Oren Elimelech, profile picture
Uploaded byOren Elimelech
PDF, PPTX2,367 views

Cyber Security in Transportation

This document discusses various aspects of cyber security in transportation, focusing on vulnerabilities within aviation, public transport, and connected vehicles. Specific incidents of cyber attacks are highlighted, including the LOT Polish Airlines disruption and hacks affecting United Airlines and Chrysler Jeep systems. The overall emphasis is on the need for comprehensive protection and awareness of both internal and external threats in transportation systems.

Embed presentation

Download as PDF, PPTX
Lecturer: Oren Elimelech Ministry of Transport & Road Safety Cyber Security Adviser / SecuRegion CISO CISO, CISM, CISA, CISSP, VCP, MCSE, MCT, A+, CCIE, CCSA Cyber Security in Transportation 19th August 2015
Oren Elimelech Cyber Security, GRC, ITC, Forensics & Cloud Consultant • • • • • • • • • • • • ISC2• ISSA• ISACA • IARM• CSA• OWASP 2 Who are you?... About Myself
• Transportation Cyber Security • Aviation Attacks • Public Transport Attack • Remote Exploitation of a Vehicle and other vegetables • Q & A Todays Agenda: 4
• The transportations segment includes many area: • Mass land transportation – Trains, Busses, Trucks etc. • Aviation transport – Planes, Airports among others. • Naval transport – Ships, harbors, nav. system etc. • Traffic & Transit control – signal control, warning lights, road crossing illumination, tunnels and many more • Vehicle – CAN bus, ECM, ECU, connected vehicles • Most of the systems used are SCADA systems • They are used for: power control, emergency ventilation control, alarms, indicators, sensors, fire/intrusion detection, control/signaling, AVL, access control etc. Transportation Cyber Security 5
• Most of the those system are vulnerable to cyber attacks since most are not totally disconnected • Some are prone to physical access or even Radio data link or Cellular (Watch Tower, Black Box etc) • Maintenance, firmware and software upgrades • And the list gets even longer • Manifestation Impact – a vulnerability cascading effect reaching other systems & services • One must ensure the Confidentiality (not necessarily security classified information), the Availability and the Integrity of information in ICT systems Areas of Compromise 6
• Expanding the scope from focusing only on external hostile threats to miscellaneous general external and internal threats – caused deliberately and accidently, technical failures and natural disasters • For instance: Avionics control system failure in UK following a software upgrade • Strong emphasis on supposedly peripheral systems that are not defined as critical national infrastructures • For instance: LOT airline company cyber attack My Work Objectives & Tasks 7
Aviation Attacks 8
• On June 21st operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines said was a cyberattack on flight-planning computers. 10 LOT flights were canceled and some 15 others were grounded for several hours, affecting roughly 1,400 passengers LOT Airline Cyber Attack 9
• U.S. aviation regulators and industry officials have begun developing comprehensive cybersecurity protections for aircraft, seeking to cover everything from the largest commercial jetliners to small private planes LOT Airline Cyber Attack 10
• On July 8th 2015 – United Airlines issued a statement saying it suffered from “a network connectivity issue” – effecting 4,900 flights were impacted by the problem worldwide United Airline vulnerabilities 11
• On July 15th 2015 – United Airlines gave 1 million miles bug bounty to a security researcher after finding Remote-execute, XSS and CSRF bug in the Airline mobile-app & website enabling private information disclosure and exploits United Airline vulnerabilities 12
• On August 17th 2015 – United Airlines frequent Flyer App was hacked revealing passengers private information – Yosi Dahan (whitehat hacker) United Airline vulnerabilities 13
Public Transport Attack 14
Once in the system, they disconnected signal control boxes at four intersections and locked out anyone else from being able to fix the problem "So for four days in this major city, the traffic lights would just blink and go from color to color" A large US city locked in labor negotiations with union employees was hit by two employees who helped build the traffic control system for the organization in protest of the proceedings. Even though the city had pre-emptively disabled union employee access to systems due to concerns of potential sabotage, these two insiders managed to gain control of the system due to a supervisor previously sharing his credentials. Dawn Cappelli, principal engineer at CERT Insiders using authorized access 18
Vehicle Attack 16
• Two researchers from US: • Charlie Miller • Chris Valasek • Work diligently since 2010 on DARPA funding • VIDEO DEMO Hacking Chrysler Jeep Remotely 17
• Controller Area Network (CAN) • Developed by Bosch 1983-86 for automobile in- vehicle network • Multi-drop, Multi-master serial bus providing communication between controllers, sensor and actuators • Highly reliable and robust, well proven technology • Inexpensive • First car BMW series 8 - 1988 • 100% car since 2008 user CAN bus CAN Bus Quick Intro 18
• Until CAN Bus – vehicles contained enormous amounts of wiring that was necessary to interconnect all the various electronic components CAN Bus Quick Intro 19
• CAN Bus reduced wiring in over 2km and weight of over 50kg CAN Bus Quick Intro 20
• International Standard ISO 11898 • ISO 11898-2 High speed application –1 Mbps • ISO 11898-3 Low speed application –125 Kbps • CAN id being used widely in other applications: • Automotive • Military vehicles • Industrial machinery • Medical systems • Agricultural machinery • Marine control and navigation • Elevator control systems CAN Bus Quick Intro 21
• Network Layered Model CAN Bus – based on OSI model 22 Partially implemented by higher- level CAN protocols like CANopen, CANaerospace, MilCAN, SAE J1939, ISO 1132 and others Standard CAN implementation defines most of the lowest two layers (physical details often specified by higher-layer protocol) Bypass used without higher-layer protocols User Interface
• All messages are broadcast • Any node is allowed to broadcast a message • Each message contains an ID that identifies the source or content of a message • Each receiver decides to process or ignore each message • Single twisted pair wire terminated on each end CAN Bus Characteristics 23
• Physical medium CAN Bus Characteristics 24
• Oscilloscope – Signal levels (Differential signaling) CAN Bus Characteristics 25 CAN H CAN L
• Oscilloscope – Signal levels (Differential signaling) CAN Bus Characteristics 26 Recessive 0 Dominant 0 Recessive 1
• Data Frame • Used to transmit data • Remote Frame • Used to request data transmission • Error Frame • Sent by a node that detects an error • Overload Frame • Sent by a node to request a delay in transmission CAN Bus Network Frames 27
• Multiple operation sensors • Alarms & Alerts can be disabled and even used… CAN Bus Vehicle Platform 28
