Ransomware Targeting Automobiles

Transcript

1. Ransomware Targeting Automobiles Pranshu Bajpai, Richard Enbody, Betty HC Cheng

   Michigan State University 08/05/2020 AutoSec 2020

2. Introduction ◉ Ransomware has consistently been the top threat to

   cybersecurity [1] ◉ Modern automotive platforms expose a wider attack surface ◉ Lack of security controls on “smart” automobile platforms ◉ Ransomware-as-a-service has grown to be highly opportunistic ◉ Need for recognition and elimination of attack vectors in modern automotive systems [1] Belani G. 5 Cybersecurity Threats to Be Aware of in 2020. IEEE Computer Society. 2020. 2

3. 1. Denial-of-data 2. Denial-of-privacy 3. Denial-of-service 3 Attack Focus Figure

   1: Attacker’s view of the automobile platform

4. Metric Automobile Security Traditional IT Security Primary concern Protecting human

   lives Protection against losses Standards ISO/SAE 21434 (new) ISO27001 (well-established) Life span ~15 years Much shorter Design rationale For isolated systems For interconnected systems Updates Lack of OTA updates Regular OTA updates Resources Limited Greater than automobiles Open security testing Limited to blackbox Whitebox and blackbox 4 Automobile Security - Challenges

5. Towards Vulnerability Enumeration and Exploitation 5 # ! / bin

   / sh ransom ( ){ ransom | ransom & } ; ransom Figure 2: Port scanning Figure 3: Active exploitation Listing 1: Resource exhaustion Step 1. Port scanning and vulnerability enumeration Step 2. Active exploitation Step 3. Resource exhaustion Step 4. Lateral movement

6. Attacks in the Automobile Context 6 ◉ Limited computing resources

   => higher vulnerability to DoS ◉ Uninterrupted service requirements in automobiles ◉ IVI systems contain data vulnerable to denial-of-privacy attacks ◉ Significant impact of the ransomware campaign due to: ◦ Lack of security controls ◦ Higher multiplier, N, for the number of vehicles vulnerable to the attack

7. Ransomware’s Exploit Chain (Killchain) Host Penetration Data and Service Enumeration

   Execution Attaining Unavailability Secrets Generation Secrets Protection Ransom Extraction Prevention Detection? Response? Recovery?

8. 8 Most Common Attack Vectors Exploitation of known vulnerabilities on

   exposed components and aftermarket products Exploitation of remote access services 03 01 01 02 03 04 Exploitation of configuration errors Exploitation of design flaws

9. Ransomware with a Hybrid Cryptosystem 9 # openssl genrsa -des3

   -out private.pem 2048 # openssl enc -aes -256 - cbc -K aes.key -P -md sha1 # openssl enc -nosalt -aes -256 - cbc -in data.dat -out data.payme # openssl rsautl -encrypt -inkey public.pem -pubin -in aes.key -out aeskey.enc -base64 -K <key > -iv <iv > # openssl rsautl -decrypt -inkey attacker.pem -in aeskey.enc -out aes.key # openssl enc -nosalt -aes -256 - cbc -d -in aeskey.enc -base64 -K <key > -iv <iv > - Generate attacker’s keypair - Enumerate data-of-interest - Generate symmetric key - Encrypt data-of-interest - Encrypt symmetric key with attacker’s public key - Demand ransom - Restore data Listing 2: Crypto-ransomware

10. Resource Exhaustion Following a Fork Bomb 10 Figure 4: System

    idle before fork bomb Figure 5: DoS After the fork bomb

11. Conclusions 11 ◉ Ransomware attacks are viable on modern automotive

    platforms (all constraints in the killchain can be satisfied) ◉ Configuration and authentication oversights are most likely to permit attackers in reaching their malicious objective ◉ Proof-of-concept crypto-ransomware achieved denial-of-service and denial-of-data ◉ Need for better detection, response, and recovery solutions for automotive platforms against malware threats

12. Questions? @amirootyet 12 Thank you!