Telematics “integrated use of telecommunications and informatics”ECU = Electronic CBCM=Brake ECU=Engine ontrol CCU=Convenience ontrol ACU=Airbag CC ontrol odule CTM=Central Ciming Module GEM=General Electronic MSCM=Suspension ontrol U odule TCM=Transmission M Module BCM=Body CCTontrol ontrol odule ECM=Engine ontrol CUodule MPCM=Powertrain CC Mnit MUnit CCM=Central ontrol ontrol nit odule ~100 Bosch, Siemens, Delphi..
TelematicsPotentially less than great security?
Eh, Whats up Doc?• The Car• Transport• Server• Client
The Car - Research• Experimental Security Analysis of a Modern Automobile – OBD-II• Comprehensive Experimental Analyses of Automotive Attack Surfaces – CD – OBD-II (PassThru) – Bluetooth – GSM
The Car – Reality• War Texting: Identifying and Interacting with Devices on the Telephone Network – Method for attacking telematics • In general: GSM Baseband + uC Chip • UART -> RE -> Firmware -> Vulnerability – How2 find targets? • FindMe • WhoIs
The Car – Reality• Put it to the test – Zoombak Tracking Device • Zoombak Scanner • Ask nicely via SMS – Subaru Outback 1998 • after market telematics unit • unlock and start engine • http://youtu.be/bNDv00SGb6w
Transport - GSM• A5/1• SRLabs – CCC 2009, BlackHat 2010 – Rainbow tables (100.000 years to 1 month) – Decode voice • 100-300m upstream • 5-35km downstream
Transport – GPRS/EDGE No encryption• GEA/0• GEA/1• GEA/2• GEA/3• GEA/4 No users• SRLabs – CCC 2011, Crypto analysis (weak crypto) – Decode GPRS -> Wireshark
Conclusion• All components are possible targets• Very few has the complete picture• Activity in the security arena• This is going to get worse before it gets better – 2012 models CAN bus is unprotected – New tools arriving every day – Larger attack surface than ever• Use fast shoes