• CAN Bus can be used to access other vehicle systems CAN Bus & Other Vehicle Platforms 29
Chrysler Jeep 2014 Remote Hacking 30
• The Jeep Cherokee was chosen due to the fact that the head unit (Radio) is connected to both CAN buses Chrysler Jeep 2014 31
• Adaptive Cruise Control (ACC) • assists the driver in keeping the proper distance between themselves and cars ahead of them • Forward Collision Warning Plus (FCW+) • prevents the Jeep from colliding with objects in front of it Cyber Physical Features 32
• Lane Departure Warning (LDW+) • examines the lines on the road (i.e. paint) to detects the Jeep is leaving the current lane, it will adjust the steering wheel to keep the vehicle in the current lane Cyber Physical Features 33
• Park Assist System (PAM) • Permits the driver to effortlessly park the car without much driver interaction in various scenarios, such as parallel parking, backing into a space, etc. • The PAM technology played a key role in the hack • Enabling to use this PAM to steer an automobile at high speed with CAN messages alone Cyber Physical Features 34
• Other vulnerable systems • Tire Pressure Monitoring System (TPMS) • Passive Anti-Theft System (PATS) • Bluetooth • Radio Data System • WiFi • GPS • HVAC (Heating and Air Conditioning) • Display • Knobs Cyber Physical Features 35
• Every piece of technology that interacts with the outside world is a potential entry point Remote Attack Surface 36
• Many modern automobiles contain a cellular radio, generically referred to as a telematics system, used to connect the vehicle to a cellular network, for example GM’s OnStar. The cellular technology can also be used to retrieve data, such as traffic or weather information • This is the holy grail of automotive attacks (Long Cellular cover) • On the Jeep, all of these features are controlled by the Radio, which resides on both the CAN-IHS bus and the CAN-C bus Telematics / Internet / Apps 37
• The Uconnect system in the Jeep contains the ability to communicate over cellular network using a sierra wireless card for remote connectivity Telematics / Internet / Apps 38
• The telematics, Internet, radio, and Apps are all bundled into the Harman Uconnect system that comes with the 2014 Jeep Cherokee Infotainment 39
• The 2014 Jeep Cherokee uses the Uconnect 8.4AN/RA4 radio manufactured by Harman Kardon with the majority of functionality is physically located on a Texas Instruments OMAP- DM3730 system on a chip which is common within automotive systems • The system uses LUA language: a common powerful, fast, lightweight, embeddable scripting language used in many systems worldwide Uconnect System 40
• As mentioned earlier, the Uconnect system has the ability to interact with both the outside world, via Wi-Fi, Cellular, and BT and with the CAN bus • The processor responsible for interacting with the Interior High Speed CAN (CAN-IHS) and the primary CAN-C bus is a Renesas V850 CAN Connectivity 41
• To hack the V850 chip you need the right tools for the job… Which cost the researchers over $6,700 plus having a $1800 per year Tech Authority subscription for being able to buy and updates… CAN Hacking & Connectivity 42
• Using the wiTECH tools you are able to see the entire network of the vehicle Chrysler Jeep 43
WiFi Open Ports 44 • Scanning the vehicle exposed WiFi ports reveals many open ports
WiFi Open Ports 45
• With all of these services, there is a good chance a vulnerability would be present that could allow remote exploitation, port 6667 seems interesting • This port is D-Bus over IP, which is essentially an inter-process communication (IPC) and remote procedure call (RPC) mechanism used for communication between processes WiFi Open Ports 46 No Password Needed!!!
• Using DFeet (wiTECH tool) to interact with the D-Bus service on the Jeep for methods to start ‘com.harman.service.SoftwareUpdate’ service D-Bus Software Update 47
• Inserting a USB with a valid ISO to the Uconnect begins the updating process Jailbreak Uconnect 48
• So a new compromised Firmware enables to remotely control the vehicle. • Even an unsigned firmware can be used to update the system from the head unit • The problem is that the system is only designed to perform the upgrade from a USB • This is a big complication for an attacker, since we want to flash the V850 (OMAP chip) without a USB stick…  Software Firmware Upgrade 49
• Port 6667 IRC, is bound to all interfaces, therefore D-Bus communications can be performed against the Jeep over the cellular network! Cellular Exploitation – Remote Update 50
• Was used to enable the vehicle to connect to the hacker – using a miniature cell tower (provided to customers with bad reception in their residence). The device can also be used to intercept cellular traffic and modified to an attacker’s specifications Femtocell 51
• Scanning port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8. Anything that responds is a vulnerable Uconnect system Scanning for vulnerable vehicles 52
• The D-Bus service on port 6667 running on the Uconnect system in susceptible to command injection vulnerabilities • Utilizing the ‘NavTrailService’ where code is implemented in ‘/service/platform/nav/navTrailService.lua’ • Unbelievable the service includes ‘execute’ method which is designed to execute arbitrary shell commands!!! Gaining Code Execution 53
• Running arbitrary code on the head unit (OMAP chip) within the Uconnect system enables running various LUA scripts that can be used to affect the vehicle • This gives the hackers the possibility to remotely control the 2014 Jeep Cherokee – even when a person is inside the vehicle Uconnect Attack Payloads 54
• Identify target • Exploit the OMAP chip of the head unit • Control the Uconnect System • Flash the v850 with modified firmware remotely • Perform cyber physical actions Summary - The entire exploit chain 55
•‫סמל‬‫תוצר‬-‫לדוגמא‬:19 •‫תוצר‬ ‫שם‬-‫לדוגמא‬:‫האודי‬ •‫דגם‬ ‫קוד‬-10 •‫תאור‬‫דגם‬-4LB0EL •‫המרכב‬-‫פנאי‬-‫שטח‬ •‫כינוי‬-Q7 •‫מנוע‬ ‫נפח‬-4163 •‫כולל‬ ‫משקל‬-3065 •‫גובה‬-173 •‫גימור‬ ‫רמת‬- •‫סוס‬ ‫כוחות‬-350 •‫דלתות‬ ‫מספר‬-5 •‫מזגן‬-‫יש‬ •‫אוויר‬ ‫כריות‬ ‫מספר‬-6 •‫מערכת‬ABS -‫יש‬ •‫אוטומטיים‬ ‫הילוכים‬-‫יש‬ •‫חלון‬‫בגאז‬- •‫שנה‬-2007 Free Data available in Israel from 2008 56 •‫קבוצת‬‫אגרה‬-7 •‫רישום‬ ‫הוראות‬-06-0526 •‫סה‬"‫רשומים‬ ‫כ‬-3 •‫פעילים‬ ‫רשומים‬-3 •‫הנעה‬-4X4 •‫כוח‬ ‫הגה‬-‫יש‬ •‫חשמל‬ ‫חלונות‬-4 •‫מגנזיום‬ ‫גלגלי‬-‫יש‬ •‫דלק‬ ‫סוג‬-‫בנזין‬ •‫ארגז‬- •‫יציבות‬ ‫בקרת‬-‫יש‬ •‫היברידי‬- •‫מושבים‬ ‫מספר‬-7 •‫גרירה‬ ‫כושר‬- •‫זיהום‬ ‫קבוצת‬- •‫תקינה‬- •‫בקרת‬‫מנתיב‬ ‫סטיה‬- •‫מלפנים‬ ‫מרחק‬ ‫ניטור‬- •‫מת‬ ‫בשטח‬ ‫זיהוי‬- •‫אדפטיבית‬ ‫שיוט‬ ‫בקרת‬- •‫זיהוי‬‫הולגי‬‫רגל‬- •‫לבלימה‬ ‫עזר‬ ‫מערכת‬- •‫מצלמת‬‫רוורס‬- •‫בצמיגים‬ ‫אוויר‬ ‫לחץ‬ ‫חיישני‬- •‫חגורות‬ ‫חיישני‬- •‫בטיחות‬ ‫ניקוד‬- •‫רמת‬‫איבזור‬‫בטיחותי‬- •‫אוטומטית‬ ‫תאורה‬- •‫באורות‬ ‫אוטומטית‬ ‫שליטה‬ ‫הגבוהים‬- •‫מסוכנת‬ ‫התקרבות‬ ‫מצב‬ ‫זיהוי‬- •‫תנועה‬ ‫תמרורי‬ ‫זיהוי‬-
-/briefings.html#remote15-www.blackhat.com/ushttps:// vehicle-passenger-unaltered-an-of-exploitation http://illmatics.com/Remote%20Car%20Hacking.pdf 57 Further Reading
Questions ? 58
Oren.Elimelech@gmail.com +972-505-375-385 59

