DefCamp 2013 - In vehicle CAN network security

885 views
645 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
885
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
34
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

DefCamp 2013 - In vehicle CAN network security

  1. 1. In vehicle CAN network security An overview
  2. 2. Bogdan-Ioan Şuta • System manager at AtoS IT Solutions and Services • Former Embedded C developer at Hella Romania • Graduated Master in Automotive Embedded Software from "Politehnica" University of Timisoara • Interested in computers, cars and anything in between
  3. 3. Overview IN VEHICLE NETWORKS
  4. 4. In vehicle networks • Used for information sharing between ECUs (Electronic Control Unit) • Reduce the number of wires needed inside a vehicle between ECUs • Come in many forms: – By medium: two-wire, one-wire, optical, wireless – By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K Line etc.
  5. 5. In vehicle networks
  6. 6. Overview CONTROLLER AREA NETWORK
  7. 7. Controller Area Network • • • • • Developed by Robert Bosch GmbH in 1983 Designed for electrically noisy environments Baud rates of up to 1Mb/s Broadcast type network Frames composed of (minimalistic): – ID field – used for arbitration – either 11 or 24 bits long – Data Field – actual transported data - up to 8 bytes – CRC Field – for error correction – 15 bits
  8. 8. HACKING VEHICLE NETWORKS
  9. 9. Hacking vehicle networks • MIT did it: – Comprehensive Experimental Analyses of Automotive Attack Surfaces http://youtu.be/bHfOziIwXic • Blogs made tutorials for it: – Hack a day http://hackaday.com/2013/10/21/can -hacking-introductions/ • Individuals also tried their luck: – http://secuduino.blogspot.ro/2011/04 /grupo-volkswagen-can-confort.html
  10. 10. Hacking vehicle networks • Various hardware is available to do it: – The OpenXC Platform http://openxcplatform.com/ – Arduino shields are available http://www.skpang.co.uk/catalog/arduinocanbus-shield-with-usd-card-holder-p-706.html – Custom – any microcontroller with a CAN controller with an CAN transceiver will work
  11. 11. At hacking the CAN bus MY ATTEMPTS
  12. 12. Proposition • Connect to the CAN bus • Identify messages being transmitted on the bus • Perform spoofing and flood attacks • Do not get into diagnostic based attacks (change odometer, disable immobilizer)
  13. 13. Setup • • • • • VW Passat 2001 Breadboard mBed LPC 1768 development board 2x Microchip MCP 2551 CAN tranceivers PC with TerraTerm used for communicating with the mBed • mBed programmed for CAN monitoring, flooding and spoofing • First connection attempt: – Male OBD-II connector connected to the diagnostic port of the CAR • Second attempt: – Twisted pair of conductors from a CAT-5 cable connected at the back of the VW Climatronic
  14. 14. FIRST ATTEMPT Using OBD connector
  15. 15. OBD Cable
  16. 16. First attempt: FAILED • Communication was not possible • Subject car does not have CAN on the OBD-II Connector • Only K line was present
  17. 17. SECOND ATTEMPT Direct connection
  18. 18. Connection to car
  19. 19. Second attempt: SUCCESS • A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupovolkswagen-can-confort.html • Connected to Convenience CAN • Baud rate of 100kb/s • Communication established 
  20. 20. A bit of sniffing… • Found CAN messages from – Door locks – Electric windows • Position of window • Status of button (pressed, not pressed) – Instruments backlighting value – Lots of other data that I couldn’t find a correlation
  21. 21. Some spoofing… • Sending commands that would originate from the Body Control Module
  22. 22. Power windows VIDEO
  23. 23. And some flooding • Sending a very high priority CAN message on the network continuously • Using hardware interrupts so no delays occur
  24. 24. Car door locks VIDEO
  25. 25. Security issues • No authentication of nodes • Messages are not scrambled • Security by obscurity
  26. 26. Counter measures • Researched and developed by many universities and companies: – Efficient Protocols For Secure Broadcast In Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/CANSec.pdf – LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf – Broadcast Authentication in a Low Speed Controller Area Network http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf – Low cost multicast network authentication for embedded control systems http://128.2.129.29/research/publications/2012/CMUECE-2012-011.pdf – Many more
  27. 27. CONCLUSIONS
  28. 28. Conclusions • Hacking vehicle networks is EASY • Through trial and error much information can be obtained -> security by obscurity is not sufficient • With great power comes great responsibility – Getting information from the vehicle bus can enhance use of the vehicle – People with bad intentions can cause damages and injuries
  29. 29. Contributors • • • • • Ioan Dubar Alexandru Leipnik Bogdan Groza Alexandru George Andrei My parents
  30. 30. Thank you.

×