SlideShare a Scribd company logo

Fast and Vulnerable

M
mrlanrat

Fast and Vulnerable: A Story of Telematic Failures Controlling automobiles over the internet with an aftermarket TCU.

Technology
1 of 28
Download to read offline
Fast and Vulnerable A Story of Telematic Failures Center for Automotive Embedded Systems Security Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage
Telematic Control Units ● Connects to car’s OBD-II port ● Monitors vehicle state ● Local sensors ○ GPS ○ Accelerometers ● Transmits data off device ○ Cellular, WiFi, Bluetooth ● Common uses: ○ Fleet tracking ○ Remote diagnostics
Our TCU Mobile Devices Ingenierie - C4E (munic.box) ● ARM 11 500MHz CPU ● 64 MB RAM ● 256 MB Flash Storage ● Sensors ○ GPS ○ 3D accelerometer ○ 3 axis gyroscope ● Communication ○ GSM modem ○ USB “Debug” port ○ OBD Connector
Controller Area Network (CAN Bus) ● Connects various ECUs in cars ● Message based protocol ● Identifier for addressing destination ● Previously shown to be vulnerable ○ Charlie Miller and Chris Valasek ○ UCSD & UW image source: munic.io
CAN Frame Identifier Size Data can0 442 [8] 42 01 80 00 00 00 00 00 'B.......' can0 440 [8] 42 02 00 00 00 00 00 00 'B.......' can0 442 [8] 40 02 00 00 00 00 00 00 '@.......' can0 440 [8] 42 02 00 00 00 00 00 00 'B.......' can0 620 [8] 10 00 00 00 00 40 00 80 '.....@..' can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'
Attack Surface Local ● USB “debug” port ● NAND flash Adversary has physical access to the TCU. Do not consider the automobile communications in this model. Remote ● SMS ● 2G/3G Adversary does not have physical access to the TCU, and may not even know where the TCU is geographically located.
Local Attacks
Debug Interface ● Exposes USB network ○ Web & Telnet server for debug “console” ○ SSH Server ○ FTP Server for log retrieval and update uploading
NAND Dump ● Filesystem layout pulled from debug logs ○ dmesg ● NAND flash removed and dumped ○ de-soldered & read using hardware reader ● NAND flash simulated from dump ○ nandsim Linux kernel module ● Partitions mounted for reading ○ Unsorted Block Image File System (UBIFS)
SSH Mounting the NAND flash dump revealed the private key for the root user.
SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested.
SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested. /etc/shadow was identical across devices and included weak passwords.
CAN Bus Capabilities ● PIC Coprocessor ○ Used by devices with older firmware. ○ Custom interface for sending & receiving can messages. ○ Required ACC or ignition to be on to function. ■ Bypassed by reflashing PIC firmware without this check. ● SocketCAN ○ Used on devices with newer firmware. ○ Exposes the CAN interface as a traditional network interface. ○ Shipped with can-utils package. ■ Supports reading, saving, creating, and replying CAN messages.
Local Access Summary ● No authentication for debug consoles ● USB provides root access via web, telnet console, and SSH. ● Can send and receive arbitrary CAN messages.
Remote Attacks
IP (2G) ● All services bound to all network interfaces. ○ web ○ telnet console ○ SSH ● Same local network attacks work over the internet. ● Some devices protected by wireless carrier’s NAT implementation.
SMS The device responds to SMS “commands” Examples: ● status ● gps position ● reset ● remote update
Normal Update Procedure 1. SCP UpdateFile.txt from update server to device 2. SCP new files from UpdateFile.txt from update server to temp folder 3. Move new files from temp folder to destination directory 4. Optionally perform an additional action a. clear b. identify c. status d. reset
Normal Update Procedure Problems 1. Updates are not cryptographically signed. 2. TCU does not authenticate the update server, instead the update server authenticates the TCU.
Exploiting Update Replaced a binary (console) that was called post update to execute commands: 1. Replace console with console.bak (original) 2. Start reverse SSH tunnel to update server 3. Send SMS notification when reverse shell is ready 4. Execute original console command
Remote Access Summary ● Same local debug consoles exposed remotely. ● SMS allows access if wireless carrier uses NAT. ● Can obtain root shell from IP or SMS. ○ Send arbitrary can packets remotely. ○ Get GPS coordinates remotly.
Finding Devices ● Need to know either IP address (without NAT) or SMS number. ● SMS numbers were found to be from the 566 area code, which is reserved for “personal communication devices” ● Numbers were not random; appeared to be sequentially assigned. ● Could likely enumerate them all by sending a “status” SMS request to all numbers.
Shodan Search Telnet Console PromptSSH Server Fingerprint
Proof of Concept Attack
Proposed Solutions 1. Require update authentication 2. Disable remote SMS administration 3. Don’t distribute identical private keys 4. Use strong passwords 5. Disable WAN administration 6. Require debug console authentication 7. Maintain update server
Disclosure ● June 29th - Reach out to Mobile Devices with details of vulnerabilities ● July 2nd - Mobile-devices responds ○ Developer SIM ○ Advanced debug mode ○ Older software version ● July 8th - Reach out to Metromile with details of vulnerabilities ● July 8th - Metromile responds, will disable debug mode and disable SMS.
Disclosure - CERT ● July 12th - Inform CERT of vulnerabilities found in C4 platform ● July 14th - CERT responds, assigned vulnerability #209512 ● August 6th - CERT assigned 5 CWEs: ○ CWE-306: Missing Authentication For a Critical Function ○ CWE-321: Use of a Hard-Coded Cryptographic Key ○ CWE-798: Use of Hard-Coded Credentials ○ CWE-285: Improper Authorization ○ CWE-345: Insufficient Verification of Data Authenticity ● Ongoing - Creating CVEs.
Thank You Questions? idfoster@cs.ucsd.edu