More Related Content

PDF
Latest Seminar Topics for Engineering,MCA,MSc Students
byArun Kumar
 
PPTX
Quality attributes(Non operational) of embedded systems
byShreyaBhoje
 
PPTX
Security in an embedded system
byUrmilasSrinivasan
 
PPTX
Smart card technologya
bypuneet bhatia
 
PPTX
E.s (2)
bySneha Chopra
 
PPTX
Geographic Routing in WSN
byMahbubur Rahman
 
PPTX
Smart card technology
byLav Pratap
 
PPTX
RFID TECHNOLOGY
bysathish sak
 
Latest Seminar Topics for Engineering,MCA,MSc Students
byArun Kumar
 
Quality attributes(Non operational) of embedded systems
byShreyaBhoje
 
Security in an embedded system
byUrmilasSrinivasan
 
Smart card technologya
bypuneet bhatia
 
E.s (2)
bySneha Chopra
 
Geographic Routing in WSN
byMahbubur Rahman
 
Smart card technology
byLav Pratap
 
RFID TECHNOLOGY
bysathish sak
 

What's hot

PPTX
Chapter 3 Charateristics and Quality Attributes of Embedded System
byMoe Moe Myint
 
PDF
Embedded Systems and IoT
byDr. Shivananda Koteshwar
 
DOCX
IoT Home Automation System
byPratibha Chaudhary
 
PPT
Cyber-Physical Systems
bySinem Coleri Ergen
 
PPTX
SMART DUST
byKhyravdhy Tannaya
 
PPTX
Embedded system
byPankaj Upadhyay
 
PPTX
Design of band notched antenna for ultra wide band applications
byEngr Syed Absar Kazmi
 
