Gentlemen,Start your engines   Mattias Jidhage
Omegapoint                                               - Founded in 2001                                               -...
Agenda
Telematics                               “integrated use of telecommunications and informatics”ECU	  =	  Electronic	  CBCM...
TelematicsPotentially less than great security?
Eh, Whats up Doc?•    The Car•    Transport•    Server•    Client
The Car - Research•  Experimental Security Analysis of a   Modern Automobile  –  OBD-II•  Comprehensive Experimental Analy...
The Car – Reality•  War Texting: Identifying and Interacting   with Devices on the Telephone Network  –  Method for attack...
The Car – Reality•  Put it to the test   –  Zoombak Tracking Device      •  Zoombak Scanner      •  Ask nicely via SMS   –...
Transport - GSM•  A5/1•  SRLabs  –  CCC 2009, BlackHat 2010  –  Rainbow tables (100.000 years to 1 month)  –  Decode voice...
Transport – GPRS/EDGE                    No encryption•    GEA/0•    GEA/1•    GEA/2•    GEA/3•    GEA/4            No use...
Transport – cell        USRP H          W
Server•  Car interface  –  Proprietary protocol     •  ASN.1 – Touring complete     •  GPRS, EDGE, SMS and data over voice...
Client - browser•  Web application  –  no news  –  move on  –  there is nothing to see  –  DriveBy Trojan Download & Insta...
Client – smart phone•  Few real vulnerability tests performed•  iOS  –  Continous Jailbreak  –  iOS 5.0.1 - iPhone 4GS and...
Conclusion•    All components are possible targets•    Very few has the complete picture•    Activity in the security aren...
What’s to come?•  “Internet of Things”
The Future
The Future•  Telematics – M2M  –  “integrated use of telecommunications and     informatics”   Insulin pump               ...
The Future ABB IRB 6640Industrial robot
The Future          Three GorgesInfrastructure - SCADA – Stuxnet
The FutureHome Metering Unit - SmartGrid  270 000 HMU using ZigBee
“Everything is a computer”@mjidhagemattias.jidhage@omegapoint.seThank You!
References•  http://www.autosec.org/publications.html•  http://www.isecpartners.com/storage/docs/presentations/   isec_bh2...
Upcoming SlideShare
Loading in …5
×

Gentlemen, Start Your Engines 20120419

514 views

Published on

Short overview of the current security status on the automotive telematics security arena. Presented at the ISACA Scandinavian Conference April 23-24th 2012

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
514
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Gentlemen, Start Your Engines 20120419

  1. 1. Gentlemen,Start your engines Mattias Jidhage
  2. 2. Omegapoint - Founded in 2001 - 170 consultants - e-Business & Security Falun New York Stockholm Göteborg Kalmar Helsingborg Malmö
  3. 3. Agenda
  4. 4. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  5. 5. TelematicsPotentially less than great security?
  6. 6. Eh, Whats up Doc?•  The Car•  Transport•  Server•  Client
  7. 7. The Car - Research•  Experimental Security Analysis of a Modern Automobile –  OBD-II•  Comprehensive Experimental Analyses of Automotive Attack Surfaces –  CD –  OBD-II (PassThru) –  Bluetooth –  GSM
  8. 8. The Car – Reality•  War Texting: Identifying and Interacting with Devices on the Telephone Network –  Method for attacking telematics •  In general: GSM Baseband + uC Chip •  UART -> RE -> Firmware -> Vulnerability –  How2 find targets? •  FindMe •  WhoIs
  9. 9. The Car – Reality•  Put it to the test –  Zoombak Tracking Device •  Zoombak Scanner •  Ask nicely via SMS –  Subaru Outback 1998 •  after market telematics unit •  unlock and start engine •  http://youtu.be/bNDv00SGb6w
  10. 10. Transport - GSM•  A5/1•  SRLabs –  CCC 2009, BlackHat 2010 –  Rainbow tables (100.000 years to 1 month) –  Decode voice •  100-300m upstream •  5-35km downstream
  11. 11. Transport – GPRS/EDGE No encryption•  GEA/0•  GEA/1•  GEA/2•  GEA/3•  GEA/4 No users•  SRLabs –  CCC 2011, Crypto analysis (weak crypto) –  Decode GPRS -> Wireshark
  12. 12. Transport – cell USRP H W
  13. 13. Server•  Car interface –  Proprietary protocol •  ASN.1 – Touring complete •  GPRS, EDGE, SMS and data over voice –  “We use a Private APN” •  Generic Routing Encapsulation •  Node to Node communication•  Operator web application•  Smartphone interface: REST/JSON
  14. 14. Client - browser•  Web application –  no news –  move on –  there is nothing to see –  DriveBy Trojan Download & Install •  Starring Windows •  Guest appearance by Mac OSX
  15. 15. Client – smart phone•  Few real vulnerability tests performed•  iOS –  Continous Jailbreak –  iOS 5.0.1 - iPhone 4GS and iPad2 –  iOS 5.1 – iPad3•  Android –  Rouge apps –  Android Market - ‘Bouncer’
  16. 16. Conclusion•  All components are possible targets•  Very few has the complete picture•  Activity in the security arena•  This is going to get worse before it gets better –  2012 models CAN bus is unprotected –  New tools arriving every day –  Larger attack surface than ever•  Use fast shoes
  17. 17. What’s to come?•  “Internet of Things”
  18. 18. The Future
  19. 19. The Future•  Telematics – M2M –  “integrated use of telecommunications and informatics” Insulin pump Prescription medication
  20. 20. The Future ABB IRB 6640Industrial robot
  21. 21. The Future Three GorgesInfrastructure - SCADA – Stuxnet
  22. 22. The FutureHome Metering Unit - SmartGrid 270 000 HMU using ZigBee
  23. 23. “Everything is a computer”@mjidhagemattias.jidhage@omegapoint.seThank You!
  24. 24. References•  http://www.autosec.org/publications.html•  http://www.isecpartners.com/storage/docs/presentations/ isec_bh2011_war_texting.pdf•  http://events.ccc.de/congress/2009/Fahrplan/ attachments/1519_26C3.Karsten.Nohl.GSM.pdf•  https://srlabs.de/blog/wp-content/uploads/ 2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf•  http://events.ccc.de/camp/2011/Fahrplan/attachments/ 1868_110810.SRLabs-Camp-GRPS_Intercept.pdf

×