Gentlemen, Start Your Engines 20120514


Short overview of the current security status in the automotive telematics security arena. Presented at the OWASP Sweden meeting, May 14th 2012.


  1. OWASP Sweden 20120514: Gentlemen, Start your engines. Mattias Jidhage
  2. Omegapoint
     • Founded in 2001
     • 170 consultants
     • e-Business & Security
     • Falun, New York, Stockholm, Göteborg, Kalmar, Helsingborg, Malmö
  3. Agenda
  4. Telematics: “integrated use of telecommunications and informatics”
     • ECU = Electronic Control Unit
       – BCM = Brake Control Module
       – ECU = Engine Control Unit
       – CCU = Convenience Control Unit
       – ACU = Airbag Control Unit
       – CTM = Central Timing Module
       – GEM = General Electronic Module
       – SCM = Suspension Control Module
       – TCM = Transmission Control Module
       – BCM = Body Control Module
       – ECM = Engine Control Module
       – PCM = Powertrain Control Module
       – CCM = Central Control Module
     • ~100
     • Bosch, Siemens, Delphi..
  5. Infotainment
     • Tech fragmentation
       – Cost
       – Long dev cycle
     • Apps for the car
       – HTML5
       – JavaScript
     • App stores
       – Blackberry App World
       – Android Market
       – Mbrace?
     • Full featured browser
       – Torch
       – Netfront
     • OS
       – Blackberry
       – Windows
       – Android
     • Smartphones on wheels?
  8. Telematics: Potentially less than great security?
  9. Eh, What's up Doc?
     • The Car
     • Transport
     • Server
     • Client
  10. The Car - Research
     • Experimental Security Analysis of a Modern Automobile
       – OBD-II
     • Comprehensive Experimental Analyses of Automotive Attack Surfaces
       – CD
       – OBD-II (PassThru)
       – Bluetooth
       – GSM
  11. The Car – Reality
     • War Texting: Identifying and Interacting with Devices on the Telephone Network
       – Method for attacking telematics
         • In general: GSM Baseband + uC Chip
         • UART -> RE -> Firmware -> Vulnerability
       – How2 find targets?
         • FindMe
         • WhoIs
  12. The Car – Reality
     • Put it to the test
       – Zoombak Tracking Device
         • Zoombak Scanner
         • Ask nicely via SMS
       – Subaru Outback 1998
         • after market telematics unit
         • unlock and start engine
         • http://youtu.be/bNDv00SGb6w
  13. Transport - GSM
     • A5/1
     • SRLabs
       – CCC 2009, BlackHat 2010
       – Rainbow tables (100.000 years to 1 month)
       – Decode voice
         • 100-300m upstream
         • 5-35km downstream
  14. Transport – GPRS/EDGE
     • GEA/0 – No encryption
     • GEA/1
     • GEA/2
     • GEA/3
     • GEA/4 – No users
     • SRLabs
       – CCC 2011, Crypto analysis (weak crypto)
       – Decode GPRS -> Wireshark
  15. Transport – cell: USRP H W
  16. Server
     • Car interface
       – Proprietary protocol
         • ASN.1 – Turing complete
         • GPRS, EDGE, SMS and data over voice
       – “We use a Private APN”
         • Generic Routing Encapsulation
         • Node to Node communication
     • Operator web application
     • Smartphone interface: REST/JSON
  17. Client - browser
     • Web application
       – no news
       – move on
       – there is nothing to see
       – DriveBy Trojan Download & Install
         • Starring Windows
         • Guest appearance by Mac OSX
  18. Client – smart phone
     • Few real vulnerability tests performed
     • iOS
       – Continuous Jailbreak
       – iOS 5.0.1 - iPhone 4GS and iPad2
       – iOS 5.1.x – iPad3 – no public (i0n1c, pod2g)
     • Android
       – Rogue apps
       – Android Market - ‘Bouncer’
  19. Conclusion
     • All components are possible targets
     • Very few have the complete picture
     • Activity in the security arena
     • This is going to get worse before it gets better
       – 2012 models CAN bus is unprotected
       – New tools arriving every day
       – Larger attack surface than ever
     • Use fast shoes
  20. What’s to come? “Internet of Things”, TLA = IoT
  21. The Future
  22. The Future
     • Telematics – M2M
       – “integrated use of telecommunications and informatics”
     • Insulin pump
     • Prescription medication
  23. The Future
     • ABB IRB 6640, Industrial robot
  24. The Future
     • Three Gorges
     • Infrastructure - SCADA – Stuxnet
  25. The Future
     • Home Metering Unit - SmartGrid
     • 270 000 HMU using ZigBee
  26. everything is a computer
     • Thank You!
     • @mjidhage
     • mattias.jidhage@owasp.org
  27. References
     • http://www.autosec.org/publications.html
     • http://www.isecpartners.com/storage/docs/presentations/isec_bh2011_war_texting.pdf
     • http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf
     • https://srlabs.de/blog/wp-content/uploads/2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf
     • http://events.ccc.de/camp/2011/Fahrplan/attachments/1868_110810.SRLabs-Camp-GRPS_Intercept.pdf
