CODE BLUE, profile picture
Uploaded byCODE BLUE
PDF, PPTX31,602 views

The Current State of Automotive Security by Chris Valasek

The document discusses automotive security, focusing on vulnerabilities within vehicle systems and the CAN bus architecture. It explains the anatomy of attacks, various electronic control units (ECUs), and the inherent lack of security in the design of automotive communication systems. Recommendations include improving detection of attacks, implementing layered security approaches, and segmenting CAN networks to enhance vehicle safety.

Embed presentation

Download as PDF, PPTX
The  current  state  of     automo/ve  security   Dr.  Charlie  Miller  (@0xcharlie)   Chris  Valasek  (@nudehaberdasher)  
INTRODUCTION  
Who   •  Charlie  Miller     [Security  Engineer]     |Twi2er|   •  Chris  Valasek     [Director  of  Security  Intelligence]  | IOAc8ve|    
Agenda   •  Anatomy  of  an  aJack   •  CAN  Basics   •  AJacking  the  CAN  bus   •  Securing  the  modern  vehicle  
ANATOMY  OF  AN  ATTACK  
Step  1:  Code  execu/on   •  Remote   Telema/cs  unit   TPMS   Bluetooth   “Connec/vity”  apps,   Web  browser,  etc  
Step  1:  Code  execu/on  (cont.)   •  Local  
Step  2:  CAN  message  injec/on   Compromised  ECU   ABS  ECU   Steering  ECU   Other  ECUs…  
AJack  Scenario   •  A  remote  vulnerability  s/ll  relies  on  ‘local’   informa/on   –  Example:  A  remote  exploit  targe/ng  a  vulnerability  in   the  Bluetooth  receiver  is  only  harmful  if  the  aJacker   knows  specific  informa/on  about  the  vehicle   •  Both  learning  the  local  control  and  remote   vulnerability  are  required     •  Local  can  actually  take  longer  due  to  being   different  for  every  vehicle   –  Remote  can  span  makes/models  due  to  nature  of   OEM  purchasing  of  devices  (i.e.  infotainment  systems)  
ELECTRONIC  CONTROL  UNITS   (ECUS)  
Electronic  Control  Units   •  Controls  almost  every  aspect  of  the  modern   automobile   •  Take  input  from  sensors  and  provide  output  to   actuators     •  Located  in  various  places  throughout  the  car   •  ECUs  are  running  custom  code  on  unusual   hardware   – Infotainment  systems  may  be  Linux/Windows   variant,  but  func/on  ECUs  are  custom  code  
ECU  Structure  
Ford  PCM  Connector  
Ford  PCM  ECU  
CAN  BASICS  
CAN  Overview   •  CAN  IDs  can  be  11  or  29  bits  long   •  Data  length  can  be  0  to  8  bytes  in  length   •  CAN  ID  is  used  as  a  priority  field   – CAN  ID  00  has  priority  over  CAN  ID  01   •  Interes/ng  data  is  in  the  applica/on  layer   •  Broadcast  in  nature.  Therefore  all  nodes  on  a   bus  will  see  all  messages  
Normal  CAN  message   •  Ford  Escape     –  IDH: 03, IDL: B1, Len: 08, Data: 80 00 00 00 00 00 00 00 •  Toyota  Prius   –  IDH: 00, IDL: B6, Len: 04, Data: 33 A8 00 95 •  Varying:  Lengths,  IDs,  Data   –  Toyota  has  a  checksum  of  “95”  at  the  app  layer   *  This  format  was  designed  by  us  to  be  human   readable  and  diges/ble  by  our  API  
Diagnos/c  Example   •  Ford  Escape  communica/ng  with  ABS  ECU   –  IDH: 07, IDL: 60, Len: 08, Data: 03 14 FF 00 00 00 00 00 IDH: 07, IDL: 68, Len: 08, Data: 03 7F 14 78 00 00 00 00 IDH: 07, IDL: 68, Len: 08, Data: 03 54 FF 00 00 00 00 00 •  Each  ECU  has  one  or  more  IDs  associated   – In  this  case,  ABS  is  0760   •  Responses  are  8  more  than  ID   •  Mainly  used  by  mechanics,  but  we’ll  show   how  some  are  used  by  us…  
STANDARDS  &  PROTOCOLS  
Useful  Standards  &  Protocols   •  ISO  15765-­‐2  (ISO-­‐TP)   – Standard  for  sending  arbitrary  length  data  over   CAN   •  ISO  14229/14230   – Standard  for  services  running  on  the  ECU   – No  service  is  mandatory   – Defines  certain  bytes  for  diagnos/c  purposes  
Services:  SecurityAccess   •  SecurityAccess  is  used  to  perform  sensi/ve  diagnos/c  ac/ons     (such  as  reprogramming  an  ECU)   –  IDH: 07, IDL: 26, Len: 08, Data: 02 27 01 00 00 00 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 05 67 01 54 61 B6 00 00 IDH: 07, IDL: 26, Len: 08, Data: 05 27 02 D0 B6 F1 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 02 67 02 00 00 00 00 00 •  Authen/ca/on  with  0726  (SJB)   –  27  01  =>  Request  Seed   •  ECU  sends  back  OK  and  seed  (challenge)   •  Programmer  sends  back  response   •  ECU  Sends  back  OK   –  67  02  =>  OK  for  security  level  02  
Services:  InputOuputControl   •  Authorized  tools  to  control  or  monitor   external  inputs  to  the  ECU  (i.e.  do  stuff)   –  IDH: 07, IDL: E0, Len: 08, Data: 06 2F 03 07 03 00 00 00 IDH: 07, IDL: E8, Len: 08, Data: 06 6F 03 07 03 36 90 00 •  Send  inputOutputControl  test  to  07E0   – 2F  =>  ISO-­‐14229  code  for  inputOutputControl   – 03  07  =>  The  control  to  be  tested   – 03  00  00  =>  Data  provided  for  the  test  
