Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aniket Shah & Alexander Witt

Published byFelix Carr Modified over 6 years ago

Similar presentations

Presentation on theme: "Aniket Shah & Alexander Witt"— Presentation transcript:

1 Aniket Shah & Alexander Witt
Internet of Things – Fall Case Study on Intrusion of Sensor Networks Aniket Shah & Alexander Witt Worcester Polytechnic Institute

2 Introduction Vehicular Ad-Hoc Networks (VANETs) are one of the technological emerging areas in the world of Internet of Things (IoT) It is a subset of Mobile Ad-Hoc Networks (MANETs), which deals with Vehicle to Vehicle (V2V) communication and forms a part of the Intelligent Transport System One of the focus areas within VANET research deals with security of the nodes (vehicles) and the communication Here, we discuss the compromising of VANET nodes, the actions and mannerisms to do so and the possible solutions to counter the same Worcester Polytechnic Institute

3 Introduction Automobiles today, contain a number of different electronic components networked together that are responsible for monitoring and controlling the state of the vehicle Modern automobiles contain upto 50 Electronic Control Units (ECUs) networked together with the overall safety of the vehicle depending on near real time communication between these various ECUs When electronic networked components are added to any device, questions of the robustness and reliability of the code running on those devices can be raised; especially for vehicular networks Worcester Polytechnic Institute

4 Introduction In this study, we talk about bringing accessibility to automotive systems to security researchers in an open and transparent way The fact that a risk of attack exists but there is not a way for researchers to monitor or interact with the system is distressing Provide a framework that will allow the construction of such tools for automotive systems Allow researchers to demonstrate the threat to automotive systems in a concrete way as well as write monitoring and control applications to help alleviate this threat Worcester Polytechnic Institute

5 Electronic Control Units (ECUs)
ECUs are special embedded devices with specific purposes to sense the environment around them and take action to help the automobile ECUs communicate with one another by sending Controller Area Network (CAN) packets Packets are broadcast to all components on the bus; components decide whether packets intended for them There is no source identifier or authentication built into CAN packets, making it is easy for components to sniff the CAN network, masquerade as other ECUs and send CAN packets Worcester Polytechnic Institute

6 Electronic Control Units (ECUs)
Makes reverse engineering traffic more difficult Reason: It is impossible to know which ECU is sending or receiving a particular packet By examining the CAN in which the ECUs communicate, it is possible to send proprietary messages to the ECUs, take some action or even completely reprogram the ECUs All relevant ECUs are on CAN-H and CAN-L buses Worcester Polytechnic Institute

7 Types of ECUs Engine Control Module (ECM)
Power Management Control Module Transmission Control ECU Main Body ECU Power Steering ECU Certification ECU (i.e. Smart Key ECU) Skid Control ECU (i.e ABS System) Airbag ECU Combination Meter Assembly Driving Support ECU Parking Assist ECU Seat belt Control ECU Worcester Polytechnic Institute

8 Controller Area Network (CAN)
CAN bus is used for communication between the different ECUs CAN packets are split into two sections: Normal CAN packets Diagnostic CAN packets There are components such as a length field and checksums at a lower level in the protocol stack The identifier is used as a priority field, the lower the value, the higher the priority Helps ECUs determine whether they should process CAN packet or not; necessary since CAN traffic is broadcast in nature Worcester Polytechnic Institute

9 Normal CAN Normal packets are sent from ECUs and can be seen on the network at any given time Either broadcast message or specific ECU commands CAN packets do have a CAN ID associated with them but for normal CAN packets, each ECU independently determines whether they are interested in a message based on the ID One complication arises when trying to simulate the traffic on CAN is that the CAN network is broadcast in nature, one cannot tell the source or intended destination of any of the messages Worcester Polytechnic Institute

10 Diagnostic CAN The other type of CAN packets seen in automotive systems are diagnostic packets These packets are sent by diagnostic tools ,used to communicate with and interrogate an ECU; typically not be seen during normal operation of the vehicle In the case of diagnostic packets, each ECU has a particular ID assigned to it, unlike normal packets, and are totally proprietary Diagnostic packet formats typically follow pretty strict standards but unsure whether ECUs will actually respect them Worcester Polytechnic Institute

11 CAN Communication EcomCat - C software to read/write data into CAN bus
Mostly single commands sent but there is the option of continuous data transfer With the scene of compromising VANET nodes, we look at injecting CAN packets into the bus to disrupt regular (expected) communication Many problems associated in trying to make the vehicle perform actions by injecting packets into the CAN bus Worcester Polytechnic Institute

