Don’t be a Dummy! A Crash Course in Automotive Security Daniel A. Mayer @DanlAMayer Drew Suarez @utkan0s October 28, 2016

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Dream … 2

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Dream … 3

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Dream … 4

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Well, we have this … :-) 5

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security And one day…? 6 “BMW promises autonomous, electric flagship for 2021 called iNext"

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Who we are Drew Suarez Principal Security Consultant, Research Director with NCC Group Mobile / Android, IVI, firmware/system updates Daniel Mayer Regional Director with NCC Group Mobile / iOS, Auto threat modeling, IVI and CAN NCC Group UK Headquarters, Worldwide Offices Security Consulting, Software Escrow, Domain Services 7

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Outline 1. Introduction to the Automotive Security Space 2. Automotive Topology and Threat Model 3. Detailed Attack Surface Analysis 4.Jumpstart Your Research 5. Conclusions 8

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Introduction to the Automotive Space 9

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Automotive Security: Why Now? Traditionally Safety Physical security / theft Modern cars are more connected Push towards self-driving cars Allows ECUs to partially control car Potential for harm of people New Technologies bring new attack surfaces 10

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Unique Challenges Supply Chains Complex arrangements leave little control for OEMs Influence on Tier 1 suppliers is limited Long Development Times Outdated software and technology No security standards Vulnerabilities often unpatched Code/configurations often reused across different brands Embedded system developer mind-set 11

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Unique Challenges cont. Usability and Passenger Safety These requirements usually trump security concerns Industry now beginning to realize security bugs can impact safety No consistent threat model Different OEM designs mean different risks Varied components and availability 12

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Drowning in Standards Proprietary Standards Most not freely available 13 SAE J1698 ISO 15765-2 ISO-TP SAE J1850 ISO 9141-2 KWP2000 IEEE 802.1AS ISO 14230-3 ISO 15764 ISO 14229 NTCIP 1202 ISO 15765-3 SAE J1939-71 SAE J1939-73 NTCIP 1202 CCP

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Prior Research Keyless Entry RollJam Megamos (VW, etc) Remote Unlock, OnStar et al OwnStar Remote Control Valasek/Miller Jeep Academic Researchers Karl Koscher, Stephen Checkoway et al. 14 Samy Kamkar's "RollJam" device

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Automotive Topology and Threat Model 15 http://www.intechopen.com/books/vehicular-technologies-deployment-and-applications/smart-vehicles-technologies-and-main-applications-in-vehicular-ad-hoc-networks

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Modern Automobile 16 Sensors Infotainment Adaptive Cruise Control Tire Pressure Monitoring Exposed Wiring (Remote) Diagnostics Rear-Seat Infotainment (Remote) Keyless Entry Telematics Control Units

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Modern Components Electronic Control Units Many, distributed throughout the car. Different sub-systems have their own ECU (drive train, cruise control, brakes, etc.). In-Vehicle Infotainment (IVI) Most powerful ECU of the vehicle Exposes a huge attack surface Sensors Lidar Parking Sensors Rear-View Camera 17

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Well Connected? - Buses Vehicular Buses Connecting different ECUs of the vehicle Different speeds and technologies Common Types Control Area Network (CAN) Local Interconnect Network (LIN) Media Oriented System Transport (MOST) FlexRay Ethernet 18

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security CAN Bus Basics Broadcast System No authentication Addressing Arbitration ID: 11-bit (or 29-bit) Lower ID has higher priority Speed High-Speed: 500Kbps Data Format More complex protocols built on top 19 11-bit ID 8 bytes data CRC ACK EOF IFS Data Length

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security CAN Bus Continued ISO-TP (ISO 15765-2) Chains CAN messages Send up to 4096 bytes Unified Diagnostic System Standardized system to access vehicle information Including Diagnostic Trouble Codes Proprietary codes per manufacturer Uses ISO-TP Response to request has ECU arbitration ID + 8 Basic security for sensitive functions Seed algorithm, sometimes static response 20

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security CAN Bus 21 CAN Infotainment Parking Aid Body Control Unit Instruments HVAC Airbag Power Train 0x100 0x110 0x120 0x130 0x140 0x150 0x160

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Multiple CAN Buses 22 Infotainment Parking Aid Body Control Unit Instruments HVAC Airbag Power Train 0x100 0x110 0x120 0x130 0x140 0x150 0x160 CAN 2 CAN 1 CAN Gateway Essentially a basic firewall filtering by ID.

