Your SlideShare is downloading. ×
Gentlemen, Start Your Engines 20120514
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Gentlemen, Start Your Engines 20120514

1,012
views

Published on

Short overview of the current security status on the automotive telematics security arena. Presented at OWASP Sweden meeting May 14th 2012

Short overview of the current security status on the automotive telematics security arena. Presented at OWASP Sweden meeting May 14th 2012

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,012
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. OWASP Sweden 20120514 Gentlemen, Start your engines Mattias Jidhage
  • 2. Omegapoint - Founded in 2001 - 170 consultants - e-Business & Security Falun New York Stockholm Göteborg Kalmar Helsingborg Malmö
  • 3. Agenda
  • 4. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 5. Infotainment•  Tech fragmentation •  Full featured browser –  Cost –  Torch –  Long dev cycle –  Netfront•  Apps for the car •  OS –  HTML5 –  Blackberry –  JavaScript –  Windows•  App stores –  Android –  Blackberry App World •  Smartphones on –  Android Market wheels? –  Mbrace?
  • 6. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 7. Telematics “integrated use of telecommunications and informatics”ECU  =  Electronic  CBCM=Brake  ECU=Engine   ontrol  CCU=Convenience  ontrol  ACU=Airbag  CC ontrol   odule  CTM=Central   Ciming  Module  GEM=General  Electronic   MSCM=Suspension   ontrol  U odule  TCM=Transmission   M Module  BCM=Body  CCTontrol  ontrol  odule  ECM=Engine  ontrol  CUodule  MPCM=Powertrain  CC Mnit  MUnit  CCM=Central  ontrol  ontrol  nit odule  ~100  Bosch,  Siemens,  Delphi..  
  • 8. TelematicsPotentially less than great security?
  • 9. Eh, Whats up Doc?•  The Car•  Transport•  Server•  Client
  • 10. The Car - Research•  Experimental Security Analysis of a Modern Automobile –  OBD-II•  Comprehensive Experimental Analyses of Automotive Attack Surfaces –  CD –  OBD-II (PassThru) –  Bluetooth –  GSM
  • 11. The Car – Reality•  War Texting: Identifying and Interacting with Devices on the Telephone Network –  Method for attacking telematics •  In general: GSM Baseband + uC Chip •  UART -> RE -> Firmware -> Vulnerability –  How2 find targets? •  FindMe •  WhoIs
  • 12. The Car – Reality•  Put it to the test –  Zoombak Tracking Device •  Zoombak Scanner •  Ask nicely via SMS –  Subaru Outback 1998 •  after market telematics unit •  unlock and start engine •  http://youtu.be/bNDv00SGb6w
  • 13. Transport - GSM•  A5/1•  SRLabs –  CCC 2009, BlackHat 2010 –  Rainbow tables (100.000 years to 1 month) –  Decode voice •  100-300m upstream •  5-35km downstream
  • 14. Transport – GPRS/EDGE No encryption•  GEA/0•  GEA/1•  GEA/2•  GEA/3•  GEA/4 No users•  SRLabs –  CCC 2011, Crypto analysis (weak crypto) –  Decode GPRS -> Wireshark
  • 15. Transport – cell USRP H W
  • 16. Server•  Car interface –  Proprietary protocol •  ASN.1 – Touring complete •  GPRS, EDGE, SMS and data over voice –  “We use a Private APN” •  Generic Routing Encapsulation •  Node to Node communication•  Operator web application•  Smartphone interface: REST/JSON
  • 17. Client - browser•  Web application –  no news –  move on –  there is nothing to see –  DriveBy Trojan Download & Install •  Starring Windows •  Guest appearance by Mac OSX
  • 18. Client – smart phone•  Few real vulnerability tests performed•  iOS –  Continous Jailbreak –  iOS 5.0.1 - iPhone 4GS and iPad2 –  iOS 5.1.x – iPad3 – no public (i0n1c, pod2g)•  Android –  Rouge apps –  Android Market - ‘Bouncer’
  • 19. Conclusion•  All components are possible targets•  Very few has the complete picture•  Activity in the security arena•  This is going to get worse before it gets better –  2012 models CAN bus is unprotected –  New tools arriving every day –  Larger attack surface than ever•  Use fast shoes
  • 20. What’s to come? “Internet of Things” TLA = IoT
  • 21. The Future
  • 22. The Future•  Telematics – M2M –  “integrated use of telecommunications and informatics” Insulin pump Prescription medication
  • 23. The Future ABB IRB 6640Industrial robot
  • 24. The Future Three GorgesInfrastructure - SCADA – Stuxnet
  • 25. The FutureHome Metering Unit - SmartGrid 270 000 HMU using ZigBee
  • 26. everything is a computerThank You!@mjidhagemattias.jidhage@owasp.org
  • 27. References•  http://www.autosec.org/publications.html•  http://www.isecpartners.com/storage/docs/presentations/ isec_bh2011_war_texting.pdf•  http://events.ccc.de/congress/2009/Fahrplan/ attachments/1519_26C3.Karsten.Nohl.GSM.pdf•  https://srlabs.de/blog/wp-content/uploads/ 2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf•  http://events.ccc.de/camp/2011/Fahrplan/attachments/ 1868_110810.SRLabs-Camp-GRPS_Intercept.pdf