Transcript of Tesla Hacking - ECV International
Tesla Hacking: Cyber-Security Learnings and Insights of Connected Cars
Samuel Lv | Keen Security Lab, Tencent
Keen Lab: It is all about SECURITY!
PC/Mobile Operating Systems
PC/Mobile Applications
Cloud Computing/Virtualization/Web
Connected Car/IOT Devices
Tesla deserves full respect for responding to the hacking case in an efficient manner.
Learnings from Tesla Hacking Case
1. Respond to BIG Security Issues at CXO Level
JB Straubel (Tesla CTO) credits Keen Lab’s researchers for kickstarting Tesla’s move to push out its code signing upgrade.
“They did good work. They helped us find something that’s a problem we needed to fix. And that’s what we did.”
Tesla Product Team:
• Issue Reproduced: 1.5 hours
• Update Developed, Update Tested: 10 days
• Development Practices Updated: 90% updated in 3 days, new code signing mechanism
2. Exhaustive Efforts on Quick Fixing
3. Appreciation, Recognition and Rewards
Granted Keen Lab the highest reward in Tesla history
Cyber-Security Insights of Connected Cars
2015.7 FCA JEEP was hacked remotely. The hackers demonstrated unauthorized remote control of the JEEP. Security vulnerabilities in different modules, including the TSP, telecom network, head unit etc., were reported to Chrysler. Impact: FCA recalled 1.4 million JEEPs sold in North America.
2015.7 Hackers hijacked the OnStar mobile APP and demonstrated unauthorized remote controls such as unlocking doors, starting the engine, tooting the horn etc. The issue was related to security vulnerabilities in the OnStar mobile APP and TSP modules. Impact: OnStar released an urgent security fix.
2016.2 The Nissan LEAF EV mobile APP was hijacked. The hacker achieved unauthorized remote controls such as switching on the air conditioning, flashing lights etc. Security vulnerabilities in the LEAF mobile APP and TSP modules caused the issue. Impact: Nissan temporarily shut down the remote control services of the TSP.
2016.9 Keen Lab was the first in the world to build a full attack chain proving that a Tesla could be hacked remotely, achieving unauthorized remote control in both parking mode and driving mode. The full attack chain successfully exploited security vulnerabilities in the in-vehicle browser, head unit OS, CAN gateway, CAN protocols and critical ECU modules. Impact: After receiving Keen Lab’s detailed disclosure, Tesla issued a batch of urgent patches within 10 days and pushed the patches to various Tesla models worldwide.
1. Cyber-Security, a Big Challenge to Connected Car OEMs
2. Easy to Attack, Hard to Hold!
N Attack Surfaces:
• CAN BUS & ECUs
• Infotainment OS
• IV APPs
• OBDII
• WiFi Hotspot
• BlueTooth
• USB
• T-Box
• Gateway
• BT Key
• OEM TSP
• 3rd party CP Services
• OEM backend Services
• Internet Services/Content
• Mobile APP User Portal
• Charging Station
• ADAS
• V2X
Security Needs Holistic View!
3. Product Security and Security Protections/Policies are Both Important
TESLA: All about VUL/EXP
Attack vectors:
• Cellular: Phishing with malicious URLs
• WiFi: Malicious hotspot, exploiting the browser’s auto-connect behavior
Attack chain:
• Browser: Multiple vulnerabilities with exploits to get code execution ability
• Linux Kernel: Vulnerability with exploit to escalate system privilege and disable AppArmor to get Linux ROOT permission
• Gateway: Bypass code integrity check and patch gateway firmware
• CAN: Send malicious CAN messages on arbitrary CAN channels
FCA JEEP: Security Policy Issue & VUL/EXP
Security policy issues:
• Cellular: No segmentation between the cellular network and the automotive network
• D-Bus Service: No access control implemented for D-Bus service access, and no restrictions on arbitrary command execution via D-Bus
Attack chain:
• QNX Kernel: Vulnerability with exploit to escalate system privilege to get QNX ROOT permission
• Gateway: Patch gateway firmware by redirecting the update source from USB to a malicious location
• CAN: Send malicious CAN messages on arbitrary CAN channels
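In both chains above, the gateway step is where the attacker turns a compromised head unit into control of the CAN bus: on the Tesla side by bypassing the firmware integrity check, on the Jeep side by pointing the updater at an attacker-controlled source. The code signing mechanism Tesla shipped in response is the defensive counterpart, and the Go program below is an added example of that control, written for this page and not code from Keen Lab, Tesla or FCA. It assumes a hypothetical update container (source, version, payload, detached Ed25519 signature), a constructed OTA hostname `ota.vendor.example`, and constructed firmware payloads; all of these are assumptions for the example. The gateway holds only the vendor public key and an allow-list of update sources, and it rejects an untrusted source, a bad signature, and a rollback to an older version before writing anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reasons a gateway refuses an update.
var (
	ErrUntrustedSource = errors.New("update source not on the allow-list")
	ErrBadSignature    = errors.New("vendor signature verification failed")
	ErrRollback        = errors.New("image version is not newer than the installed one")
)

// UpdateImage is a hypothetical update container (an assumption for this
// example, not any OEM's real format).
type UpdateImage struct {
	Source  string // where the updater fetched the image from (e.g. OTA host or "usb")
	Version uint32 // monotonically increasing firmware version
	Payload []byte // the firmware itself
	Sig     []byte // Ed25519 signature over version||payload
}

// Gateway models the verifying side. It never holds the signing key, only
// the vendor's public key, the installed version and the accepted sources.
type Gateway struct {
	vendorPub      ed25519.PublicKey
	installedVer   uint32
	allowedSources map[string]bool
}

// signedBytes binds version and payload under one signature, so a valid
// old payload cannot be re-labelled with a newer version number.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage is the vendor build-server side, the only place the private key lives.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	return ed25519.Sign(priv, signedBytes(version, payload))
}

// ApplyUpdate enforces, in order: trusted source, valid vendor signature,
// and no rollback. Only after all three pass is the version advanced.
func (g *Gateway) ApplyUpdate(img UpdateImage) error {
	if !g.allowedSources[img.Source] {
		return ErrUntrustedSource
	}
	if !ed25519.Verify(g.vendorPub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= g.installedVer {
		return ErrRollback
	}
	g.installedVer = img.Version
	return nil
}

// RunScenario builds a vendor key pair and a gateway at version 1, then feeds it
// five constructed updates and returns the verdict for each:
// 0 genuine v2 image from the OTA host, 1 the same image offered from USB,
// 2 a v3 image whose payload was tampered after signing, 3 the genuine v2
// image replayed, 4 a v3 image signed with an attacker's own key.
func RunScenario() []error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	gw := &Gateway{
		vendorPub:      vendorPub,
		installedVer:   1,
		allowedSources: map[string]bool{"ota.vendor.example": true}, // constructed hostname
	}
	payload := []byte("gateway firmware v2 (constructed sample)")
	sigV2 := SignImage(vendorPriv, 2, payload)

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff // flip one byte after signing

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPayload := []byte("firmware with CAN filtering removed (constructed)")

	var verdicts []error
	verdicts = append(verdicts, gw.ApplyUpdate(UpdateImage{"ota.vendor.example", 2, payload, sigV2}))
	verdicts = append(verdicts, gw.ApplyUpdate(UpdateImage{"usb", 2, payload, sigV2}))
	verdicts = append(verdicts, gw.ApplyUpdate(UpdateImage{"ota.vendor.example", 3, tampered, SignImage(vendorPriv, 3, payload)}))
	verdicts = append(verdicts, gw.ApplyUpdate(UpdateImage{"ota.vendor.example", 2, payload, sigV2}))
	verdicts = append(verdicts, gw.ApplyUpdate(UpdateImage{"ota.vendor.example", 3, attackerPayload, SignImage(attackerPriv, 3, attackerPayload)}))
	return verdicts
}

func main() {
	for i, v := range RunScenario() {
		fmt.Printf("update %d: %v\n", i, v)
	}
}
```

Two design points follow from the attack chains on this slide: the source allow-list and the signature check are independent, so redirecting the updater (the Jeep step) fails even if the attacker has a validly signed old image, and the rollback check stops a validly signed but already-patched image from being reinstalled. The check is only as strong as the storage of the vendor public key; with root on the head unit (the Linux or QNX step) an attacker who can overwrite that key can sign their own images, so the key belongs in immutable or hardware-protected storage on the gateway rather than in a file the head unit can write.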
4. OTA is Essential to Connected Cars, And Security of OTA is Also Critical
Provider’s modules are a BLACKBOX to the OEM!
5. Tier-1/2 Providers Play Key Roles in Cyber Security
Start here: focus on the four elements of building security
• Knowledge & Expertise: Right people do right things
• Engineering Mechanism: Prevention has lower cost
• Mitigation Technologies: Raise the cost of attacks
• Policies & Processes: Be quicker than attackers
6. Security Will Become a Fundamental Capability for OEMs and Providers
Systematic Thinking of Cyber-Security Management
Cyber-Security Management:
• Creating a Cyber-security culture
• Establish a Cyber-security engineering process
• Develop security training
• Expand field monitoring process
Concept Phase:
• Identify the important assets and risks
• Threat Modeling: OCTAVE, STRIDE, DREAD, ATA
• Create Cyber-security Plan
• Begin preliminary Cyber-security assessment
Product Development:
• System level, hardware level and software level
• Engineering teams identify detailed Cyber-security requirements
• Apply Cyber-security assessment
• Red Team versus Blue Team
• Penetration test, check list
• Apply a Cybersecurity process together with a Safety process
Production Operation:
• Monitor field for Cyber-security issues
• Include Security Update process and tools through maintenance and care
• Follow an incident response plan for Cyber-security issues
Supporting Process:
• Supplier is capable of producing Cyber-security-critical features
• Agree on the Cyber-security work products
• Gate review at key milestones
• Report to each other on Cyber-security issues
• Responsible for fixing the issues
Product Security Services: Security in the Full Product Lifecycle
Design Phase:
• Security Infrastructure and Threat Modeling: IV Connectivity Modules, TSP Modules, Communication Mechanisms, Encryptions & Decryptions, Secure OTA Architecture, etc.
• Security service to Tier 1: IV Connectivity Modules, TSP Modules, Mobile APP Modules, Encryptions & Decryptions, etc.
Develop Phase:
• Assist in achieving Security Best Practice according to SDL: Secure Coding Best Practices, Security Requirements / Standards for Tier-1 Providers
• Security Capacity transfer: Attacks & Defenses 101 Trainings for IT engineers & Developers
• Security Capacity transfer: SDL Management Framework Trainings, SAE J3061 Practices Trainings
• Security Code Review: Native code review, Web code review
Test Phase:
• Security Pen Test: IV Connectivity Modules, TSP Modules, Mobile APP & User Portal Modules, Communication Mechanisms, Encryptions & Decryptions, Hardware gateway/firewall Modules, System Upgrade Security
Release:
• Incident Response: Technical Analysis of security incidents, Technical Advisory on mitigations and protections
Not Only Product Security, But Protections...
Products: 乐固 (Legu), 大禹 (Dayu), host protection, 天御 (Tianyu)
• Mobile security training
• Cloud penetration testing
• Web security attack & defense training
• Automotive information security device penetration testing
• APP penetration testing
• Mobile phone penetration testing
• Automotive information security training
• Automotive information security consulting
• Cross-site scripting, injection, etc.; cloud interface testing; transmission channel security
• OWASP; real case demonstrations
4 C: Communication, Cross-Domain, Collaboration, Convergence
Tencent Automotive Industry Business Solutions & Eco-System
Cloud Computing & Big Data & AI
Carlink & Self-Driving
SSO User Account Platform
LBS, Map & Navi
Social & Online Marketing
Connected Car Security
Investment on Smart Transportation
Voice, Image & Facial Recognition