PPTX
Industry 4.0 and the Internet of Things
bySchneider Electric
 
PPTX
PPT on Bluetooth Based Wireless Sensor Networks
bySiya Agarwal
 
DOCX
Smatcard documentation
byBhadra Gowdra
 
PPT
Embedded firmware
byJoel P
 
PPTX
3D OPTICAL DATA STORAGE
byRishikese MR
 
PPTX
electronics seminar ppt
byVibhu Mishra
 
PPTX
Digital twin technology - seminar presentation
by1js20ec036ksspoorthi
 
PDF
Security in Embedded systems
byNaveen Jakhar, I.T.S
 
PDF
IoT internet of things
byGd Insaa
 
DOCX
Seminar report of ewt
byRanol R C
 
PPT
Manet
byPushkar Dutt
 
PDF
Introduction to embedded system design
byMukesh Bansal
 
PPTX
Introduction to Embedded System I: Chapter 2 (5th portion)
byMoe Moe Myint
 
Chapter 3 Charateristics and Quality Attributes of Embedded System
byMoe Moe Myint
 
Embedded Systems and IoT
byDr. Shivananda Koteshwar
 
IoT Home Automation System
byPratibha Chaudhary
 
Cyber-Physical Systems
bySinem Coleri Ergen
 
SMART DUST
byKhyravdhy Tannaya
 
Embedded system
byPankaj Upadhyay
 
Design of band notched antenna for ultra wide band applications
byEngr Syed Absar Kazmi
 
Industry 4.0 and the Internet of Things
bySchneider Electric
 
PPT on Bluetooth Based Wireless Sensor Networks
bySiya Agarwal
 
Smatcard documentation
byBhadra Gowdra
 
Embedded firmware
byJoel P
 
3D OPTICAL DATA STORAGE
byRishikese MR
 
electronics seminar ppt
byVibhu Mishra
 
Digital twin technology - seminar presentation
by1js20ec036ksspoorthi
 
Security in Embedded systems
byNaveen Jakhar, I.T.S
 
IoT internet of things
byGd Insaa
 
Seminar report of ewt
byRanol R C
 
Manet
byPushkar Dutt
 
Introduction to embedded system design
byMukesh Bansal
 
Introduction to Embedded System I: Chapter 2 (5th portion)
byMoe Moe Myint
 

Viewers also liked

PPTX
Cyber security in_next_gen_air_transportation_system_wo_video
byOWASP Delhi
 
PPTX
Cyber security presentation
byBijay Bhandari
 
PPT
Cyber Security in Civil Aviation
byNetwork Intelligence India
 
PPTX
Cyber Security in the market place: HP CTO Day
bySymantec
 
PDF
Business Values for IoT Solutions
byIBM Analytics
 
PPTX
Damn Vulnerable Chemical Process
byPositive Hack Days
 
PPTX
Smart & Secure City Solutions by Rupinder Singh
byIPPAI
 
PDF
Cyber security for smart cities an architecture model for public transport
byAndrey Apuhtin
 
PPTX
Cyber security in smart cities
byAboul Ella Hassanien
 
PDF
Malaysia's National Cyber Security Policy
byDirectorate of Information Security | Ditjen Aptika
 
PPT
CYBER CRIME AND SECURITY
bySahil Vashishtha
 
PPT
Cyber Crime and Security
byDipesh Waghela
 
PPTX
Cybercrime.ppt
byAeman Khan
 
PPTX
Cyber-crime PPT
byAnshuman Tripathi
 
PPTX
Cyber security
bySiblu28
 
PPTX
Cyber crime ppt
byMOE515253
 
PPTX
Cyber crime and security ppt
byLipsita Behera
 
Cyber security in_next_gen_air_transportation_system_wo_video
byOWASP Delhi
 
Cyber security presentation
byBijay Bhandari
 
Cyber Security in Civil Aviation
byNetwork Intelligence India
 
Cyber Security in the market place: HP CTO Day
bySymantec
 
Business Values for IoT Solutions
byIBM Analytics
 
Damn Vulnerable Chemical Process
byPositive Hack Days
 
Smart & Secure City Solutions by Rupinder Singh
byIPPAI
 
Cyber security for smart cities an architecture model for public transport
byAndrey Apuhtin
 
Cyber security in smart cities
byAboul Ella Hassanien
 
Malaysia's National Cyber Security Policy
byDirectorate of Information Security | Ditjen Aptika
 
CYBER CRIME AND SECURITY
bySahil Vashishtha
 
Cyber Crime and Security
byDipesh Waghela
 
Cybercrime.ppt
byAeman Khan
 
Cyber-crime PPT
byAnshuman Tripathi
 
Cyber security
bySiblu28
 
Cyber crime ppt
byMOE515253
 
Cyber crime and security ppt
byLipsita Behera
 

Similar to Cyber Security in Transportation

PDF
Automotive Linux, Cybersecurity and Transparency
byAlison Chaiken
 
PDF
Countering Cybersecurity Risk in Today's IoT World
byBrad Nicholas
 
PPTX
Automotive Hacking
byGAURAV. H .TANDON
 
PPT
Feasible car cyber defense - ESCAR 2010
byIddan Halevy
 
PDF
Connected Car Security
bySuresh Mandava
 
PPTX
Is cybersecurity protection of commercial vehicles harder?
byGilad Bandel
 
PDF
SANS - Developments car hacking - 36607
byFelipe Prado
 
PPTX
Automotive security (cvta)
byAlan Tatourian
 
PPTX
Automotive Cyber-Security Insights learned from IT and ICS/SCADA
byGilad Bandel
 