12 Problems in CAN Communication
Everything cannot be controlled via the CAN bus directly Takes a lot of reverse engineering to locate specific packets that are requests from one ECU for another ECU Even once CAN IDs are identified, there are two problems that may occur: You can send fake packets, which may confuse the recipient ECU with conflicting data. The receiving ECU may have safety features built into it that makes it ignore the packets you are sending. Worcester Polytechnic Institute

13 Problems in CAN Communication
There can be a lack of response or complete disregard for packets sent if there is contention on the bus The ECU, for which packets are forged, continues sending traffic on the bus, unless it is completely removed from the network As a result, ECUs consuming the data being sent may receive conflicting data Worcester Polytechnic Institute

14 Attacks on ECUs Safety critical attacks against modern automobiles generally require three stages:- Stage 1: Consists of an attacker remotely gaining access to an internal automotive network Stage 2: Involves injecting messages onto the network in an attempt to communicate with safety critical ECUs Stage 3: Involves reverse engineering the messages on the network to perform some physical action; make the target ECU behave in a way that compromises vehicle safety Worcester Polytechnic Institute

15 Different Remote Attack Surfaces
Passive Anti‐Theft System (PATS) Tire Pressure Monitoring System (TPMS) Remote Keyless Entry / Start (RKE) Bluetooth Radio Data System Telematics / Cellular / Wi‐Fi Internet / Apps Worcester Polytechnic Institute

16 Attacks via CAN packets
Once the attacker has completed stage 2 and injected messages into the network, he can overwrite commands using code and corrupt data sent to the ECUs via the CAN bus The attacks via the CAN bus can be done using either Normal packets or the Diagnostic packets Attacks via the Normal CAN packets affect mainly the smaller or the less important ECUs while the attacks via the Diagnostic CAN packets have serious effects on vehicular safety Worcester Polytechnic Institute

17 Attacks - Normal CAN packets
Speedometer Odometer On-board Navigation Limited Steering Steering Braking Acceleration Worcester Polytechnic Institute

18 Attacks - Diagnostic CAN packets
Security Access Brake engaging Lights Engine Kill Horn Door Lock Fuel Gauge Worcester Polytechnic Institute

19 Defending against Attacks
CAN messages provide a way to put the ECUs in various states All of the messages can be issued on a periodic basis while the car is in any state Additionally, the frequency of normal CAN packets is very predictable Different ways to counter remote attacks: Secure Remote Endpoints CAN Injection Mitigations Message Cryptography Network Architecture Attack Detection Worcester Polytechnic Institute

20 Defending against Attacks
Secure Remote Endpoints - Minimize the attack surface and lock down remote services; complete security is not achievable CAN Injection Mitigations - Use of good OS to block mitigations Message Cryptography - Cryptographically verify CAN messages to make injection difficult Network Architecture -Isolate those ECUs with remote functionality from those that control safety critical features Attack Detection - Add attack detection and prevention technology into critical CAN networks Worcester Polytechnic Institute

21 Case Study Target Vehicle: Jeep Cherokee 2014
Aim: Expose vulnerabilities within the security of the vehicle and provide way for more secure connected cars Reasons for choosing vehicle: large attack surface simple architecture many advanced physical features that would make it an ideal candidate to try to continue further research Worcester Polytechnic Institute

22 Network Architecture Radio connected to both CAN buses
Access to CAN-IHS & CAN-C networks Minimal architectural restrictions Worcester Polytechnic Institute

23 Remote Attack Surfaces
Potential entry points and their communication channels Worcester Polytechnic Institute

24 Uconnect System Radio system manufactured by Harman Kardon as the sole source of infotainment, navigation, Wi-Fi, apps, Cellular connectivity Contains a microcontroller and software that allows it to communicate with other electronic modules in the vehicle over the CAN-IHS Runs the QNX operating system on a 32-bit ARM processor Contains the following file systems: Initial Program Loader (IPL) IFS Embedded Transaction File System (ETFS) Multimedia Card (MMC) Worcester Polytechnic Institute

25 Compromising the Jeep Charlie Miller and Chris Valasek; authors of the papers on the hack on the Jeep, provide various methods to do so Jailbreak of the Uconnect System Exploiting the D-Bus service Cellular Exploitation Scanning more vulnerable vehicles using the Jeep cellular access Worcester Polytechnic Institute

26 List of Vehicles Scanned
List of Vehicles that the authors could connect with without authentication Scanned using the cellular access of Jeep’s Sprint Uconnect system Worcester Polytechnic Institute

