SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.
SlideShare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.
Successfully reported this slideshow.
Activate your 14 day free trial to unlock unlimited reading.
2.
Bogdan-Ioan Şuta
• System manager at AtoS IT Solutions and
Services
• Former Embedded C developer at Hella
Romania
• Graduated Master in Automotive Embedded
Software from "Politehnica" University of
Timisoara
• Interested in computers, cars and anything in
between
4.
In vehicle networks
• Used for information sharing between ECUs
(Electronic Control Unit)
• Reduce the number of wires needed inside a
vehicle between ECUs
• Come in many forms:
– By medium: two-wire, one-wire, optical, wireless
– By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K
Line etc.
7.
Controller Area Network
•
•
•
•
•
Developed by Robert Bosch GmbH in 1983
Designed for electrically noisy environments
Baud rates of up to 1Mb/s
Broadcast type network
Frames composed of (minimalistic):
– ID field – used for arbitration – either 11 or 24 bits
long
– Data Field – actual transported data - up to 8 bytes
– CRC Field – for error correction – 15 bits
9.
Hacking vehicle networks
• MIT did it:
– Comprehensive Experimental
Analyses of Automotive Attack
Surfaces http://youtu.be/bHfOziIwXic
• Blogs made tutorials for it:
– Hack a day http://hackaday.com/2013/10/21/can
-hacking-introductions/
• Individuals also tried their luck:
– http://secuduino.blogspot.ro/2011/04
/grupo-volkswagen-can-confort.html
10.
Hacking vehicle networks
• Various hardware is available to do it:
– The OpenXC Platform http://openxcplatform.com/
– Arduino shields are available http://www.skpang.co.uk/catalog/arduinocanbus-shield-with-usd-card-holder-p-706.html
– Custom – any microcontroller with a CAN
controller with an CAN transceiver will work
12.
Proposition
• Connect to the CAN bus
• Identify messages being transmitted on the
bus
• Perform spoofing and flood attacks
• Do not get into diagnostic based attacks
(change odometer, disable immobilizer)
13.
Setup
•
•
•
•
•
VW Passat 2001
Breadboard
mBed LPC 1768 development board
2x Microchip MCP 2551 CAN tranceivers
PC with TerraTerm used for communicating with
the mBed
• mBed programmed for CAN monitoring, flooding
and spoofing
• First connection attempt:
– Male OBD-II connector connected to the
diagnostic port of the CAR
• Second attempt:
– Twisted pair of conductors from a CAT-5 cable
connected at the back of the VW Climatronic
19.
Second attempt: SUCCESS
• A few tries and some info from:
http://secuduino.blogspot.ro/2011/04/grupovolkswagen-can-confort.html
• Connected to Convenience CAN
• Baud rate of 100kb/s
• Communication established
20.
A bit of sniffing…
• Found CAN messages from
– Door locks
– Electric windows
• Position of window
• Status of button (pressed, not pressed)
– Instruments backlighting value
– Lots of other data that I couldn’t find a correlation
21.
Some spoofing…
• Sending commands that would originate from
the Body Control Module
25.
Security issues
• No authentication of nodes
• Messages are not scrambled
• Security by obscurity
26.
Counter measures
• Researched and developed by many universities and
companies:
– Efficient Protocols For Secure Broadcast In Controller Area
Networks - http://www.aut.upt.ro/~bgroza/Papers/CANSec.pdf
– LiBrA-CAN: Lightweight Broadcast Authentication for
Controller Area Networks http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf
– Broadcast Authentication in a Low Speed Controller Area
Network http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf
– Low cost multicast network authentication for embedded
control systems http://128.2.129.29/research/publications/2012/CMUECE-2012-011.pdf
– Many more
28.
Conclusions
• Hacking vehicle networks is EASY
• Through trial and error much information can
be obtained -> security by obscurity is not
sufficient
• With great power comes great responsibility
– Getting information from the vehicle bus can
enhance use of the vehicle
– People with bad intentions can cause damages
and injuries
29.
Contributors
•
•
•
•
•
Ioan Dubar
Alexandru Leipnik
Bogdan Groza
Alexandru George Andrei
My parents