Caleb Walter
Covert Channels in Electronic Car Chargers
Basic Concept
• iPhone-style charger malware channel
• Exploit vehicle CAN network
• Create covert channel at public charging stations
• Custom Arduino CAN EVSE
iPhone Malware Charger
• Three Georgia Tech researchers designed the charger in 1 week
• Normal chargers only contain transformers
• This charger contains a small computer running Linux
iPhone Malware Charger (Cont.)
• Linux delivers the payload when the phone is plugged in
• Must be unlocked by the user
• Takes advantage of multiple Apple security flaws
• UDID query sent to an Apple web page
• Bypassed App vetting by hiding malicious code using a covert channel
CAN Bus History
• Development began in 1983 at Robert Bosch GmbH
• Officially released in 1986 by SAE in Detroit
• First CAN chips produced and installed in 1987 (Intel)
CAN Bus History (Cont.)
• CAN 2.0 designed and released in 1991
• Improved CAN data link layer in 2012: CAN FD (ISO 11898-1)
• CAN 2.0 included in all OBD-II vehicles
• OBD-II mandatory for all cars and trucks sold in the USA since 1996
Vehicle CAN Basics
• Controller Area Network
• Message-based protocol for vehicles
• Allows microcontrollers and devices to communicate without a host computer
CAN Format
• CAN standard format
• 11-bit header ID for manufacturer-proprietary protocols
CAN Frame
• SOF – Start of Frame
• Identifier – UID with priority
• RTR – Remote Transmission Request
• IDE – CAN vs. CAN Extended
• DLC – Data Length Code (this is the payload location)
• CRC – Cyclic Redundancy Check
• ACK – Acknowledge
• EOF – End of Frame
CAN Bus Network
ECUs
• Electronic Control Units control various parts of the vehicle's electronics
• Engine control, ABS, radio, doors
• Reprogrammable for manufacturer updates
The Covert Channel
• 8 bytes available to modify in the data field of the frame
• Hide coding within the data layer through a basic obfuscation technique
• Can pass along payloads or other messages in this 8-byte space
Charging Handshake for Electronic Cars
• When the vehicle plugs in to charge, various data transmissions happen
• OBD-II ECU to charging station computer
• CAN network messages exchanged between battery ECU and charger computer
Hacking the Charger
• Custom Arduino / Raspberry Pi / BeagleBoard
• Plugged into EV charging station via Cat5 communication port
• Injects custom code into EV handshake
• CAN controller libraries for code: MCP2515, SPI
Hacking the Charger (Cont.)
• Interrupts handshake ECU process with
• Obfuscates code to prevent message anomaly detection and CRC check
• Transmits message through SAE J1772 charger port
Extra Fun!
• Can potentially modify any ECU-controlled system in the car
• Make radio display custom messages
• Max out speedo and tacho even when sitting
• Cut brakes (not recommended…)
Potential Outreach
• 8,416 electronic charging stations in the USA
• Most charging stations use the same CAN and ECU checks
• Most also use the same charging type and plug type
• 67,295 electronic vehicles in the US
• May 2013 statistics
Potential Prevention
• Firewalls within the CAN network
• Vehicle IPS for the CAN network
• Physical intrusion detection on EV chargers
• CAN bus update for slack-code prevention
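The 8-byte data-field channel described under "The Covert Channel" and the "Vehicle IPS for the CAN network" countermeasure above, as an added example that is not part of the original deck: a small Python baseline detector that learns, per CAN identifier, which data bytes stay constant during a clean capture and then flags frames whose normally constant bytes change or whose DLC differs. The identifiers 0x2F0 and 0x3A0 and their payloads are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class CanFrame:
    """Standard-format CAN frame: 11-bit identifier plus a 0-8 byte data field."""
    can_id: int
    data: bytes

class CanBaseline:
    """Per identifier, records the DLC and which data-byte positions ever varied in a
    clean capture; covert data hidden in a normally fixed message alters constant ones."""
    def __init__(self):
        self._ref = {}                   # can_id -> first payload seen
        self._varied = defaultdict(int)  # can_id -> bitmask of byte positions that varied

    def learn(self, frame):
        ref = self._ref.setdefault(frame.can_id, frame.data)
        for i, (a, b) in enumerate(zip(ref, frame.data)):
            if a != b:
                self._varied[frame.can_id] |= 1 << i

    def check(self, frame):
        """Return findings for one frame; an empty list means it fits the baseline."""
        cid = f"0x{frame.can_id:03X}"
        if frame.can_id not in self._ref:
            return [f"{cid}: identifier never seen in baseline"]
        ref, out = self._ref[frame.can_id], []
        if len(frame.data) != len(ref):
            out.append(f"{cid}: DLC {len(frame.data)} differs from baseline {len(ref)}")
        for i, (a, b) in enumerate(zip(ref, frame.data)):
            if a != b and not self._varied[frame.can_id] >> i & 1:
                out.append(f"{cid}: byte {i} changed 0x{a:02X}->0x{b:02X} but was constant")
        return out

# Constructed clean traffic (identifiers and values are made up): 0x2F0 is a charging
# status message whose bytes 0-1 carry a counter and state of charge while bytes 2-7
# are fixed padding; 0x3A0 is a fully constant door-status message.
BASELINE = [
    CanFrame(0x2F0, bytes.fromhex("01500000AA000000")),
    CanFrame(0x2F0, bytes.fromhex("02510000AA000000")),
    CanFrame(0x2F0, bytes.fromhex("03520000AA000000")),
    CanFrame(0x3A0, bytes.fromhex("00000000")),
]

def build_baseline(frames=BASELINE):
    # Train on a capture taken while the bus is known to be clean.
    model = CanBaseline()
    for frame in frames:
        model.learn(frame)
    return model
```

A real deployment would train on many minutes of traffic per identifier so that legitimately varying bytes are not mistaken for constants.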
Implementation Goal
• Target most popular charging stations in the US
• Implement Arduinos into EV stations
• Infect/pass communication between as many cars as possible
Sources
• http://www.net-security.org/malware_news.php?id=2548
• http://en.wikipedia.org/wiki/CAN_bus#Data_transmission
• http://www.afdc.energy.gov/fuels/electricity_locations.html
• http://www.eia.gov/tools/faqs/faq.cfm?id=93&t=4