrupt communication between ECUs
  - Disabling the ECM while the vehicle was at 40mph caused the reported speed reading to immediately drop to 0
  - Disabling the BCM caused the instrument panel to freeze

Experimentation and Results
[Figure: Body control module DeviceControl packet analysis]
[Figure: Engine control module DeviceControl packet analysis]
[Figure: Electronic brake control module DeviceControl packet analysis]
[Figure: Other example packets]

Composite Attacks
- Lights out
  - Disabling all lights while travelling at 40mph
  - Requires disabling front lights, speedometer lights, auxiliary lights, dome light
  - Very dangerous when driving in the dark
  - Can lead to accidents and may prove fatal
- Self-Destruct
  - Requires control over BCM components
  - 60 sec countdown shown on the user information center
  - After the countdown, the engine stops and the doors are closed

Prevention Strategies
- Restricting access and improving code robustness
- Creating physically isolated subnetworks
- Using application-level encryption in the PassThru device protocol
- Secure updates


Conclusion
- Offered a unique perspective on the vulnerabilities plaguing modern cars
- An attacker can get direct access to safety-critical ECUs, which can cause accidents
- Fuzzing is likely to be a universal attack method in the near future
- Authentication is required for some safety-critical ECUs, and encryption for PassThru device connectivity

References
[CMK+2011] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno, "Comprehensive Experimental Analyses of Automotive Attack Surfaces," in Proceedings of the 20th USENIX Conference on Security, San Francisco, CA, August 2011.
[KCR+2010] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage, "Experimental Security Analysis of a Modern Automobile," in Proceedings of the IEEE Symposium on Security and Privacy (SP), Berkeley/Oakland, CA, May 2010, pp. 447-462.
https://manual.xanalyser.com/can%20frame%20message%20format.html
https://technology.ihs.com/api/binary/527969