Linux-Stack Based V2X Framework: SocketV2V All You Need to ... CON 25/DEF CON 25 presentations/DEF...
Transcript of Linux-Stack Based V2X Framework: SocketV2V All You Need to ... CON 25/DEF CON 25 presentations/DEF...
Linux-Stack Based V2X Framework: SocketV2VAll You Need to Hack Connected Vehicles
Duncan Woodbury, Nicholas Haltmeyer{[email protected], [email protected]}
DEFCON 25: July 29, 2017
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 1 / 48
State of the World: (Semi)Autonomous DrivingTechnologies
Vehicular automation widespread in global industry
Automated driving technologies becoming accessible to general public
Comms protocols used today in vehicular networks heavily flawed
New automated technologies still using CANBUS and derivatives
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 2 / 48
Stages of Autonomy
Today: Stage 2 Autonomy - Combined Function Automation
V2X: Stage 3 Autonomy - Limited Self-Driving Automation
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 3 / 48
Barriers to Stage 3+ Autonomy
Ownership of ethical responsibilities - reacting to safety-critical events
Technological infrastructureInstalling roadside units, data centers, etc.
Adaptive and intuitive machine-learning technology
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 4 / 48
V2X Concept
Vehicles and Infrastructure useWAVE over 5.8-5.9GHz adhocmesh network to exchange stateinformation
Link WAVE/DSRC radios tovehicle BUS to enableautomated hazard awarenessand avoidance
Technological bridge to fullyautonomous vehicles
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 5 / 48
Critical Aspects of V2V
High throughput vehicular ad hoc mesh network (VANET)
Provide safety features beyond capability of onboard sensors
Geared for homogeneous adoption in consumer automotive systems
Easy integration with existing transportation infrastructure
First application of stage 3 automation in consumer marketplace
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 6 / 48
Impact of V2X Technologies
Transportation network impacts all aspects of society
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 7 / 48
Impact of V2X Technologies: on Consumers
Safety benefits:Prevent 25,000 to592,000 crashesannuallyAvoid 11,000 to270,000 injuriesPrevent 31,000 to728,000 propertydamaging crashes
Tra�c flow optimization:27% reduction for freight23% reduction for emergency vehicles42% reduction on freeway (with cooperative adaptive cruise control &speed harmonization)
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 8 / 48
Impact of V2X Technologies: Global Industry
Scalable across industrialplatforms
Optimize swarm functionsImprove exchange of sensordata
Enhance/improve worker safetyVehicle-to-pedestrianConstruction, agriculture,maintenance
Improve logistical operations managementThink: air tra�c control for trucks
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 9 / 48
Impact of V2X Technologies: Critical Infrastructure
Provide interface for infrastructure to leverage VANET as carrier
Increase awareness of tra�c patterns in specific regionsAnalysis of network tra�c facilitates improvements in civil engineeringprocesses
Fast widespread distribution of emergency alerts
Reduce cost of public transit systems
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 10 / 48
Impact of V2X Technologies: Automotive Security
Wide open wireless attack vector into transportation network
Injections easily propagate across entire VANET
Wireless reverse engineering using 1609 and J2735
Easy to massively distribute information (malware)
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 11 / 48
Technologies Using V2X
Collision avoidance (Forward Collision Warning) systems
Advanced Driver Assistance Systems (ADAS)
Cooperative adaptive cruise control
Automated ticketing and tolling
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 12 / 48
Vision of SocketV2V
Security throughobscurity leads toinevitable pwning
Security communitymust be involved indevelopment ofpublic safety systems
Catalyze development of secure functional connected systems
Provide interface to VANET with standard COTS hardware
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 13 / 48
Background on SocketV2V
Linux V2V development begins November 2015
Large body of existing work found to be incompleteNo open-source implementation existsAttempts at integration in linux-wireless since 2004
Abandon e↵orts to patch previous attempts mid-2016
Two years of kernel debugging later, V2V is real
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 14 / 48
Motivation for V2X Development
Current standards for onboard vehicle communications not designedto handle VANET
Increase in automation ) increase in attack surface
Auto industry calling for proprietary solutionsLeads to a monopolization of technologyStandards still incomplete and bound for change, proprietary solutionsbecome obsoleteMultiple alternative standards being developed independently acrossborders
Imminent deployment requires immediate attention
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 15 / 48
Lessons Learned from Previous Epic Failure
1 You keep calling yourselfa kernel dev, I do notthink it means what youthink it means
2 Sharing is caring: closed-source development leads to failure
3 Standards committees need serious help addressing unprecedentedlevels of complexity in new and future systems
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 16 / 48
V2X Stack Overview
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 17 / 48
V2X Stack Overview: 802.11p
Wireless Access in Vehicular Environments
Amendment to IEEE 802.11-2012 to support WAVE/DSRC
PHY layer of V2X stack
No association, no authentication, no encryption
Multicast addressing with wildcard BSSID = {↵:↵:↵:↵:↵:↵}5.8-5.9GHz OFDM with 5/10MHz subcarriers
