Comprehensive Experimental Analyses of Automotive Attack Surfaces


1 Comprehensive Experimental Analyses of Automotive Attack Surfaces
Security 101: Think Like an Adversary (Sanha Park)
Authors: Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage (UCSD); Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (UW)

2 Intro 2015 Summer Jeep Hacking

3 Why can we attack? The CAN bus (YouTube video)

4 Cars' system
ECUs in a modern car: Engine Controller, Brake Controller, Body Controller, Airbag Module, Instrument Cluster, HVAC, Transmission Controller, Telematics, Radio, Keyless Entry Receiver, Anti-Theft Module, OBD-II port
Ubiquitous computer control (ECUs)
ECU interconnection is driven by safety, efficiency, and capability requirements
But it also has some fatal shortcomings

5 Oakland 2010, they showed…
Safety-critical systems can be compromised: selectively enable/disable brakes, stop the engine, control lights
Owning one ECU = total compromise
ECUs can be reprogrammed (while driving!)
Limitation: physical access was needed
[Oakland'10] Koscher et al., Experimental Security Analysis of a Modern Automobile.

6 Outline Intro Synthesize attack surface Experimental attack evaluation
Post-compromise control End-to-end evaluation Reflection and next step

7 Threat model
Attacker capabilities: indirect physical access, short-range wireless, long-range wireless
Attack surface: what might be attacked

8 Indirect physical
Definition: attacks over physical interfaces
Constraint: the adversary may not directly access the physical interfaces herself
This extends the attack surface to the devices that do touch those interfaces, e.g., a diagnostic port scanner or PassThru tool, which can read various data from the vehicle

11 Short-range wireless
Definition: attacks via short-range wireless communication (meters or less)
TPMS, Bluetooth, remote key, immobilizer

12 Short-range wireless (continued)
DSRC (Dedicated Short-Range Communication)

13 Long-range wireless
Definition: attacks via long-range wireless communication (miles, up to global scale)
Satellite radio, GPS, RDS

14 Long-range wireless (continued)
Telematics

15 Outline Intro Synthesize attack surface Experimental attack evaluation
Post-compromise control End-to-end evaluation Reflection and next step

16 Attack surfaces explored in depth
Components we compromised:
Indirect physical: media player, OBD-II
Short-range wireless: Bluetooth
Long-range wireless: cellular
Every attack vector leads to complete car compromise

17 Premise
No direct physical access
We already know how to deal with CAN signals (from the 2010 work)
Target: a recently made sedan; two cars of the same model

18 Overall methodology
Extract the device's firmware: read memory out over the CAN bus (CarShark), or desolder the flash memory chips in the ECUs
Reverse engineer the firmware: IDA Pro, custom tools
Identify and test vulnerable code paths

19 Indirect physical: Media player attack
The ISO 9660 (CD) code path leads to two vulnerabilities:
Vulnerability 1: a latent update capability that reflashes the unit
Vulnerability 2: a WMA parsing bug (buffer overflow)
Found and debugged using our own on-radio debugger
Insert a CD containing a malicious WMA file → complete compromise of the car

20 Indirect physical: OBD-II (PassThru device)
The PassThru device has no authentication
Connecting to the same WiFi network as the device gives access to the CAN bus
Implant malicious code inside the device: an input validation bug lets the attacker run arbitrary commands via shell injection
A worm could spread fully automatically between such devices

21 Short-range wireless: Bluetooth attack
Custom-built code contains a vulnerability: a strcpy() bug → arbitrary code execution
Indirect: use the owner's smartphone as a stepping-stone. A Trojan Horse application checks whether the other party is the telematics unit; if so, it sends our attack payload
Direct: pair with Bluetooth undetectably, using a USRP software radio to obtain the MAC address (two ways to get it) and brute-force the PIN (about 10 hours per car)

22 Long-range wireless: Cellular attack
Coverage: cellular > 3G

23 Long-range wireless: Cellular attack
Reverse engineering of aqLink (the software modem that carries data over the analog voice channel)
A single cellular channel carries both voice and data → a tone-based protocol switches between the modes
We worked out the protocol specification from raw audio samples

24 Long-range wireless: Cellular attack
aqLink modem command program
1. Stack overflow at the lowest level of the protocol stack: the link allows 1024-byte packets, but the code assumed a maximum of about 100 bytes
Sending enough data to overflow takes 14 s, but the connection is terminated after 12 s
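The two memory-safety bugs on slides 21 and 24 have the same shape: a fixed-size stack buffer written from attacker-controlled input, once via an unbounded strcpy() in the Bluetooth code and once via a packet handler whose buffer assumed roughly 100-byte packets while the link delivers up to 1024. The C below is an added example written for this page, not code from the paper or from the telematics unit; it shows both vulnerable patterns next to hardened versions. The wire format (2-byte length prefix), the field names and the buffer sizes are assumptions chosen to match the numbers on the slide.

```c
/* Added example, not from the paper or the slides: a constructed packet
 * handler with the shape of the bugs on slides 21 (unbounded strcpy) and
 * 24 (buffer sized for ~100-byte packets, link delivers up to 1024), next
 * to a hardened version. Wire format, names and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_WIRE_LEN 1024u  /* largest payload the (assumed) link layer delivers */
#define ASSUMED_LEN   100u  /* what the handler's stack buffer was sized for */

/* Constructed wire format: 2-byte big-endian payload length, then payload. */
struct pkt {
    const uint8_t *bytes;   /* received bytes, header included */
    size_t         n;       /* number of bytes actually received */
};

enum { PKT_OK = 0, PKT_SHORT = -1, PKT_TOO_LONG = -2, PKT_TRUNCATED = -3 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* VULNERABLE (slide 24 pattern): the declared length is trusted, so a
 * packet declaring 1024 bytes writes 924 bytes past the end of buf. */
int handle_packet_vuln(const struct pkt *pk)
{
    uint8_t buf[ASSUMED_LEN];
    if (pk->n < 2) return PKT_SHORT;
    uint16_t len = rd16(pk->bytes);
    memcpy(buf, pk->bytes + 2, len);        /* no check of len vs sizeof buf */
    return buf[0];
}

/* VULNERABLE (slide 21 pattern): a NUL-terminated name from the peer
 * is copied with strcpy() into a fixed buffer. */
void copy_name_vuln(char name[32], const char *from_peer)
{
    strcpy(name, from_peer);                /* overflows for strlen >= 32 */
}

/* HARDENED: the declared length is checked against the destination
 * capacity AND against the bytes actually received before any copy. */
int handle_packet_safe(const struct pkt *pk, uint8_t *out, size_t out_cap,
                       size_t *out_len)
{
    if (pk->n < 2) return PKT_SHORT;
    uint16_t len = rd16(pk->bytes);
    if (len > out_cap) return PKT_TOO_LONG;             /* declared > buffer */
    if ((size_t)len > pk->n - 2) return PKT_TRUNCATED;  /* declared > received */
    memcpy(out, pk->bytes + 2, len);
    *out_len = len;
    return PKT_OK;
}

/* HARDENED: bounded copy that always leaves name NUL-terminated and
 * refuses input that would not fit. Returns 0 on success, -1 if rejected. */
int copy_name_safe(char *name, size_t cap, const char *from_peer, size_t from_len)
{
    size_t n = 0;
    while (n < from_len && from_peer[n] != '\0') n++;   /* bounded strlen */
    if (cap == 0 || n >= cap) return -1;
    memcpy(name, from_peer, n);
    name[n] = '\0';
    return 0;
}

/* Constructed input: declare `declared` in the length field, supply
 * `supplied` payload bytes, and return the hardened handler's verdict. */
int demo_packet(uint16_t declared, size_t supplied)
{
    static uint8_t wire[2 + MAX_WIRE_LEN];
    uint8_t out[ASSUMED_LEN];
    size_t out_len = 0;
    if (supplied > MAX_WIRE_LEN) return -99;
    wire[0] = (uint8_t)(declared >> 8);
    wire[1] = (uint8_t)(declared & 0xff);
    memset(wire + 2, 0x41, supplied);       /* 'A' payload, as an exploit would */
    struct pkt pk = { wire, 2 + supplied };
    return handle_packet_safe(&pk, out, sizeof out, &out_len);
}

/* Constructed input: a peer name of `len` 'B' characters into a 32-byte field. */
int demo_name(size_t len)
{
    char peer[MAX_WIRE_LEN + 1];
    char name[32];
    if (len > MAX_WIRE_LEN) return -99;
    memset(peer, 'B', len);
    peer[len] = '\0';
    return copy_name_safe(name, sizeof name, peer, len);
}

int main(void)
{
    printf("64-byte packet: %d\n", demo_packet(64, 64));        /* 0  */
    printf("1024-byte packet: %d\n", demo_packet(1024, 1024));  /* -2 */
    printf("lying header: %d\n", demo_packet(90, 50));          /* -3 */
    printf("31-char name: %d, 32-char name: %d\n", demo_name(31), demo_name(32));
    return 0;
}
```

The hardened handler rejects two distinct lies: a declared length larger than the buffer (the slide's 1024-vs-100 case) and a declared length larger than what actually arrived, which would otherwise read past the receive buffer. Both checks happen before the first byte is copied; the vulnerable versions are kept only to show the pattern and must not be fed oversized input.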

25 Long-range wireless: Cellular attack
2. Authentication level: the car demands a random authentication key when a call is placed
However, it is not really random
The response code can be captured by sniffing the cellular link
Even a code that is merely well-formatted is accepted 1 time in 256
After authentication, just call the car and play the malicious "song" (the exploit encoded as audio) to compromise the vehicle

26 Outline Intro Synthesize attack surface Experimental attack evaluation
Post-compromise control End-to-end evaluation Reflection and next step

27 Post-compromise control
Wireless channels turn the situation upside down: code from a prior compromise can be triggered remotely
Tire Pressure Monitoring System: proximity trigger
FM Radio Data System: broadcast trigger
Bluetooth: short-range targeted trigger
Cellular: global targeted trigger
We implemented all of these

28 Example : IRC over cellular
Install IRC Client on telematics unit Targeted/broadcast commands Download additional functionality

29 Outline Intro Synthesize attack surface Experimental attack evaluation
Post-compromise control End-to-end evaluation Reflection and next step

30 Car theft: 1. Compromise the car 2. Get the car's information (GPS, …) 3. Unlock the doors 4. Start the engine 5. Bypass anti-theft

31 Surveillance
A compromised car continuously reports its GPS coordinates
Stream audio recorded from the in-cabin microphone: detect voice (VAD), compress the audio, stream it to a remote computer
E.g., targeting a Google executive

32 Outline Intro Synthesize attack surface Experimental attack evaluation
Post-compromise control End-to-end evaluation Reflection and future work

33 Stepping back: Why?
Lack of adversarial pressure to date: code rife with "old" vulnerabilities, e.g., strcpy()
Heterogeneous, distributed, multi-vendor system
Outsourcing: suppliers do not hand source code to the automobile corporation; many software interfaces between suppliers
Almost all bugs were found at component boundaries

34 Where to go from here?
Stakeholders responding today: SAE, USCAR, US DOT
Recommendations (lessons from the PC world): periodic software updates, ASLR (Address Space Layout Randomization), stack cookies, limiting inbound calls, removing unnecessary binaries (e.g., ftp/telnet/vi)

35 Where to go from here? Future work
Develop a new protocol as an alternative to the CAN bus
Research how to encrypt CAN messages
A CAN monitoring system to catch external attacks

36 Suggestion (diagram): keep the Powertrain CAN and the Infotainment CAN separate, with a controller between them
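Slide 36's layout only works if the controller between the two buses enforces a policy, which is also what slide 35's "CAN monitoring system" amounts to. The C below is an added example written for this page, not code from the paper or from any vehicle: a default-deny gateway that forwards a frame from the infotainment side to the powertrain side only if its identifier is on an allowlist, its DLC matches, and it stays under a per-second ceiling, while refusing diagnostic/reprogramming requests outright (the capability slides 5 and 19 exploit). The frame layout is standard CAN; the identifiers, DLCs, rate limits and the diagnostic ID range are hypothetical.

```c
/* Added example, not from the paper or the slides: a gateway policy
 * between the infotainment CAN and the powertrain CAN, in the spirit of
 * slide 36's segmented layout and slide 35's CAN monitoring idea.
 * Frame layout is standard CAN (11-bit ID, DLC, up to 8 data bytes);
 * the IDs, DLCs and rate limits are constructed, not taken from any vehicle. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

struct can_frame {
    uint32_t id;        /* 11-bit standard identifier */
    uint8_t  dlc;       /* data length code, 0..8 */
    uint8_t  data[8];
};

enum verdict { FWD = 0, DROP_ID, DROP_DLC, DROP_RATE, DROP_DIAG };

/* Allowlist of messages permitted to cross infotainment -> powertrain:
 * each with the exact DLC it must carry and a per-second ceiling. */
struct rule { uint32_t id; uint8_t dlc; uint32_t max_per_sec; };

static const struct rule allow[] = {
    { 0x1A0, 2, 20 },   /* hypothetical: cruise set-speed request */
    { 0x1A1, 1, 10 },   /* hypothetical: cabin-climate request */
};
#define NRULES (sizeof allow / sizeof allow[0])

/* Hypothetical diagnostic / reprogramming request range. Reflashing is
 * the capability the attacks rely on, so it never crosses from the
 * infotainment side regardless of the allowlist. */
static bool is_diag_id(uint32_t id) { return id >= 0x7E0 && id <= 0x7EF; }

/* Fixed one-second window counters, one per allowlist entry. */
static struct { uint32_t start_ms; uint32_t count; } window[NRULES];

void gateway_reset(void) { memset(window, 0, sizeof window); }

enum verdict gateway_check(const struct can_frame *f, uint32_t now_ms)
{
    if (f->dlc > 8) return DROP_DLC;                    /* malformed frame */
    if (is_diag_id(f->id)) return DROP_DIAG;
    for (size_t i = 0; i < NRULES; i++) {
        if (allow[i].id != f->id) continue;
        if (allow[i].dlc != f->dlc) return DROP_DLC;    /* wrong shape */
        if (now_ms - window[i].start_ms >= 1000) {      /* new window */
            window[i].start_ms = now_ms;
            window[i].count = 0;
        }
        if (++window[i].count > allow[i].max_per_sec) return DROP_RATE;
        return FWD;
    }
    return DROP_ID;                                     /* default deny */
}

/* Helper: build a frame with the given id/dlc (zero data) and check it. */
enum verdict check_one(uint32_t id, uint8_t dlc, uint32_t now_ms)
{
    struct can_frame f = { id, dlc, {0} };
    return gateway_check(&f, now_ms);
}

/* Helper: reset state, then flood `n` frames of `id` 10 ms apart from
 * t=0 and return how many the gateway forwarded. For an allowed id this
 * is the per-second ceiling times the number of seconds covered. */
uint32_t demo_flood(uint32_t id, uint32_t n)
{
    uint8_t dlc = 0;
    for (size_t i = 0; i < NRULES; i++)
        if (allow[i].id == id) dlc = allow[i].dlc;
    gateway_reset();
    uint32_t forwarded = 0;
    for (uint32_t i = 0; i < n; i++)
        if (check_one(id, dlc, i * 10) == FWD) forwarded++;
    return forwarded;
}

int main(void)
{
    gateway_reset();
    printf("0x1A0 dlc 2: %d\n", check_one(0x1A0, 2, 0));    /* 0 = FWD */
    printf("0x7E0 diag:  %d\n", check_one(0x7E0, 8, 0));    /* 4 = DROP_DIAG */
    printf("0x123 other: %d\n", check_one(0x123, 2, 0));    /* 1 = DROP_ID */
    printf("flood 50 of 0x1A0 in 0.5 s: %u forwarded\n", demo_flood(0x1A0, 50)); /* 20 */
    return 0;
}
```

The point of the rate limit is that even an allowed message becomes dangerous when a compromised head unit floods it; the 2010 attacks on the brakes and engine worked by sending many frames quickly. A real gateway would also log every DROP verdict, which is the monitoring data slide 35 asks for.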

37 Summary Current autos have broad (and increasing) external attack surface They demonstrated real attacks that compromised safety-critical systems Industry and government are responsible