PDF
Hackers are the new highway threat
byHarman Innovation
 
PDF
Connected vehicles: An Overview on Security, Vulnerabilities and Remedies
byMadhur Gupta
 
PDF
Cybersecurity For Commercial Vehicles 1st Edition Gloria Danna
bydziwkiademu31
 
PDF
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
byBill Harpley
 
PDF
Carlos Sahuquillo - Car Hacking: de Angelina Jolie a Charlize Theron [rootedv...
byRootedCON
 
PDF
Gentlemen, Start Your Engines 20120419
byMattias Jidhage
 
PPTX
Car Hacking Explained: Automotive Penetration Testing & Cybersecurity for Saf...
bydefencerabbit Team
 
PPTX
Backdooring a car
byAlexey Sintsov
 
PDF
IRJET- Data Acquistion through Connectivities in Cars
byIRJET Journal
 
PDF
IRJET- Data Acquistion through Connectivities in Cars
byIRJET Journal
 
PDF
Securing the Connected Car - SCaLE 2018
byMender.io
 
Automotive Linux, Cybersecurity and Transparency
byAlison Chaiken
 
Countering Cybersecurity Risk in Today's IoT World
byBrad Nicholas
 
Automotive Hacking
byGAURAV. H .TANDON
 
Feasible car cyber defense - ESCAR 2010
byIddan Halevy
 
Connected Car Security
bySuresh Mandava
 
Is cybersecurity protection of commercial vehicles harder?
byGilad Bandel
 
SANS - Developments car hacking - 36607
byFelipe Prado
 
Automotive security (cvta)
byAlan Tatourian
 
Automotive Cyber-Security Insights learned from IT and ICS/SCADA
byGilad Bandel
 
Hackers are the new highway threat
byHarman Innovation
 
Connected vehicles: An Overview on Security, Vulnerabilities and Remedies
byMadhur Gupta
 
Cybersecurity For Commercial Vehicles 1st Edition Gloria Danna
bydziwkiademu31
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
byBill Harpley
 
Carlos Sahuquillo - Car Hacking: de Angelina Jolie a Charlize Theron [rootedv...
byRootedCON
 
Gentlemen, Start Your Engines 20120419
byMattias Jidhage
 
Car Hacking Explained: Automotive Penetration Testing & Cybersecurity for Saf...
bydefencerabbit Team
 
Backdooring a car
byAlexey Sintsov
 
IRJET- Data Acquistion through Connectivities in Cars
byIRJET Journal
 
IRJET- Data Acquistion through Connectivities in Cars
byIRJET Journal
 
Securing the Connected Car - SCaLE 2018
byMender.io
 

Recently uploaded

PDF
Forth Roadmap Conference: Call for Proposals Info Session
byForth
 
PDF
Chapter 2-1 Free Vibration of Single-Degree of-Freedom System
by201870063
 
PPTX
Textual_Evidence_Lesson to support a claim.pptx
byAlexandranalapo1
 
PPTX
Extraction_of_Essential_Oils_Project.pptx
bylakshyasinghal000
 
PDF
120D John Deere Excavator Repair Manual TM10737.pdf
byabjekGoogle
 
PDF
Hitachi Zaxis ZX140-3, Zx310 Excavator Repair Manual.pdf
byabjekGoogle
 
PDF
Common Logistics Bottlenecks and How to Eliminate Them
byRoadies Inc
 
PDF
chemistry Sec-A PPTDEFEDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEESCSASDWED.pdf
byAhmedIbrahim463759
 
PPTX
METHODS OF GAINING SPACE.pptxhhgffgfddddd
byYashrajAvaghade
 
PDF
Modeling of thermal system Hydraulic Systems
by201870063
 
PPTX
Презентация _My profession is teacher_.pptx
byalievafotima6
 
PPTX
Aldehydes, Ketones and Carboxy special notes
byAnhadjotsingh3
 
PDF
Introduction_A1_PDF_ቅጂ.pdf seeraa maatii Oromiyaa
byAlebachew Negasa
 
PPTX
Fenske_4e_ch03_Cultural and Spiritual Considerations.pptxadfafad
bybalwaqfi
 
PPTX
Unveiling-Wireless-Power-Transfer-for-EVs.pptx
byjkenidi1
 
PDF
Stay Charged and Confident Professional Solutions for Porsche Electrical Issues
byBimmer Performance
 
PDF
Caterpillar 314D LCR Engine Oil and Filter Change.pdf
byabjekGoogle
 
PPTX
Week 3 of development.pptx cfcxxxfftddy sfffg
bykyulemutunga7
 
PDF
Your Go-To Guide for Buying Facebook Ads Accounts in the USA.pdf
byaiasbtcnwf43323w2nj9
 
PPTX
DESIGN AND FABRICATION OF THE IBM 90-90 SEAT BELT CLAMP KIA VEHICLE[1].pptx 2...
bySrinivasKy1
 
Forth Roadmap Conference: Call for Proposals Info Session
byForth
 
Chapter 2-1 Free Vibration of Single-Degree of-Freedom System
by201870063
 
Textual_Evidence_Lesson to support a claim.pptx
byAlexandranalapo1
 
Extraction_of_Essential_Oils_Project.pptx
bylakshyasinghal000
 
120D John Deere Excavator Repair Manual TM10737.pdf
byabjekGoogle
 
Hitachi Zaxis ZX140-3, Zx310 Excavator Repair Manual.pdf
byabjekGoogle
 
Common Logistics Bottlenecks and How to Eliminate Them
byRoadies Inc
 
chemistry Sec-A PPTDEFEDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEESCSASDWED.pdf
byAhmedIbrahim463759
 
