Episode I: Hacker Menace
Brief History
• 1913 – Ford’s first Assembly Line
– What wires there were, were direct feed
• 1968 – VW puts first on-board computer
• 1975 – Datsun 280Z – real-time fuel injection
• 1980 – First Remote Keyless Entry (RKE) systems in Fords
• 1991 – OBD-I and California Air Resources Board
• 1993 – Smart Key (Passive Key) in Chevy Corvette
• 1996 – OBD-II mandatory for all cars sold in US
• Late 1990’s – Firestone recall (100+ deaths)
• 2001 – EOBD mandatory for petrol vehicles sold in EU
• 2007 – TPMS mandated in all cars in US (ref Firestone)
• 2008 – ISO 15765-4 (CAN) required for all cars sold in US
Automobiles are made of many parts
Overview of Automotive Communication
• Digital communication
• Shared medium
– Reduce Heavy Wiring Harnesses!
• CAN Bus – ISO 11898
• LIN – Broadcast Serial
• K-LINE, L-LINE – ISO 9141 (OBD)
• J1850 and the last generation
• Others
• Warning: MANY AND VARIED STANDARDS AHEAD
– ISO and SAE
CAN details
• 1986 – First CAN protocol release by Bosch (CAN 2.0 in 1991)
• 1993 – ISO 11898, SAE J1939
• 8-byte messages
– Combined to form larger messages
• Arbitration ID (11-bit / 29-bit)
– Source?
– Dest?
– Type of message?
– Anything
• ISO 15765-2 – ISO/TP (up to 4k messages)
• Used for more than just Cars!
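
How 8-byte frames are combined into larger messages under ISO 15765-2, as an added Python example that is not part of the original slides. It assumes classic CAN with normal addressing; the class and function names, arbitration IDs and sample frames are constructed for illustration.

```python
class IsoTpError(Exception):
    """Raised when a frame violates ISO-TP framing rules."""

class Reassembler:
    """Tracks one in-progress message per arbitration ID (classic CAN, normal addressing)."""
    def __init__(self):
        self.state = {}  # arb_id -> [buffer, total_length, next_sequence_number]

    def feed(self, arb_id, data):
        """Consume one CAN data field; return the payload when complete, else None."""
        if not 1 <= len(data) <= 8:
            raise IsoTpError("classic CAN data field is 1..8 bytes")
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:  # Single Frame: low nibble is the payload length
            if not 1 <= low <= len(data) - 1:
                raise IsoTpError("bad single-frame length")
            self.state.pop(arb_id, None)
            return bytes(data[1:1 + low])
        if kind == 1:  # First Frame: 12-bit length (max 4095), then 6 payload bytes
            total = (low << 8) | data[1] if len(data) == 8 else 0
            if total < 8:
                raise IsoTpError("malformed first frame")
            self.state[arb_id] = [bytearray(data[2:]), total, 1]
            return None
        if kind == 2:  # Consecutive Frame: low nibble is the sequence number
            st = self.state.get(arb_id)
            if st is None:
                raise IsoTpError("consecutive frame without a first frame")
            if low != st[2]:
                del self.state[arb_id]
                raise IsoTpError("sequence number out of order")
            st[0] += data[1:]
            st[2] = (low + 1) & 0x0F  # sequence wraps 15 -> 0
            if len(st[0]) < st[1]:
                return None
            del self.state[arb_id]
            return bytes(st[0][:st[1]])  # trailing padding is dropped
        if kind == 3:  # Flow Control: sent by the receiver, carries no payload
            return None
        raise IsoTpError("reserved frame type")

# Constructed sample frames (not a capture): 18-byte message on 0x456, single frame on 0x123.
SAMPLE = [(0x456, bytes.fromhex("1012000102030405")), (0x123, bytes.fromhex("03aabbcc")),
          (0x456, bytes.fromhex("21060708090a0b0c")), (0x456, bytes.fromhex("220d0e0f1011aaaa"))]

def reassemble(frames):
    """Return (arb_id, payload) for every message completed by the frame sequence."""
    r = Reassembler()
    return [(i, p) for i, d in frames if (p := r.feed(i, d)) is not None]
```

The 12-bit length field in the First Frame is what caps a message at 4095 bytes, and the sequence check is where a dropped or injected Consecutive Frame shows up.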
Firmware Reflashing
• SAE J2534
• Intended to allow mechanics to update (“flash”) ECM’s without removing/touching them
• “Adding Functionality”
– Reflashing to remove hurdles
• CAN as a Post-Exploitation Playground
– Once you’ve connected to the CAN bus, game over. It’s all just details from there.
Voltage doesn’t kill people. Current does.
V2V Communication
• (from Wikipedia)
• Safety
• Traffic management
• Driver assistance systems
• Policing and enforcement
• Pricing and payments
• Direction and route optimization
• Advertising, Travel-related information
• General information services
• Automated highways
V2V
• 802.11ish Wireless Communications (5.9GHz)
– Between Vehicles on the road
– “…considerable research…ranging from safety to navigation and law enforcement.”
• PKI and Rolling Certificates
– Providing “Secure” communications
– Updated monthly in-transit
• Multiple technologies have been suggested
• My car becomes an attack tool
– Or grab a recent addition at the junk yard!
• And isn’t this technology supposed to control the steering, brakes, and accelerator!?
Privacy and TPMS
• TPMS sensors represent ISM-band wireless attack vectors directly against the Body Control Module (BCM)
– But wait! There’s more!
• TPMS Sensors have a pseudo-unique identifier
– And they broadcast plaintext messages
– Every 30 seconds or so
– IMME, RfCat, HackRF or other radio receiver
• Track specific vehicles
The Online Automobile
• Connectedness and its inherent concerns
– Wifi
– Bluetooth
– Internet Uplink
– “Third-Party Assistance”
– TPMS Sensors and Receivers
– Infotainment Systems: the Automotive Tonsils
• Chris and Charlie: Friend or Foe?
• Done. Now what?
Paths forward
• Segmentation and Intrusion Detection/Prevention
• What is being done?
– Patching Security flaws
• Updates via recall
• Cell
• On-street ISM Wireless
In your playtime…
• CanCat - Hacker tool for controlling/reversing CAN bus messages
• SocketCAN - Linux NIC for CAN
• OpenGarages.org (Craig Smith)
– Car Hackers Handbook
• CanBusHack.com (Robert Leale)
• iamthecavalry.org/automotive (Josh Corman)
Where have we been
• UW/UCSD research
– Attack Surface and Attacks on Automotive Components
• Charlie and Chris
– First showing how to manipulate CAN bus
– Latest showing One remote exploitation path
• Corey Thuen
– Progressive Insurance Dongle
• IamTheCavalry
– Calling Industry to Standards and Ratings
What to expect in the future
• Connectedness is everywhere
What to expect in the future
• Regulation:
– Will Markey/Blumenthal bill be the end?
– NERC CIP for Automotive?
• Automotive OEMs and Tier 1 companies
– Compliance: Likely
– Actively pursuing Security: Probably
– Defensible Automotive Design
– Proactive Product Evaluation/Hacking
• Tier 2+:
– Tier 1’s and OEM’s pressure, and help to “CTJ”
• Researchers:
– Diversify, gaining steam (blood in water)
– Deeper Hacks, more plentiful bounty
– Closer relationships between researchers and OEM/Tier1’s
What to expect in the future
• Big Business:
– Capitalizing on your data for $$$ and $$$
– Insurance companies figuring out to use tech to reduce their risk
– In-Car Targeted Advertising
• Sith:
– Stealing data (you sync your contacts with your car?!?)
– Auto-worms (Automorphic)
– Automotive Extortion
– Exploiting Manufacturers’ Back End systems through Cars
– “Enemy of the State” style assassination by vehicle.
• As passengers
• As targets of compromised vehicles
• If do right, no can forensicate!
Resources
• SocketCAN - ~$110-150 (depends on hardware)
– http://elinux.org/CAN_Bus
– https://canusb-shop.com/
• Komodo CanSolo - $350
– http://www.totalphase.com/products/komodo-cansolo/
• CanCat - $50
– https://github.com/atlas0fd00m/CanCat
• RfCat - $100
– https://rfcat.com
• HackRF - $300
– https://greatscottgadgets.com/hackrf/
Resources
• Wikipedia gets this right:
– https://en.wikipedia.org/wiki/CAN_bus
• Look for “Standards” and “Higher Layer” sections
• ISO 11898
• ISO 15765-2/4
• SAE J1939-15
• J1939 Document from Vector:
– http://vector.com/portal/medien/cmc/application_notes/AN-ION-1-3100_Introduction_to_J1939.pdf
• UCSD research:
– http://www.autosec.org/pubs/woot-foster.pdf
– http://www.autosec.org/pubs/cars-usenixsec2011.pdf
• UW/UCSD research:
– http://www.autosec.org/pubs/cars-oakland2010.pdf
• Legislation:
– http://www.markey.senate.gov/news/press-releases/markey-report-reveals-automobile-security-and-privacy-vulnerabilities
– http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/
Resources
• Open Garages – Car Hackers Handbook
– http://opengarages.org/handbook/
• Chris and Charlie
– http://www.countermeasure2013.com/documents/presentations/Miller_and_Valasek_Adventures_in_Automotive_Network_and_Control_Units.pdf
– http://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
– http://illmatics.com/Remote%20Car%20Hacking.pdf