"Don't be a Dummy! A Crash Course in Automotive Security" - Ekoparty 2016

Ekoparty 2016: Buenos Aires, Argentina
Co-Presented with Daniel Mayer (https://speakerdeck.com/dmayer)

Drew Suarez (utkanos)

October 28, 2016

Transcript

  1. Don’t be a Dummy!
    A Crash Course in Automotive Security
    Daniel A. Mayer
    @DanlAMayer
    Drew Suarez
    @utkan0s
    October 28, 2016

  2. Daniel A. Mayer, Drew Suarez - A Crash Course in Automotive Security
    The Dream …

  3. The Dream …

  4. The Dream …

  5. Well, we have this … :-)

  6. And one day…?
    “BMW promises autonomous, electric flagship for 2021 called iNext”

  7. Who we are
    Drew Suarez
      Principal Security Consultant, Research Director with NCC Group
      Mobile / Android, IVI, firmware/system updates
    Daniel Mayer
      Regional Director with NCC Group
      Mobile / iOS, Auto threat modeling, IVI and CAN
    NCC Group
      UK Headquarters, Worldwide Offices
      Security Consulting, Software Escrow, Domain Services

  8. Outline
    1. Introduction to the Automotive Security Space
    2. Automotive Topology and Threat Model
    3. Detailed Attack Surface Analysis
    4. Jumpstart Your Research
    5. Conclusions

  9. Introduction to the Automotive Space

  10. Automotive Security: Why Now?
    Traditionally
    Safety
    Physical security / theft
    Modern cars are more connected
    Push towards self-driving cars
    Allows ECUs to partially control car
    Potential for harm of people
    New Technologies bring new attack surfaces

  11. Unique Challenges
    Supply Chains
    Complex arrangements leave little control for OEMs
    Influence on Tier 1 suppliers is limited
    Long Development Times
    Outdated software and technology
    No security standards
    Vulnerabilities often unpatched
    Code/configurations often reused across different brands
    Embedded system developer mind-set

  12. Unique Challenges cont.
    Usability and Passenger Safety
    These requirements usually trump security concerns
    Industry now beginning to realize security bugs can impact safety
    No consistent threat model
    Different OEM designs mean different risks
    Varied components and availability

  13. Drowning in Standards
    Proprietary Standards
    Most not freely available
    [Figure: standards named on the slide: SAE J1698, ISO 15765-2, ISO-TP, SAE J1850, ISO 9141-2, KWP2000, IEEE 802.1AS, ISO 14230-3, ISO 15764, ISO 14229, NTCIP 1202, ISO 15765-3, SAE J1939-71, SAE J1939-73, CCP]

  14. Prior Research
    Keyless Entry
      RollJam
      Megamos (VW, etc)
    Remote Unlock, OnStar et al
      OwnStar
    Remote Control
      Valasek/Miller Jeep
    Academic Researchers
      Karl Koscher, Stephen Checkoway et al.
    [Image: Samy Kamkar's "RollJam" device]

  15. Automotive Topology and Threat Model
    http://www.intechopen.com/books/vehicular-technologies-deployment-and-applications/smart-vehicles-technologies-and-main-applications-in-vehicular-ad-hoc-networks

  16. The Modern Automobile
    [Figure labels: Sensors, Infotainment, Adaptive Cruise Control, Tire Pressure Monitoring, Exposed Wiring, (Remote) Diagnostics, Rear-Seat Infotainment, (Remote) Keyless Entry, Telematics Control Units]

  17. Modern Components
    Electronic Control Units
      Many, distributed throughout the car.
      Different sub-systems have their own ECU (drive train, cruise control, brakes, etc.).
    In-Vehicle Infotainment (IVI)
      Most powerful ECU of the vehicle
      Exposes a huge attack surface
    Sensors
      Lidar
      Parking Sensors
      Rear-View Camera

  18. Well Connected? - Buses
    Vehicular Buses
      Connecting different ECUs of the vehicle
      Different speeds and technologies
    Common Types
      Control Area Network (CAN)
      Local Interconnect Network (LIN)
      Media Oriented System Transport (MOST)
      FlexRay
      Ethernet

  19. CAN Bus Basics
    Broadcast System
      No authentication
    Addressing
      Arbitration ID: 11-bit (or 29-bit)
      Lower ID has higher priority
    Speed
      High-Speed: 500 Kbps
    Data Format
      More complex protocols built on top
    [Figure: CAN frame fields: 11-bit ID, Data Length, 8 bytes data, CRC, ACK, EOF, IFS]

  20. CAN Bus Continued
    ISO-TP (ISO 15765-2)
      Chains CAN messages
      Send up to 4096 bytes
    Unified Diagnostic System
      Standardized system to access vehicle information
      Including Diagnostic Trouble Codes
      Proprietary codes per manufacturer
      Uses ISO-TP
      Response to request has ECU arbitration ID + 8
      Basic security for sensitive functions
      Seed algorithm, sometimes static response
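
The ISO-TP chaining and the "arbitration ID + 8" response rule from this slide, as an added Python example that is not part of the original deck: it reassembles a multi-frame UDS response from raw CAN frames and rejects out-of-order sequences. The IDs 0x7E0/0x7E8, the payload and all function names are constructed for illustration.

```python
# Added example, not from the talk: ISO-TP reassembly of a UDS response.
UDS_RESPONSE_OFFSET = 8  # per the slide: response ID = request ID + 8


class IsoTpError(ValueError):
    """A frame sequence that violates ISO-TP framing."""


def reassemble(frames, request_id):
    """Rebuild one ISO-TP payload from (arbitration_id, data) CAN frames."""
    response_id = request_id + UDS_RESPONSE_OFFSET
    payload, total, next_seq = bytearray(), None, 1
    for can_id, data in frames:
        if can_id != response_id or not data:
            continue  # CAN is broadcast: skip other arbitration IDs
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0x0 and total is None:  # single frame, low nibble = length
            if not 1 <= low <= len(data) - 1:
                raise IsoTpError("bad single-frame length")
            return bytes(data[1:1 + low])
        if kind == 0x1 and total is None and len(data) >= 2:  # first frame
            total = (low << 8) | data[1]  # 12-bit total payload length
            payload += data[2:8]
        elif kind == 0x2 and total is not None:  # consecutive frame
            if low != next_seq:
                raise IsoTpError(f"expected sequence {next_seq}, got {low}")
            next_seq = (next_seq + 1) & 0x0F  # counter wraps 15 -> 0
            payload += data[1:8]
        else:
            raise IsoTpError(f"unexpected frame type {kind:#x}")
        if len(payload) >= total:
            return bytes(payload[:total])  # drop padding in the last frame
    raise IsoTpError("message incomplete")


# Constructed capture: reply to a request on ID 0x7E0 carrying the bytes
# 62 F1 90 and a made-up 17-character VIN, with unrelated traffic mixed in.
SAMPLE_FRAMES = [
    (0x7E8, bytes([0x10, 0x14, 0x62, 0xF1, 0x90]) + b"TES"),
    (0x123, bytes([0x11, 0x22])),
    (0x7E8, bytes([0x21]) + b"TVIN000"),
    (0x7E8, bytes([0x22]) + b"0000001"),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE_FRAMES, 0x7E0))
```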

  21. CAN Bus
    [Figure: one CAN bus. Nodes: Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag, Power Train. IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160]

  22. Multiple CAN Buses
    [Figure: two buses, CAN 1 and CAN 2, joined by a CAN Gateway. Nodes: Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag, Power Train. IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160]
    CAN Gateway: Essentially a basic firewall filtering by ID.
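
The gateway on this slide, modelled as an added Python example that is not part of the original deck: it filters by arbitration ID per direction and, going beyond the slide, adds a per-ID rate check. Which bus each ID sits on, the rate limits and all names are assumptions made for the example.

```python
# Added example, not from the talk: a CAN gateway modelled as an ID firewall.
from collections import defaultdict, deque

# Assumed policy: arbitration IDs allowed to cross in each direction, with a
# maximum frame count per window. The IDs are those on the slide; which bus
# they sit on and the limits are constructed for this example.
POLICY = {
    ("CAN1", "CAN2"): {0x100: 10, 0x110: 10},
    ("CAN2", "CAN1"): {0x150: 100},
}


class Gateway:
    def __init__(self, policy, window_ms=1000):
        self.policy = policy
        self.window_ms = window_ms
        self.recent = defaultdict(deque)  # (src bus, ID) -> timestamps in window
        self.alerts = []                  # (timestamp, src bus, ID, reason)

    def forward(self, ts_ms, src, dst, can_id):
        """Return True if a frame seen on src may be copied to dst."""
        limits = self.policy.get((src, dst), {})
        if can_id not in limits:
            self.alerts.append((ts_ms, src, can_id, "id not allowed"))
            return False
        seen = self.recent[(src, can_id)]
        while seen and ts_ms - seen[0] >= self.window_ms:
            seen.popleft()  # forget frames older than the window
        seen.append(ts_ms)
        if len(seen) > limits[can_id]:
            # Periodic traffic has a steady rate, so extra frames on an
            # allowed ID are the one anomaly an ID filter can still notice.
            self.alerts.append((ts_ms, src, can_id, "rate exceeded"))
            return False
        return True


def run(frames, policy=POLICY):
    """Feed (ts_ms, src, dst, can_id) tuples through a fresh gateway."""
    gw = Gateway(policy)
    passed = [f for f in frames if gw.forward(*f)]
    return passed, gw.alerts


# Constructed traffic: ten 0x100 frames at 100 ms spacing, an eleventh in the
# same second, an ID that is not allowed, and one frame on the reverse path.
SAMPLE = [(t, "CAN1", "CAN2", 0x100) for t in range(0, 1000, 100)] + [
    (950, "CAN1", "CAN2", 0x100),
    (960, "CAN1", "CAN2", 0x160),
    (970, "CAN2", "CAN1", 0x150),
]
```

A frame carrying an allowed ID at a normal rate passes whichever node sent it, which is the limit of filtering by ID on a bus with no authentication.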

  23. Different Threats
    * http://illmatics.com/remote%20attack%20surfaces.pdf

  24. Detailed Attack Surface Analysis

  25. Local vs Remote
    Local attacks
      USB
      OBD Port access
      Direct CAN bus access
      Physical disassembly
    Remote attacks
      Bluetooth
      Wi-Fi
      NFC
      Cellular
    [Image: Car Hacker’s Handbook, Craig Smith]

  26. How exploitable?
    Mass compromise
      Locally or remotely exploitable with widespread impact
      Thousands(+) affected across multiple models
    Targeted
      One specific type of model, OEM or individual target
      Specific target in mind

  27. The Overall Vehicle
    Telematics
      Send, receive data via telecommunication devices
      Require access to data from various ECUs
      IEEE 802.11p
      GSM/GPRS Modems
      NGTP

  28. The Overall Vehicle cont.
    Remote keyless entry (RKE)
      Many use poor cryptographic implementations
      Poorly made smart app components
      Can also provide remote keyless ignition (RKI)
    Rear-view Cameras
      Externally accessible
      Video stream is processed by native code
    Tire Pressure Monitor
      Unencrypted RF communications
      Connected to ECU(s)

  29. Are you not infotained?
    In-Vehicle Infotainment (IVI) AKA Head Unit
      ECU with most attack surface in modern vehicles
      Run a variety of different OS
      Various configurations and capabilities

  30. Are you not infotained?
    [Figure labels: Video Decoder, SPI, Temperature, Gyroscope, Accelerometer, CAN, IOC, Debugging, SOC, Infotainment Systems, Car Systems]

  31. Are you not infotained?
    Local IVI attack surface
      USB
      Hardware debugging
      Built-in applications
      Other serial interfaces
    Other local attack surface
      CAN
      UDS
        Change VIN
        Read sensitive data from ECU
      OBD-II

  32. Are you not infotained?
    Wireless/Remote attack vectors
      Bluetooth
      Wi-Fi
      NFC
      DAB / Satellite radio
      GPS
      Telematics

  33. IVI Operating Systems (ARM)
    Android
      Almost always out of date and unpatched
      Trivial to gain root access
    QNX
      Frustrating to work with!
      Need to build useful tools from source
      Non-trivial to get cross-compile environment going
      Well documented but sparse on useful details
    Linux
      Easiest to instrument and test
      Relatively up to date

  34. Software Updates
    Install types
      Via USB stick
      Over-the-air
    Typical Security issues
      Lack of or weak signing
      Lack of or no integrity checking
      Executes as root
      Updates critical firmware
      Persistence

  35. Vendor “smart” app control
    Control vehicle functions
      Unlock doors
      Remote start
      Track location
    Poor quality software
      Hardcoded secrets
      Interceptable communications
      Exposed backend APIs

  36. Smartphone Integration
    Compromised device
    Allows potential control over IVI -> vehicle
    OEM-Specific Integrations
    SmartDeviceLink by Toyota
    SYNC AppLink by Ford
    AHA by Harman
    Proprietary protocols between phone and vehicle
    May tunnel IP over serial over USB / Bluetooth

  37. Generic Smartphone Integration
    CarPlay
      Connect via USB or Bluetooth (still rare)
      Uses TCP/IP(v6)
      IPv6 often forgotten in IVI hardening
      Streams screen contents, similar to AirPlay
      Reverse channel for user input
    Android Auto
      Connect via USB and pair over Bluetooth (no wireless only option)
      Requires Android 5.x or higher
      Access to many of the car’s sensors and inputs
      We’re still researching this heavily :)

  38. Jumpstart Your Research

  39. Get started
    Steep cost?
    It can be costly… but doesn't have to be
    Depends on what you want to research

  40. Get started - A lot to explore!
    Use existing knowledge to attack the IVI
      Bluetooth
      Wi-Fi
      System Security
      Network / Services
    Explore Vehicle Networks and Segregation
    Understand vehicle protocol

  41. Bench Testing
    Depending on model, $500 USD+

  42. Helpful links for Argentina
    dealextreme.com
    aliexpress.com
    taobao.com

  43. CAN Bus
    Hardware
      USB2CAN
      $65 USD
      http://shop.8devices.com/
    Software
      SocketCAN
      Linux Kernel Support for CAN
    $ ./candump vcan0
    vcan0 123 [2] 11 22
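
An added Python example, not from the deck, that parses candump output like the line on this slide and applies the frame rules from the CAN Bus Basics slide (11-bit or 29-bit ID, up to 8 data bytes, lower ID wins). It covers classic CAN data frames only; the extra log lines and all function names are constructed.

```python
# Added example, not from the talk: parse candump-style lines (classic CAN)
# and order the frames by arbitration priority.
import re
from typing import NamedTuple

LINE = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})\s+\[(\d)\]((?:\s+[0-9A-Fa-f]{2})*)\s*$"
)


class Frame(NamedTuple):
    iface: str
    can_id: int
    extended: bool  # True for a 29-bit ID (printed as 8 hex digits)
    data: bytes


def parse_line(line):
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    iface, id_hex, dlc, payload = m.groups()
    extended = len(id_hex) == 8
    can_id = int(id_hex, 16)
    if can_id > (0x1FFFFFFF if extended else 0x7FF):
        raise ValueError(f"ID {id_hex} does not fit the ID field")
    data = bytes.fromhex("".join(payload.split()))
    if int(dlc) > 8 or int(dlc) != len(data):
        raise ValueError(f"length [{dlc}] does not match {len(data)} data bytes")
    return Frame(iface, can_id, extended, data)


def arbitration_key(frame):
    # IDs are compared bit by bit from the top. A 29-bit ID starts with an
    # 11-bit base, so it competes on that base first; on a tie the 11-bit
    # frame wins.
    if frame.extended:
        return (frame.can_id >> 18, 1, frame.can_id & 0x3FFFF)
    return (frame.can_id, 0, 0)


def by_priority(log):
    """Parse a log and return its frames, arbitration winner first."""
    lines = [l for l in log.splitlines() if l.strip()]
    return sorted((parse_line(l) for l in lines), key=arbitration_key)


# Constructed log; the first line is the one shown on the slide.
SAMPLE_LOG = """\
vcan0 123 [2] 11 22
  vcan0  124   [1]  FF
  vcan0  048C0001   [3]  AA BB CC
  vcan0  0F0   [8]  00 01 02 03 04 05 06 07
"""
```

The third sample line shows why numeric order is not enough: 0x048C0001 is a larger number than 0x124 but has the base 0x123, so it wins arbitration against 0x124 and loses only to the 11-bit 0x123.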

  44. Car Connection
    On-Board Diagnostic Interface
    Connect via OBD-II port
    Limited CAN bus access
    $10 - $20 USD

  45. Car Connection
    Back Probes
    Tap into plugs in vehicle
    $10 - $30 USD
    (eBay, Amazon)

  46. IVI - Hardware Analysis
    JTAGulator
      http://www.grandideastudio.com/portfolio/jtagulator/
      $169 USD
      On-Chip Debugging via JTAG
      24 channels
      Determine JTAG pin-outs

  47. IVI - Hardware Analysis
    BusPirate
      http://dangerousprototypes.com/docs/Bus_Pirate_v4_design_overview
      ~$40 USD
      SPI, I2C, UART, JTAG
    Shikra
      http://int3.cc/products/the-shikra
      $45 USD
      JTAG, SPI, I2C, UART

  48. Commercial Software
    Vector CANalyzer
      Bus Analysis
      $1,800 USD (Fundamental) - $4,500 USD (Professional)
    Vector CANoe
      CANalyzer++
      Simulations, Diagnostics, Development, Analysis
      $12,000 USD
    Require Custom Hardware
      $800 - $1,000 USD
    Only Allow In-Spec Testing

  49. Learn More
    Car Hacker’s Handbook
      Craig Smith, No Starch Press, ISBN: 978-1-59327-703-1
    Papers
      Charlie Miller and Chris Valasek
        Adventures in Automotive Networks and Control Units, 2014
        Remote Exploitation of an Unaltered Passenger Vehicle, 2015
      Checkoway et al.
        Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX 2011
      Koscher et al.
        Experimental Security Analysis of a Modern Automobile, IEEE SSP 2010
      Foster et al.
        Fast and Vulnerable: A Story of Telematics Failures, WOOT '15
    Trainings
      For example, Craig Smith and CanBusHack (Robert Leale)

  50. Conclusions
    1. Cars present a unique attack surface and a complex problem to solve for security people.
    2. Cars continue to get more advanced and thus expose more interesting attack vectors over time as they become more connected.
    3. Car security research does not have to be costly depending on the intended goal.

  51. Thank you!
    Questions?
    NCC Group’s automotive cyber security practice
    Website: www.nccgroup.trust/automotive
    Contact: [email protected]
    Daniel A. Mayer
    @DanlAMayer
    Drew Suarez
    @utkan0s