METHODS OF GAINING SPACE.pptxhhgffgfddddd
byYashrajAvaghade
 
Modeling of thermal system Hydraulic Systems
by201870063
 
Презентация _My profession is teacher_.pptx
byalievafotima6
 
Aldehydes, Ketones and Carboxy special notes
byAnhadjotsingh3
 
Introduction_A1_PDF_ቅጂ.pdf seeraa maatii Oromiyaa
byAlebachew Negasa
 
Fenske_4e_ch03_Cultural and Spiritual Considerations.pptxadfafad
bybalwaqfi
 
Unveiling-Wireless-Power-Transfer-for-EVs.pptx
byjkenidi1
 
Stay Charged and Confident Professional Solutions for Porsche Electrical Issues
byBimmer Performance
 
Caterpillar 314D LCR Engine Oil and Filter Change.pdf
byabjekGoogle
 
Week 3 of development.pptx cfcxxxfftddy sfffg
bykyulemutunga7
 
Your Go-To Guide for Buying Facebook Ads Accounts in the USA.pdf
byaiasbtcnwf43323w2nj9
 
DESIGN AND FABRICATION OF THE IBM 90-90 SEAT BELT CLAMP KIA VEHICLE[1].pptx 2...
bySrinivasKy1
 

Cyber Security in Transportation

  • 1.
    Lecturer: Oren Elimelech Ministry ofTransport & Road Safety Cyber Security Adviser / SecuRegion CISO CISO, CISM, CISA, CISSP, VCP, MCSE, MCT, A+, CCIE, CCSA Cyber Security in Transportation 19th August 2015
  • 2.
    Oren Elimelech Cyber Security,GRC, ITC, Forensics & Cloud Consultant • • • • • • • • • • • • ISC2• ISSA• ISACA • IARM• CSA• OWASP 2 Who are you?... About Myself
  • 3.
    • Transportation CyberSecurity • Aviation Attacks • Public Transport Attack • Remote Exploitation of a Vehicle and other vegetables • Q & A Todays Agenda: 4
  • 4.
    • The transportationssegment includes many area: • Mass land transportation – Trains, Busses, Trucks etc. • Aviation transport – Planes, Airports among others. • Naval transport – Ships, harbors, nav. system etc. • Traffic & Transit control – signal control, warning lights, road crossing illumination, tunnels and many more • Vehicle – CAN bus, ECM, ECU, connected vehicles • Most of the systems used are SCADA systems • They are used for: power control, emergency ventilation control, alarms, indicators, sensors, fire/intrusion detection, control/signaling, AVL, access control etc. Transportation Cyber Security 5
  • 5.
    • Most ofthe those system are vulnerable to cyber attacks since most are not totally disconnected • Some are prone to physical access or even Radio data link or Cellular (Watch Tower, Black Box etc) • Maintenance, firmware and software upgrades • And the list gets even longer • Manifestation Impact – a vulnerability cascading effect reaching other systems & services • One must ensure the Confidentiality (not necessarily security classified information), the Availability and the Integrity of information in ICT systems Areas of Compromise 6
  • 6.
    • Expanding thescope from focusing only on external hostile threats to miscellaneous general external and internal threats – caused deliberately and accidently, technical failures and natural disasters • For instance: Avionics control system failure in UK following a software upgrade • Strong emphasis on supposedly peripheral systems that are not defined as critical national infrastructures • For instance: LOT airline company cyber attack My Work Objectives & Tasks 7
  • 7.
  • 8.
    • On June21st operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines said was a cyberattack on flight-planning computers. 10 LOT flights were canceled and some 15 others were grounded for several hours, affecting roughly 1,400 passengers LOT Airline Cyber Attack 9
  • 9.
    • U.S. aviationregulators and industry officials have begun developing comprehensive cybersecurity protections for aircraft, seeking to cover everything from the largest commercial jetliners to small private planes LOT Airline Cyber Attack 10
  • 10.
    • On July8th 2015 – United Airlines issued a statement saying it suffered from “a network connectivity issue” – effecting 4,900 flights were impacted by the problem worldwide United Airline vulnerabilities 11
  • 11.
    • On July15th 2015 – United Airlines gave 1 million miles bug bounty to a security researcher after finding Remote-execute, XSS and CSRF bug in the Airline mobile-app & website enabling private information disclosure and exploits United Airline vulnerabilities 12
  • 12.
    • On August17th 2015 – United Airlines frequent Flyer App was hacked revealing passengers private information – Yosi Dahan (whitehat hacker) United Airline vulnerabilities 13
  • 13.
  • 14.
    Once in the system,they disconnected signal control boxes at four intersections and locked out anyone else from being able to fix the problem "So for four days in this major city, the traffic lights would just blink and go from color to color" A large US city locked in labor negotiations with union employees was hit by two employees who helped build the traffic control system for the organization in protest of the proceedings. Even though the city had pre-emptively disabled union employee access to systems due to concerns of potential sabotage, these two insiders managed to gain control of the system due to a supervisor previously sharing his credentials. Dawn Cappelli, principal engineer at CERT Insiders using authorized access 18
