Gentlemen, Start Your Engines 20120514
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Gentlemen, Start Your Engines 20120514

on

  • 1,046 views

Short overview of the current security status on the automotive telematics security arena. Presented at OWASP Sweden meeting May 14th 2012

Short overview of the current security status on the automotive telematics security arena. Presented at OWASP Sweden meeting May 14th 2012

Statistics

Views

Total Views
1,046
Views on SlideShare
1,046
Embed Views
0

Actions

Likes
1
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Gentlemen, Start Your Engines 20120514 Presentation Transcript

  • 1. OWASP Sweden 20120514 Gentlemen, Start your engines Mattias Jidhage
  • 2. Omegapoint - Founded in 2001 - 170 consultants - e-Business & Security Falun New York Stockholm Göteborg Kalmar Helsingborg Malmö
  • 3. Agenda
  • 4. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 5. Infotainment•  Tech fragmentation •  Full featured browser –  Cost –  Torch –  Long dev cycle –  Netfront•  Apps for the car •  OS –  HTML5 –  Blackberry –  JavaScript –  Windows•  App stores –  Android –  Blackberry App World •  Smartphones on –  Android Market wheels? –  Mbrace?
  • 6. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 7. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 8. TelematicsPotentially less than great security?
  • 9. Eh, Whats up Doc?•  The Car•  Transport•  Server•  Client
  • 10. The Car - Research•  Experimental Security Analysis of a Modern Automobile –  OBD-II•  Comprehensive Experimental Analyses of Automotive Attack Surfaces –  CD –  OBD-II (PassThru) –  Bluetooth –  GSM
  • 11. The Car – Reality•  War Texting: Identifying and Interacting with Devices on the Telephone Network –  Method for attacking telematics •  In general: GSM Baseband + uC Chip •  UART -> RE -> Firmware -> Vulnerability –  How2 find targets? •  FindMe •  WhoIs
  • 12. The Car – Reality•  Put it to the test –  Zoombak Tracking Device •  Zoombak Scanner •  Ask nicely via SMS –  Subaru Outback 1998 •  after market telematics unit •  unlock and start engine •  http://youtu.be/bNDv00SGb6w
  • 13. Transport - GSM•  A5/1•  SRLabs –  CCC 2009, BlackHat 2010 –  Rainbow tables (100.000 years to 1 month) –  Decode voice •  100-300m upstream •  5-35km downstream
  • 14. Transport – GPRS/EDGE No encryption•  GEA/0•  GEA/1•  GEA/2•  GEA/3•  GEA/4 No users•  SRLabs –  CCC 2011, Crypto analysis (weak crypto) –  Decode GPRS -> Wireshark
  • 15. Transport – cell USRP H W
  • 16. Server•  Car interface –  Proprietary protocol •  ASN.1 – Touring complete •  GPRS, EDGE, SMS and data over voice –  “We use a Private APN” •  Generic Routing Encapsulation •  Node to Node communication•  Operator web application•  Smartphone interface: REST/JSON
  • 17. Client - browser•  Web application –  no news –  move on –  there is nothing to see –  DriveBy Trojan Download & Install •  Starring Windows •  Guest appearance by Mac OSX
  • 18. Client – smart phone•  Few real vulnerability tests performed•  iOS –  Continous Jailbreak –  iOS 5.0.1 - iPhone 4GS and iPad2 –  iOS 5.1.x – iPad3 – no public (i0n1c, pod2g)•  Android –  Rouge apps –  Android Market - ‘Bouncer’
  • 19. Conclusion•  All components are possible targets•  Very few has the complete picture•  Activity in the security arena•  This is going to get worse before it gets better –  2012 models CAN bus is unprotected –  New tools arriving every day –  Larger attack surface than ever•  Use fast shoes
  • 20. What’s to come? “Internet of Things” TLA = IoT
  • 21. The Future
  • 22. The Future•  Telematics – M2M –  “integrated use of telecommunications and informatics” Insulin pump Prescription medication
  • 23. The Future ABB IRB 6640Industrial robot
  • 24. The Future Three GorgesInfrastructure - SCADA – Stuxnet
  • 25. The FutureHome Metering Unit - SmartGrid 270 000 HMU using ZigBee
  • 26. everything is a computerThank You!@mjidhagemattias.jidhage@owasp.org
  • 27. References•  http://www.autosec.org/publications.html•  http://www.isecpartners.com/storage/docs/presentations/ isec_bh2011_war_texting.pdf•  http://events.ccc.de/congress/2009/Fahrplan/ attachments/1519_26C3.Karsten.Nohl.GSM.pdf•  https://srlabs.de/blog/wp-content/uploads/ 2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf•  http://events.ccc.de/camp/2011/Fahrplan/attachments/ 1868_110810.SRLabs-Camp-GRPS_Intercept.pdf