Recommended

WiFi SoC ESP8266
WiFi SoC ESP8266WiFi SoC ESP8266
WiFi SoC ESP8266Devesh Samaiya
 
Arduino Meetup with Sonar and 433Mhz Radios
Arduino Meetup with Sonar and 433Mhz RadiosArduino Meetup with Sonar and 433Mhz Radios
Arduino Meetup with Sonar and 433Mhz Radiosroadster43
 
Adafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardAdafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardBiagio Botticelli
 
ESP8266 and IOT
ESP8266 and IOTESP8266 and IOT
ESP8266 and IOTdega1999
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Esp8266 wi fi_module_quick_start_guide_v_1.0.4
Esp8266 wi fi_module_quick_start_guide_v_1.0.4Esp8266 wi fi_module_quick_start_guide_v_1.0.4
Esp8266 wi fi_module_quick_start_guide_v_1.0.4Melvin Gutiérrez Rivero
 
Port Security
Port SecurityPort Security
Port SecurityNetProtocol Xpert
 

Recommended

WiFi SoC ESP8266
WiFi SoC ESP8266WiFi SoC ESP8266
WiFi SoC ESP8266Devesh Samaiya
 
Arduino Meetup with Sonar and 433Mhz Radios
Arduino Meetup with Sonar and 433Mhz RadiosArduino Meetup with Sonar and 433Mhz Radios
Arduino Meetup with Sonar and 433Mhz Radiosroadster43
 
Adafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardAdafruit Huzzah Esp8266 WiFi Board
Adafruit Huzzah Esp8266 WiFi BoardBiagio Botticelli
 
ESP8266 and IOT
ESP8266 and IOTESP8266 and IOT
ESP8266 and IOTdega1999
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacksdkaya
 
Esp8266 wi fi_module_quick_start_guide_v_1.0.4
Esp8266 wi fi_module_quick_start_guide_v_1.0.4Esp8266 wi fi_module_quick_start_guide_v_1.0.4
Esp8266 wi fi_module_quick_start_guide_v_1.0.4Melvin Gutiérrez Rivero
 
Port Security
Port SecurityPort Security
Port SecurityNetProtocol Xpert
 
lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev Board lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev BoardElaf A.Saeed
 
Nodemcu - introduction
Nodemcu - introductionNodemcu - introduction
Nodemcu - introductionMichal Sedlak
 
lwM2M OTA for ESP8266
lwM2M OTA for ESP8266lwM2M OTA for ESP8266
lwM2M OTA for ESP8266Manolis Nikiforakis
 
Esp8266 NodeMCU
Esp8266 NodeMCUEsp8266 NodeMCU
Esp8266 NodeMCUroadster43
 
Esp8266 - Intro for dummies
Esp8266 - Intro for dummiesEsp8266 - Intro for dummies
Esp8266 - Intro for dummiesPavlos Isaris
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Akash Thakur
 
INTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNINGINTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNINGFrancisco Bernardo
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Marcus Tarquinio
 
Remote desktop win to linux
Remote desktop win to linuxRemote desktop win to linux
Remote desktop win to linuxphanleson
 