  • 15.
  • 16.
    • Two researchersfrom US: • Charlie Miller • Chris Valasek • Work diligently since 2010 on DARPA funding • VIDEO DEMO Hacking Chrysler Jeep Remotely 17
  • 17.
    • Controller AreaNetwork (CAN) • Developed by Bosch 1983-86 for automobile in- vehicle network • Multi-drop, Multi-master serial bus providing communication between controllers, sensor and actuators • Highly reliable and robust, well proven technology • Inexpensive • First car BMW series 8 - 1988 • 100% car since 2008 user CAN bus CAN Bus Quick Intro 18
  • 18.
    • Until CANBus – vehicles contained enormous amounts of wiring that was necessary to interconnect all the various electronic components CAN Bus Quick Intro 19
  • 19.
    • CAN Busreduced wiring in over 2km and weight of over 50kg CAN Bus Quick Intro 20
  • 20.
    • International StandardISO 11898 • ISO 11898-2 High speed application –1 Mbps • ISO 11898-3 Low speed application –125 Kbps • CAN id being used widely in other applications: • Automotive • Military vehicles • Industrial machinery • Medical systems • Agricultural machinery • Marine control and navigation • Elevator control systems CAN Bus Quick Intro 21
  • 21.
    • Network LayeredModel CAN Bus – based on OSI model 22 Partially implemented by higher- level CAN protocols like CANopen, CANaerospace, MilCAN, SAE J1939, ISO 1132 and others Standard CAN implementation defines most of the lowest two layers (physical details often specified by higher-layer protocol) Bypass used without higher-layer protocols User Interface
  • 22.
    • All messagesare broadcast • Any node is allowed to broadcast a message • Each message contains an ID that identifies the source or content of a message • Each receiver decides to process or ignore each message • Single twisted pair wire terminated on each end CAN Bus Characteristics 23
  • 23.
    • Physical medium CANBus Characteristics 24
  • 24.
    • Oscilloscope –Signal levels (Differential signaling) CAN Bus Characteristics 25 CAN H CAN L
  • 25.
    • Oscilloscope –Signal levels (Differential signaling) CAN Bus Characteristics 26 Recessive 0 Dominant 0 Recessive 1
  • 26.
    • Data Frame •Used to transmit data • Remote Frame • Used to request data transmission • Error Frame • Sent by a node that detects an error • Overload Frame • Sent by a node to request a delay in transmission CAN Bus Network Frames 27
  • 27.
    • Multiple operationsensors • Alarms & Alerts can be disabled and even used… CAN Bus Vehicle Platform 28
  • 28.
    • CAN Buscan be used to access other vehicle systems CAN Bus & Other Vehicle Platforms 29
  • 29.
    Chrysler Jeep 2014Remote Hacking 30
  • 30.
    • The JeepCherokee was chosen due to the fact that the head unit (Radio) is connected to both CAN buses Chrysler Jeep 2014 31
  • 31.
    • Adaptive CruiseControl (ACC) • assists the driver in keeping the proper distance between themselves and cars ahead of them • Forward Collision Warning Plus (FCW+) • prevents the Jeep from colliding with objects in front of it Cyber Physical Features 32
  • 32.
    • Lane DepartureWarning (LDW+) • examines the lines on the road (i.e. paint) to detects the Jeep is leaving the current lane, it will adjust the steering wheel to keep the vehicle in the current lane Cyber Physical Features 33
  • 33.
    • Park AssistSystem (PAM) • Permits the driver to effortlessly park the car without much driver interaction in various scenarios, such as parallel parking, backing into a space, etc. • The PAM technology played a key role in the hack • Enabling to use this PAM to steer an automobile at high speed with CAN messages alone Cyber Physical Features 34
  • 34.
    • Other vulnerablesystems • Tire Pressure Monitoring System (TPMS) • Passive Anti-Theft System (PATS) • Bluetooth • Radio Data System • WiFi • GPS • HVAC (Heating and Air Conditioning) • Display • Knobs Cyber Physical Features 35
  • 35.
    • Every pieceof technology that interacts with the outside world is a potential entry point Remote Attack Surface 36
  • 36.
    • Many modernautomobiles contain a cellular radio, generically referred to as a telematics system, used to connect the vehicle to a cellular network, for example GM’s OnStar. The cellular technology can also be used to retrieve data, such as traffic or weather information • This is the holy grail of automotive attacks (Long Cellular cover) • On the Jeep, all of these features are controlled by the Radio, which resides on both the CAN-IHS bus and the CAN-C bus Telematics / Internet / Apps 37
  • 37.
    • The Uconnectsystem in the Jeep contains the ability to communicate over cellular network using a sierra wireless card for remote connectivity Telematics / Internet / Apps 38
  • 38.