Some  other  interes/ng  PIDs   •  ECUReset   •  ReadMemoryByAddress   •  Rou/neControl     •  RequestDownload   •  RequestUpload   •  TransferData   •  TesterPresent   •  WriteMemoryByAddress  
Systemic  Issues   •  CAN  was  designed  decades  ago  without   security  in  mind   •  CAN,  by  nature,  does  not  support   authoriza/on,  authen/ca/on,  or  encryp/on   •  An  industry  relying  solely  on  entry  point   security  is  doomed  to  fail   •  Although  aJack  data  will  vary,  methods  are   universal  across  make  and  manufacturer  
CURRENT  ATTACKS  
Injec/on  Limita/ons   •  Not  all  func/ons  in  an  automobile  are   performed  over  CAN  (yet)   – Electric  ThroJle  in  Ford  Escape     •  Original  vs.  Forged  Messages   – S/ll  have  legi/mate  coming  from  the  ECU,  forging   may  produce  varying  results   •  Safety  features  might  need  bypassed   – Toyota  speed  limit  for  steering  during  IPAS    
Speedometer:  Ford   •  Set  the  speedometer  to  arbitrary  values   •  CAN  ID:  0201   •  Length:  08   •  Format:  AA  BB  00  00  CC  DD  00  00   •  Speed  =>  0.0065  *  (CC  DD)  –  67   •  RPM  =>  0.25  *  (AA  BB)  –  24   •  Example  (20.1mph  |  2233  rpm):     IDH: 02, IDL: 01, Len: 08, Data: 23 45 00 00 34 56 00 00
Speedometer:  Ford  II  
*  Please  see  paper  for  packet  dissec/on  and  code.    
Braking:  Toyota  II    
Steering:  Toyota  II  
Accelera/on:  Toyota  II  
DIAGNOSTIC  CAN  INJECTION  
SecurityAccess   •  A  few  ECUs  from  each  car  responded  and   accepted  the  SecurityAccess  service   •  For  these  ECUs  we’ve  figured  out  the  secrets   to  produce  valid  keys  from  the  seeds  provided   •  This  permits  the  ECUs  to  be  put  in   reprogramming  mode  and  other  special   diagnos/c  states  
SecurityAccess:  Ford   •  PAM  doesn’t  send  random  seeds   •  IDH: 07, IDL: 36, Len: 08, Data: 02 27 01 00 00 00 00 00 •  IDH: 07, IDL: 3E, Len: 08, Data: 05 67 01 11 22 33 00 00 •  IDH: 07, IDL: 36, Len: 08, Data: 05 27 02 CB BF 91 00 00 •  IDH: 07, IDL: 3E, Len: 08, Data: 02 67 02 00 00 00 00 00 •  Other  ECUs  do  send  random  seeds  
Reversing  the  Ford  IDS  tool  
Ford  Escape  keys   secret_keys = { 0x727: "50 C8 6A 49 F1", 0x733: "AA BB CC DD EE", 0x736: "08 30 61 55 AA", 0x737: "52 6F 77 61 6E", 0x760: "5B 41 74 65 7D", 0x765: "96 A2 3B 83 9B", 0x7a6: "50 C8 6A 49 F1", 0x7e0: "08 30 61 A4 C5",} secret_keys2 = { 0x7e0: "44 49 4F 44 45", 0x737: "5A 89 E4 41 72”}
Academic  research   •  securityAccess  to  ECU  then  diagnos/c  messages  using  the   ‘DeviceControl’  Service    
Kill  Engine:  Ford  
Lights:  Toyota  
Lights:  Ford  
Horn:  Toyota  
Seat  Belt:  Toyota  
Doors  Lock/Unlock:  Toyota  
Fuel  Gauge:  Toyota  
Disable  brakes:  Ford  
FIRMWARE  
Dumping  firmware   Freescale  USB  S08/HCS12  BDM  Mul/link  In-­‐Circuit  Debugger/ Programmer  is  connected  to  the  BDM  header  
Disassembling   target  processor  Motorola  HCS12X  
Con/nued  access  
SECURING  THE  MODERN  VEHICLE  
There  are  a  few  strategies   •  Secure  remote  endpoints   •  Cryptographically  verify  messages   •  Segment  CAN  network/isolate  ECUs   •  Detect/prevent  aJacks  real-­‐/me  
Industry  Statement   “Our  focus,  and  that  of  the  en/re  auto  industry,  is   to  prevent  hacking  into  a  vehicle's  by-­‐wire  control   system  from  a  remote/wireless  device  outside  of   the  vehicle.    Toyota  has  developed  very  strict  and   effec/ve  firewall  technology  against  such  remote   and  wireless  services.    We  con/nue  to  try  to  hack   our    systems  and  have  a  considerable  investment  in   state  of  the  art  electro-­‐magne/c  R&D  facili/es.    We   believe  our  systems  are  robust  and  secure.”      -­‐  John  Hanson  |  Toyota  Motor  Sales  U.S.A  
External  Security  Dependencies   •  Total  security  is  not  achievable     –  Humans  make  mistakes   –  We  haven’t  been  able  to  secure  PCs,  what  make  you   think  automo/ve  is  different?   –  Enterprises  do  not  implement  a  single  /ered  approach   with  PCs,  why  should  automobiles?     –  3rd  party  assessment  appears  to  be  rare   –  ECU  patching  for  known  vulnerabili/es  can  be   complicated   –  Addi/onal  remote  aJack  vectors  being  added  each   year  
Cryptography/Authen/ca/on   •  Many  suggest  encryp/ng  applica/on-­‐layer  data   –  Unfortunately  doesn’t  seem  viable  at  this  point  due  to   real-­‐/me  necessity  of  the  automo/ve  system   –  Example:  The  brakes  have  to  work  in  real-­‐/me  and  can   NEVER  take  too  long   –  Key  management  is  also  difficult   •  If  its  in  the  ECU,  it  can  probably  be  reversed   –  Reverse  Engineering  of  the  ECU/mechanics  tools  can   result  in  cryptography  being  subverted   –  Should  not  rely  on  obscurity  to  protect  driver  
