SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle...
Transcript of SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle...
![Page 1: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/1.jpg)
SECURITY OF VEHICLE TELEMATICS SYSTEMS
Daniel Xiapu Luo
Department of Computing
The Hong Kong Polytechnic University
1
![Page 2: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/2.jpg)
2
![Page 3: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/3.jpg)
3
![Page 4: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/4.jpg)
TELEMATICS
4
![Page 5: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/5.jpg)
TELEMATICS
5
![Page 6: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/6.jpg)
OBD-II
On-Board DiagnosticPerform emissions related diagnostics;
Collect information from electronic control units (ECU);
Set ECU parameters;
Monitor engine and vehicle and even driver behaviors;
…
It can be exploited to attack the vehicle if a malicious dongle is plugged into it.
6
![Page 7: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/7.jpg)
CAN BUS
Controller Area Network
Data exchange among ECUs
More than one CAN bus in a vehicle
Eg: Infotainment CAN bus, Comfort CAN bus, Diagnostic CAN bus
Each CAN bus has multiple ECUs
Messages in different CAN buses are exchanged via gateway.
OBD-II port is directly connected to gateway.
External devices plugged into OBD-II port can access ECUs through gateway.
7
![Page 8: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/8.jpg)
CONTENT
Attack Surface of Telematics Systems
A Vulnerable Telematics System
Remote Attacks
How to Fix the Vulnerability?
Summary
8
![Page 9: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/9.jpg)
9
9
![Page 10: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/10.jpg)
APP – OWASP MOBILE TOP 10
10
M1 - Improper Platform Usage
M2 - Insecure Data Storage
M3 - Insecure Communication
M4 - Insecure Authentication
M5 -Insufficient
Cryptography
M6 - Insecure Authorization
M7 - Client Code Quality
M8 - Code Tampering
M9 – Reverse Engineering
M10 –Extraneous
Functionality
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
![Page 11: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/11.jpg)
WEB SERVICES – OWASP WEB TOP 10
11
A1 - Injection
A2 – Broken Authentication and Session
Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery
(CSRF)
A9 – Using Components with
Known Vulnerabilities
A10 –UnvalidatedRedirects and
Forwards
https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
![Page 12: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/12.jpg)
DEVICES
Insufficient Authentication/Authorization
Lack of Transport Encryption
Insecure Mobile Interface
Insufficient Security Configurability
Insecure Software/Firmware
Poor Physical Security
…
12
https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
![Page 13: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/13.jpg)
CONTENT
Attack Surface of Telematics Systems
A Vulnerable Telematics System
Remote Attacks
How to Fix the Vulnerability?
Summary
13
![Page 14: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/14.jpg)
DISCLAIMER
For this vulnerable telematics device, we have informed the corresponding company about the vulnerabilities and how to patch them with the help of HKCERT.
14
![Page 15: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/15.jpg)
DEVICE
Microprocessor + Bluetooth + CAN
No W/R protection
Communicate with its app through Bluetooth
15
Top Board: Bluetooth
Bottom Board: MCU + CAN
![Page 16: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/16.jpg)
DEVICE
Extract the original firmware!
16
JTAG Connection
Readout via J-Flash
Success!
![Page 17: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/17.jpg)
FIRMWARE
Analyse Firmware
17
Rea
dout B
in
Bluetooth Communication Data
APP Logs: Control Data
Commands
![Page 18: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/18.jpg)
APP
18
![Page 19: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/19.jpg)
APP
Code Snippet
No obfuscation and hardening ! ! !
![Page 20: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/20.jpg)
COMMUNICATION BETWEEN APP AND DEVICE
BluetoothSocket
Scan
Connect
Write
Read
Close20
![Page 21: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/21.jpg)
COMMUNICATION PROTOCOLATLOCK0
Split the bin file
into fragments Send the 1st fragment
ACK: 0x06 0x44 0x0D
Send the 2nd fragment
ACK: 0x06 0x44 0x0DSend the last fragment
ACK: 0x06 0x44 0x0D
Send “0x04”
ACK: 0x06 0x44 0x0DInstall the new Firmware !
Reverse-engineering the
firmware update protocol
ACK: >OK
ATBOOT
ACK: ELM 327 V1.5
ACK: XXXXXX 627 V1.6.1035ATBOOT
ACK: >ATBOOTATBOOT
ACK: 0x15 0x42ATBOOT
21
![Page 22: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/22.jpg)
REPLACE THE FIRMWARE
Prepare the POC malicious firmware
Re-Implement
some original
functions
Hardware
Automated attacks
that will be executed if
conditions are
satisfied.
Customized attacks
triggered by
commands sent
through Bluetooth
22
Attack
Functions
Power CAN Bluetooth
Drivers
Attack Methods
![Page 23: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/23.jpg)
CONTENT
Attack Surface of Telematics Systems
A Vulnerable Telematics System
Remote Attacks
How to Fix the Vulnerability?
Summary
23
![Page 24: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/24.jpg)
EXPLOIT
24
Send command
Receive response
OutputStream.write(byte[])
OutputStream.flush()
InputStream.read()
Replace the original firmware with a
malicious firmware !
![Page 25: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/25.jpg)
ATTACKS
Attack the vehicle directly
Inform the victim fake information
25
![Page 26: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/26.jpg)
ATTACKS
Send fake data to the back-end service
Attack the back-end service
26
![Page 27: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/27.jpg)
DEMO SETTINGS
Volkswagen Magotan 1.8T 2015
The vulnerable telematics device
Android smartphone with a PoC attack app
27
![Page 28: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/28.jpg)
28
Deploy malicious firmware
Open/Close Windows Unlock/Lock DoorsFold/Unfold MirrorsPOC Attack
![Page 29: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/29.jpg)
29
![Page 30: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/30.jpg)
CONTENT
Attack Surface of Telematics Systems
A Vulnerable Telematics System
Remote Attacks
How to Fix the Vulnerability?
Summary
30
![Page 31: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/31.jpg)
APP SECURITY
Secure data storage
Secure communication
Authentication
Verify the update/firmware downloaded from the backend service
Obfuscation and hardening
…
31
![Page 32: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/32.jpg)
DEVICE SECURITY
Verify the firmware before installing it
Protect the existing firmware
Avoid weak/default passwords
Encrypt the traffic
Mutual authentication
…
32
![Page 33: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/33.jpg)
WEB SERVICE SECURITY
33https://www.owasp.org/images/1/19/OTGv4.pdf
https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf
![Page 34: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/34.jpg)
SUMMARY
Attack surface of vehicle telematics systems
Device, Communication, App, Backend service
Securing vehicle telematics systems
Security, safety, reliability, resilience, privacy
Monitoring, analysis, and management
Thanks my group members for contributing to this research: Dawei Lyu, Lei Xue, Le Yu, Shengtuo Hu
We have been conducting research on mobile security, network and system security, IoT security, etc.
https://www4.comp.polyu.edu.hk/~csxluo/
34
![Page 35: SECURITY OF VEHICLE TELEMATICS SYSTEMS › docs › 20170421_04.pdf · Attack surface of vehicle telematics systems Device, Communication, App, Backend service Securing vehicle telematics](https://reader034.fdocuments.us/reader034/viewer/2022052611/5f03c6137e708231d40ab393/html5/thumbnails/35.jpg)
35