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 18 / 48
IEEE 1609
WAVE Short Message Protocol (WSMP)
1609.2 Security ServicesPKI, cert revocation, misbehavior reporting
1609.3 Networking ServicesAdvertisements, message fields
1609.4 Multi-Channel OperationChannel sync, MLMEX
1609.12 Identifier AllocationsProvider service IDs
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 19 / 48
IEEE 1609: WAVE Short Message
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 20 / 48
V2X Stack Overview: SAE J2735
Message dictionary specifying message formats, data elementsBasic safety message, collision avoidance, emergency vehicle alert, etc.ASN1 UPER specificationAlso supports XML encoding
Data element of Wave Short Message
Application-layer component of V2X stack
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 21 / 48
State of V2X Standards: Evolution
WAVE drafted in 2005, J2735 in 2006
WAVE revisions not backwards compatible
IEEE 1609.2 incomplete
J2735 revisions not backwards compatibleEncoding errors in J2735 ASN1 specification
3 active pilot studies by USDOT
Experimental V2X deployment in EU
Developmental status still in flux
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 22 / 48
Major Changes to the Standards
Refactoring of security services to change certificate structure
Refactoring of management plane to add services (P2PCD)
Refactoring of application layer message encoding formatMultiple times: BER ) DER ) UPER
Refactoring of application layer ASN1 configuration
Revision of trust management system - still incomplete
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 23 / 48
(Possibly Unintentional) Obfuscation of the Standards
No specification of handling for service management and RFoptimization
Minimal justification given for design choices
Introduction of additional ambiguity in message parsing (WRA IEXblock)
Redlining of CRC data element in J2735 messages
Refactoring of J2735 ASN1 to a non standard format
Proposed channel sharing scheme with telecom
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 24 / 48
Subtleties in WAVE/J2735
Ordering of certain fields not guaranteed in 1609
Type incongruities in 1609
Wave Information Element contains nested structures
Channel synchronization mechanism based on proximal VANET tra�c
Channel switching necessary with one-antenna systems
Implementation-specific vulnerabilities can e↵ect entire network
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 25 / 48
V2X Attack Surfaces
VANET accessible from a single endpointAttacks propagate easily across network
Entry point to all systems connected to V2X infrastructureManipulation of tra�c control systems: lights, bridgesPublic transportationTolling and financial systems
DSRC interface acts as entry point to onboard systemsWireless access to vehicle control BUSTransport malware across tra�cked borders
Privilege escalation in PKIHijacking emergency vehicle authorityCertificate revocation via RSU
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 26 / 48
Understanding the Adversary: Passive
Determine trajectory of cars within some radiusFew stations required to monitor a typical highway
Enumerate services provided by peers
Characterize network tra�c patterns within regions
Uniquely fingerprint network participants independent of PKIRF signatureProbe responsesBehavior patterns
Perform arbitrage on economic markets
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 27 / 48
Understanding the Adversary: ActiveDenial of service, MITM
Impersonate infrastructure pointManipulate misbehavior reports
Disrupt vehicle tra�cTarget specific platforms and individualsEconomic warfare: manipulation of supply/distribution networksBehavior modeling and manipulation
Privilege escalation in VANETParade as an emergency vehicle or moving toll station
Ad hoc PKI for application-layer services
Assume vehicle control via platooning service
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 28 / 48
V2X Threat Model: Applied
Network tra�c can be corrupted over-the-air
Ad hoc PKI can allow certificate hijacking
Diagnostic services in DSRC implementation expose vehicle controlnetwork
Valid DSRC messages can pass malicious instructions to infotainmentBUS
Fingerprinting possible regardless of PKI pseudonym scheme
Trust management services vulnerable to manipulationMisbehavior reportingCertificate revocationDenial of P2P certificate distribution
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 29 / 48
Our Solution: Just Use Linux
Platform-independent* V2X stack integrated in mainline Linux kernelNo proprietary DSRC hardware/software required - uses COTS hwExtensible in generic Linux environment*Currently supports ath9k
Implements 802.11p, IEEE 1609.{3,4} in Linux networking subsystemmac80211, cfg80211, nl802111609 module to route WSMP frames
Underlying 802.11 architecture compatible with Linux networkingsubsystem
Mainline kernel integration leads to immediate global deploymentThis enables rapid driver integration
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 30 / 48
SocketV2V: Implementing 802.11p in Linux Kernel
Add driver support forITS 5.825-5.925GHzband
Define ITS 5.8-5.9GHzchannels
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 31 / 48
SocketV2V: Implementing 802.11p in Linux Kernel
Modify kerneland userspacelocal regulatorydomain
Force use ofuser-specified regulatorydomain
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 32 / 48
SocketV2V: Implementing 802.11p in Linux Kernel
Enable filteringfor 802.11pframes
Require use ofwildcard BSSID
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 33 / 48
SocketV2V: Userspace Utility Modifications for 802.11p
Add iw commandfor joining 5GHzITS channelsusing OCB
Add iwdefinitions for5/10MHz-widthchannels in OCB
Use iw to joinITS spectrumwith COTS WiFihardware!