More  on  obscurity  and  security   •  "One  reason  for  the  industry's  success  in  preven4ng  bad   actors  from  doing  malicious  things  to  vehicles  is  that   individual  automakers  have  done  a  very  good  job  of  keeping   security  sensi4ve  informa4on  from  falling  into  the  wrong   hands,"  wrote  Mitch  Bainwol,  the  CEO  of  the  Alliance  of   Automobile  Manufacturers  and  Mike  Stanton  of  the   Associa/on  of  Global  Automakers   •  If  the  only  thing  preven/ng  a  bad  guy  from  crashing  your  car   is  that  they  have  to  look  hard  for  the  info,  there  is  no  real   security  
Segmenta/on   •  Isolate  ECUs  on  different  CAN  buses   – Bridging  traffic  is  s/ll  necessary   •  Example:  Infotainment  system  s/ll  needs  to  get   messages  about  speed   •  Status  of  car  must  be  presented  on  instrument  cluster   – Bridge  must  NOT  forward  incorrect  traffic   – Bridge  is  now  the  weakest  link  /  aJack  target   – CAN  bridges  will  be  proprietary  in  nature,  forcing   them  to  be  updated  &  augmented  constantly  
Detec/on  of  aJacks   •  Don’t  exclusively  rely  on  making  aJacks   difficult,  instead  focus  on  detec/ng  aJacks   and  taking  ac/on   •  Can’t  always  stop  aJack,  but  you  can  take   ac/on  when  one  is  happening   •  Analogous  to  IDS/IPS  in  enterprise   environments  
Advantages   •  Vehicular  networks  are  especially  well  suited   for  aJack  detec/on   •  CAN  messages  are  very  standard  and   predictable   •  The  frequency  of  messages  and  their  content   vary  in  predictable  ways   •  AJacks  stand  out  and  can  easily  be  detected  
CAN  Traffic  is  Simple   •  We  recorded  CAN  traffic  while  driving  around   for  15  minutes   •  The  CAN  ID’s  found  in  the  first  second  of  the   trip  were  recorded  for  both  Ford  and  Toyota   •  No  addi/onal  CAN  ID’s  were  found  the  rest  of   the  trip   •  Any  addi/onal  CAN  ID’s  (such  as  diagnos/c   messages)  would  be  suspicious  
Frequency  of  CAN  messages   •  Frequency  of  messages  from  IDs  does  not  have   much  devia/on   •  Comparison  of  messages  from  the  start  of  a   capture  and  in  random  loca/ons  within  the  same   capture   Hit  Counts:  Primary[03A9]  =>  9          |  Secondary[03A9]  =>  5   Hit  Counts:  Primary[0255]  =>  166  |  Secondary[0255]  =>  119   Hit  Counts:  Primary[0230]  =>  991  |  Secondary[0230]  =>  1011   Hit  Counts:  Primary[0250]  =>  168  |  Secondary[0250]  =>  209   Hit  Counts:  Primary[03C4]  =>  41      |  Secondary[03C4]  =>  46   Hit  Counts:  Primary[0340]  =>  80      |  Secondary[0340]  =>  82   Hit  Counts:  Primary[0422]  =>  83      |  Secondary[0422]  =>  36   Hit  Counts:  Primary[0423]  =>  17      |  Secondary[0423]  =>  6   Hit  Counts:  Primary[0420]  =>  83      |  Secondary[0420]  =>  47   Hit  Counts:  Primary[0200]  =>  496  |  Secondary[0200]  =>  630  
Detec/ng  AJacks:  Normal  Packets   •  Our  injec/on  aJacks  are  ‘loud’   –  Use  high  frequency  of  packets  to  ensure  that  it  out  numbers  legi/mate   traffic   •  Example:  Sending  speed  packets  will  conflict  with  actual  speed     (in  MPH  and  frequency)   •  Frequency  per  second  (we  send  about  20x  faster)   0 10 20 30 40 50 60 70 80 90 100 Frequency distribution of 0201 CAN id
Detec/ng  AJacks:  Diagnos/c   Messages   •  Diagnos/c  packets  are  usually  performed   when  mechanics  are  performing  tests   – Not  while  car  is  moving  (or  at  least  driving  at   highway  speeds)   •  Our  aJacks  based  on  this  would  easily  be   detected   •  ALL  significant  aJacks  outlines  in   “Experimental  Security  Analysis  of  a  Modern   Automobile”  stem  from  diagnos/c  messages  
Ac/ons  to  take   •  Alert  driver   •  Shut  down  CAN  network     (for  example,  short  CAN  Hi  to  CAN  Lo)   •  Safely  stop  vehicle   •  Poten/ally  ignore  certain  messages  for  a   period  of  /me  (if  not  cri/cal)  
The  detec/on  code   •  Add  an  IPS  ECU  to  each  CAN  network   •  Add  code  to  exis/ng  ECUs   •  Add  hardware  module  which  plugs  into  obdii   port  
CONCLUSION  
Conclusion   •  AJacks  consist  of  two  sides:  compromise  &  control   •  Vehicles  can  be  physically  controlled  via  the  CAN  bus   by  malicious  aJackers   •  CAN  and  corresponding  architecture  were  NOT   designed  with  security  in  mind   •  Relying  solely  on  external  input  security  is  imperfect  at   best   •  A  layered  approach  to  security  is  beJer  (and  cheaper)   •  Generically  detec/ng  &  protec/ng  the  vehicle  appears   to  be  the  most  effec/ve  method  for  automo/ve  safety  
Ques/ons?   •  Dr.  Charlie  Miller  (@0xcharlie)   –  TwiJer  Guy   –  cmiller@openrce.org   •  Chris  Valasek  (@nudehaberdasher)   –  Director  of  Security  Intelligence  @  IOAc/ve   –  cvalasek@gmail.com  