TMS320DM8148 Embedded Linux
TMS320DM8148 Embedded LinuxTMS320DM8148 Embedded Linux
TMS320DM8148 Embedded LinuxNEEVEE Technologies
 
Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)Parshwadeep Lahane
 
L'aposta de Pluribus en el camp de les SDN
L'aposta de Pluribus en el camp de les SDNL'aposta de Pluribus en el camp de les SDN
L'aposta de Pluribus en el camp de les SDNCSUC - Consorci de Serveis Universitaris de Catalunya
 
Espressif Introduction
Espressif IntroductionEspressif Introduction
Espressif IntroductionAmazon Web Services
 
Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015mycal1
 
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM SoftlayerCohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM SoftlayerCohesive Networks
 
Esp8266 Workshop
Esp8266 WorkshopEsp8266 Workshop
Esp8266 WorkshopStijn van Drunen
 
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...David Fowler
 
NodeMCU with Blynk and Firebase
NodeMCU with Blynk and FirebaseNodeMCU with Blynk and Firebase
NodeMCU with Blynk and FirebaseEueung Mulyana
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Home Automation by ESP8266
Home Automation by ESP8266Home Automation by ESP8266
Home Automation by ESP8266Gleb Vinnikov
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hackingTavish Naruka
 
SlingSecure USB Eng
SlingSecure USB EngSlingSecure USB Eng
SlingSecure USB EngSlingSecure Mobile Encryption
 

More Related Content

What's hot

lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev Board lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev BoardElaf A.Saeed
 
Nodemcu - introduction
Nodemcu - introductionNodemcu - introduction
Nodemcu - introductionMichal Sedlak
 
Esp8266 NodeMCU
Esp8266 NodeMCUEsp8266 NodeMCU
Esp8266 NodeMCUroadster43
 
Esp8266 - Intro for dummies
Esp8266 - Intro for dummiesEsp8266 - Intro for dummies
Esp8266 - Intro for dummiesPavlos Isaris
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Akash Thakur
 
INTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNINGINTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNINGFrancisco Bernardo
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Marcus Tarquinio
 
Remote desktop win to linux
Remote desktop win to linuxRemote desktop win to linux
Remote desktop win to linuxphanleson
 
Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)Parshwadeep Lahane
 
Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015mycal1
 
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM SoftlayerCohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM SoftlayerCohesive Networks
 
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...David Fowler
 
NodeMCU with Blynk and Firebase
NodeMCU with Blynk and FirebaseNodeMCU with Blynk and Firebase
NodeMCU with Blynk and FirebaseEueung Mulyana
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Home Automation by ESP8266
Home Automation by ESP8266Home Automation by ESP8266
Home Automation by ESP8266Gleb Vinnikov
 

What's hot (20)

lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev Board lesson2 - Nodemcu course - NodeMCU dev Board
lesson2 - Nodemcu course - NodeMCU dev Board
 
Nodemcu - introduction
Nodemcu - introductionNodemcu - introduction
Nodemcu - introduction
 
lwM2M OTA for ESP8266
lwM2M OTA for ESP8266lwM2M OTA for ESP8266
lwM2M OTA for ESP8266
 
Esp8266 NodeMCU
Esp8266 NodeMCUEsp8266 NodeMCU
Esp8266 NodeMCU
 
Esp8266 - Intro for dummies
Esp8266 - Intro for dummiesEsp8266 - Intro for dummies
Esp8266 - Intro for dummies
 
Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266Deauthentication Attack with Node MCU & Esp8266
Deauthentication Attack with Node MCU & Esp8266
 
INTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNINGINTERACTIVE APPLICATIONS IN MACHINE LEARNING
INTERACTIVE APPLICATIONS IN MACHINE LEARNING
 
Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1Iot Bootcamp - abridged - part 1
Iot Bootcamp - abridged - part 1
 
Remote desktop win to linux
Remote desktop win to linuxRemote desktop win to linux
Remote desktop win to linux
 
TMS320DM8148 Embedded Linux
TMS320DM8148 Embedded LinuxTMS320DM8148 Embedded Linux
TMS320DM8148 Embedded Linux
 
Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)Remote temperature monitor (DHT11)
Remote temperature monitor (DHT11)
 
L'aposta de Pluribus en el camp de les SDN
L'aposta de Pluribus en el camp de les SDNL'aposta de Pluribus en el camp de les SDN
L'aposta de Pluribus en el camp de les SDN
 
Espressif Introduction
Espressif IntroductionEspressif Introduction
Espressif Introduction
 
Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015Esp8266 hack sonoma county 4/8/2015
Esp8266 hack sonoma county 4/8/2015
 
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM SoftlayerCohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
 
Esp8266 Workshop
Esp8266 WorkshopEsp8266 Workshop
Esp8266 Workshop
 
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
IoT simple with the ESP8266 - presented at the July 2015 Austin IoT Hardware ...
 