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Different Threats 23 * http://illmatics.com/remote%20attack%20surfaces.pdf

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Detailed Attack Surface Analysis 24

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Local vs Remote Local attacks USB OBD Port access Direct CAN bus access Physical disassembly Remote attacks Bluetooth Wi-Fi NFC Cellular 25 Car Hacker’s Handbook Craig Smith

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security How exploitable? Mass compromise Locally or remotely exploitable with widespread impact Thousands(+) affected across multiple models Targeted One specific type of model, OEM or individual target Specific target in mind 26

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Overall Vehicle Telematics Send, receive data via telecommunication devices Require access to data from various ECUs IEEE 802.11p GSM/GPRS Modems NGTP 27

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security The Overall Vehicle cont. Remote keyless entry (RKE) Many use poor cryptographic implementations Poorly made smart app components Can also provide remote keyless ignition (RKI) Rear-view Cameras Externally accessible Video stream is processed by native code Tire Pressure Monitor Unencrypted RF communications Connected to ECU(s) 28

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Are you not infotained? In-Vehicle Infotainment (IVI) AKA Head Unit ECU with most attack surface in modern vehicles Run a variety of different OS Various configurations and capabilities 29

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Are you not infotained? 30 Video Decoder SPI Temperature Gyroscope Accelerometer CAN IOC Debugging SOC Infotainment Systems Car Systems

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Are you not infotained? Local IVI attack surface USB Hardware debugging Built-in applications Other serial interfaces Other local attack surface CAN UDS Change VIN Read sensitive data from ECU OBD-II 31

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Are you not infotained? Wireless/Remote attack vectors Bluetooth Wi-Fi NFC DAB / Satellite radio GPS Telematics 32

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security IVI Operating Systems (ARM) Android Almost always out of date and unpatched Trivial to gain root access QNX Frustrating to work with! Need to build useful tools from source Non-trivial to get cross-compile environment going Well documented but sparse on useful details Linux Easiest to instrument and test Relatively up to date 33

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Software Updates Install types Via USB stick Over-the-air Typical Security issues Lack of or weak signing Lack of or no integrity checking Executes as root Updates critical firmware Persistence 34

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Vendor “smart” app control Control vehicle functions Unlock doors Remote start Track location Poor quality software Hardcoded secrets Interceptable communications Exposed backend APIs 35

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Smartphone Integration Compromised device Allows potential control over IVI -> vehicle OEM-Specific Integrations SmartDeviceLink by Toyota SYNC AppLink by Ford AHA by Harman Proprietary protocols between phone and vehicle May tunnel IP over serial over USB / Bluetooth 36

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Generic Smartphone Integration CarPlay Connect via USB or Bluetooth (still rare) Uses TCP/IP(v6) IPv6 often forgotten in IVI hardening Streams screen contents, similar to AirPlay Reverse channel for user input Android Auto Connect via USB and pair over Bluetooth (no wireless only option) Requires Android 5.x or higher Access to many of the car’s sensors and inputs We’re still researching this heavily :) 37

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Jumpstart Your Research 38

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Get started Steep cost? It can be costly… but doesn't have to be Depends on what you want to research 39

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Get started - A lot to explore! Use existing knowledge to attack the IVI Bluetooth Wifi System Security Network / Services Explore Vehicle Networks and Segregation Understand vehicle protocol 40

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Bench Testing Depending on model, $500 USD+ 41

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Helpful links for Argentina dealextreme.com aliexpress.com taobao.com 42

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security CAN Bus Hardware USB2CAN $65 USD http://shop.8devices.com/ Software SocketCAN Linux Kernel Support for CAN 43 $ ./candump vcan0 vcan0 123 [2] 11 22

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Car Connection On-Board Diagnostic Interface Connect via OBD-II port Limited CAN bus access $10 - $20 USD 44

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Car Connection Back Probes Tap into plugs in vehicle $10 - $30 USD (eBay, Amazon) 45

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security IVI - Hardware Analyis JTAGulator http://www.grandideastudio.com/portfolio/jtagulator/ $169 USD On-Chip Debugging via JTAG 24 channels Determine JTAG pin-outs 46

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security IVI - Hardware Analysis BusPirate http://dangerousprototypes.com/docs/ Bus_Pirate_v4_design_overview ~$40 USD SPI, I2C, UART, JTAG Shikra http://int3.cc/products/the-shikra $45 USD JTAG, SPI, I2C, UART 47

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Commercial Software Vector CANalyzer Bus Analysis $1,800 USD (Fundamental) - $4,500 USD (Professional) Vector CANoe CANalyzer++ Simulations, Diagnostics, Development, Analysis $12,000 USD Require Custom Hardware $800 - $1,000 USD Only Allow In-Spec Testing 48

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Learn More Car Hacker’s Handbook Craig Smith, No Starch Press, ISBN: 978-1-59327-703-1 Papers Charlie Miller and Chris Valasek Adventures in Automotive Networks and Control Units, 2014 Remote Exploitation of an Unaltered Passenger Vehicle, 2015 Checkoway et al. Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX 2011 Koscher et al. Experimental Security Analysis of a Modern Automobile, IEEE SSP 2010 Foster et al. Fast and Vulnerable: A Story of Telematics Failures, WOOT '15 Trainings For example, Craig Smith and CanBusHack (Robert Leale) 49

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Conclusions 1. Cars present a unique attack surface and a complex problem to solve for security people. 2.Cars continue to get more advanced and thus expose more interesting attack vectors over time as they become more connected. 3. Car security research does not have to be costly depending on the intended goal. 50

Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security Thank you! Questions? NCC Group’s automotive cyber security practice Website: www.nccgroup.trust/automotive Contact: [email protected] 51 Daniel A. Mayer @DanlAMayer Drew Suarez @utkan0s