"Don't be a Dummy! A Crash Course in Automotive Security" - Ekoparty 2016

Ekoparty 2016: Buenos Aires, Argentina
Co-Presented with Daniel Mayer (https://speakerdeck.com/dmayer)

Drew Suarez (utkanos)

October 28, 2016

Transcript

  1. Don’t be a Dummy! A Crash Course in Automotive Security

    Daniel A. Mayer @DanlAMayer Drew Suarez @utkan0s October 28, 2016
  2. Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security

    The Dream …
  3. The Dream …
  4. The Dream …
  5. Well, we have this … :-)
  6. And one day…?

    “BMW promises autonomous, electric flagship for 2021 called iNext”
  7. Who we are

    Drew Suarez: Principal Security Consultant, Research Director with NCC Group; Mobile / Android, IVI, firmware/system updates. Daniel Mayer: Regional Director with NCC Group; Mobile / iOS, Auto threat modeling, IVI and CAN. NCC Group: UK Headquarters, Worldwide Offices; Security Consulting, Software Escrow, Domain Services.
  8. Outline

    1. Introduction to the Automotive Security Space; 2. Automotive Topology and Threat Model; 3. Detailed Attack Surface Analysis; 4. Jumpstart Your Research; 5. Conclusions.
  9. Introduction to the Automotive Space
  10. Automotive Security: Why Now?

    Traditionally: Safety; Physical security / theft. Modern cars are more connected: Push towards self-driving cars; Allows ECUs to partially control car; Potential for harm of people. New Technologies bring new attack surfaces.
  11. Unique Challenges

    Supply Chains: Complex arrangements leave little control for OEMs; Influence on Tier 1 suppliers is limited. Long Development Times: Outdated software and technology. No security standards. Vulnerabilities often unpatched. Code/configurations often reused across different brands. Embedded system developer mind-set.
  12. Unique Challenges cont.

    Usability and Passenger Safety: These requirements usually trump security concerns; Industry now beginning to realize security bugs can impact safety. No consistent threat model: Different OEM designs mean different risks; Varied components and availability.
  13. Drowning in Standards

    Proprietary Standards: Most not freely available. Standards shown: SAE J1698, ISO 15765-2, ISO-TP, SAE J1850, ISO 9141-2, KWP2000, IEEE 802.1AS, ISO 14230-3, ISO 15764, ISO 14229, NTCIP 1202, ISO 15765-3, SAE J1939-71, SAE J1939-73, CCP.
  14. Prior Research

    Keyless Entry: RollJam; Megamos (VW, etc). Remote Unlock, OnStar et al: OwnStar. Remote Control: Valasek/Miller Jeep. Academic Researchers: Karl Koscher, Stephen Checkoway et al. Image: Samy Kamkar's "RollJam" device.
  15. Automotive Topology and Threat Model

    http://www.intechopen.com/books/vehicular-technologies-deployment-and-applications/smart-vehicles-technologies-and-main-applications-in-vehicular-ad-hoc-networks
  16. The Modern Automobile

    Diagram labels: Sensors; Infotainment; Adaptive Cruise Control; Tire Pressure Monitoring; Exposed Wiring; (Remote) Diagnostics; Rear-Seat Infotainment; (Remote) Keyless Entry; Telematics Control Units.
  17. Modern Components

    Electronic Control Units: Many, distributed throughout the car; Different sub-systems have their own ECU (drive train, cruise control, brakes, etc.). In-Vehicle Infotainment (IVI): Most powerful ECU of the vehicle; Exposes a huge attack surface. Sensors: Lidar; Parking Sensors; Rear-View Camera.
  18. Well Connected? - Buses

    Vehicular Buses: Connecting different ECUs of the vehicle; Different speeds and technologies. Common Types: Control Area Network (CAN); Local Interconnect Network (LIN); Media Oriented System Transport (MOST); FlexRay; Ethernet.
  19. CAN Bus Basics

    Broadcast System: No authentication. Addressing: Arbitration ID is 11-bit (or 29-bit); Lower ID has higher priority. Speed: High-Speed, 500Kbps. Data Format: More complex protocols built on top. Frame diagram fields: 11-bit ID; Data Length; 8 bytes data; CRC; ACK; EOF; IFS.
  20. CAN Bus Continued

    ISO-TP (ISO 15765-2): Chains CAN messages; Send up to 4096 bytes. Unified Diagnostic System: Standardized system to access vehicle information, including Diagnostic Trouble Codes; Proprietary codes per manufacturer; Uses ISO-TP; Response to request has ECU arbitration ID + 8; Basic security for sensitive functions (seed algorithm, sometimes static response).
  21. CAN Bus

    Diagram: a single CAN bus connecting Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train. Arbitration IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160.
  22. Multiple CAN Buses

    Diagram: Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train, split across two buses (CAN 1 and CAN 2) joined by a CAN Gateway. Arbitration IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160. CAN Gateway: Essentially a basic firewall filtering by ID.
  23. Different Threats

    Reference: http://illmatics.com/remote%20attack%20surfaces.pdf
  24. Detailed Attack Surface Analysis
  25. Local vs Remote

    Local attacks: USB; OBD Port access; Direct CAN bus access; Physical disassembly. Remote attacks: Bluetooth; Wi-Fi; NFC; Cellular. Image: Car Hacker’s Handbook, Craig Smith.
  26. How exploitable?

    Mass compromise: Locally or remotely exploitable with widespread impact; Thousands(+) affected across multiple models. Targeted: One specific type of model, OEM or individual target; Specific target in mind.
  27. The Overall Vehicle

    Telematics: Send, receive data via telecommunication devices; Require access to data from various ECUs; IEEE 802.11p; GSM/GPRS Modems; NGTP.
  28. The Overall Vehicle cont.

    Remote keyless entry (RKE): Many use poor cryptographic implementations; Poorly made smart app components; Can also provide remote keyless ignition (RKI). Rear-view Cameras: Externally accessible; Video stream is processed by native code. Tire Pressure Monitor: Unencrypted RF communications; Connected to ECU(s).
  29. Are you not infotained?

    In-Vehicle Infotainment (IVI): AKA Head Unit; ECU with most attack surface in modern vehicles; Run a variety of different OS; Various configurations and capabilities.
  30. Are you not infotained?

    Block diagram labels: Video Decoder; SPI; Temperature; Gyroscope; Accelerometer; CAN; IOC; Debugging; SOC; Infotainment Systems; Car Systems.
  31. Are you not infotained?

    Local IVI attack surface: USB; Hardware debugging; Built-in applications; Other serial interfaces. Other local attack surface: CAN; UDS (Change VIN, Read sensitive data from ECU); OBD-II.
  32. Are you not infotained?

    Wireless/Remote attack vectors: Bluetooth; Wi-Fi; NFC; DAB / Satellite radio; GPS; Telematics.
  33. IVI Operating Systems (ARM)

    Android: Almost always out of date and unpatched; Trivial to gain root access. QNX: Frustrating to work with!; Need to build useful tools from source; Non-trivial to get cross-compile environment going; Well documented but sparse on useful details. Linux: Easiest to instrument and test; Relatively up to date.
  34. Software Updates

    Install types: Via USB stick; Over-the-air. Typical Security issues: Lack of or weak signing; Lack of or no integrity checking; Executes as root; Updates critical firmware; Persistence.
  35. Vendor “smart” app control

    Control vehicle functions: Unlock doors; Remote start; Track location. Poor quality software: Hardcoded secrets; Interceptable communications; Exposed backend APIs.
  36. Smartphone Integration

    Compromised device: Allows potential control over IVI -> vehicle. OEM-Specific Integrations: SmartDeviceLink by Toyota; SYNC AppLink by Ford; AHA by Harman. Proprietary protocols between phone and vehicle: May tunnel IP over serial over USB / Bluetooth.
  37. Generic Smartphone Integration

    CarPlay: Connect via USB or Bluetooth (still rare); Uses TCP/IP(v6); IPv6 often forgotten in IVI hardening; Streams screen contents, similar to AirPlay; Reverse channel for user input. Android Auto: Connect via USB and pair over Bluetooth (no wireless only option); Requires Android 5.x or higher; Access to many of the car’s sensors and inputs. We’re still researching this heavily :)
  38. Jumpstart Your Research
  39. Get started

    Steep cost? It can be costly… but doesn't have to be. Depends on what you want to research.
  40. Get started - A lot to explore!

    Use existing knowledge to attack the IVI: Bluetooth; Wifi; System Security; Network / Services. Explore Vehicle Networks and Segregation. Understand vehicle protocol.
  41. Bench Testing

    Depending on model, $500 USD+
  42. Helpful links for Argentina

    dealextreme.com; aliexpress.com; taobao.com
  43. CAN Bus

    Hardware: USB2CAN; $65 USD; http://shop.8devices.com/. Software: SocketCAN; Linux Kernel Support for CAN. Terminal shown on the slide:

        $ ./candump vcan0
        vcan0 123 [2] 11 22
  44. Car Connection

    On-Board Diagnostic Interface: Connect via OBD-II port; Limited CAN bus access; $10 - $20 USD.
  45. Car Connection

    Back Probes: Tap into plugs in vehicle; $10 - $30 USD (eBay, Amazon).
  46. IVI - Hardware Analysis

    JTAGulator: http://www.grandideastudio.com/portfolio/jtagulator/; $169 USD; On-Chip Debugging via JTAG; 24 channels; Determine JTAG pin-outs.
  47. IVI - Hardware Analysis

    BusPirate: http://dangerousprototypes.com/docs/Bus_Pirate_v4_design_overview; ~$40 USD; SPI, I2C, UART, JTAG. Shikra: http://int3.cc/products/the-shikra; $45 USD; JTAG, SPI, I2C, UART.
  48. Commercial Software

    Vector CANalyzer: Bus Analysis; $1,800 USD (Fundamental) - $4,500 USD (Professional). Vector CANoe: CANalyzer++; Simulations, Diagnostics, Development, Analysis; $12,000 USD. Require Custom Hardware: $800 - $1,000 USD. Only Allow In-Spec Testing.
  49. Learn More

    Book: Car Hacker’s Handbook, Craig Smith, No Starch Press, ISBN: 978-1-59327-703-1.
    Papers: Charlie Miller and Chris Valasek, Adventures in Automotive Networks and Control Units, 2014, and Remote Exploitation of an Unaltered Passenger Vehicle, 2015; Checkoway et al., Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX 2011; Koscher et al., Experimental Security Analysis of a Modern Automobile, IEEE SSP 2010; Foster et al., Fast and Vulnerable: A Story of Telematics Failures, WOOT '15.
    Trainings: For example, Craig Smith and CanBusHack (Robert Leale).
  50. Conclusions

    1. Cars present a unique attack surface and a complex problem to solve for security people. 2. Cars continue to get more advanced and thus expose more interesting attack vectors over time as they become more connected. 3. Car security research does not have to be costly depending on the intended goal.
  51. Thank you! Questions?

    NCC Group’s automotive cyber security practice. Website: www.nccgroup.trust/automotive. Contact: [email protected]. Daniel A. Mayer @DanlAMayer, Drew Suarez @utkan0s
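
Slides 19 to 22 describe CAN as an unauthenticated broadcast bus, UDS responses arriving on the request ID + 8, and the CAN gateway as a basic firewall filtering by ID. The sketch below is an added example, not code from the deck or from NCC Group: it parses candump-style lines like the one on slide 43, models the gateway as a per-bus ID allowlist, and flags diagnostic requests whose response ID is not allowed back. The bus names, the IDs 0x7E0/0x7E1/0x7E8 and the payloads are constructed for illustration.

```python
import re
from typing import NamedTuple

class Frame(NamedTuple):
    bus: str      # interface name as printed by candump
    can_id: int   # arbitration ID
    data: bytes   # 0..8 payload bytes

# candump's default line shape, as on slide 43: "vcan0  123  [2]  11 22"
_LINE = re.compile(r"\s*(\w+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})\s+"
                   r"\[(\d)\]((?:\s+[0-9A-Fa-f]{2})*)\s*")

def parse_candump(line):
    m = _LINE.fullmatch(line)
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    bus, can_id, dlc, payload = m.groups()
    data = bytes.fromhex("".join(payload.split()))
    if len(data) != int(dlc) or len(data) > 8:
        raise ValueError(f"length field does not match payload: {line!r}")
    return Frame(bus, int(can_id, 16), data)

def uds_response_id(request_id):
    return request_id + 8  # slide 20: response uses ECU arbitration ID + 8

class Gateway:
    """Per-source-bus ID allowlist; any other frame is dropped (slide 22)."""
    def __init__(self, allow):
        self.allow = allow  # {source bus: IDs forwarded to the other bus}
    def forwards(self, frame):
        # Only the ID is inspected: CAN carries no sender authentication.
        return frame.can_id in self.allow.get(frame.bus, set())
    def unpaired_diag(self, req_bus, resp_bus, request_ids):
        """Allowed diagnostic request IDs whose response ID is not let back."""
        out, back = self.allow.get(req_bus, set()), self.allow.get(resp_bus, set())
        return sorted(r for r in request_ids
                      if r in out and uds_response_id(r) not in back)

def audit(lines, gateway):
    """Split a capture into frames the gateway forwards and frames it drops."""
    forwarded, dropped = [], []
    for frame in map(parse_candump, lines):
        (forwarded if gateway.forwards(frame) else dropped).append(frame)
    return forwarded, dropped

# Constructed sample: bus names, 0x7E0/0x7E1/0x7E8 and payloads are made up.
CAPTURE = ["can1  100  [2]  11 22", "can1  7E0  [3]  02 10 01",
           "can2  7E8  [3]  02 50 01", "can1  160  [1]  FF"]
GW = Gateway({"can1": {0x100, 0x7E0, 0x7E1}, "can2": {0x7E8}})
```

Because the allowlist keys on the arbitration ID alone, a rule review should treat every forwarded ID as reachable by any node on the source bus, and keep the forwarded set as small as the vehicle functions require.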