NodeMCU with Blynk and Firebase
NodeMCU with Blynk and FirebaseNodeMCU with Blynk and Firebase
NodeMCU with Blynk and Firebase
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Home Automation by ESP8266
Home Automation by ESP8266Home Automation by ESP8266
Home Automation by ESP8266
 

Similar to Fast and Vulnerable

Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyFReeze FRancis
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Multipilot pres-ufficiale def
Multipilot pres-ufficiale defMultipilot pres-ufficiale def
Multipilot pres-ufficiale defRoberto Navoni
 
Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016SZ Lin
 
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdf
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdfSFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdf
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdfSouth Tyrol Free Software Conference
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-caninjenerzntu
 
Presentation on ccna
Presentation on ccnaPresentation on ccna
Presentation on ccnaHoneyKumar34
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)iman darabi
 
Pandora FMS: Cisco Remote inventory modules
Pandora FMS: Cisco Remote inventory modulesPandora FMS: Cisco Remote inventory modules
Pandora FMS: Cisco Remote inventory modulesPandora FMS
 
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PROIDEA
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusAnne Nicolas
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlPriyanka Aash
 

Similar to Fast and Vulnerable (20)

Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
SlingSecure USB Eng
SlingSecure USB EngSlingSecure USB Eng
SlingSecure USB Eng
 
RemoteAdmin.pptx
RemoteAdmin.pptxRemoteAdmin.pptx
RemoteAdmin.pptx
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
GREAT MINDS
GREAT MINDSGREAT MINDS
GREAT MINDS
 
Human Alert Sensor Design
Human Alert Sensor DesignHuman Alert Sensor Design
Human Alert Sensor Design
 
Multipilot pres-ufficiale def
Multipilot pres-ufficiale defMultipilot pres-ufficiale def
Multipilot pres-ufficiale def
 
Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016Cellular technology with Embedded Linux - COSCUP 2016
Cellular technology with Embedded Linux - COSCUP 2016
 
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdf
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdfSFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdf
SFScon 22 - Gabriele Scarton - Creating an independent BLE beacon.pdf
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Human Alert Sensor
Human Alert SensorHuman Alert Sensor
Human Alert Sensor
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud Platforms
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-can
 
Presentation on ccna
Presentation on ccnaPresentation on ccna
Presentation on ccna
 
packet traveling (pre cloud)
packet traveling (pre cloud)packet traveling (pre cloud)
packet traveling (pre cloud)
 
Pandora FMS: Cisco Remote inventory modules
Pandora FMS: Cisco Remote inventory modulesPandora FMS: Cisco Remote inventory modules
Pandora FMS: Cisco Remote inventory modules
 
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: Greybus
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten Nohl
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

