Slide 1

Slide 1 text

Don’t be a Dummy! A Crash Course in Automotive Security
Daniel A. Mayer (@DanlAMayer), Drew Suarez (@utkan0s)
October 28, 2016

Slide 2

Slide 2 text

The Dream …

Slide 3

Slide 3 text

The Dream …

Slide 4

Slide 4 text

The Dream …

Slide 5

Slide 5 text

Well, we have this … :-)

Slide 6

Slide 6 text

And one day…?
“BMW promises autonomous, electric flagship for 2021 called iNext”

Slide 7

Slide 7 text

Who we are
- Drew Suarez
  - Principal Security Consultant, Research Director with NCC Group
  - Mobile / Android, IVI, firmware/system updates
- Daniel Mayer
  - Regional Director with NCC Group
  - Mobile / iOS, Auto threat modeling, IVI and CAN
- NCC Group
  - UK Headquarters, Worldwide Offices
  - Security Consulting, Software Escrow, Domain Services

Slide 8

Slide 8 text

Outline
1. Introduction to the Automotive Security Space
2. Automotive Topology and Threat Model
3. Detailed Attack Surface Analysis
4. Jumpstart Your Research
5. Conclusions

Slide 9

Slide 9 text

Introduction to the Automotive Space

Slide 10

Slide 10 text

Automotive Security: Why Now?
- Traditionally
  - Safety
  - Physical security / theft
- Modern cars are more connected
- Push towards self-driving cars
  - Allows ECUs to partially control car
  - Potential for harm of people
- New Technologies bring new attack surfaces

Slide 11

Slide 11 text

Unique Challenges
- Supply Chains
  - Complex arrangements leave little control for OEMs
  - Influence on Tier 1 suppliers is limited
- Long Development Times
  - Outdated software and technology
- No security standards
  - Vulnerabilities often unpatched
  - Code/configurations often reused across different brands
- Embedded system developer mind-set

Slide 12

Slide 12 text

Unique Challenges cont.
- Usability and Passenger Safety
  - These requirements usually trump security concerns
  - Industry now beginning to realize security bugs can impact safety
- No consistent threat model
  - Different OEM designs mean different risks
  - Varied components and availability

Slide 13

Slide 13 text

Drowning in Standards
- Proprietary Standards
- Most not freely available
Standards shown: SAE J1698, ISO 15765-2, ISO-TP, SAE J1850, ISO 9141-2, KWP2000, IEEE 802.1AS, ISO 14230-3, ISO 15764, ISO 14229, NTCIP 1202, ISO 15765-3, SAE J1939-71, SAE J1939-73, CCP

Slide 14

Slide 14 text

Prior Research
- Keyless Entry
  - RollJam
  - Megamos (VW, etc)
- Remote Unlock, OnStar et al
  - OwnStar
- Remote Control
  - Valasek/Miller Jeep
- Academic Researchers
  - Karl Koscher, Stephen Checkoway et al.
Image: Samy Kamkar's "RollJam" device

Slide 15

Slide 15 text

Automotive Topology and Threat Model
http://www.intechopen.com/books/vehicular-technologies-deployment-and-applications/smart-vehicles-technologies-and-main-applications-in-vehicular-ad-hoc-networks

Slide 16

Slide 16 text

The Modern Automobile
Diagram labels: Sensors, Infotainment, Adaptive Cruise Control, Tire Pressure Monitoring, Exposed Wiring, (Remote) Diagnostics, Rear-Seat Infotainment, (Remote) Keyless Entry, Telematics Control Units

Slide 17

Slide 17 text

Modern Components
- Electronic Control Units
  - Many, distributed throughout the car.
  - Different sub-systems have their own ECU (drive train, cruise control, brakes, etc.).
- In-Vehicle Infotainment (IVI)
  - Most powerful ECU of the vehicle
  - Exposes a huge attack surface
- Sensors
  - Lidar
  - Parking Sensors
  - Rear-View Camera

Slide 18

Slide 18 text

Well Connected? - Buses
- Vehicular Buses
  - Connecting different ECUs of the vehicle
  - Different speeds and technologies
- Common Types
  - Controller Area Network (CAN)
  - Local Interconnect Network (LIN)
  - Media Oriented Systems Transport (MOST)
  - FlexRay
  - Ethernet

Slide 19

Slide 19 text

CAN Bus Basics
- Broadcast System
  - No authentication
- Addressing
  - Arbitration ID: 11-bit (or 29-bit)
  - Lower ID has higher priority
- Speed
  - High-Speed: 500Kbps
- Data Format
  - More complex protocols built on top
Diagram (frame fields): 11-bit ID, Data Length, 8 bytes data, CRC, ACK, EOF, IFS

Slide 20

Slide 20 text

CAN Bus Continued
- ISO-TP (ISO 15765-2)
  - Chains CAN messages
  - Send up to 4096 bytes
- Unified Diagnostic System
  - Standardized system to access vehicle information
  - Including Diagnostic Trouble Codes
  - Proprietary codes per manufacturer
  - Uses ISO-TP
  - Response to request has ECU arbitration ID + 8
  - Basic security for sensitive functions
    - Seed algorithm, sometimes static response

Slide 21

Slide 21 text

CAN Bus
Diagram: a single CAN bus connecting Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train; IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160

Slide 22

Slide 22 text

Multiple CAN Buses
Diagram: Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train (IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160) split across CAN 1 and CAN 2, joined by a CAN Gateway
- CAN Gateway: Essentially a basic firewall filtering by ID.

Slide 23

Slide 23 text

Different Threats
* http://illmatics.com/remote%20attack%20surfaces.pdf

Slide 24

Slide 24 text

Detailed Attack Surface Analysis

Slide 25

Slide 25 text

Local vs Remote
- Local attacks
  - USB
  - OBD Port access
  - Direct CAN bus access
  - Physical disassembly
- Remote attacks
  - Bluetooth
  - Wi-Fi
  - NFC
  - Cellular
Image: Car Hacker’s Handbook, Craig Smith

Slide 26

Slide 26 text

How exploitable?
- Mass compromise
  - Locally or remotely exploitable with widespread impact
  - Thousands(+) affected across multiple models
- Targeted
  - One specific type of model, OEM or individual target
  - Specific target in mind

Slide 27

Slide 27 text

The Overall Vehicle
- Telematics
  - Send, receive data via telecommunication devices
  - Require access to data from various ECUs
  - IEEE 802.11p
  - GSM/GPRS Modems
  - NGTP

Slide 28

Slide 28 text

The Overall Vehicle cont.
- Remote keyless entry (RKE)
  - Many use poor cryptographic implementations
  - Poorly made smart app components
  - Can also provide remote keyless ignition (RKI)
- Rear-view Cameras
  - Externally accessible
  - Video stream is processed by native code
- Tire Pressure Monitor
  - Unencrypted RF communications
  - Connected to ECU(s)

Slide 29

Slide 29 text

Are you not infotained?
- In-Vehicle Infotainment (IVI)
  - AKA Head Unit
  - ECU with most attack surface in modern vehicles
  - Run a variety of different OS
  - Various configurations and capabilities

Slide 30

Slide 30 text

Are you not infotained?
Diagram labels: Video Decoder, SPI, Temperature, Gyroscope, Accelerometer, CAN, IOC, Debugging, SOC, Infotainment Systems, Car Systems

Slide 31

Slide 31 text

Are you not infotained?
- Local IVI attack surface
  - USB
  - Hardware debugging
  - Built-in applications
  - Other serial interfaces
- Other local attack surface
  - CAN
  - UDS
    - Change VIN
    - Read sensitive data from ECU
  - OBD-II

Slide 32

Slide 32 text

Are you not infotained?
- Wireless/Remote attack vectors
  - Bluetooth
  - Wi-Fi
  - NFC
  - DAB / Satellite radio
  - GPS
  - Telematics

Slide 33

Slide 33 text

IVI Operating Systems (ARM)
- Android
  - Almost always out of date and unpatched
  - Trivial to gain root access
- QNX
  - Frustrating to work with!
  - Need to build useful tools from source
  - Non-trivial to get cross-compile environment going
  - Well documented but sparse on useful details
- Linux
  - Easiest to instrument and test
  - Relatively up to date

Slide 34

Slide 34 text

Software Updates
- Install types
  - Via USB stick
  - Over-the-air
- Typical Security issues
  - Lack of or weak signing
  - Lack of or no integrity checking
  - Executes as root
  - Updates critical firmware
  - Persistence

Slide 35

Slide 35 text

Vendor “smart” app control
- Control vehicle functions
  - Unlock doors
  - Remote start
  - Track location
- Poor quality software
  - Hardcoded secrets
  - Interceptable communications
  - Exposed backend APIs

Slide 36

Slide 36 text

Smartphone Integration
- Compromised device
  - Allows potential control over IVI -> vehicle
- OEM-Specific Integrations
  - SmartDeviceLink by Toyota
  - SYNC AppLink by Ford
  - AHA by Harman
- Proprietary protocols between phone and vehicle
  - May tunnel IP over serial over USB / Bluetooth

Slide 37

Slide 37 text

Generic Smartphone Integration
- CarPlay
  - Connect via USB or Bluetooth (still rare)
  - Uses TCP/IP(v6)
    - IPv6 often forgotten in IVI hardening
  - Streams screen contents, similar to AirPlay
  - Reverse channel for user input
- Android Auto
  - Connect via USB and pair over Bluetooth (no wireless only option)
  - Requires Android 5.x or higher
  - Access to many of the car’s sensors and inputs
- We’re still researching this heavily :)

Slide 38

Slide 38 text

Jumpstart Your Research

Slide 39

Slide 39 text

Get started
- Steep cost?
  - It can be costly… but doesn't have to be
  - Depends on what you want to research

Slide 40

Slide 40 text

Get started - A lot to explore!
- Use existing knowledge to attack the IVI
  - Bluetooth
  - Wi-Fi
  - System Security
  - Network / Services
- Explore Vehicle Networks and Segregation
- Understand vehicle protocol

Slide 41

Slide 41 text

Bench Testing
- Depending on model, $500 USD+

Slide 42

Slide 42 text

Helpful links for Argentina
- dealextreme.com
- aliexpress.com
- taobao.com

Slide 43

Slide 43 text

CAN Bus
- Hardware
  - USB2CAN
  - $65 USD
  - http://shop.8devices.com/
- Software
  - SocketCAN
  - Linux Kernel Support for CAN

    $ ./candump vcan0
      vcan0  123   [2]  11 22
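Added example, not part of the original slides: reassembling the ISO-TP messages described under "CAN Bus Continued" from lines in the candump format shown on this slide, then pairing each request with the response on arbitration ID + 8. The capture, the IDs 0x7E0/0x7E8 and the VIN in it are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample capture (assumed IDs 0x7E0/0x7E8, made-up VIN); not from the slides.
CAPTURE = """\
vcan0  7E0   [8]  03 22 F1 90 00 00 00 00
vcan0  7E8   [8]  10 14 62 F1 90 31 47 31
vcan0  7E0   [8]  30 00 00 00 00 00 00 00
vcan0  7E8   [8]  21 4A 43 35 34 34 34 52
vcan0  7E8   [8]  22 37 32 35 32 33 36 37
"""

def parse_candump(text):
    """Return [(arbitration_id, data)] from 'iface ID [len] bytes...' lines."""
    frames = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3:
            dlc = int(parts[2].strip("[]"))
            data = bytes(int(b, 16) for b in parts[3:3 + dlc])
            frames.append((int(parts[1], 16), data))
    return frames

def reassemble(frames):
    """Return [(arbitration_id, payload)]; flow-control frames (type 3) are skipped."""
    pending, done = {}, []        # pending: id -> [total_len, next_seq, buffer]
    for can_id, data in frames:
        if not data:
            continue
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:                             # single frame: low = length
            done.append((can_id, data[1:1 + low]))
        elif kind == 1 and len(data) >= 2:        # first frame: 12-bit length
            pending[can_id] = [(low << 8) | data[1], 1, bytearray(data[2:])]
        elif kind == 2 and can_id in pending:     # consecutive frame: low = seq
            total, seq, buf = pending[can_id]
            if low != seq:                        # lost or reordered: drop message
                del pending[can_id]
                continue
            buf += data[1:]
            pending[can_id][1] = (seq + 1) & 0x0F
            if len(buf) >= total:                 # strip padding past total_len
                done.append((can_id, bytes(buf[:total])))
                del pending[can_id]
    return done

def pair_requests(messages):
    """Pair each message with the next one seen on arbitration ID + 8."""
    pairs = []
    for i, (rid, req) in enumerate(messages):
        resp = next((p for cid, p in messages[i + 1:] if cid == rid + 8), None)
        if resp is not None:
            pairs.append((rid, req, resp))
    return pairs
```

A multi-frame message with a missing consecutive frame is discarded rather than returned short, so a lossy capture never yields a silently truncated diagnostic payload.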

Slide 44

Slide 44 text

Car Connection
- On-Board Diagnostic Interface
  - Connect via OBD-II port
  - Limited CAN bus access
  - $10 - $20 USD

Slide 45

Slide 45 text

Car Connection
- Back Probes
  - Tap into plugs in vehicle
  - $10 - $30 USD (eBay, Amazon)

Slide 46

Slide 46 text

IVI - Hardware Analysis
- JTAGulator
  - http://www.grandideastudio.com/portfolio/jtagulator/
  - $169 USD
  - On-Chip Debugging via JTAG
  - 24 channels
  - Determine JTAG pin-outs

Slide 47

Slide 47 text

IVI - Hardware Analysis
- BusPirate
  - http://dangerousprototypes.com/docs/Bus_Pirate_v4_design_overview
  - ~$40 USD
  - SPI, I2C, UART, JTAG
- Shikra
  - http://int3.cc/products/the-shikra
  - $45 USD
  - JTAG, SPI, I2C, UART

Slide 48

Slide 48 text

Commercial Software
- Vector CANalyzer
  - Bus Analysis
  - $1,800 USD (Fundamental) - $4,500 USD (Professional)
- Vector CANoe
  - CANalyzer++
  - Simulations, Diagnostics, Development, Analysis
  - $12,000 USD
- Require Custom Hardware
  - $800 - $1,000 USD
- Only Allow In-Spec Testing

Slide 49

Slide 49 text

Learn More
- Car Hacker’s Handbook
  - Craig Smith, No Starch Press, ISBN: 978-1-59327-703-1
- Papers
  - Charlie Miller and Chris Valasek
    - Adventures in Automotive Networks and Control Units, 2014
    - Remote Exploitation of an Unaltered Passenger Vehicle, 2015
  - Checkoway et al.
    - Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX 2011
  - Koscher et al.
    - Experimental Security Analysis of a Modern Automobile, IEEE SSP 2010
  - Foster et al.
    - Fast and Vulnerable: A Story of Telematics Failures, WOOT '15
- Trainings
  - For example, Craig Smith and CanBusHack (Robert Leale)

Slide 50

Slide 50 text

Conclusions
1. Cars present a unique attack surface and a complex problem to solve for security people.
2. Cars continue to get more advanced and thus expose more interesting attack vectors over time as they become more connected.
3. Car security research does not have to be costly depending on the intended goal.

Slide 51

Slide 51 text

Thank you! Questions?
- NCC Group’s automotive cyber security practice
  - Website: www.nccgroup.trust/automotive
  - Contact: [email protected]
Daniel A. Mayer @DanlAMayer, Drew Suarez @utkan0s