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 34 / 48
SocketV2V: Implementing WAVE in Linux
Functions to pack, parse, and broadcast messages
Relevant data structuresWSM, WSA, WRA, SII, CII, IEX
Full control of fieldssubtype, TPID, PSID, chan, tx power, data rate, location, etc.Operating modes for setting degree of compliance to standard (strict,lax, loose)
Channel switching, dispatch
Netlink socket interface to userspace
Userspace link to the 802.11p kernel routines
Manage channel switching using iw
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 35 / 48
WAVE Usage
Message fields set in struct wsmp wsm
WSMs encoded to bitstream through wsmp wsm encode
WSM bitstream decoded through wsmp wsm decode
Functions for generating random WSMP frames to specifiedcompliance
Opens socket to 802.11p wireless interface
Inject WSMs with prefix EtherType 0x86DC
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 36 / 48
WAVE Structs: WSM
WAVE ShortMessage:messageencapsulationand forwardingparameters(N-hop, flooding)
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 37 / 48
WAVE Structs: IEX
InformationElementExtension:optional fields forRF, routing, andservices
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 38 / 48
(More) WAVE Structs
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 39 / 48
SocketV2V: Implementing J2735
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 40 / 48
SocketV2V: Implementing J2735
Generate WSM
Pack J2735 msg inWSM data element
Serialize WSM
Tx usingpcap inject!
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 41 / 48
SocketV2V: Implementing J2735
Wireshark WSMP plugin incomplete per current 1609 encoding
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 42 / 48
SocketV2V: Implementing J2735
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 43 / 48
Future Pwning of ITS: You Wanna be a Master?
Level 1: Denial of ServiceSingle-antenna DSRC systems susceptible to collision attack
Level 2: DSRC spectrum sweep, enumerate proprietary (custom)services available per participant
Level 3: Impersonate an emergency vehicle
Level 4: Become mobile tollbooth
Level 1337: Remotely execute platooning serviceAssume direct control
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 44 / 48
Additional Forms of Pwning
Pandora’s box:Mass dissemination of malware
Passive surveillance withminimal e↵ort
Extract RF parameters forimaging
Reverse engineer systemarchitectures given enough data
Epidemic propagation model
Built in protocol switchingExfiltration over commbridges!
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 45 / 48
Developing Connected Vehicle Technologies
Widespread access enables engagement of security (1337) communityin standards development
Interact with existing V2X infrastructurePressure manufacturers and OEMs to implement functional V2V
Deploy ahead of market - experimental platformsUAS, maritime, orbital, heavy vehicles
Opportunity for empirical research: See what you can breakStraightforward to wardriveHook DIY radio (Pi Zero with 5GHz USB adapter) into CANBUS (forscience ONLY)
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 46 / 48
Acknowledgments
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 47 / 48
References
Check me out on GitHub: https://github.com/p3n3troot0r/socketV2V
Estimated Benefits of Connected Vehicle Applications – Dynamic MobilityApplications, AERIS, V2I Safety, and Road Weather Management Applications –U.S. Department of Transportation, 2015
Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application– U.S. Department of Transportation, National Highway Tra�c SafetyAdministration, 2014
William Whyte, Jonathan Petit, Virendra Kumar, John Moring and Richard Roy,”Threat and Countermeasures Analysis for WAVE Service Advertisement,” IEEE18th International Conference on Intelligent Transportation Systems, 2015
E. Donato, E. Madeira and L. Villas, ”Impact of desynchronization problem in1609.4/WAVE multi-channel operation,” 2015 7th International Conference onNew Technologies, Mobility and Security (NTMS), Paris, 2015, pp. 1-5.
Papernot, Nicolas, et al. ”Practical black-box attacks against deep learning systemsusing adversarial examples.”
p3n3troot0r, ginsback DEFCON: V2X DEFCON 25: July 29, 2017 48 / 48