Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
In vehicle CAN network security An overview
Bogdan-Ioan Şuta • System manager at AtoS IT Solutions and Services • Former Embedded C developer at Hella Romania • Gradu...
Overview IN VEHICLE NETWORKS
In vehicle networks • Used for information sharing between ECUs (Electronic Control Unit) • Reduce the number of wires nee...
In vehicle networks
Overview CONTROLLER AREA NETWORK
Controller Area Network • • • • • Developed by Robert Bosch GmbH in 1983 Designed for electrically noisy environments Bau...
HACKING VEHICLE NETWORKS
Hacking vehicle networks • MIT did it: – Comprehensive Experimental Analyses of Automotive Attack Surfaces http://youtu.be...
Hacking vehicle networks • Various hardware is available to do it: – The OpenXC Platform http://openxcplatform.com/ – Ardu...
At hacking the CAN bus MY ATTEMPTS
Proposition • Connect to the CAN bus • Identify messages being transmitted on the bus • Perform spoofing and flood attacks...
Setup • • • • • VW Passat 2001 Breadboard mBed LPC 1768 development board 2x Microchip MCP 2551 CAN tranceivers PC with T...
FIRST ATTEMPT Using OBD connector
OBD Cable
First attempt: FAILED • Communication was not possible • Subject car does not have CAN on the OBD-II Connector • Only K li...
SECOND ATTEMPT Direct connection
Connection to car
Second attempt: SUCCESS • A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupovolkswagen-can-confort...
A bit of sniffing… • Found CAN messages from – Door locks – Electric windows • Position of window • Status of button (pres...
Some spoofing… • Sending commands that would originate from the Body Control Module
Power windows VIDEO
And some flooding • Sending a very high priority CAN message on the network continuously • Using hardware interrupts so no...
Car door locks VIDEO
Security issues • No authentication of nodes • Messages are not scrambled • Security by obscurity
Counter measures • Researched and developed by many universities and companies: – Efficient Protocols For Secure Broadcast ...
CONCLUSIONS
Conclusions • Hacking vehicle networks is EASY • Through trial and error much information can be obtained -> security by o...
Contributors • • • • • Ioan Dubar Alexandru Leipnik Bogdan Groza Alexandru George Andrei My parents
Thank you.
DefCamp 2013 - In vehicle CAN network security
Upcoming SlideShare
Loading in …5
×

DefCamp 2013 - In vehicle CAN network security

1,468 views

Published on

Published in: Technology, Business
no profile picture user

  • Be the first to comment

DefCamp 2013 - In vehicle CAN network security

  1. 1. In vehicle CAN network security An overview
  2. 2. Bogdan-Ioan Şuta • System manager at AtoS IT Solutions and Services • Former Embedded C developer at Hella Romania • Graduated Master in Automotive Embedded Software from "Politehnica" University of Timisoara • Interested in computers, cars and anything in between
  3. 3. Overview IN VEHICLE NETWORKS
  4. 4. In vehicle networks • Used for information sharing between ECUs (Electronic Control Unit) • Reduce the number of wires needed inside a vehicle between ECUs • Come in many forms: – By medium: two-wire, one-wire, optical, wireless – By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K Line etc.
  5. 5. In vehicle networks
  6. 6. Overview CONTROLLER AREA NETWORK
  7. 7. Controller Area Network • • • • • Developed by Robert Bosch GmbH in 1983 Designed for electrically noisy environments Baud rates of up to 1Mb/s Broadcast type network Frames composed of (minimalistic): – ID field – used for arbitration – either 11 or 24 bits long – Data Field – actual transported data - up to 8 bytes – CRC Field – for error correction – 15 bits
  8. 8. HACKING VEHICLE NETWORKS
  9. 9. Hacking vehicle networks • MIT did it: – Comprehensive Experimental Analyses of Automotive Attack Surfaces http://youtu.be/bHfOziIwXic • Blogs made tutorials for it: – Hack a day http://hackaday.com/2013/10/21/can -hacking-introductions/ • Individuals also tried their luck: – http://secuduino.blogspot.ro/2011/04 /grupo-volkswagen-can-confort.html
  10. 10. Hacking vehicle networks • Various hardware is available to do it: – The OpenXC Platform http://openxcplatform.com/ – Arduino shields are available http://www.skpang.co.uk/catalog/arduinocanbus-shield-with-usd-card-holder-p-706.html – Custom – any microcontroller with a CAN controller with an CAN transceiver will work
  11. 11. At hacking the CAN bus MY ATTEMPTS
  12. 12. Proposition • Connect to the CAN bus • Identify messages being transmitted on the bus • Perform spoofing and flood attacks • Do not get into diagnostic based attacks (change odometer, disable immobilizer)
  13. 13. Setup • • • • • VW Passat 2001 Breadboard mBed LPC 1768 development board 2x Microchip MCP 2551 CAN tranceivers PC with TerraTerm used for communicating with the mBed • mBed programmed for CAN monitoring, flooding and spoofing • First connection attempt: – Male OBD-II connector connected to the diagnostic port of the CAR • Second attempt: – Twisted pair of conductors from a CAT-5 cable connected at the back of the VW Climatronic
  14. 14. FIRST ATTEMPT Using OBD connector
  15. 15. OBD Cable
  16. 16. First attempt: FAILED • Communication was not possible • Subject car does not have CAN on the OBD-II Connector • Only K line was present
  17. 17. SECOND ATTEMPT Direct connection
  18. 18. Connection to car
  19. 19. Second attempt: SUCCESS • A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupovolkswagen-can-confort.html • Connected to Convenience CAN • Baud rate of 100kb/s • Communication established 
  20. 20. A bit of sniffing… • Found CAN messages from – Door locks – Electric windows • Position of window • Status of button (pressed, not pressed) – Instruments backlighting value – Lots of other data that I couldn’t find a correlation
  21. 21. Some spoofing… • Sending commands that would originate from the Body Control Module
  22. 22. Power windows VIDEO
  23. 23. And some flooding • Sending a very high priority CAN message on the network continuously • Using hardware interrupts so no delays occur
  24. 24. Car door locks VIDEO
  25. 25. Security issues • No authentication of nodes • Messages are not scrambled • Security by obscurity
  26. 26. Counter measures • Researched and developed by many universities and companies: – Efficient Protocols For Secure Broadcast In Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/CANSec.pdf – LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf – Broadcast Authentication in a Low Speed Controller Area Network http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf – Low cost multicast network authentication for embedded control systems http://128.2.129.29/research/publications/2012/CMUECE-2012-011.pdf – Many more
  27. 27. CONCLUSIONS
  28. 28. Conclusions • Hacking vehicle networks is EASY • Through trial and error much information can be obtained -> security by obscurity is not sufficient • With great power comes great responsibility – Getting information from the vehicle bus can enhance use of the vehicle – People with bad intentions can cause damages and injuries
  29. 29. Contributors • • • • • Ioan Dubar Alexandru Leipnik Bogdan Groza Alexandru George Andrei My parents
  30. 30. Thank you.

×