Fast and Vulnerable

  • 1. Fast and Vulnerable A Story of Telematic Failures Center for Automotive Embedded Systems Security Ian Foster, Andrew Prudhomme, Karl Koscher, and Stefan Savage
  • 2. Telematic Control Units ● Connects to car’s OBD-II port ● Monitors vehicle state ● Local sensors ○ GPS ○ Accelerometers ● Transmits data off device ○ Cellular, WiFi, Bluetooth ● Common uses: ○ Fleet tracking ○ Remote diagnostics
  • 3. Our TCU Mobile Devices Ingenierie - C4E (munic.box) ● ARM 11 500MHz CPU ● 64 MB RAM ● 256 MB Flash Storage ● Sensors ○ GPS ○ 3D accelerometer ○ 3 axis gyroscope ● Communication ○ GSM modem ○ USB “Debug” port ○ OBD Connector
  • 4. Controller Area Network (CAN Bus) ● Connects various ECUs in cars ● Message based protocol ● Identifier for addressing destination ● Previously shown to be vulnerable ○ Charlie Miller and Chris Valasek ○ UCSD & UW image source: munic.io
  • 5. CAN Frame Identifier Size Data can0 442 [8] 42 01 80 00 00 00 00 00 'B.......' can0 440 [8] 42 02 00 00 00 00 00 00 'B.......' can0 442 [8] 40 02 00 00 00 00 00 00 '@.......' can0 440 [8] 42 02 00 00 00 00 00 00 'B.......' can0 620 [8] 10 00 00 00 00 40 00 80 '.....@..' can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'
  • 6. Attack Surface Local ● USB “debug” port ● NAND flash Adversary has physical access to the TCU. Do not consider the automobile communications in this model. Remote ● SMS ● 2G/3G Adversary does not have physical access to the TCU, and may not even know where the TCU is geographically located.
  • 8. Debug Interface ● Exposes USB network ○ Web & Telnet server for debug “console” ○ SSH Server ○ FTP Server for log retrieval and update uploading
  • 9. NAND Dump ● Filesystem layout pulled from debug logs ○ dmesg ● NAND flash removed and dumped ○ de-soldered & read using hardware reader ● NAND flash simulated from dump ○ nandsim Linux kernel module ● Partitions mounted for reading ○ Unsorted Block Image File System (UBIFS)
  • 10. SSH Mounting the NAND flash dump revealed the private key for the root user.
  • 11. SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested.
  • 12. SSH Mounting the NAND flash dump revealed the private key for the root user. The same private key worked on all C4 TCUs we tested. /etc/shadow was identical across devices and included weak passwords.
  • 13. CAN Bus Capabilities ● PIC Coprocessor ○ Used by devices with older firmware. ○ Custom interface for sending & receiving can messages. ○ Required ACC or ignition to be on to function. ■ Bypassed by reflashing PIC firmware without this check. ● SocketCAN ○ Used on devices with newer firmware. ○ Exposes the CAN interface as a traditional network interface. ○ Shipped with can-utils package. ■ Supports reading, saving, creating, and replying CAN messages.
  • 14. Local Access Summary ● No authentication for debug consoles ● USB provides root access via web, telnet console, and SSH. ● Can send and receive arbitrary CAN messages.
  • 16. IP (2G) ● All services bound to all network interfaces. ○ web ○ telnet console ○ SSH ● Same local network attacks work over the internet. ● Some devices protected by wireless carrier’s NAT implementation.
  • 17. SMS The device responds to SMS “commands” Examples: ● status ● gps position ● reset ● remote update
  • 18. Normal Update Procedure 1. SCP UpdateFile.txt from update server to device 2. SCP new files from UpdateFile.txt from update server to temp folder 3. Move new files from temp folder to destination directory 4. Optionally perform an additional action a. clear b. identify c. status d. reset
  • 19. Normal Update Procedure Problems 1. Updates are not cryptographically signed. 2. TCU does not authenticate the update server, instead the update server authenticates the TCU.
  • 20. Exploiting Update Replaced a binary (console) that was called post update to execute commands: 1. Replace console with console.bak (original) 2. Start reverse SSH tunnel to update server 3. Send SMS notification when reverse shell is ready 4. Execute original console command
  • 21. Remote Access Summary ● Same local debug consoles exposed remotely. ● SMS allows access if wireless carrier uses NAT. ● Can obtain root shell from IP or SMS. ○ Send arbitrary can packets remotely. ○ Get GPS coordinates remotly.
  • 22. Finding Devices ● Need to know either IP address (without NAT) or SMS number. ● SMS numbers were found to be from the 566 area code, which is reserved for “personal communication devices” ● Numbers were not random; appeared to be sequentially assigned. ● Could likely enumerate them all by sending a “status” SMS request to all numbers.
  • 23. Shodan Search Telnet Console PromptSSH Server Fingerprint
  • 25. Proposed Solutions 1. Require update authentication 2. Disable remote SMS administration 3. Don’t distribute identical private keys 4. Use strong passwords 5. Disable WAN administration 6. Require debug console authentication 7. Maintain update server
  • 26. Disclosure ● June 29th - Reach out to Mobile Devices with details of vulnerabilities ● July 2nd - Mobile-devices responds ○ Developer SIM ○ Advanced debug mode ○ Older software version ● July 8th - Reach out to Metromile with details of vulnerabilities ● July 8th - Metromile responds, will disable debug mode and disable SMS.
  • 27. Disclosure - CERT ● July 12th - Inform CERT of vulnerabilities found in C4 platform ● July 14th - CERT responds, assigned vulnerability #209512 ● August 6th - CERT assigned 5 CWEs: ○ CWE-306: Missing Authentication For a Critical Function ○ CWE-321: Use of a Hard-Coded Cryptographic Key ○ CWE-798: Use of Hard-Coded Credentials ○ CWE-285: Improper Authorization ○ CWE-345: Insufficient Verification of Data Authenticity ● Ongoing - Creating CVEs.