Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DefCamp 2013 - In vehicle CAN network security

1,345 views

Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

DefCamp 2013 - In vehicle CAN network security

  1. 1. In vehicle CAN network security An overview
  2. 2. Bogdan-Ioan Şuta • System manager at AtoS IT Solutions and Services • Former Embedded C developer at Hella Romania • Graduated Master in Automotive Embedded Software from "Politehnica" University of Timisoara • Interested in computers, cars and anything in between
  3. 3. Overview IN VEHICLE NETWORKS
  4. 4. In vehicle networks • Used for information sharing between ECUs (Electronic Control Unit) • Reduce the number of wires needed inside a vehicle between ECUs • Come in many forms: – By medium: two-wire, one-wire, optical, wireless – By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K Line etc.
  5. 5. In vehicle networks
  6. 6. Overview CONTROLLER AREA NETWORK
  7. 7. Controller Area Network • • • • • Developed by Robert Bosch GmbH in 1983 Designed for electrically noisy environments Baud rates of up to 1Mb/s Broadcast type network Frames composed of (minimalistic): – ID field – used for arbitration – either 11 or 24 bits long – Data Field – actual transported data - up to 8 bytes – CRC Field – for error correction – 15 bits
  8. 8. HACKING VEHICLE NETWORKS
  9. 9. Hacking vehicle networks • MIT did it: – Comprehensive Experimental Analyses of Automotive Attack Surfaces http://youtu.be/bHfOziIwXic • Blogs made tutorials for it: – Hack a day http://hackaday.com/2013/10/21/can -hacking-introductions/ • Individuals also tried their luck: – http://secuduino.blogspot.ro/2011/04 /grupo-volkswagen-can-confort.html
  10. 10. Hacking vehicle networks • Various hardware is available to do it: – The OpenXC Platform http://openxcplatform.com/ – Arduino shields are available http://www.skpang.co.uk/catalog/arduinocanbus-shield-with-usd-card-holder-p-706.html – Custom – any microcontroller with a CAN controller with an CAN transceiver will work
  11. 11. At hacking the CAN bus MY ATTEMPTS
  12. 12. Proposition • Connect to the CAN bus • Identify messages being transmitted on the bus • Perform spoofing and flood attacks • Do not get into diagnostic based attacks (change odometer, disable immobilizer)
  13. 13. Setup • • • • • VW Passat 2001 Breadboard mBed LPC 1768 development board 2x Microchip MCP 2551 CAN tranceivers PC with TerraTerm used for communicating with the mBed • mBed programmed for CAN monitoring, flooding and spoofing • First connection attempt: – Male OBD-II connector connected to the diagnostic port of the CAR • Second attempt: – Twisted pair of conductors from a CAT-5 cable connected at the back of the VW Climatronic
  14. 14. FIRST ATTEMPT Using OBD connector
  15. 15. OBD Cable
  16. 16. First attempt: FAILED • Communication was not possible • Subject car does not have CAN on the OBD-II Connector • Only K line was present
  17. 17. SECOND ATTEMPT Direct connection
  18. 18. Connection to car
  19. 19. Second attempt: SUCCESS • A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupovolkswagen-can-confort.html • Connected to Convenience CAN • Baud rate of 100kb/s • Communication established 
  20. 20. A bit of sniffing… • Found CAN messages from – Door locks – Electric windows • Position of window • Status of button (pressed, not pressed) – Instruments backlighting value – Lots of other data that I couldn’t find a correlation
  21. 21. Some spoofing… • Sending commands that would originate from the Body Control Module
  22. 22. Power windows VIDEO
  23. 23. And some flooding • Sending a very high priority CAN message on the network continuously • Using hardware interrupts so no delays occur
  24. 24. Car door locks VIDEO
  25. 25. Security issues • No authentication of nodes • Messages are not scrambled • Security by obscurity
  26. 26. Counter measures • Researched and developed by many universities and companies: – Efficient Protocols For Secure Broadcast In Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/CANSec.pdf – LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf – Broadcast Authentication in a Low Speed Controller Area Network http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf – Low cost multicast network authentication for embedded control systems http://128.2.129.29/research/publications/2012/CMUECE-2012-011.pdf – Many more
  27. 27. CONCLUSIONS
  28. 28. Conclusions • Hacking vehicle networks is EASY • Through trial and error much information can be obtained -> security by obscurity is not sufficient • With great power comes great responsibility – Getting information from the vehicle bus can enhance use of the vehicle – People with bad intentions can cause damages and injuries
  29. 29. Contributors • • • • • Ioan Dubar Alexandru Leipnik Bogdan Groza Alexandru George Andrei My parents
  30. 30. Thank you.

×