Slide 1

Ransomware Targeting Automobiles
Pranshu Bajpai, Richard Enbody, Betty HC Cheng
Michigan State University
08/05/2020
AutoSec 2020

Slide 2

Introduction

◉ Ransomware has consistently been the top threat to cybersecurity [1]
◉ Modern automotive platforms expose a wider attack surface
◉ Lack of security controls on “smart” automobile platforms
◉ Ransomware-as-a-service has grown to be highly opportunistic
◉ Need for recognition and elimination of attack vectors in modern automotive systems

[1] Belani G. 5 Cybersecurity Threats to Be Aware of in 2020. IEEE Computer Society. 2020.

Slide 3

Attack Focus

1. Denial-of-data
2. Denial-of-privacy
3. Denial-of-service

Figure 1: Attacker’s view of the automobile platform

Slide 4

Automobile Security - Challenges

Metric                  Automobile Security        Traditional IT Security
Primary concern         Protecting human lives     Protection against losses
Standards               ISO/SAE 21434 (new)        ISO 27001 (well-established)
Life span               ~15 years                  Much shorter
Design rationale        For isolated systems       For interconnected systems
Updates                 Lack of OTA updates        Regular OTA updates
Resources               Limited                    Greater than automobiles
Open security testing   Limited to blackbox        Whitebox and blackbox

Slide 5

Towards Vulnerability Enumeration and Exploitation

Step 1. Port scanning and vulnerability enumeration
Step 2. Active exploitation
Step 3. Resource exhaustion
Step 4. Lateral movement

Figure 2: Port scanning
Figure 3: Active exploitation

Listing 1: Resource exhaustion

    #!/bin/sh
    ransom(){ ransom | ransom & }; ransom

Slide 6

Attacks in the Automobile Context

◉ Limited computing resources => higher vulnerability to DoS
◉ Uninterrupted service requirements in automobiles
◉ IVI systems contain data vulnerable to denial-of-privacy attacks
◉ Significant impact of the ransomware campaign due to:
  ○ Lack of security controls
  ○ Higher multiplier, N, for the number of vehicles vulnerable to the attack

Slide 7

Ransomware’s Exploit Chain (Killchain)

1. Host Penetration
2. Data and Service Enumeration
3. Execution
4. Attaining Unavailability
5. Secrets Generation
6. Secrets Protection
7. Ransom Extraction

Prevention, Detection?, Response?, Recovery?

Slide 8

Most Common Attack Vectors

◉ Exploitation of known vulnerabilities on exposed components and aftermarket products
◉ Exploitation of remote access services
◉ Exploitation of configuration errors
◉ Exploitation of design flaws

Slide 9

Ransomware with a Hybrid Cryptosystem

Listing 2: Crypto-ransomware

    # openssl genrsa -des3 -out private.pem 2048
    # openssl enc -aes-256-cbc -K aes.key -P -md sha1
    # openssl enc -nosalt -aes-256-cbc -in data.dat -out data.payme
    # openssl rsautl -encrypt -inkey public.pem -pubin -in aes.key -out aeskey.enc -base64 -K -iv
    # openssl rsautl -decrypt -inkey attacker.pem -in aeskey.enc -out aes.key
    # openssl enc -nosalt -aes-256-cbc -d -in aeskey.enc -base64 -K -iv -

- Generate attacker’s keypair
- Enumerate data-of-interest
- Generate symmetric key
- Encrypt data-of-interest
- Encrypt symmetric key with attacker’s public key
- Demand ransom
- Restore data
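The slide leaves open the “Detection?” question from the killchain. The script below is an added example, not the authors’ proof-of-concept code: it scores files by Shannon entropy (a file encrypted with the hybrid scheme above is indistinguishable from random bytes, close to 8 bits per byte) and combines that signal with the ransom extension Listing 2 writes (“.payme”). The threshold, the minimum file size, the function names and the sample “files” are assumptions constructed for the demo; the deterministic pseudo-ciphertext stands in for real AES-CBC output.

```python
"""Entropy-based detection of files encrypted in place (denial-of-data).

Added example for this page, not the authors' PoC code. Thresholds, names and
the sample files are assumptions constructed for the demo.
"""
import hashlib
import math
from collections import Counter

SUSPECT_EXTENSIONS = {".payme"}  # extension of the encrypted output in Listing 2
ENTROPY_THRESHOLD = 7.5          # bits per byte; assumed value, tune per platform
MIN_SIZE = 64                    # below this, an entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> dict:
    """Verdict for one file.

    Two independent signals are combined: a known ransom extension, and an
    entropy close to 8 bits/byte on a file large enough to judge. Either one
    marks the file suspicious; the reasons are returned so an analyst can tell
    a true hit from an already-compressed file that is merely high-entropy.
    """
    entropy = shannon_entropy(data)
    reasons = []
    extension = name[name.rfind("."):] if "." in name else ""
    if extension in SUSPECT_EXTENSIONS:
        reasons.append("ransom-extension")
    if len(data) >= MIN_SIZE and entropy >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return {
        "name": name,
        "entropy": round(entropy, 3),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_files(files: dict) -> dict:
    """Classify a {name: bytes} mapping (stands in for a directory walk)."""
    return {name: classify_file(name, data) for name, data in files.items()}


def _pseudo_ciphertext(size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES-CBC output (constructed)."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed sample "files" as they might sit on an IVI / telematics unit.
SAMPLE_FILES = {
    "trip_log.csv": b"ts,speed,rpm,gear\n1,42,1800,3\n2,45,1900,3\n" * 100,  # plaintext
    "trip_log.csv.payme": _pseudo_ciphertext(4096),  # same data after Listing 2's encrypt step
    "tiny.cfg": b"k=v\n",                            # too small to judge by entropy
    "photo.jpg": _pseudo_ciphertext(4096),           # compressed media: high entropy, no extension hit
}

if __name__ == "__main__":
    for verdict in scan_files(SAMPLE_FILES).values():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{verdict['name']:<20} entropy={verdict['entropy']:.3f} {flag} {verdict['reasons']}")
```

The “photo.jpg” case is deliberate: already-compressed media is high-entropy on its own, so entropy is a trigger for closer inspection rather than a verdict, and in practice it is paired with other signals such as a burst of rewrites across many files. Conversely, the extension check is cheap but trivially evaded by changing the string, which is why the entropy signal is the more robust of the two.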

Slide 10

Resource Exhaustion Following a Fork Bomb

Figure 4: System idle before fork bomb
Figure 5: DoS after the fork bomb
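Listing 1 on slide 5 produces the idle-to-DoS transition shown in Figures 4 and 5, and slide 6 notes that the limited resources of automotive hosts make this form of denial-of-service especially effective. The script below is an added example, not the authors’ code: it reads the output of `ps -eo pid,ppid,user,comm` and flags a (user, command) group that is both large and shaped as a chain of same-named parents spawning same-named children, which is the process tree a self-calling shell function leaves behind. The thresholds, the function names and the sample listing are assumptions constructed for the demo.

```python
"""Detect a self-replicating process storm (fork bomb) from a process listing.

Added example for this page, not the authors' code. The input format is that of
`ps -eo pid,ppid,user,comm`; thresholds and the sample listing are assumptions.
"""
from collections import defaultdict

# Constructed sample listing: 'sh' under user 'ivi' is spawning copies of itself.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  120     1 root     canbusd
  131     1 ivi      ivi-ui
  200   131 ivi      sh
  201   200 ivi      sh
  202   200 ivi      sh
  203   201 ivi      sh
  204   201 ivi      sh
  205   202 ivi      sh
  206   202 ivi      sh
  207   203 ivi      sh
  208   203 ivi      sh
  209   204 ivi      sh
"""


def parse_ps(text: str) -> list:
    """Parse `ps -eo pid,ppid,user,comm` output (the header line is skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # tolerate blank or truncated lines
        pid, ppid, user, comm = parts
        procs.append({"pid": int(pid), "ppid": int(ppid), "user": user, "comm": comm})
    return procs


def find_process_storms(procs: list, min_count: int = 8, min_chain_depth: int = 3) -> list:
    """Return one alert per (user, command) group that looks like a fork bomb.

    A large group alone is not enough (a server may legitimately run many
    identical workers under one parent); the group must also contain a chain of
    at least `min_chain_depth` same-named ancestors, the shape produced by a
    function that keeps calling itself.
    """
    by_pid = {p["pid"]: p for p in procs}
    groups = defaultdict(list)
    for p in procs:
        groups[(p["user"], p["comm"])].append(p)

    def same_name_depth(p: dict) -> int:
        # Walk up the parent chain while the parent has the same command name.
        depth, seen = 0, {p["pid"]}
        parent = by_pid.get(p["ppid"])
        while parent is not None and parent["comm"] == p["comm"] and parent["pid"] not in seen:
            seen.add(parent["pid"])
            depth += 1
            parent = by_pid.get(parent["ppid"])
        return depth

    alerts = []
    for (user, comm), members in groups.items():
        if len(members) < min_count:
            continue
        deepest = max(same_name_depth(p) for p in members)
        if deepest >= min_chain_depth:
            alerts.append({"user": user, "comm": comm, "count": len(members), "chain_depth": deepest})
    return alerts


if __name__ == "__main__":
    for alert in find_process_storms(parse_ps(SAMPLE_PS)):
        print(f"process storm: user={alert['user']} comm={alert['comm']} "
              f"count={alert['count']} chain_depth={alert['chain_depth']}")
```

Polling `ps` is a diagnostic, not a control: the corresponding preventive measure is a per-user process ceiling (`ulimit -u` in the shell, or the `nproc` limit in `/etc/security/limits.conf` on PAM-based systems), which bounds how far a fork bomb can grow before the kernel refuses further forks. On the resource-constrained automotive hosts slide 6 describes, such a limit matters more than on a desktop because the margin between “idle” and “unresponsive” is so much smaller.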

Slide 11

Conclusions

◉ Ransomware attacks are viable on modern automotive platforms (all constraints in the killchain can be satisfied)
◉ Configuration and authentication oversights are the most likely to let attackers reach their malicious objective
◉ Proof-of-concept crypto-ransomware achieved denial-of-service and denial-of-data
◉ Need for better detection, response, and recovery solutions for automotive platforms against malware threats

Slide 12

Questions?

@amirootyet

Thank you!