Downloaded 73 times
![• Charlie
Miller
[Security
Engineer]
|Twi,er|
• Chris
Valasek
[Director
of
Security
Intelligence]
|
IOAc4ve|](https://image.slidesharecdn.com/chrisvalasekjapub-140312041928-phpapp02/85/by-Chris-Valasek-3-320.jpg)
![CAN
• ID
•
Hit
Counts:
Primary[03A9]
=>
9
|
Secondary[03A9]
=>
5
Hit
Counts:
Primary[0255]
=>
166
|
Secondary[0255]
=>
119
Hit
Counts:
Primary[0230]
=>
991
|
Secondary[0230]
=>
1011
Hit
Counts:
Primary[0250]
=>
168
|
Secondary[0250]
=>
209
Hit
Counts:
Primary[03C4]
=>
41
|
Secondary[03C4]
=>
46
Hit
Counts:
Primary[0340]
=>
80
|
Secondary[0340]
=>
82
Hit
Counts:
Primary[0422]
=>
83
|
Secondary[0422]
=>
36
Hit
Counts:
Primary[0423]
=>
17
|
Secondary[0423]
=>
6
Hit
Counts:
Primary[0420]
=>
83
|
Secondary[0420]
=>
47
Hit
Counts:
Primary[0200]
=>
496
|
Secondary[0200]
=>
630](https://image.slidesharecdn.com/chrisvalasekjapub-140312041928-phpapp02/85/by-Chris-Valasek-61-320.jpg)
Uploaded byCODE BLUE
自動車セキュリティの現状 by クリス・ヴァラセク Chris Valasek
The document contains details on security measures for automotive Electronic Control Units (ECUs) and their communication protocols via CAN bus, focusing on various data packets and security access methods. Key security techniques and ECU identifiers are discussed, along with examples of data transmission for input and output control. The document emphasizes the importance of protecting sensitive automotive information to prevent malicious attacks.
More Related Content
![[CB16] IoTとしての自動車とセキュリティ: リモートサービスのセキュリティ評価とその対策の検討 - by 和栗直英](https://cdn.slidesharecdn.com/ss_thumbnails/cb16wagurija-161109051322-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to 自動車セキュリティの現状 by クリス・ヴァラセク Chris Valasek
![[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t2s052022-10-28-dfirandthreathuntingwithwindowseventlogszachmathisversion3-230103072306-eb57bdc0-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Tales of 5G hacking by Karsten Nohl](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s09221127-230103071757-420d7b85-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...](https://cdn.slidesharecdn.com/ss_thumbnails/anjieyangyourprintercodebluefortranslator-230103071138-8fcd3032-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashien-230103064031-868ff2ae-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07hiroyukiitabashijp-230103063336-b5b21552-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupiloen-230103062123-07ea5347-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07lorenzopupilojp-230103061253-df49295c-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanen-230103060535-324b96bf-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07allanfriedmanjp-230103060017-24438771-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashien-230103055145-37529240-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s07ikuotakahashijp-230103054428-3dbd8ee7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s05u25yuumatakienkentarovar5-230102092618-bbf74898-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachinejapanesemachinetranslation-230102091457-ae9568be-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s04vladislavhrckaunderthehoodofwslinksvirtualmachine-230102091156-e3c59f0e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...](https://cdn.slidesharecdn.com/ss_thumbnails/d2t1s04zih-cingliaoyu-tungchnagclouddragonscredentialfactoryispoweringupitsespionageactivitiesagains-230102085356-8e46661b-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...](https://cdn.slidesharecdn.com/ss_thumbnails/codeblue2022chechangsilviayeh-230102084414-c1570bd5-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherenglishesix1-230102083158-ba91a7f7-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s09yutawhoisthemalgopherjapanese1-230102082553-e0b239bb-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s08takahiroharuyamac2scan-230101090416-eee10a0a-thumbnail.jpg?width=640&height=640&fit=bounds)
![[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t1s07tomonagamasubuchifightagainstmalwaredevelopmentlifecycle2022-10-1806-230101090047-9ab922cd-thumbnail.jpg?width=640&height=640&fit=bounds)
自動車セキュリティの現状 by クリス・ヴァラセク Chris Valasek
- 1. Dr. Charlie Miller (@0xcharlie) Chris Valasek (@nudehaberdasher)
- 2.
- 3. • Charlie Miller [Security Engineer] |Twi,er| • Chris Valasek [Director of Security Intelligence] | IOAc4ve|
- 4. • • CAN • CAN •
- 5.
- 6. 1: • Bluetooth
- 7. 1: () •
- 8. 2: CAN ECU ABS ECU ECU ECU…
- 9. • – : Bluetooth • • – OEM
- 10.
- 11. • • • • ECU – Linux Windows ECU
- 12.
- 13.
- 14.
- 15.
- 16. CAN • CAN ID 11 29 • 0 8 • CAN ID – CAN ID 00 CAN ID 01 • •
- 17. CAN • – ID: 03, ID: B1, : 08, : 80 00 00 00 00 00 00 00 • – ID: 00, ID: B6, : 04, : 33 A8 00 95 • ID – 95 * API
- 18. • ABS ECU – ID:07, ID: 60, : 08, : 03 14 FF 00 00 00 00 00 ID:07, ID: 68, : 08, : 03 7F 14 78 00 00 00 00 ID:07, ID: 68, : 08, : 03 54 FF 00 00 00 00 00 • ECU ID – ABS ID 0760 • ID 8 ID •
- 19.