More Related Content

PDF
Introduction to Automotive Bootloader | Programming Sequence
byKapil Thakar
 
PDF
Automotive embedded systems part6 v2
byKeroles karam khalil
 
PDF
Future Intelligent Mobility with Adaptive AUTOSAR - Transforming Vehicle E/E A
byGlobalLogic Croatia
 
PDF
Automotive embedded systems part2 v1
byKeroles karam khalil
 
PPTX
Understanding Flash Bootloader Software and Automotive ECU Reprogramming
byEmbitel Technologies - A VOLKSWAGEN GROUP COMPANY
 
PDF
Automotive embedded systems part5 v2
byKeroles karam khalil
 
PDF
In‐Vehicle Networking: a Survey and Look Forward
byRealTime-at-Work (RTaW)
 
PDF
What is AUTOSAR Communication Stack (ComStack)?Get introduced to CAN ComStack
byEmbitel Technologies - A VOLKSWAGEN GROUP COMPANY
 
Introduction to Automotive Bootloader | Programming Sequence
byKapil Thakar
 
Automotive embedded systems part6 v2
byKeroles karam khalil
 
Future Intelligent Mobility with Adaptive AUTOSAR - Transforming Vehicle E/E A
byGlobalLogic Croatia
 
Automotive embedded systems part2 v1
byKeroles karam khalil
 
Understanding Flash Bootloader Software and Automotive ECU Reprogramming
byEmbitel Technologies - A VOLKSWAGEN GROUP COMPANY
 
Automotive embedded systems part5 v2
byKeroles karam khalil
 
In‐Vehicle Networking: a Survey and Look Forward
byRealTime-at-Work (RTaW)
 
What is AUTOSAR Communication Stack (ComStack)?Get introduced to CAN ComStack
byEmbitel Technologies - A VOLKSWAGEN GROUP COMPANY
 

Viewers also liked

PDF
Connected Car Security
bySuresh Mandava
 
PDF
Addressing Security in the Automotive Industry
bySasken Technologies Ltd.
 
PPTX
Red Bend Software: Optimizing the User Experience with Over-the-Air Updates
byRed Bend Software
 
PPTX
Over-the-air (OTA) updates and the Connected car
byPratik Desai, PhD
 
PDF
Vector red bend_webinar_flashing_over_the_air_and_delta_technology_20140121_en
byRed Bend Software
 
PPTX
Infotainment system of car
byBrundha Sholaganga
 
PPTX
Infotainment
byManish Kumar
 
PDF
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
byAlexander Much
 
PDF
From Connected To Self-Driving - Securing the Automotive Revolution
byAlexander Schellong
 
PDF
Tesla's technological innovations
byGhanesh Kulkarni, PMP
 
PPTX
Automotive security (cvta)
byAlan Tatourian
 
PDF
IoT Seminar (Oct. 2016) Tao Lin - Movimento Group
byOpen Mobile Alliance
 
PPTX
M2M Workshop: How FOTA can increase M2M Adoption
byRed Bend Software
 
PPTX
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
PDF
Critical Success Factors for A Data Analytics Initiative
bySasken Technologies Ltd.
 
PPTX
Megatrends 2013: Manage the Accelerating Amount of Software in Cars
byRed Bend Software
 
PPTX
Arynga CEO, Walter Buga at Automotive Linux Summit, 5/2013
byArynga
 
Connected Car Security
bySuresh Mandava
 
Addressing Security in the Automotive Industry
bySasken Technologies Ltd.
 
Red Bend Software: Optimizing the User Experience with Over-the-Air Updates
byRed Bend Software
 
Over-the-air (OTA) updates and the Connected car
byPratik Desai, PhD
 
Vector red bend_webinar_flashing_over_the_air_and_delta_technology_20140121_en
byRed Bend Software
 
Infotainment system of car
byBrundha Sholaganga
 
Infotainment
byManish Kumar
 
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
byAlexander Much
 
From Connected To Self-Driving - Securing the Automotive Revolution
byAlexander Schellong
 
Tesla's technological innovations
byGhanesh Kulkarni, PMP
 
Automotive security (cvta)
byAlan Tatourian
 
IoT Seminar (Oct. 2016) Tao Lin - Movimento Group
byOpen Mobile Alliance
 
M2M Workshop: How FOTA can increase M2M Adoption
byRed Bend Software
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
Critical Success Factors for A Data Analytics Initiative
bySasken Technologies Ltd.
 
Megatrends 2013: Manage the Accelerating Amount of Software in Cars
byRed Bend Software
 
Arynga CEO, Walter Buga at Automotive Linux Summit, 5/2013
byArynga
 

Similar to The Current State of Automotive Security by Chris Valasek

PDF
自動車セキュリティの現状 by クリス・ヴァラセク Chris Valasek
byCODE BLUE
 
PDF
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
byShakacon
 
PPTX
Automotive Security (Connected Vehicle Security Issues)
byPriyanka Aash
 
PDF
DEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
byGuy Boulianne
 
PDF
Car hacking
bysoxxxcool
 
PPTX
Will future vehicles be secure?
byAlan Tatourian
 
PPT
Automobile Computer Security.ppt
byNiraj Bhatta
 
PDF
CSW2017 jun li_car anomaly detection
byCanSecWest
 
PDF
SANS - Developments car hacking - 36607
byFelipe Prado
 
PPTX
poster presentation
byBhanuprakash K
 
PDF
Asia 14-garcia-illera-dude-wtf-in-my-can
byinjenerzntu
 
PPTX
Как «вправить» автомобилю «мозги»
byPositive Hack Days
 
PDF
Carlos Sahuquillo - Car Hacking: de Angelina Jolie a Charlize Theron [rootedv...
byRootedCON
 
