Automotive Electronics - Internals and Security Implications


  1. Automotive Electronics - Internals and Security Implications
     Aanjhan Ranganathan
  2. Some Facts
     ● Radio was the first electronic system
     ● Today, ~40 computers power your car.
     ● ~20 million lines of code.
     ● About 10 km of wiring exists in a modern automobile
     ● And weighs ~100 kg
  3. Drive-by Code
     [Figure labels: Car multimedia, Dynamic stability control, Auto-transmission control, Instrument cluster, Airbag control, Engine management, Anti-lock braking system, Tyre pressure monitor, Diagnostics, Body sensors/electronics]
  4. ECU Module
  5. Network Bus Protocols
     ● Controller Area Network (CAN)
     ● Local Interconnect Network (LIN)
     ● FlexRay
     ● Media Oriented Systems Transport (MOST)
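  6. Networking in an Auto
     [Figure: ECUs on the in-vehicle network, labelled EM, ABS, CM, DIA, Dash Board, DS, IC, BE, Air]
  7. Networking in an Auto
     [Figure: the same ECUs (EM, ABS, CM, DIA, Dash Board, DS, Air, IC, BE) split across a High Speed Network and a Low Speed Network]
  8. Car ECUs going wireless?
     [Figure: ECUs labelled EM, ABS, CM, DIA, Dash Board, DS, Air, IC, BE]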
  9. Tyre Pressure Monitoring System*
     [Figure: wireless link to the Dash Board, 315 or 433 MHz, ASK or FSK]
     * Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study, Rouf et al. Usenix Security 2010.
  10. Security Analysis of TPMS*
     ● Difficulty of reverse engineering
       – Using GNU Radio, Matlab, USRP
       – Few days (experienced engineer) to few weeks (newbie)
     ● Sniffing feasibility
       – 40 m range
       – 110 sniffers if the car is travelling at 60 km/h
       – Easier to trigger at 125 kHz
     ● Spoofing feasibility
       – Ability to trigger the TPMS monitor light
       – No packet authentication
     ● Security measures
       – Reliable software design
       – Encrypting the whole packet
  11. Controller Area Network
     ● Developed by Bosch
     ● 2-wire serial bus
     ● No limit on the number of nodes
     ● Message-oriented protocol, no node addressing
     ● Broadcast and multicast support
     ● Physical and data link layer
     ● Speed up to 1 Mbps
  12. CAN Bus Characteristics
     ● Wired-AND
       – “0” is the dominant bit
       – “1” is the recessive bit
     ● All nodes read back the data on the bus once they have transmitted a bit, specifically during the arbitration phase.
  13. CAN – CSMA with CD/CR
     [Figure: bus arbitration over time for nodes A, B and C, with "Arb" and "Data" phases; bit rows as extracted: A 1 0 0 ..., B 1 1 1 1 ..., C 1 0 1 1 0 ...]
  14. CAN – Error Handling
     ● Error handling
     ● Fault confinement
     ● High speed and low speed nodes
  15. FlexRay
     ● Time-based scheduling (TDMA)
     ● Deterministic behaviour
     ● 2 channels
     ● 10 Mbps on each channel => 20 Mbps
     ● Complex protocol stack
     ● Supports multiple network topologies
     ● Not YET in use widely
  16. Local Interconnect Network (LIN)
     ● Slow (<20 kbps) and used for less critical ECUs
     ● UART/SCI based
     ● Master – slave
     ● Less expensive than CAN controllers
     ● 1-wire, reduced harness complexity
  17. Media Oriented System Transport (MOST)
     ● Physical layer
       – Mostly optical fibres
     ● Up to 24 Mbps
     ● Ring, star, daisy chain topologies possible
     ● Audio, video streaming applications
  18. Car Multimedia
     ● No longer just radio
     ● Navigation, phone handling, video, audio, interactive vehicle status updates and a lot more
  19. Car Multimedia (contd.)
  20. In Summary
  21. Diagnostics
     ● Identifying faults
     ● OBD II (On-Board Diagnostics v2.0) is the current standard
     ● Over CAN
     ● Simple OBD-II scanners to high-end OBD-II diagnostic tools
  22. OBD II Systems
  23. Other Interfaces to OBD II
  24. Mobile Applications
     [Figure labels: DevToaster, Torque]
  25. Security Challenges in CAN [1]
     ● No security, i.e. no encryption/decryption defined
     ● Broadcast nature
     ● No node authentication
     ● Limited defense against denial of service attacks
     ● Re-programming and reset (C/R based auth)
     ● Open diagnostic control
     [1] Experimental Security Analysis of a Modern Automobile, Koscher et al. IEEE Security and Privacy 10
  26. Security Analysis Setup [1]
     [Figure label: CarShark]
  27. Security Analysis [1]
     ● Deviations from standards
       – Network segregation, command filtering, firmware updates
     ● Radio, cluster, body electronics control
     ● Engine and brake control
     ● Code injection
  28. Security Analysis [1]
  29. Security Analysis [1]
  30. Manufacturers' Point of View
     ● “While we sincerely respect the opinions of the researchers, we also strongly believe their study makes conclusions which are based on limited knowledge, and in some cases, are incorrect.” (Schrader Electronics)
     ● "The car described in the US paper certainly was not one of ours. We definitely use better than 16 bit encryption schemes." (BMW)
     ● "This gives any attacker an advantage and raises the need for a solution which can uphold its level of security for such a long period while new attacks are being developed" (Secunet AG)
     ● "This problem lies within the responsibility of the OEMs" (Autosar)
  31. Conclusion
     ● Moore's law shall be applicable to automobiles.
     ● Not many care for privacy/vehicle tracking. Not necessary to be so sophisticated for this.
     ● Security is a concern. Especially when it comes to losing your car/wallet.
     ● Considerable change in infrastructure required.
     ● Security issues bound to increase with increasing electronics and code.
  32. Thank You
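
The wired-AND arbitration of slides 12 and 13, as an added example that is not part of the original deck: each node sends its identifier bit by bit, reads the bus back, and stops transmitting as soon as it sent recessive but read dominant. The node names follow slide 13; the identifiers are constructed so that their leading bits match the bit rows that survive from that figure.

```python
"""Bitwise CAN arbitration on a wired-AND bus (added, constructed example)."""

DOMINANT, RECESSIVE = 0, 1
ID_BITS = 11  # identifier length of a standard (base format) frame


def id_to_bits(can_id, width=ID_BITS):
    """Identifier as a list of bits, most significant bit first."""
    if not 0 <= can_id < (1 << width):
        raise ValueError("identifier does not fit in %d bits" % width)
    return [(can_id >> shift) & 1 for shift in range(width - 1, -1, -1)]


def arbitrate(contenders):
    """Arbitrate among {node_name: identifier}.

    Returns (winner, bus_bits, lost_at); lost_at maps each losing node to
    the bit position at which it stopped transmitting.
    """
    if len(set(contenders.values())) != len(contenders):
        raise ValueError("identifiers must be unique per transmitter")
    bits = {name: id_to_bits(cid) for name, cid in contenders.items()}
    active, bus_bits, lost_at = set(bits), [], {}
    for pos in range(ID_BITS):
        # Wired-AND: one node driving dominant (0) pulls the whole bus to 0.
        level = min(bits[name][pos] for name in active)
        bus_bits.append(level)
        # Read-back: a node that sent recessive but reads dominant has lost.
        for name in active:
            if bits[name][pos] == RECESSIVE and level == DOMINANT:
                lost_at[name] = pos
        active -= set(lost_at)
    (winner,) = active
    return winner, bus_bits, lost_at


# Constructed identifiers; leading bits follow the rows of slide 13.
NODES = {"A": 0x4B0, "B": 0x7A3, "C": 0x588}

if __name__ == "__main__":
    winner, bus, lost = arbitrate(NODES)
    print("bus   :", "".join(map(str, bus)))
    for name, pos in sorted(lost.items()):
        print("node %s backed off at bit %d" % (name, pos))
    print("winner:", winner)
```

The bus always carries the bits of the lowest identifier, so message priority is fixed by the identifier alone and the winning frame is never corrupted by the losers.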
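
Slides 10 and 25 both name missing packet or node authentication as the core weakness. The sketch below is an added example, not from the deck or the cited papers, of what a receiver-side check can look like inside an 8-byte CAN payload: 4 data bytes, 1 byte of freshness counter and a 3-byte truncated HMAC. The key, the identifier in the test values and the byte layout are assumptions made for illustration.

```python
"""Authenticated 8-byte payload: data + freshness counter + truncated MAC."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: key pre-shared by sender and receiver
DATA_LEN, MAC_LEN = 4, 3        # 4 data + 1 counter + 3 MAC = 8 bytes


def _mac(can_id, counter, data):
    # The identifier and the FULL counter are covered, so a tag cannot be
    # reused under another message ID or with an already accepted counter.
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def protect(can_id, counter, data):
    """Sender: build the 8-byte payload for one frame."""
    if len(data) != DATA_LEN:
        raise ValueError("expected %d data bytes" % DATA_LEN)
    return data + bytes([counter & 0xFF]) + _mac(can_id, counter, data)


class Receiver:
    """Keeps the last accepted counter per identifier."""

    def __init__(self):
        self.last = {}

    def verify(self, can_id, payload):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != DATA_LEN + 1 + MAC_LEN:
            return None
        data, low = payload[:DATA_LEN], payload[DATA_LEN]
        tag = payload[DATA_LEN + 1:]
        last = self.last.get(can_id, -1)
        # Rebuild the full counter: smallest value above `last` with this low byte.
        counter = last + 1 + ((low - (last + 1)) & 0xFF)
        if not hmac.compare_digest(tag, _mac(can_id, counter, data)):
            return None  # forged, altered, replayed or sent under another ID
        self.last[can_id] = counter
        return data
```

The 3-byte tag is a trade-off forced by the 8-byte data field of a classic CAN frame; only the low counter byte travels on the bus, and the receiver tolerates up to 255 lost frames before it loses synchronisation.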