    • The telematics,Internet, radio, and Apps are all bundled into the Harman Uconnect system that comes with the 2014 Jeep Cherokee Infotainment 39
  • 39.
    • The 2014Jeep Cherokee uses the Uconnect 8.4AN/RA4 radio manufactured by Harman Kardon with the majority of functionality is physically located on a Texas Instruments OMAP- DM3730 system on a chip which is common within automotive systems • The system uses LUA language: a common powerful, fast, lightweight, embeddable scripting language used in many systems worldwide Uconnect System 40
  • 40.
    • As mentionedearlier, the Uconnect system has the ability to interact with both the outside world, via Wi-Fi, Cellular, and BT and with the CAN bus • The processor responsible for interacting with the Interior High Speed CAN (CAN-IHS) and the primary CAN-C bus is a Renesas V850 CAN Connectivity 41
  • 41.
    • To hackthe V850 chip you need the right tools for the job… Which cost the researchers over $6,700 plus having a $1800 per year Tech Authority subscription for being able to buy and updates… CAN Hacking & Connectivity 42
  • 42.
    • Using thewiTECH tools you are able to see the entire network of the vehicle Chrysler Jeep 43
  • 43.
    WiFi Open Ports 44 •Scanning the vehicle exposed WiFi ports reveals many open ports
  • 44.
  • 45.
    • With allof these services, there is a good chance a vulnerability would be present that could allow remote exploitation, port 6667 seems interesting • This port is D-Bus over IP, which is essentially an inter-process communication (IPC) and remote procedure call (RPC) mechanism used for communication between processes WiFi Open Ports 46 No Password Needed!!!
  • 46.
    • Using DFeet(wiTECH tool) to interact with the D-Bus service on the Jeep for methods to start ‘com.harman.service.SoftwareUpdate’ service D-Bus Software Update 47
  • 47.
    • Inserting aUSB with a valid ISO to the Uconnect begins the updating process Jailbreak Uconnect 48
  • 48.
    • So anew compromised Firmware enables to remotely control the vehicle. • Even an unsigned firmware can be used to update the system from the head unit • The problem is that the system is only designed to perform the upgrade from a USB • This is a big complication for an attacker, since we want to flash the V850 (OMAP chip) without a USB stick…  Software Firmware Upgrade 49
  • 49.
    • Port 6667IRC, is bound to all interfaces, therefore D-Bus communications can be performed against the Jeep over the cellular network! Cellular Exploitation – Remote Update 50
  • 50.
    • Was usedto enable the vehicle to connect to the hacker – using a miniature cell tower (provided to customers with bad reception in their residence). The device can also be used to intercept cellular traffic and modified to an attacker’s specifications Femtocell 51
  • 51.
    • Scanning port6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8. Anything that responds is a vulnerable Uconnect system Scanning for vulnerable vehicles 52
  • 52.
    • The D-Busservice on port 6667 running on the Uconnect system in susceptible to command injection vulnerabilities • Utilizing the ‘NavTrailService’ where code is implemented in ‘/service/platform/nav/navTrailService.lua’ • Unbelievable the service includes ‘execute’ method which is designed to execute arbitrary shell commands!!! Gaining Code Execution 53
  • 53.
    • Running arbitrarycode on the head unit (OMAP chip) within the Uconnect system enables running various LUA scripts that can be used to affect the vehicle • This gives the hackers the possibility to remotely control the 2014 Jeep Cherokee – even when a person is inside the vehicle Uconnect Attack Payloads 54
  • 54.
    • Identify target •Exploit the OMAP chip of the head unit • Control the Uconnect System • Flash the v850 with modified firmware remotely • Perform cyber physical actions Summary - The entire exploit chain 55
  • 55.
    •‫סמל‬‫תוצר‬-‫לדוגמא‬:19 •‫תוצר‬ ‫שם‬-‫לדוגמא‬:‫האודי‬ •‫דגם‬ ‫קוד‬-10 •‫תאור‬‫דגם‬-4LB0EL •‫המרכב‬-‫פנאי‬-‫שטח‬ •‫כינוי‬-Q7 •‫מנוע‬‫נפח‬-4163 •‫כולל‬ ‫משקל‬-3065 •‫גובה‬-173 •‫גימור‬ ‫רמת‬- •‫סוס‬ ‫כוחות‬-350 •‫דלתות‬ ‫מספר‬-5 •‫מזגן‬-‫יש‬ •‫אוויר‬ ‫כריות‬ ‫מספר‬-6 •‫מערכת‬ABS -‫יש‬ •‫אוטומטיים‬ ‫הילוכים‬-‫יש‬ •‫חלון‬‫בגאז‬- •‫שנה‬-2007 Free Data available in Israel from 2008 56 •‫קבוצת‬‫אגרה‬-7 •‫רישום‬ ‫הוראות‬-06-0526 •‫סה‬"‫רשומים‬ ‫כ‬-3 •‫פעילים‬ ‫רשומים‬-3 •‫הנעה‬-4X4 •‫כוח‬ ‫הגה‬-‫יש‬ •‫חשמל‬ ‫חלונות‬-4 •‫מגנזיום‬ ‫גלגלי‬-‫יש‬ •‫דלק‬ ‫סוג‬-‫בנזין‬ •‫ארגז‬- •‫יציבות‬ ‫בקרת‬-‫יש‬ •‫היברידי‬- •‫מושבים‬ ‫מספר‬-7 •‫גרירה‬ ‫כושר‬- •‫זיהום‬ ‫קבוצת‬- •‫תקינה‬- •‫בקרת‬‫מנתיב‬ ‫סטיה‬- •‫מלפנים‬ ‫מרחק‬ ‫ניטור‬- •‫מת‬ ‫בשטח‬ ‫זיהוי‬- •‫אדפטיבית‬ ‫שיוט‬ ‫בקרת‬- •‫זיהוי‬‫הולגי‬‫רגל‬- •‫לבלימה‬ ‫עזר‬ ‫מערכת‬- •‫מצלמת‬‫רוורס‬- •‫בצמיגים‬ ‫אוויר‬ ‫לחץ‬ ‫חיישני‬- •‫חגורות‬ ‫חיישני‬- •‫בטיחות‬ ‫ניקוד‬- •‫רמת‬‫איבזור‬‫בטיחותי‬- •‫אוטומטית‬ ‫תאורה‬- •‫באורות‬ ‫אוטומטית‬ ‫שליטה‬ ‫הגבוהים‬- •‫מסוכנת‬ ‫התקרבות‬ ‫מצב‬ ‫זיהוי‬- •‫תנועה‬ ‫תמרורי‬ ‫זיהוי‬-
  • 56.
  • 57.
  • 58.