SANS presentation transcript
Episode I: Hacker Menace
Brief History
• 1913 – Ford’s first Assembly Line
– What wires there were, were direct feed
• 1968 – VW puts first on-board computer
• 1975 – Datsun 280Z – real-time fuel injection
• 1980 – First Remote Keyless Entry (RKE) systems in Fords
• 1991 – OBD-I and California Air Resources Board
• 1993 – Smart Key (Passive Key) in Chevy Corvette
• 1996 – OBD-II mandatory for all cars sold in US
• Late 1990s – Firestone recall (100+ deaths)
• 2001 – EOBD mandatory for petrol vehicles sold in EU
• 2007 – TPMS mandated in all cars in US (ref Firestone)
• 2008 – ISO 15765-4 (CAN) required for all cars sold in US
Automobiles are made of many parts
Overview of Automotive Communication
• Digital communication
• Shared medium
– Reduce Heavy Wiring Harnesses!
• CAN Bus – ISO 11898
• LIN – Broadcast Serial
• K-LINE, L-LINE – ISO 9141 (OBD)
• J1850 and the last generation
• Others
• Warning: MANY AND VARIED STANDARDS AHEAD
– ISO and SAE
CAN details
• 1986 – First CAN protocol release by Bosch (CAN 2.0 in 1991)
• 1993 – ISO 11898, SAE J1939
• 8-byte messages
– Combined to form larger messages
• Arbitration ID (11-bit / 29-bit)
– Source?
– Dest?
– Type of message?
– Anything
• ISO 15765-2 – ISO-TP (up to 4k messages)
• Used for more than just Cars!
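The slide's "8-byte messages combined to form larger messages" is ISO 15765-2 transport-layer segmentation. The following is an added example, not code from the SANS deck, that segments a message into CAN frames and reassembles it on the other side, tracking state per arbitration ID and discarding a transfer whose sequence numbers break; the 0xCC padding byte and the arbitration IDs used in the comments are constructed choices.

```python
# Added example, not from the SANS deck: segment and reassemble ISO 15765-2
# (ISO-TP) messages over 8-byte CAN frames. First payload byte = PCI byte:
#   0x0L       Single Frame, L = data length 1..7
#   0x1H 0xLL  First Frame, 12-bit total length H:LL, then 6 data bytes
#   0x2N       Consecutive Frame, N = sequence 1..15 wrapping to 0, 7 data bytes
#   0x3S ...   Flow Control from the receiver (ignored here)
from typing import Dict, List, Optional, Tuple

MAX_ISOTP_LEN = 4095  # 12-bit length field: the "up to 4k" on the slide
PAD = b"\xcc"         # constructed padding byte; OEMs differ here


def segment(payload: bytes) -> List[bytes]:
    """Split one ISO-TP message into 8-byte CAN payloads."""
    n = len(payload)
    if not 1 <= n <= MAX_ISOTP_LEN:
        raise ValueError("ISO-TP payload must be 1..4095 bytes")
    if n <= 7:
        return [(bytes([n]) + payload).ljust(8, PAD)]
    frames = [bytes([0x10 | (n >> 8), n & 0xFF]) + payload[:6]]
    seq, pos = 1, 6
    while pos < n:
        frames.append((bytes([0x20 | seq]) + payload[pos:pos + 7]).ljust(8, PAD))
        seq, pos = (seq + 1) & 0x0F, pos + 7
    return frames


class IsoTpReassembler:
    """Rebuild ISO-TP messages from CAN frames, tracked per arbitration ID."""

    def __init__(self) -> None:
        # arb_id -> (total length, next expected sequence number, buffer)
        self._pending: Dict[int, Tuple[int, int, bytearray]] = {}

    def feed(self, arb_id: int, data: bytes) -> Optional[bytes]:
        pci = data[0] >> 4
        if pci == 0x0:                                    # Single Frame
            return bytes(data[1:1 + (data[0] & 0x0F)])
        if pci == 0x1:                                    # First Frame
            total = ((data[0] & 0x0F) << 8) | data[1]
            self._pending[arb_id] = (total, 1, bytearray(data[2:8]))
        elif pci == 0x2 and arb_id in self._pending:      # Consecutive Frame
            total, expected, buf = self._pending[arb_id]
            if (data[0] & 0x0F) != expected:              # gap or stray frame: discard
                del self._pending[arb_id]
                return None
            buf += data[1:8]
            if len(buf) >= total:
                del self._pending[arb_id]
                return bytes(buf[:total])
            self._pending[arb_id] = (total, (expected + 1) & 0x0F, buf)
        return None                                       # Flow Control or unknown PCI
```

A bus monitor built on this sees the reassembled diagnostic request, not just the individual frames, which is what makes it possible to tell routine scan-tool traffic from a reflash session.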
Firmware Reflashing
• SAE J2534
• Intended to allow mechanics to update (“flash”) ECMs without removing/touching them
• “Adding Functionality”
– Reflashing to remove hurdles
• CAN as a Post-Exploitation Playground
– Once you’ve connected to the CAN bus, game over. It’s all just details from there.
Voltage doesn’t kill people. Current does.
V2V Communication
• (from Wikipedia)
• Safety
• Traffic management
• Driver assistance systems
• Policing and enforcement
• Pricing and payments
• Direction and route optimization
• Advertising, Travel-related information
• General information services
• Automated highways
V2V
• 802.11-ish Wireless Communications (5.9 GHz)
– Between Vehicles on the road
– “…considerable research…ranging from safety to navigation and law enforcement.”
• PKI and Rolling Certificates
– Providing “Secure” communications
– Updated monthly in-transit
• Multiple technologies have been suggested
• My car becomes an attack tool
– Or grab a recent addition at the junk yard!
• And isn’t this technology supposed to control the steering, brakes, and accelerator!?
Privacy and TPMS
• TPMS sensors represent ISM-band wireless attack vectors directly against the Body Control Module (BCM)
– But wait! There’s more!
• TPMS Sensors have a pseudo-unique identifier
– And they broadcast plaintext messages
– Every 30 seconds or so
– IMME, RfCat, HackRF or other radio receiver
• Track specific vehicles
The Online Automobile
• Connectedness and its inherent concerns
– Wifi
– Bluetooth
– Internet Uplink
– “Third-Party Assistance”
– TPMS Sensors and Receivers
– Infotainment Systems: the Automotive Tonsils
Chris and Charlie: Friend or Foe?
• Done. Now what?
Paths forward
• Segmentation and Intrusion Detection/Prevention
• Patching Security flaws
• Updates via recall
• Cell
• On-street ISM Wireless
• Significant attention to security in Automotive design and implementation
• Hardware, Firmware, Software, Protocol hackers: GO!
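The "Intrusion Detection/Prevention" path above rests on a property of CAN traffic: most ECU broadcasts are periodic, so a frame arriving far ahead of its arbitration ID's normal cycle time is a classic sign of injection. The following is an added example, not code from the SANS deck: it parses a constructed candump-style log, learns each ID's cycle time from the first few gaps, and flags early arrivals; arbitration ID 0x0C9, the 10 ms period and the log lines are all constructed.

```python
# Added example, not from the SANS deck: a minimal CAN intrusion-detection
# check. Most ECU broadcasts are periodic, so a frame that arrives far ahead
# of its arbitration ID's learned cycle time is a classic injection indicator.
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample log in candump -L style "(timestamp) iface ID#DATA".
# ID 0x0C9 is cyclic at 10 ms; the frame at 0.0401 is an injected extra.
SAMPLE_LOG = """\
(0.0000) can0 0C9#0000000000000000
(0.0100) can0 0C9#0000000000000000
(0.0200) can0 0C9#0000000000000000
(0.0300) can0 0C9#0000000000000000
(0.0400) can0 0C9#0000000000000000
(0.0401) can0 0C9#FFFF000000000000
(0.0500) can0 0C9#0000000000000000
"""
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

Frame = Tuple[float, int, bytes]  # (timestamp, arbitration id, payload)


def parse_log(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_cycle_times(frames: List[Frame], warmup: int = 4) -> Dict[int, float]:
    """Median inter-arrival time per ID, learned from the first `warmup` gaps."""
    gaps, last = defaultdict(list), {}
    for ts, arb_id, _ in frames:
        if arb_id in last and len(gaps[arb_id]) < warmup:
            gaps[arb_id].append(ts - last[arb_id])
        last[arb_id] = ts
    return {i: median(g) for i, g in gaps.items() if g}


def detect_injections(frames: List[Frame], cycle: Dict[int, float],
                      tolerance: float = 0.5) -> List[Tuple[float, int]]:
    """Flag frames arriving sooner than `tolerance` x the ID's cycle time."""
    alerts, last = [], {}
    for ts, arb_id, _ in frames:
        if arb_id in cycle and arb_id in last and ts - last[arb_id] < tolerance * cycle[arb_id]:
            alerts.append((ts, arb_id))
        last[arb_id] = ts
    return alerts
```

On a real bus the learning window must be long enough to be clean, and event-driven IDs (button presses, diagnostics) need a different rule than cycle time.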
In your playtime…
• CANCAT - Hacker tool for controlling/reversing CAN bus messages
• SocketCAN - Linux NIC for CAN
• OpenGarages.org (Craig Smith)
– Car Hackers Handbook
• CanBusHack.com (Robert Leale)
• iamthecavalry.org/automotive (Josh Corman)
Where have we been
• UW/UCSD research
– Attack Surface and Attacks on Automotive Components
• Charlie and Chris
– First showing how to manipulate CAN bus
– Latest showing one remote exploitation path
• Corey Thuen
– Progressive Insurance Dongle
• IamTheCavalry
– Calling Industry to Standards and Ratings
What to expect in the future
• Connectedness is everywhere
What to expect in the future
• Regulation:
– Will Markey/Blumenthal bill be the end?
– NERC CIP for Automotive?
• Automotive OEMs and Tier 1 companies
– Compliance: Likely
– Actively pursuing Security: Probably
– Defensible Automotive Design
– Proactive Product Evaluation/Hacking
• Tier 2+:
– Tier 1s’ and OEMs’ pressure, and help to “CTJ”
• Researchers:
– Diversify, gaining steam (blood in water)
– Deeper Hacks, more plentiful bounty
– Closer relationships between researchers and OEM/Tier 1s
What to expect in the future
• Big Business:
– Capitalizing on your data for $$$ and $$$
– Insurance companies figuring out how to use tech to reduce their risk
– In-Car Targeted Advertising
• Sith:
– Stealing data (you sync your contacts with your car?!?)
– Auto-worms (Automorphic)
– Automotive Extortion
– Exploiting Manufacturers’ Back End systems through Cars
– “Enemy of the State” style assassination by vehicle.
• As passengers
• As targets of compromised vehicles
• If do right, no can forensicate!
Resources
• SocketCAN - ~$110-150 (depends on hardware)
– http://elinux.org/CAN_Bus
– https://canusb-shop.com/
• Komodo CanSolo - $350
– http://www.totalphase.com/products/komodo-cansolo/
• CanCat - $50
– https://github.com/atlas0fd00m/CanCat
• RfCat - $100
– https://rfcat.com
• HackRF - $300
– https://greatscottgadgets.com/hackrf/
Resources
• Wikipedia gets this right:
– https://en.wikipedia.org/wiki/CAN_bus
• Look for “Standards” and “Higher Layer” sections
• ISO 11898
• ISO 15765-2/4
• SAE J1939-15
• J1939 Document from Vector:
– http://vector.com/portal/medien/cmc/application_notes/AN-ION-1-3100_Introduction_to_J1939.pdf
• UCSD research:
– http://www.autosec.org/pubs/woot-foster.pdf
– http://www.autosec.org/pubs/cars-usenixsec2011.pdf
• UW/UCSD research:
– http://www.autosec.org/pubs/cars-oakland2010.pdf
• Legislation:
– http://www.markey.senate.gov/news/press-releases/markey-report-reveals-automobile-security-and-privacy-vulnerabilities
– http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/
Resources
• Open Garages – Car Hackers Handbook
– http://opengarages.org/handbook/
• Progressive Dongle Hack - Corey Thuen
– http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/
• Chris and Charlie
– http://www.countermeasure2013.com/documents/presentations/Miller_and_Valasek_Adventures_in_Automotive_Network_and_Control_Units.pdf
– http://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf
– http://illmatics.com/Remote%20Car%20Hacking.pdf