Presentation is loading. Please wait.

Presentation is loading. Please wait.

Comprehensive Experimental Analyses of Automotive Attack Surfaces Authors: Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham,

Published byBarry Lang Modified over 9 years ago

Similar presentations

Presentation on theme: "Comprehensive Experimental Analyses of Automotive Attack Surfaces Authors: Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham,"— Presentation transcript:

1 Comprehensive Experimental Analyses of Automotive Attack Surfaces Authors: Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno Presentation by Evan Frenn

2  Introduction  Threat Model  Vehicle Attack Surface  Vulnerability Analysis  Indirect Physical Exploits  Short-range Wireless Exploits  Long-range Wireless Exploits  Threat Motivation  Fixes and Conclusion Overview

3 Shift of modern cars towards control by distributed computing systems o Systems controlled by tens of Electronic Control Units (ECUs) o Entire system consists of millions of lines of code o Multiple separate communication buses  Security driven? o Last holdouts include parking brake and steering shaft (Parallel parking) Are these systems secure? o Previous work focused vulnerabilities requiring prior physical access  Negative response of realism of threat model o Focus: Analysis of external attack vectors o Published in USENIX Security 2011 Introduction

4 Technical Capabilities  Adversary capabilities in analyzing the system and developing exploits o Strong focus on making technical capabilities realistic Operational Capabilities  Analysis of attack surface of vehicles and how malicious payload can be delivered o Indirect physical access, short-range wireless access, and long-range wireless access Threat Model

5 Indirect physical access: o OBD-II (PassThru)* o Audio system* Short-range wireless access: o Bluetooth* o Remote Keyless Entery o Tire Pressure (TPMS)? o Wifi Long-range wireless access: o GPS o Satellite Radio o Digital Radio o Remote Telematics Systems* Vehicle Attack Surface

6 “ Moderately priced late model sedan with the standard options and components” o Car includes < 30 ECUs controlling o Issue with anecdotal analysis? o Purchased multiple replacement ECUs and a PassThru device Every vulnerability demonstrated allowed complete control of vehicle’s system o General Procedure: o Identify microprocessor (PowerPC, ARM, Super-H, etc) o Extract firmware and reverse engineer using debugging devices/software where possible o Exploit vulnerability or simply reprogram ECU Vulnerability Analysis Intro

7 Exploitation Summary

8 Media Player  found two exploits 1)Latent update capability of player manufacturer o Updates when user does nothing?! 2)WMA parser vulnerability o Audio file parse correctly on a PC - In vehicle send arbitrary CAN packets Indirect Physical Exploits

9 OBD-II: o Looked at PassThru device from manufacturer (used on all their production vehicles) o Found no authentication for PC’s on same WIFI network o Found exploit allowing reprogramming of PassThru  Allows for PassThru worm  Allows for control of vehicle reprogramming  Includes unsecured and unused Linux programs Indirect Physical Exploits Ctd.

10 Bluetooth: o Found popular Bluetooth protocol stack with custom manufacture code on top  Custom code contained 20 unsafe calls to strcpy() o Indirect attack  assumes attacker has paired device  Implemented Trojan on Android device to compromise machine o Direct attack  exploits with a paired device  Requires brute force of PIN to pair device (10 hours)  Limited by response of vehicle’s Bluetooth Short-Range Wireless Exploitation

11 Telematics Connectivity: o Similar to Bluetooth  3 rd party device with manufacturer code on top  Again found exploit in transition from 3 rd party to manufacturer “Command” program for data transfer  Lucky for manufacturer  bandwidth did not allow exploit transfer within timeout Exploit required of authentication code 1)Random nonce not so random 2)Bug that allows authentication without correct response Long-range Wireless Exploitation

12 Theft: o Scary version  mass attack cellular network creating vehicle botnet o Able to have cars report VIN and GPS o Can unlock doors, start engine and fully startup car o Cannot disable steering column lock Surveillance: o Allows audio recording from in-cabin microphone Threat Motivation

13 Looked at easily available fixes to exploits: o Standard security engineering best-practices e.g. don’t use unsafe strcpy  instead strncpy o Removing debugging and error symbols o Use stack cookies and ASLR o Remove unused services e.g. telnet and ftp o Code guards? o Authentication before reflashing? Security Fixes

14 Vulnerability causes: o Lack of adversarial pressure o Conflicting interests of ECU software manufacturers and car manufacturers Ex: Telematics, Bluetooth & Media Player Penetration testing? Will it evolve like PC security? Conclusion

15 Thank You!

Download ppt "Comprehensive Experimental Analyses of Automotive Attack Surfaces Authors: Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham,"

Similar presentations

Experimental Security Analysis of a Modern Automobile

Experimental Security Analysis of a Modern Automobile
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Are You Smarter Than a 5 th Grader? 1,000,000 5th Grade BonusGrade 5th Grade BonusGrade 4th Grade 4th Grade Fill-in-the-Blank 4th Grade 4th Grade Fill-in-the-Blank.

Are You Smarter Than a 5 th Grader? 1,000,000 5th Grade BonusGrade 5th Grade BonusGrade 4th Grade 4th Grade Fill-in-the-Blank 4th Grade 4th Grade Fill-in-the-Blank.
Car Hacking Patrick, James, Penny.

Car Hacking Patrick, James, Penny.
Transmission technology William Kemp. Infrared Infrared data travels in shorter (near infrared waves). These waves enable data to be sent and receive.

Transmission technology William Kemp. Infrared Infrared data travels in shorter (near infrared waves). These waves enable data to be sent and receive.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
Car Operating Systems Ryan Benesky. The Beginning of Car Computers 1970s Was the beginning of the EPA and regulations to clean up the environment. In.

Car Operating Systems Ryan Benesky. The Beginning of Car Computers 1970s Was the beginning of the EPA and regulations to clean up the environment. In.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
05-05-2005Sujeeth Narayan1 Smartphones Security CS 691 Sujeeth Narayan.

Sujeeth Narayan1 Smartphones Security CS 691 Sujeeth Narayan.
Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.

Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.
Comprehensive Experimental Analyses of Automotive Attack Surfaces

Comprehensive Experimental Analyses of Automotive Attack Surfaces
ETHICS IN COMPUTER SCIENCE Hacking and identity theft.

ETHICS IN COMPUTER SCIENCE Hacking and identity theft.
Smartphones. Lesson Objectives To understand and demonstrate an understanding of Smartphones.

Smartphones. Lesson Objectives To understand and demonstrate an understanding of Smartphones.
Internet Security In the 21st Century Presented by Daniel Mills.

Internet Security In the 21st Century Presented by Daniel Mills.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Trusted Computing Technologies for Embedded Systems and Sensor Networks Adrian Perrig Carnegie Mellon University.

Trusted Computing Technologies for Embedded Systems and Sensor Networks Adrian Perrig Carnegie Mellon University.
AS ICT.  A portable communication device is a pocket sized device that is carried around by an individual  They typically have a display screen with.

AS ICT.  A portable communication device is a pocket sized device that is carried around by an individual  They typically have a display screen with.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Similar presentations

Ads by Google