PDF
Wfcs2019
byAlexios Lekidis
 
PDF
20181116.smart can cable_v2
byMocke Tech
 
PDF
Controller area network as the security of the vehicles
byIAEME Publication
 
PDF
Analyzing the Security of Cars Efficiently
byNiek Timmers
 
DOCX
thesis paper
byBhanuprakash K
 
PDF
Implementation of a bluetooth attack on controller area network
bynooriasukmaningtyas
 
PDF
Automotive Electronics - Internals and Security Implications
byAanjhan Ranganathan
 
自動車セキュリティの現状 by クリス・ヴァラセク Chris Valasek
byCODE BLUE
 
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
byShakacon
 
Automotive Security (Connected Vehicle Security Issues)
byPriyanka Aash
 
DEFCON-21 - How to Hack Your Mini Cooper, by Jason Staggs
byGuy Boulianne
 
Car hacking
bysoxxxcool
 
Will future vehicles be secure?
byAlan Tatourian
 
Automobile Computer Security.ppt
byNiraj Bhatta
 
CSW2017 jun li_car anomaly detection
byCanSecWest
 
SANS - Developments car hacking - 36607
byFelipe Prado
 
poster presentation
byBhanuprakash K
 
Asia 14-garcia-illera-dude-wtf-in-my-can
byinjenerzntu
 
Как «вправить» автомобилю «мозги»
byPositive Hack Days
 
Carlos Sahuquillo - Car Hacking: de Angelina Jolie a Charlize Theron [rootedv...
byRootedCON
 
Wfcs2019
byAlexios Lekidis
 
20181116.smart can cable_v2
byMocke Tech
 
Controller area network as the security of the vehicles
byIAEME Publication
 
Analyzing the Security of Cars Efficiently
byNiek Timmers
 
thesis paper
byBhanuprakash K
 
Implementation of a bluetooth attack on controller area network
bynooriasukmaningtyas
 
Automotive Electronics - Internals and Security Implications
byAanjhan Ranganathan
 

More from CODE BLUE

PDF
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 
PDF
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
PDF
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
PDF
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
PDF
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
PDF
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
PDF
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
PPTX
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
PPTX
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
PDF
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
PDF
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
PDF
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
PDF
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 

Recently uploaded

PDF
John Deere 7200R Series Repair Manual PDF.pdf
byabjekGoogle
 
PDF
Complete Guide to Volkswagen Factory Recommended Maintenance for Long-Term En...
byM Service Inc
 
PDF
CCST9014_202324S2_Chapter 10_RelationBetweenScienceMusic.pdf
byjerrylam2005dg
 
PPT
adjectives.ppt bbvf bhhh bgfdss bhgfddxv
byEnasHesham
 
PDF
John Deere 8260R 8285r Tractors Repair Technical Manual TM110319.pdf
byabjekGoogle
 
PDF
LOLER Inspection checklist with eAuditor Audits & Inspections
byeAuditor Audits & Inspections
 
PDF
Electric Vehicle Development in Indian Sub continent
bysouvik296164
 
PPTX
Hgfffhjfgjjgfgghhgggghgggslide_19129.pptx
bylolalaylola123
 
PDF
Seller Syndication--Used Cars India. The 3 Lakh Crore Gridlock
bykritarth1981
 
PDF
Solar tracking using Arduino pdf form.pdf
bysuryapratapsinghonli
 
PDF
ICT Prep2 Lesson1-2 SM_251002_074210.pdf
bymhalexeg82
 
PPTX
Kompani profile dari PT BSC Company Profile
byAdiKendil
 
PDF
ICT Prep2 Lesson1-2 SM_251002_074210.pdf
bymhalexeg82
 
PDF
Solid state physics_Ch-3.ppt last year acadimic
byabdulsalamhazim30
 
PDF
New Holland TN95FA 4WD Tractor Excavator Manual.pdf
byabjekGoogle
 
PDF
Forth Stage Chapter Two Nuclear.ppt last year
byabdulsalamhazim30
 
PPTX
High advances in Clinical Diagnosis and disease discovery.pptx
bygauravop2004
 
PDF
osward@1234567789876654_&67546450091.pdf
bymartinosward39
 
PPTX
The Transformative Impact of Artificial Intelligence on Modern Society: A Com...
byuvbhatkar
 
PDF
A comprehensive guide to heat treatment - Volume 2.pdf
byssuser27c167
 
John Deere 7200R Series Repair Manual PDF.pdf
byabjekGoogle
 
Complete Guide to Volkswagen Factory Recommended Maintenance for Long-Term En...
byM Service Inc
 
CCST9014_202324S2_Chapter 10_RelationBetweenScienceMusic.pdf
byjerrylam2005dg
 
adjectives.ppt bbvf bhhh bgfdss bhgfddxv
byEnasHesham
 
John Deere 8260R 8285r Tractors Repair Technical Manual TM110319.pdf
byabjekGoogle
 
LOLER Inspection checklist with eAuditor Audits & Inspections
byeAuditor Audits & Inspections
 
Electric Vehicle Development in Indian Sub continent
bysouvik296164
 
Hgfffhjfgjjgfgghhgggghgggslide_19129.pptx
bylolalaylola123
 
Seller Syndication--Used Cars India. The 3 Lakh Crore Gridlock
bykritarth1981
 
Solar tracking using Arduino pdf form.pdf
bysuryapratapsinghonli
 
ICT Prep2 Lesson1-2 SM_251002_074210.pdf
bymhalexeg82
 
Kompani profile dari PT BSC Company Profile
byAdiKendil
 
ICT Prep2 Lesson1-2 SM_251002_074210.pdf
bymhalexeg82
 
Solid state physics_Ch-3.ppt last year acadimic
byabdulsalamhazim30
 
New Holland TN95FA 4WD Tractor Excavator Manual.pdf
byabjekGoogle
 
Forth Stage Chapter Two Nuclear.ppt last year
byabdulsalamhazim30
 
High advances in Clinical Diagnosis and disease discovery.pptx
bygauravop2004
 
osward@1234567789876654_&67546450091.pdf
bymartinosward39
 
The Transformative Impact of Artificial Intelligence on Modern Society: A Com...
byuvbhatkar
 
