Automotive Security

Who we are
- Drew Suarez
  - Principal Security Consultant, Research Director with NCC Group
  - Mobile / Android, IVI, firmware/system updates
- Daniel Mayer
  - Regional Director with NCC Group
  - Mobile / iOS, Auto threat modeling, IVI and CAN
- NCC Group
  - UK Headquarters, Worldwide Offices
  - Security Consulting, Software Escrow, Domain Services

Outline
1. Introduction to the Automotive Security Space
2. Automotive Topology and Threat Model
3. Detailed Attack Surface Analysis
4. Jumpstart Your Research
5. Conclusions

Automotive Security: Why Now?
- Traditionally
  - Safety
  - Physical security / theft
- Modern cars are more connected
- Push towards self-driving cars
  - Allows ECUs to partially control car
  - Potential for harm of people
- New Technologies bring new attack surfaces

Unique Challenges
- Supply Chains
  - Complex arrangements leave little control for OEMs
  - Influence on Tier 1 suppliers is limited
- Long Development Times
  - Outdated software and technology
- No security standards
- Vulnerabilities often unpatched
- Code/configurations often reused across different brands
- Embedded system developer mind-set

Unique Challenges cont.
- Usability and Passenger Safety
  - These requirements usually trump security concerns
  - Industry now beginning to realize security bugs can impact safety
- No consistent threat model
  - Different OEM designs mean different risks
  - Varied components and availability

Drowning in Standards
- Proprietary Standards
- Most not freely available
- Standards named on the slide: SAE J1698, ISO 15765-2, ISO-TP, SAE J1850, ISO 9141-2, KWP2000, IEEE 802.1AS, ISO 14230-3, ISO 15764, ISO 14229, NTCIP 1202, ISO 15765-3, SAE J1939-71, SAE J1939-73, CCP

Prior Research
- Keyless Entry
  - RollJam
  - Megamos (VW, etc)
- Remote Unlock, OnStar et al
  - OwnStar
- Remote Control
  - Valasek/Miller Jeep
- Academic Researchers
  - Karl Koscher, Stephen Checkoway et al.
[Figure: Samy Kamkar's "RollJam" device]

Automotive Topology and Threat Model
[Figure source: http://www.intechopen.com/books/vehicular-technologies-deployment-and-applications/smart-vehicles-technologies-and-main-applications-in-vehicular-ad-hoc-networks]

Modern Components
- Electronic Control Units
  - Many, distributed throughout the car.
  - Different sub-systems have their own ECU (drive train, cruise control, brakes, etc.).
- In-Vehicle Infotainment (IVI)
  - Most powerful ECU of the vehicle
  - Exposes a huge attack surface
- Sensors
  - Lidar
  - Parking Sensors
  - Rear-View Camera

Well Connected? - Buses
- Vehicular Buses
  - Connecting different ECUs of the vehicle
  - Different speeds and technologies
- Common Types
  - Controller Area Network (CAN)
  - Local Interconnect Network (LIN)
  - Media Oriented Systems Transport (MOST)
  - FlexRay
  - Ethernet

CAN Bus Basics
- Broadcast System
  - No authentication
- Addressing
  - Arbitration ID: 11-bit (or 29-bit)
  - Lower ID has higher priority
- Speed
  - High-Speed: 500 kbps
- Data Format
  - More complex protocols built on top
[Figure: CAN frame fields: 11-bit ID, Data Length, 8 bytes data, CRC, ACK, EOF, IFS]

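Why a lower arbitration ID wins the bus, as an added example that is not part of the original slides: nodes send their ID most significant bit first, a 0 (dominant) overrides a 1 (recessive), and a node that sends 1 but reads 0 stops transmitting. The IDs are taken from the bus diagram slide; the function names are illustrative.

```python
# Added example: bitwise arbitration on a CAN bus (wired-AND: 0 is dominant).
DOMINANT, RECESSIVE = 0, 1

def id_bits(arb_id, width=11):
    """Arbitration ID as bits, most significant first (transmission order)."""
    if not 0 <= arb_id < (1 << width):
        raise ValueError(f"ID 0x{arb_id:X} does not fit in {width} bits")
    return [(arb_id >> shift) & 1 for shift in range(width - 1, -1, -1)]

def arbitrate(contenders, width=11):
    """Return (winning_id, {losing_id: bit position where it backed off})."""
    active = set(contenders)
    if not active:
        raise ValueError("no contenders")
    bits = {i: id_bits(i, width) for i in active}
    lost_at = {}
    for pos in range(width):
        # The bus reads dominant if any node still transmitting drives a 0.
        bus = min(bits[i][pos] for i in active)
        for i in list(active):
            # A node that sent recessive but reads dominant stops transmitting.
            if bits[i][pos] == RECESSIVE and bus == DOMINANT:
                lost_at[i] = pos
                active.discard(i)
    (winner,) = active
    return winner, lost_at

# IDs taken from the bus diagram slide; which ECU owns which ID is not assumed.
SLIDE_IDS = [0x160, 0x110, 0x100]

if __name__ == "__main__":
    winner, lost_at = arbitrate(SLIDE_IDS)
    print(f"winner: 0x{winner:03X}")
    for arb_id, pos in sorted(lost_at.items()):
        print(f"0x{arb_id:03X} backed off at ID bit {pos}")
```

Bit positions count from 0 at the most significant ID bit, so a smaller position means the node lost arbitration earlier.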
CAN Bus Continued
- ISO-TP (ISO 15765-2)
  - Chains CAN messages
  - Send up to 4096 bytes
- Unified Diagnostic Services (UDS)
  - Standardized system to access vehicle information
  - Including Diagnostic Trouble Codes
  - Proprietary codes per manufacturer
  - Uses ISO-TP
  - Response to request has ECU arbitration ID + 8
  - Basic security for sensitive functions
    - Seed algorithm, sometimes static response

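How ISO-TP chains CAN frames and how a UDS reply is found at the request ID + 8, as an added example that is not part of the original slides. It reads candump-style lines, reassembles single, first and consecutive frames, and pairs request with response; the capture, the IDs 7E0/7E8 and the VIN in it are constructed, and the function names are illustrative.

```python
# Added example; SAMPLE_LOG is constructed (candump-style lines, made-up VIN).
SAMPLE_LOG = [
    "vcan0  7E0   [8]  03 22 F1 90 00 00 00 00",  # single frame: UDS request
    "vcan0  7E8   [8]  10 14 62 F1 90 54 45 53",  # first frame, 0x014 = 20 bytes
    "vcan0  7E0   [8]  30 00 00 00 00 00 00 00",  # flow control from requester
    "vcan0  7E8   [8]  21 54 56 49 4E 30 30 30",  # consecutive frame, seq 1
    "vcan0  7E8   [8]  22 30 30 30 30 30 30 31",  # consecutive frame, seq 2
]

def parse_candump(line):
    """'vcan0  7E8  [8]  10 14 ...' -> (arbitration_id, data bytes)."""
    _iface, can_id, _dlc, *data = line.split()
    return int(can_id, 16), bytes(int(b, 16) for b in data)

def reassemble(lines):
    """[(arbitration_id, payload)] per complete message; flow control is skipped."""
    pending, done = {}, []      # pending: id -> [total_len, next_seq, buffer]
    for line in filter(str.strip, lines):
        arb_id, data = parse_candump(line)
        if len(data) < 2:
            continue
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:                                   # single frame
            done.append((arb_id, data[1:1 + low]))
        elif kind == 1:                                 # first frame
            pending[arb_id] = [(low << 8) | data[1], 1, bytearray(data[2:])]
        elif kind == 2 and arb_id in pending:           # consecutive frame
            total, seq, buf = pending[arb_id]
            if low != seq:                              # gap: discard message
                del pending[arb_id]
                continue
            buf += data[1:]
            pending[arb_id][1] = (seq + 1) & 0x0F
            if len(buf) >= total:
                done.append((arb_id, bytes(buf[:total])))
                del pending[arb_id]
    return done

def pair_uds(messages):
    """Match each request with the reply on request ID + 8 (as on the slide)."""
    pairs = []
    for n, (req_id, req) in enumerate(messages):
        # Positive replies echo the service ID + 0x40; 0x7F marks a negative one.
        wanted = (bytes([(req[0] + 0x40) & 0xFF]), b"\x7f") if req else ()
        for resp_id, resp in messages[n + 1:]:
            if resp_id == req_id + 8 and resp[:1] in wanted:
                pairs.append((req_id, req, resp))
                break
    return pairs
```

Calling pair_uds(reassemble(SAMPLE_LOG)) yields one pair: the three-byte request on 0x7E0 and the 20-byte reply on 0x7E8 rebuilt from three frames.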
CAN Bus
[Figure: a single CAN bus connecting Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train; arbitration IDs shown: 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160]

Multiple CAN Buses
[Figure: Infotainment, Parking Aid, Body Control Unit, Instruments, HVAC, Airbag and Power Train (IDs 0x100, 0x110, 0x120, 0x130, 0x140, 0x150, 0x160) split across CAN 1 and CAN 2, joined by a CAN Gateway]
- CAN Gateway
  - Essentially a basic firewall filtering by ID.

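A gateway that filters by ID is only as tight as its rules, so the following added example (not part of the original slides) audits a rule set by enumerating every 11-bit ID and listing what each direction forwards beyond its intended set. It assumes ID/mask rules in the style of SocketCAN's can_filter (a frame matches when received_id & mask == rule_id & mask); the policy, the bus layout and all names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str            # bus the frame arrives on
    dst: str            # bus it is forwarded to
    can_id: int
    mask: int = 0x7FF   # 0x7FF compares all 11 ID bits (exact match)

def forward(rules, src, arb_id):
    """Default deny: destination bus for a frame, or None if no rule matches."""
    for rule in rules:
        if rule.src == src and (arb_id & rule.mask) == (rule.can_id & rule.mask):
            return rule.dst
    return None

def audit(rules, intended):
    """IDs the rule set forwards beyond what each direction is meant to pass.
    intended maps (src, dst) to a set of IDs; returns {(src, dst): [extra IDs]}."""
    extra = {}
    for src in sorted({rule.src for rule in rules}):
        for arb_id in range(0x800):                 # every 11-bit ID
            dst = forward(rules, src, arb_id)
            if dst is not None and arb_id not in intended.get((src, dst), set()):
                extra.setdefault((src, dst), []).append(arb_id)
    return extra

# Constructed policy. Assumed layout (not stated on the slides): the head unit
# and parking aid sit on CAN 2, everything else on CAN 1.
RULES = [
    Rule("CAN1", "CAN2", 0x130),            # exact match
    Rule("CAN1", "CAN2", 0x140, 0x7F0),     # low nibble ignored: too broad
    Rule("CAN2", "CAN1", 0x110),
]
INTENDED = {("CAN1", "CAN2"): {0x130, 0x140}, ("CAN2", "CAN1"): {0x110}}

if __name__ == "__main__":
    for (src, dst), ids in audit(RULES, INTENDED).items():
        print(src, "->", dst, "also passes", [hex(i) for i in ids])
```

The decision uses only the arrival bus and the ID; because CAN frames carry no sender authentication, the gateway cannot tell which node on that bus produced a frame.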
Local vs Remote
- Local attacks
  - USB
  - OBD Port access
  - Direct CAN bus access
  - Physical disassembly
- Remote attacks
  - Bluetooth
  - Wi-Fi
  - NFC
  - Cellular
[Figure: Car Hacker’s Handbook, Craig Smith]

How exploitable?
- Mass compromise
  - Locally or remotely exploitable with widespread impact
  - Thousands(+) affected across multiple models
- Targeted
  - One specific type of model, OEM or individual target
  - Specific target in mind

The Overall Vehicle
- Telematics
  - Send, receive data via telecommunication devices
  - Require access to data from various ECUs
  - IEEE 802.11p
  - GSM/GPRS Modems
  - NGTP

The Overall Vehicle cont.
- Remote keyless entry (RKE)
  - Many use poor cryptographic implementations
  - Poorly made smart app components
  - Can also provide remote keyless ignition (RKI)
- Rear-view Cameras
  - Externally accessible
  - Video stream is processed by native code
- Tire Pressure Monitor
  - Unencrypted RF communications
  - Connected to ECU(s)

Are you not infotained?
- In-Vehicle Infotainment (IVI)
  - AKA Head Unit
  - ECU with most attack surface in modern vehicles
  - Run a variety of different OS
  - Various configurations and capabilities

Are you not infotained?
[Figure: IVI block diagram; labels: Video Decoder, SPI, Temperature, Gyroscope, Accelerometer, CAN, IOC, Debugging, SOC, Infotainment Systems, Car Systems]

Are you not infotained?
- Local IVI attack surface
  - USB
  - Hardware debugging
  - Built-in applications
  - Other serial interfaces
- Other local attack surface
  - CAN
  - UDS
    - Change VIN
    - Read sensitive data from ECU
  - OBD-II

IVI Operating Systems (ARM)
- Android
  - Almost always out of date and unpatched
  - Trivial to gain root access
- QNX
  - Frustrating to work with!
  - Need to build useful tools from source
  - Non-trivial to get cross-compile environment going
  - Well documented but sparse on useful details
- Linux
  - Easiest to instrument and test
  - Relatively up to date

Software Updates
- Install types
  - Via USB stick
  - Over-the-air
- Typical Security issues
  - Lack of or weak signing
  - Lack of or no integrity checking
  - Executes as root
  - Updates critical firmware
  - Persistence

Smartphone Integration
- Compromised device
  - Allows potential control over IVI -> vehicle
- OEM-Specific Integrations
  - SmartDeviceLink by Toyota
  - SYNC AppLink by Ford
  - AHA by Harman
- Proprietary protocols between phone and vehicle
  - May tunnel IP over serial over USB / Bluetooth

Generic Smartphone Integration
- CarPlay
  - Connect via USB or Bluetooth (still rare)
  - Uses TCP/IP(v6)
    - IPv6 often forgotten in IVI hardening
  - Streams screen contents, similar to AirPlay
  - Reverse channel for user input
- Android Auto
  - Connect via USB and pair over Bluetooth (no wireless only option)
  - Requires Android 5.x or higher
  - Access to many of the car’s sensors and inputs
  - We’re still researching this heavily :)

Get started - A lot to explore!
- Use existing knowledge to attack the IVI
  - Bluetooth
  - Wi-Fi
  - System Security
  - Network / Services
- Explore Vehicle Networks and Segregation
- Understand vehicle protocol

CAN Bus
- Hardware
  - USB2CAN
  - $65 USD
  - http://shop.8devices.com/
- Software
  - SocketCAN
  - Linux Kernel Support for CAN

    $ ./candump vcan0
    vcan0 123 [2] 11 22

Learn More
- Car Hacker’s Handbook
  - Craig Smith, No Starch Press, ISBN: 978-1-59327-703-1
- Papers
  - Charlie Miller and Chris Valasek
    - Adventures in Automotive Networks and Control Units, 2014
    - Remote Exploitation of an Unaltered Passenger Vehicle, 2015
  - Checkoway et al.
    - Comprehensive Experimental Analyses of Automotive Attack Surfaces, USENIX 2011
  - Koscher et al.
    - Experimental Security Analysis of a Modern Automobile, IEEE SSP 2010
  - Foster et al.
    - Fast and Vulnerable: A Story of Telematics Failures, WOOT '15
- Trainings
  - For example, Craig Smith and CanBusHack (Robert Leale)

Conclusions
1. Cars present a unique attack surface and a complex problem to solve for security people.
2. Cars continue to get more advanced and thus expose more interesting attack vectors over time as they become more connected.
3. Car security research does not have to be costly depending on the intended goal.