- 20. • ISO 15765-‐2 (ISO-‐TP) – CAN • ISO 14229/14230 – ECU – –
- 21. : SecurityAccess • SecurityAccess (ECU ) – IDH: 07, IDL: 26, Len: 08, Data: 02 27 01 00 00 00 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 05 67 01 54 61 B6 00 00 IDH: 07, IDL: 26, Len: 08, Data: 05 27 02 D0 B6 F1 00 00 IDH: 07, IDL: 2E, Len: 08, Data: 02 67 02 00 00 00 00 00 • 0726 (SJB) – 27 01 => • ECU OK • • ECU OK – 67 02 => 02
- 22. : InputOuputControl • ECU (i.e. do stuff) – IDH: 07, IDL: E0, Len: 08, Data: 06 2F 03 07 03 00 00 00 IDH: 07, IDL: E8, Len: 08, Data: 06 6F 03 07 03 36 90 00 • 07E0 inputOutputControl – 2F => ISO-‐14229 inputOutputControl – 03 07 => – 03 00 00 =>
- 23. • ECUReset • ReadMemoryByAddress • RoueneControl • RequestDownload • RequestUpload • TransferData • TesterPresent • WriteMemoryByAddress
- 24. • CAN • CAN • •
- 25.
- 26. • CAN – • vs. – ECU • –
- 27. : • • CAN ID: 0201 • : 08 • : AA BB 00 00 CC DD 00 00 • => 0.0065 * (CC DD) – 67 • RPM => 0.25 * (AA BB) – 24 • (20.1mph | 2233 rpm): ID:02, ID:01, :08, : 23 45 00 00 34 56 00 00
- 28. : II
- 29.
- 30. : II
- 31. : II
- 32. : II
- 33.
- 34. SecurityAccess • ECUSecurityAccess • ECU • ECU
- 35. SecurityAccess: • PAM • IDH: 07, IDL: 36, Len: 08, Data: 02 27 01 00 00 00 00 00 • IDH: 07, IDL: 3E, Len: 08, Data: 05 67 01 11 22 33 00 00 • IDH: 07, IDL: 36, Len: 08, Data: 05 27 02 CB BF 91 00 00 • IDH: 07, IDL: 3E, Len: 08, Data: 02 67 02 00 00 00 00 00 • ECU
- 36.
- 37. secret_keys = { 0x727:"50 C8 6A 49 F1", 0x733: "AA BB CC DD EE", 0x736: "08 30 61 55 AA", 0x737: "52 6F 77 61 6E", 0x760: "5B 41 74 65 7D", 0x765: "96 A2 3B 83 9B", 0x7a6: "50 C8 6A 49 F1", 0x7e0: "08 30 61 A4 C5",} secret_keys2 = { 0x7e0: "44 49 4F 44 45", 0x737: "5A 89 E4 41 72”}
- 38. • securityAccess DeviceControl ECU
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48. BDM Freescale USB S08/HCS12 BDM /
- 49.
- 50.
- 51.
- 52. • • • CAN ECU • /
- 53.
- 54. • – – PC – PC – – ECU –
- 55. / • – – : – • ECU – ECU –
- 56. • 悪意ある攻撃から車両を保護するのに業界が成功している 理由の1つは、各メーカーがセキュリティ上重要な情報の保 護に成功しているからである CEO Mitch Bainwol Mike Stanton •
- 57. • ECU CAN – • : • – – – CAN
- 58. • • • IDS/ IPS
- 59. • • CAN • •
- 60. CAN • 15 CAN • 1 CAN ID • 1 CAN ID • CAN ID
- 61. CAN • ID • Hit Counts: Primary[03A9] => 9 | Secondary[03A9] => 5 Hit Counts: Primary[0255] => 166 | Secondary[0255] => 119 Hit Counts: Primary[0230] => 991 | Secondary[0230] => 1011 Hit Counts: Primary[0250] => 168 | Secondary[0250] => 209 Hit Counts: Primary[03C4] => 41 | Secondary[03C4] => 46 Hit Counts: Primary[0340] => 80 | Secondary[0340] => 82 Hit Counts: Primary[0422] => 83 | Secondary[0422] => 36 Hit Counts: Primary[0423] => 17 | Secondary[0423] => 6 Hit Counts: Primary[0420] => 83 | Secondary[0420] => 47 Hit Counts: Primary[0200] => 496 | Secondary[0200] => 630
- 62. : • – • : ( ) • 1 ( 20 ) 0 10 20 30 40 50 60 70 80 90 100 Frequency distribution of 0201 CAN id
- 63. : • – ( ) • • “Experimental Security Analysis of a Modern Automobile”
- 64. • • CAN ( CAN CAN ) • •
- 65. • CAN IPS ECU • ECU • OBD-‐II
- 66.
- 67. • • CAN • CAN • • •
- 68. • Dr. Charlie Miller (@0xcharlie) – Twimer Guy – cmiller@openrce.org • Chris Valasek (@nudehaberdasher) – Director of Security Intelligence @ IOAceve – cvalasek@gmail.com