A comprehensive guide to heat treatment - Volume 2.pdf
byssuser27c167
 

The Current State of Automotive Security by Chris Valasek

  • 1.
    The  current  state  of     automo/ve  security   Dr.  Charlie  Miller  (@0xcharlie)   Chris  Valasek  (@nudehaberdasher)  
  • 2.
  • 3.
    Who   •  Charlie  Miller     [Security  Engineer]     |Twi2er|   •  Chris  Valasek     [Director  of  Security  Intelligence]  | IOAc8ve|    
  • 4.
    Agenda   •  Anatomy  of  an  aJack   •  CAN  Basics   •  AJacking  the  CAN  bus   •  Securing  the  modern  vehicle  
  • 5.
    ANATOMY  OF  AN  ATTACK  
  • 6.
    Step  1:  Code  execu/on   •  Remote   Telema/cs  unit   TPMS   Bluetooth   “Connec/vity”  apps,   Web  browser,  etc  
  • 7.
    Step  1:  Code  execu/on  (cont.)   •  Local  
  • 8.
    Step  2:  CAN  message  injec/on   Compromised  ECU   ABS  ECU   Steering  ECU   Other  ECUs…  
  • 9.
    AJack  Scenario   • A  remote  vulnerability  s/ll  relies  on  ‘local’   informa/on   –  Example:  A  remote  exploit  targe/ng  a  vulnerability  in   the  Bluetooth  receiver  is  only  harmful  if  the  aJacker   knows  specific  informa/on  about  the  vehicle   •  Both  learning  the  local  control  and  remote   vulnerability  are  required     •  Local  can  actually  take  longer  due  to  being   different  for  every  vehicle   –  Remote  can  span  makes/models  due  to  nature  of   OEM  purchasing  of  devices  (i.e.  infotainment  systems)  
  • 10.
  • 11.
    Electronic  Control  Units   •  Controls  almost  every  aspect  of  the  modern   automobile   •  Take  input  from  sensors  and  provide  output  to   actuators     •  Located  in  various  places  throughout  the  car   •  ECUs  are  running  custom  code  on  unusual   hardware   – Infotainment  systems  may  be  Linux/Windows   variant,  but  func/on  ECUs  are  custom  code  
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
    CAN  Overview   • CAN  IDs  can  be  11  or  29  bits  long   •  Data  length  can  be  0  to  8  bytes  in  length   •  CAN  ID  is  used  as  a  priority  field   – CAN  ID  00  has  priority  over  CAN  ID  01   •  Interes/ng  data  is  in  the  applica/on  layer   •  Broadcast  in  nature.  Therefore  all  nodes  on  a   bus  will  see  all  messages  
  • 17.
    Normal  CAN  message   •  Ford  Escape     –  IDH: 03, IDL: B1, Len: 08, Data: 80 00 00 00 00 00 00 00 •  Toyota  Prius   –  IDH: 00, IDL: B6, Len: 04, Data: 33 A8 00 95 •  Varying:  Lengths,  IDs,  Data   –  Toyota  has  a  checksum  of  “95”  at  the  app  layer   *  This  format  was  designed  by  us  to  be  human   readable  and  diges/ble  by  our  API  
  • 18.
    Diagnos/c  Example   • Ford  Escape  communica/ng  with  ABS  ECU   –  IDH: 07, IDL: 60, Len: 08, Data: 03 14 FF 00 00 00 00 00 IDH: 07, IDL: 68, Len: 08, Data: 03 7F 14 78 00 00 00 00 IDH: 07, IDL: 68, Len: 08, Data: 03 54 FF 00 00 00 00 00 •  Each  ECU  has  one  or  more  IDs  associated   – In  this  case,  ABS  is  0760   •  Responses  are  8  more  than  ID   •  Mainly  used  by  mechanics,  but  we’ll  show   how  some  are  used  by  us…  
  • 19.
  • 20.
    Useful  Standards  &  Protocols   •  ISO  15765-­‐2  (ISO-­‐TP)   – Standard  for  sending  arbitrary  length  data  over   CAN   •  ISO  14229/14230   – Standard  for  services  running  on  the  ECU   – No  service  is  mandatory   – Defines  certain  bytes  for  diagnos/c  purposes  
  • 21.
    Services:  SecurityAccess   • SecurityAccess  is  used  to  perform  sensi/ve  diagnos/c  ac/ons     (such  as  reprogramming  an  ECU)   –  IDH: 07, IDL: 26, Len: 08, Data: 02 27 01 00 00 00 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 05 67 01 54 61 B6 00 00 IDH: 07, IDL: 26, Len: 08, Data: 05 27 02 D0 B6 F1 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 02 67 02 00 00 00 00 00 •  Authen/ca/on  with  0726  (SJB)   –  27  01  =>  Request  Seed   •  ECU  sends  back  OK  and  seed  (challenge)   •  Programmer  sends  back  response   •  ECU  Sends  back  OK   –  67  02  =>  OK  for  security  level  02  
  • 22.
    Services:  InputOuputControl   • Authorized  tools  to  control  or  monitor   external  inputs  to  the  ECU  (i.e.  do  stuff)   –  IDH: 07, IDL: E0, Len: 08, Data: 06 2F 03 07 03 00 00 00 IDH: 07, IDL: E8, Len: 08, Data: 06 6F 03 07 03 36 90 00 •  Send  inputOutputControl  test  to  07E0   – 2F  =>  ISO-­‐14229  code  for  inputOutputControl   – 03  07  =>  The  control  to  be  tested   – 03  00  00  =>  Data  provided  for  the  test  
  • 23.
    Some  other  interes/ng  PIDs   •  ECUReset   •  ReadMemoryByAddress   •  Rou/neControl     •  RequestDownload   •  RequestUpload   •  TransferData   •  TesterPresent   •  WriteMemoryByAddress  
  • 24.
