Post on 12-Sep-2014
In vehicle CAN network security
An overview
Bogdan-Ioan Şuta
• System manager at AtoS IT Solutions and Services
• Former Embedded C developer at Hella Romania
• Graduated with a Master's in Automotive Embedded Software from "Politehnica" University of Timisoara
• Interested in computers, cars and anything in between
IN VEHICLE NETWORKS
Overview
In vehicle networks
• Used for information sharing between ECUs (Electronic Control Unit)
• Reduce the number of wires needed inside a vehicle between ECUs
• Come in many forms:
– By medium: two-wire, one-wire, optical, wireless
– By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K Line etc.
In vehicle networks
CONTROLLER AREA NETWORK
Overview
Controller Area Network
• Developed by Robert Bosch GmbH in 1983
• Designed for electrically noisy environments
• Baud rates of up to 1Mb/s
• Broadcast type network
• Frames composed of (minimalistic):
– ID field – used for arbitration – either 11 or 24 bits long
– Data Field – actual transported data – up to 8 bytes
– CRC Field – for error correction – 15 bits
HACKING VEHICLE NETWORKS
Hacking vehicle networks
• MIT did it:
– Comprehensive Experimental Analyses of Automotive Attack Surfaces - http://youtu.be/bHfOziIwXic
• Blogs made tutorials for it:
– Hack a day - http://hackaday.com/2013/10/21/can-hacking-introductions/
• Individuals also tried their luck:
– http://secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html
Hacking vehicle networks
• Various hardware is available to do it:
– The OpenXC Platform - http://openxcplatform.com/
– Arduino shields are available - http://www.skpang.co.uk/catalog/arduino-canbus-shield-with-usd-card-holder-p-706.html
– Custom – any microcontroller with a CAN controller and a CAN transceiver will work
MY ATTEMPTS
At hacking the CAN bus
Proposition
• Connect to the CAN bus
• Identify messages being transmitted on the bus
• Perform spoofing and flood attacks
• Do not get into diagnostic based attacks (change odometer, disable immobilizer)
Setup
• VW Passat 2001
• Breadboard
• mBed LPC 1768 development board
• 2x Microchip MCP 2551 CAN transceivers
• PC with Tera Term used for communicating with the mBed
• mBed programmed for CAN monitoring, flooding and spoofing
• First connection attempt:
– Male OBD-II connector connected to the diagnostic port of the car
• Second attempt:
– Twisted pair of conductors from a CAT-5 cable connected at the back of the VW Climatronic
FIRST ATTEMPT
Using OBD connector
OBD Cable
First attempt: FAILED
• Communication was not possible
• Subject car does not have CAN on the OBD-II Connector
• Only K line was present
SECOND ATTEMPT
Direct connection
Connection to car
Second attempt: SUCCESS
• A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html
• Connected to Convenience CAN
• Baud rate of 100kb/s
• Communication established
A bit of sniffing…
• Found CAN messages from
– Door locks
– Electric windows
  • Position of window
  • Status of button (pressed, not pressed)
– Instruments backlighting value
– Lots of other data for which I couldn’t find a correlation
Some spoofing…
• Sending commands that would originate from the Body Control Module
VIDEO Power windows
And some flooding
• Sending a very high priority CAN message on the network continuously
• Using hardware interrupts so no delays occur
VIDEO Car door locks
Security issues
• No authentication of nodes
• Messages are not scrambled
• Security by obscurity
Counter measures
• Researched and developed by many universities and companies:
– Efficient Protocols For Secure Broadcast In Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/CAN-Sec.pdf
– LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf
– Broadcast Authentication in a Low Speed Controller Area Network - http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf
– Low cost multicast network authentication for embedded control systems - http://128.2.129.29/research/publications/2012/CMU-ECE-2012-011.pdf
– Many more
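The spoofing shown earlier works because a receiver cannot tell which node sent a frame. As an added illustration (not from the original slides and not an implementation of any of the papers listed above), this Python sketch shows the general idea behind such countermeasures: a truncated HMAC and a counter packed into the 8-byte data field. The key, the 4+1+3 byte split and CAN ID 0x181 are assumptions made for the example.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; assumed pre-shared by both ECUs
DATA_LEN, MAC_LEN = 4, 3  # 4 data bytes + 1 counter byte + 3 MAC bytes = 8

def tag_for(can_id, counter, data):
    # The MAC covers the ID and counter too, so a tag cannot be moved to
    # another message ID or reused with an old counter value.
    msg = struct.pack(">IB", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(can_id, counter, data):
    """Sender side: return (can_id, 8-byte payload)."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly 4 bytes")
    return can_id, data + bytes([counter]) + tag_for(can_id, counter, data)

class Receiver:
    def __init__(self):
        self.last = {}  # last accepted counter per CAN ID

    def accept(self, can_id, payload):
        """Return the 4 data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != 8:
            return None
        data, counter, tag = payload[:4], payload[4], payload[5:]
        if not hmac.compare_digest(tag, tag_for(can_id, counter, data)):
            return None  # sender does not hold the key, or frame was altered
        last = self.last.get(can_id)
        # Accept only counters 1..127 steps ahead (mod 256) of the last one.
        if last is not None and not 1 <= (counter - last) & 0xFF <= 127:
            return None  # replayed or stale frame
        self.last[can_id] = counter
        return data

if __name__ == "__main__":
    rx = Receiver()
    frame = build_frame(0x181, 1, b"\x01\x00\x00\x00")  # 0x181 is a constructed ID
    print(rx.accept(*frame))  # genuine frame
    print(rx.accept(*frame))  # same frame replayed
```

The 3-byte tag and 1-byte counter are sized only to fit a single 8-byte CAN frame; they halve the usable payload and give limited forgery and replay margins, which is the trade-off the cited research addresses.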
CONCLUSIONS
Conclusions
• Hacking vehicle networks is EASY
• Through trial and error much information can be obtained -> security by obscurity is not sufficient
• With great power comes great responsibility
– Getting information from the vehicle bus can enhance use of the vehicle
– People with bad intentions can cause damage and injuries
Contributors
• Ioan Dubar
• Alexandru Leipnik
• Bogdan Groza
• Alexandru George Andrei
• My parents
Thank you.