27 Attack using CAN messages on Jeep
Normal CAN packets Accessed Turn signals using SPI communication Accessed Locks using CAN-IHS bus Accessed RPMS using CAN-C bus Diagnostic CAN packets Killed engine in session with Mechanical tool Killed brakes in session with ABS ECU Killed Steering in session with PAM and ABS ECUs

28 Case Study Conclusion Demonstrated a remote attack that can be performed against many Fiat-Chrysler vehicles Number of vehicles that were vulnerable were in the hundreds of thousands and it forced a 1.4 million vehicle recall by FCA as well as changes to the Sprint carrier network Remote attack could be performed against vehicles located anywhere in the United States and requires no modifications to the vehicle or physical interaction by the attacker or driver

29 Conclusion Without security, if an attacker (or even a corrupted ECU) can send CAN packets, it will affect the safety of the vehicle Listed out methods for communication within a single node of VANET and problems associated with it Identified the features that the car possesses which may help in taking physical control of the vehicle Discussed Case study regarding the Jeep Cherokee to demonstrate the impact of lack of security in VANET nodes Worcester Polytechnic Institute

Download ppt "Aniket Shah & Alexander Witt"

Similar presentations

Wenmao Liu Harbin Institute of Technology China. Outline ITS & VANETs Security Issues and Solutions An autonomous architecture Conclusion.

Wenmao Liu Harbin Institute of Technology China. Outline ITS & VANETs Security Issues and Solutions An autonomous architecture Conclusion.
The Fully Networked Car Geneva, 3-4 March 2010 1 DEVELOPMENT OF OPEN-CORE FLEXRAY CONTROLLER FOR OEM ULTRA LOW COST AUTOMOTIVE APPLICATIONS PRAMOD.VSUBRAT.

The Fully Networked Car Geneva, 3-4 March DEVELOPMENT OF OPEN-CORE FLEXRAY CONTROLLER FOR OEM ULTRA LOW COST AUTOMOTIVE APPLICATIONS PRAMOD.VSUBRAT.
Car Hacking Patrick, James, Penny.

Car Hacking Patrick, James, Penny.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
Research Directions for the Internet of Things Supervised by: Dr. Nouh Sabry Presented by: Ahmed Mohamed Sayed.

Research Directions for the Internet of Things Supervised by: Dr. Nouh Sabry Presented by: Ahmed Mohamed Sayed.
REMOTE CONTROL CARS Jonathan Chandler CSCE 390 001 April 21, 2011.

REMOTE CONTROL CARS Jonathan Chandler CSCE April 21, 2011.
A Vehicular Ad Hoc Networks Intrusion Detection System Based on BUSNet.

A Vehicular Ad Hoc Networks Intrusion Detection System Based on BUSNet.
MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.
KAIS T In-Vehicle Secure Wireless Personal Area Network (SWPAN) Reference: S. M. Mahmud and Shobhit Shanker, “In-Vehicle Secure Wireless Personal Area.

KAIS T In-Vehicle Secure Wireless Personal Area Network (SWPAN) Reference: S. M. Mahmud and Shobhit Shanker, “In-Vehicle Secure Wireless Personal Area.
A Study of Live Video Streaming over Highway Vehicular Ad hoc Networks Meenakshi Mittal ©2010 International Journal of Computer Applications (0975 - 8887)Volume.

A Study of Live Video Streaming over Highway Vehicular Ad hoc Networks Meenakshi Mittal ©2010 International Journal of Computer Applications ( )Volume.
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.

Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols ► Acts as denial of service by disrupting the flow of data between a source and.
1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.

1 Network Administration Module 3 ARP/RARP. 2 Address Resolution The problem Physical networks use physical addresses, not IP addresses Need the physical.
Intrusion Detection Systems. 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Student Name USN NO Guide Name H.O.D Name Name Of The College & Dept.

Student Name USN NO Guide Name H.O.D Name Name Of The College & Dept.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.

 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
-Internet On Road. INTRODUCTION Driving means constantly changing location. This, in turn, means a constant demand for information on the current location.

-Internet On Road. INTRODUCTION Driving means constantly changing location. This, in turn, means a constant demand for information on the current location.
AUTOMOBILE CYBER SECURITY David McPeak. EVOLUTION IN DESIGN/TECHNOLOGY.

AUTOMOBILE CYBER SECURITY David McPeak. EVOLUTION IN DESIGN/TECHNOLOGY.
Network security Vlasov Illia

Network security Vlasov Illia

Similar presentations

Ads by Google