    Systemic  Issues   • CAN  was  designed  decades  ago  without   security  in  mind   •  CAN,  by  nature,  does  not  support   authoriza/on,  authen/ca/on,  or  encryp/on   •  An  industry  relying  solely  on  entry  point   security  is  doomed  to  fail   •  Although  aJack  data  will  vary,  methods  are   universal  across  make  and  manufacturer  
  • 25.
  • 26.
    Injec/on  Limita/ons   • Not  all  func/ons  in  an  automobile  are   performed  over  CAN  (yet)   – Electric  ThroJle  in  Ford  Escape     •  Original  vs.  Forged  Messages   – S/ll  have  legi/mate  coming  from  the  ECU,  forging   may  produce  varying  results   •  Safety  features  might  need  bypassed   – Toyota  speed  limit  for  steering  during  IPAS    
  • 27.
    Speedometer:  Ford   • Set  the  speedometer  to  arbitrary  values   •  CAN  ID:  0201   •  Length:  08   •  Format:  AA  BB  00  00  CC  DD  00  00   •  Speed  =>  0.0065  *  (CC  DD)  –  67   •  RPM  =>  0.25  *  (AA  BB)  –  24   •  Example  (20.1mph  |  2233  rpm):     IDH: 02, IDL: 01, Len: 08, Data: 23 45 00 00 34 56 00 00
  • 28.
  • 29.
    *  Please  see  paper  for  packet  dissec/on  and  code.    
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
    SecurityAccess   •  A  few  ECUs  from  each  car  responded  and   accepted  the  SecurityAccess  service   •  For  these  ECUs  we’ve  figured  out  the  secrets   to  produce  valid  keys  from  the  seeds  provided   •  This  permits  the  ECUs  to  be  put  in   reprogramming  mode  and  other  special   diagnos/c  states  
  • 35.
    SecurityAccess:  Ford   • PAM  doesn’t  send  random  seeds   •  IDH: 07, IDL: 36, Len: 08, Data: 02 27 01 00 00 00 00 00 •  IDH: 07, IDL: 3E, Len: 08, Data: 05 67 01 11 22 33 00 00 •  IDH: 07, IDL: 36, Len: 08, Data: 05 27 02 CB BF 91 00 00 •  IDH: 07, IDL: 3E, Len: 08, Data: 02 67 02 00 00 00 00 00 •  Other  ECUs  do  send  random  seeds  
  • 36.
    Reversing  the  Ford  IDS  tool  
  • 37.
    Ford  Escape  keys   secret_keys = { 0x727: "50 C8 6A 49 F1", 0x733: "AA BB CC DD EE", 0x736: "08 30 61 55 AA", 0x737: "52 6F 77 61 6E", 0x760: "5B 41 74 65 7D", 0x765: "96 A2 3B 83 9B", 0x7a6: "50 C8 6A 49 F1", 0x7e0: "08 30 61 A4 C5",} secret_keys2 = { 0x7e0: "44 49 4F 44 45", 0x737: "5A 89 E4 41 72”}
  • 38.
    Academic  research   • securityAccess  to  ECU  then  diagnos/c  messages  using  the   ‘DeviceControl’  Service    
  • 39.
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
    Dumping  firmware   Freescale  USB  S08/HCS12  BDM  Mul/link  In-­‐Circuit  Debugger/ Programmer  is  connected  to  the  BDM  header  
  • 49.
  • 50.
  • 51.
  • 52.
    There  are  a  few  strategies   •  Secure  remote  endpoints   •  Cryptographically  verify  messages   •  Segment  CAN  network/isolate  ECUs   •  Detect/prevent  aJacks  real-­‐/me  
  • 53.
    Industry  Statement   “Our  focus,  and  that  of  the  en/re  auto  industry,  is   to  prevent  hacking  into  a  vehicle's  by-­‐wire  control   system  from  a  remote/wireless  device  outside  of   the  vehicle.    Toyota  has  developed  very  strict  and   effec/ve  firewall  technology  against  such  remote   and  wireless  services.    We  con/nue  to  try  to  hack   our    systems  and  have  a  considerable  investment  in   state  of  the  art  electro-­‐magne/c  R&D  facili/es.    We   believe  our  systems  are  robust  and  secure.”      -­‐  John  Hanson  |  Toyota  Motor  Sales  U.S.A  
  • 54.
    External  Security  Dependencies   •  Total  security  is  not  achievable     –  Humans  make  mistakes   –  We  haven’t  been  able  to  secure  PCs,  what  make  you   think  automo/ve  is  different?   –  Enterprises  do  not  implement  a  single  /ered  approach   with  PCs,  why  should  automobiles?     –  3rd  party  assessment  appears  to  be  rare   –  ECU  patching  for  known  vulnerabili/es  can  be   complicated   –  Addi/onal  remote  aJack  vectors  being  added  each   year  
  • 55.
    Cryptography/Authen/ca/on   •  Many  suggest  encryp/ng  applica/on-­‐layer  data   –  Unfortunately  doesn’t  seem  viable  at  this  point  due  to   real-­‐/me  necessity  of  the  automo/ve  system   –  Example:  The  brakes  have  to  work  in  real-­‐/me  and  can   NEVER  take  too  long   –  Key  management  is  also  difficult   •  If  its  in  the  ECU,  it  can  probably  be  reversed   –  Reverse  Engineering  of  the  ECU/mechanics  tools  can   result  in  cryptography  being  subverted   –  Should  not  rely  on  obscurity  to  protect  driver  
  • 56.
