Gentlemen, Start Your Engines 20120419

Short overview of the current security status in the automotive telematics security arena. Presented at the ISACA Scandinavian Conference, April 23-24th 2012.


  1. Gentlemen, Start your engines
       Mattias Jidhage
  2. Omegapoint
       – Founded in 2001
       – 170 consultants
       – e-Business & Security
       Falun, New York, Stockholm, Göteborg, Kalmar, Helsingborg, Malmö
  3. Agenda
  4. Telematics
       “integrated use of telecommunications and informatics”
       • ECU = Electronic Control Unit
       • BCM = Brake Control Module
       • ECU = Engine Control Unit
       • CCU = Convenience Control Unit
       • ACU = Airbag Control Unit
       • CTM = Central Timing Module
       • GEM = General Electronic Module
       • SCM = Suspension Control Module
       • TCM = Transmission Control Module
       • BCM = Body Control Module
       • ECM = Engine Control Module
       • PCM = Powertrain Control Module
       • CCM = Central Control Module
       ~100
       Bosch, Siemens, Delphi..
  5. Telematics
       Potentially less than great security?
  6. Eh, What's up Doc?
       • The Car
       • Transport
       • Server
       • Client
  7. The Car - Research
       • Experimental Security Analysis of a Modern Automobile
           – OBD-II
       • Comprehensive Experimental Analyses of Automotive Attack Surfaces
           – CD
           – OBD-II (PassThru)
           – Bluetooth
           – GSM
  8. The Car – Reality
       • War Texting: Identifying and Interacting with Devices on the Telephone Network
           – Method for attacking telematics
               • In general: GSM Baseband + uC Chip
               • UART -> RE -> Firmware -> Vulnerability
           – How2 find targets?
               • FindMe
               • WhoIs
  9. The Car – Reality
       • Put it to the test
           – Zoombak Tracking Device
               • Zoombak Scanner
               • Ask nicely via SMS
           – Subaru Outback 1998
               • after market telematics unit
               • unlock and start engine
               • http://youtu.be/bNDv00SGb6w
  10. Transport - GSM
       • A5/1
       • SRLabs
           – CCC 2009, BlackHat 2010
           – Rainbow tables (100.000 years to 1 month)
           – Decode voice
               • 100-300m upstream
               • 5-35km downstream
  11. Transport – GPRS/EDGE
       • GEA/0 (No encryption)
       • GEA/1
       • GEA/2
       • GEA/3
       • GEA/4 (No users)
       • SRLabs
           – CCC 2011, Crypto analysis (weak crypto)
           – Decode GPRS -> Wireshark
  12. Transport – cell USRP H W
  13. Server
       • Car interface
           – Proprietary protocol
               • ASN.1 – Turing complete
               • GPRS, EDGE, SMS and data over voice
           – “We use a Private APN”
               • Generic Routing Encapsulation
               • Node to Node communication
       • Operator web application
       • Smartphone interface: REST/JSON
  14. Client - browser
       • Web application
           – no news
           – move on
           – there is nothing to see
           – DriveBy Trojan Download & Install
               • Starring Windows
               • Guest appearance by Mac OSX
  15. Client – smart phone
       • Few real vulnerability tests performed
       • iOS
           – Continuous Jailbreak
           – iOS 5.0.1 - iPhone 4GS and iPad2
           – iOS 5.1 – iPad3
       • Android
           – Rogue apps
           – Android Market - ‘Bouncer’
  16. Conclusion
       • All components are possible targets
       • Very few have the complete picture
       • Activity in the security arena
       • This is going to get worse before it gets better
           – 2012 models CAN bus is unprotected
           – New tools arriving every day
           – Larger attack surface than ever
       • Use fast shoes
  17. What’s to come?
       • “Internet of Things”
  18. The Future
  19. The Future
       • Telematics – M2M
           – “integrated use of telecommunications and informatics”
       Insulin pump
       Prescription medication
  20. The Future
       ABB IRB 6640
       Industrial robot
  21. The Future
       Three Gorges
       Infrastructure - SCADA – Stuxnet
  22. The Future
       Home Metering Unit - SmartGrid
       270 000 HMU using ZigBee
  23. “Everything is a computer”
       @mjidhage
       mattias.jidhage@omegapoint.se
       Thank You!
  24. References
       • http://www.autosec.org/publications.html
       • http://www.isecpartners.com/storage/docs/presentations/isec_bh2011_war_texting.pdf
       • http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf
       • https://srlabs.de/blog/wp-content/uploads/2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf
       • http://events.ccc.de/camp/2011/Fahrplan/attachments/1868_110810.SRLabs-Camp-GRPS_Intercept.pdf