    More  on  obscurity  and  security   •  "One  reason  for  the  industry's  success  in  preven4ng  bad   actors  from  doing  malicious  things  to  vehicles  is  that   individual  automakers  have  done  a  very  good  job  of  keeping   security  sensi4ve  informa4on  from  falling  into  the  wrong   hands,"  wrote  Mitch  Bainwol,  the  CEO  of  the  Alliance  of   Automobile  Manufacturers  and  Mike  Stanton  of  the   Associa/on  of  Global  Automakers   •  If  the  only  thing  preven/ng  a  bad  guy  from  crashing  your  car   is  that  they  have  to  look  hard  for  the  info,  there  is  no  real   security  
  • 57.
    Segmenta/on   •  Isolate  ECUs  on  different  CAN  buses   – Bridging  traffic  is  s/ll  necessary   •  Example:  Infotainment  system  s/ll  needs  to  get   messages  about  speed   •  Status  of  car  must  be  presented  on  instrument  cluster   – Bridge  must  NOT  forward  incorrect  traffic   – Bridge  is  now  the  weakest  link  /  aJack  target   – CAN  bridges  will  be  proprietary  in  nature,  forcing   them  to  be  updated  &  augmented  constantly  
  • 58.
    Detec/on  of  aJacks   •  Don’t  exclusively  rely  on  making  aJacks   difficult,  instead  focus  on  detec/ng  aJacks   and  taking  ac/on   •  Can’t  always  stop  aJack,  but  you  can  take   ac/on  when  one  is  happening   •  Analogous  to  IDS/IPS  in  enterprise   environments  
  • 59.
    Advantages   •  Vehicular  networks  are  especially  well  suited   for  aJack  detec/on   •  CAN  messages  are  very  standard  and   predictable   •  The  frequency  of  messages  and  their  content   vary  in  predictable  ways   •  AJacks  stand  out  and  can  easily  be  detected  
  • 60.
    CAN  Traffic  is  Simple   •  We  recorded  CAN  traffic  while  driving  around   for  15  minutes   •  The  CAN  ID’s  found  in  the  first  second  of  the   trip  were  recorded  for  both  Ford  and  Toyota   •  No  addi/onal  CAN  ID’s  were  found  the  rest  of   the  trip   •  Any  addi/onal  CAN  ID’s  (such  as  diagnos/c   messages)  would  be  suspicious  
  • 61.
    Frequency  of  CAN  messages   •  Frequency  of  messages  from  IDs  does  not  have   much  devia/on   •  Comparison  of  messages  from  the  start  of  a   capture  and  in  random  loca/ons  within  the  same   capture   Hit  Counts:  Primary[03A9]  =>  9          |  Secondary[03A9]  =>  5   Hit  Counts:  Primary[0255]  =>  166  |  Secondary[0255]  =>  119   Hit  Counts:  Primary[0230]  =>  991  |  Secondary[0230]  =>  1011   Hit  Counts:  Primary[0250]  =>  168  |  Secondary[0250]  =>  209   Hit  Counts:  Primary[03C4]  =>  41      |  Secondary[03C4]  =>  46   Hit  Counts:  Primary[0340]  =>  80      |  Secondary[0340]  =>  82   Hit  Counts:  Primary[0422]  =>  83      |  Secondary[0422]  =>  36   Hit  Counts:  Primary[0423]  =>  17      |  Secondary[0423]  =>  6   Hit  Counts:  Primary[0420]  =>  83      |  Secondary[0420]  =>  47   Hit  Counts:  Primary[0200]  =>  496  |  Secondary[0200]  =>  630  
  • 62.
    Detec/ng  AJacks:  Normal  Packets   •  Our  injec/on  aJacks  are  ‘loud’   –  Use  high  frequency  of  packets  to  ensure  that  it  out  numbers  legi/mate   traffic   •  Example:  Sending  speed  packets  will  conflict  with  actual  speed     (in  MPH  and  frequency)   •  Frequency  per  second  (we  send  about  20x  faster)   0 10 20 30 40 50 60 70 80 90 100 Frequency distribution of 0201 CAN id
  • 63.
    Detec/ng  AJacks:  Diagnos/c   Messages   •  Diagnos/c  packets  are  usually  performed   when  mechanics  are  performing  tests   – Not  while  car  is  moving  (or  at  least  driving  at   highway  speeds)   •  Our  aJacks  based  on  this  would  easily  be   detected   •  ALL  significant  aJacks  outlines  in   “Experimental  Security  Analysis  of  a  Modern   Automobile”  stem  from  diagnos/c  messages  
  • 64.
    Ac/ons  to  take   •  Alert  driver   •  Shut  down  CAN  network     (for  example,  short  CAN  Hi  to  CAN  Lo)   •  Safely  stop  vehicle   •  Poten/ally  ignore  certain  messages  for  a   period  of  /me  (if  not  cri/cal)  
  • 65.
    The  detec/on  code   •  Add  an  IPS  ECU  to  each  CAN  network   •  Add  code  to  exis/ng  ECUs   •  Add  hardware  module  which  plugs  into  obdii   port  
  • 66.
  • 67.
    Conclusion   •  AJacks  consist  of  two  sides:  compromise  &  control   •  Vehicles  can  be  physically  controlled  via  the  CAN  bus   by  malicious  aJackers   •  CAN  and  corresponding  architecture  were  NOT   designed  with  security  in  mind   •  Relying  solely  on  external  input  security  is  imperfect  at   best   •  A  layered  approach  to  security  is  beJer  (and  cheaper)   •  Generically  detec/ng  &  protec/ng  the  vehicle  appears   to  be  the  most  effec/ve  method  for  automo/ve  safety  
  • 68.
    Ques/ons?   •  Dr.  Charlie  Miller  (@0xcharlie)   –  TwiJer  Guy   –  cmiller@openrce.org   •  Chris  Valasek  (@nudehaberdasher)   –  Director  of  Security  Intelligence  @  IOAc/ve   –  cvalasek@gmail.com