May 22, 2017 Proprietary and Confidential - 1 -
Connected Car Security
IGATE is now a part of Capgemini
Arnab Chattopadhayay, Senior Director
Date: 13th May, 2017
Table of Contents
• A Car Hack
• Evolution of the Modern Car
• Components of a Modern Car
• Automotive Security
– Threat Model
• Relationship between Safety and Cybersecurity
• Secure Automotive Design
• Attack Model
• Architectural Issues
• Recommendations
Chrysler Jeep Hack – Charlie Miller & Chris Valasek
Yesterday
Today
Tomorrow
Components of Modern Car
List of Car Components
•Accident Recorder
•Active Aerodynamics
•Active Cabin Noise Suppression
•Active Exhaust Noise Suppression
•Active Suspension
•Active Vibration Control
•Active Yaw Control
•Adaptive Cruise Control
•Adaptive Front Lighting
•Airbag Deployment
•Antilock Braking
•Auto-Dimming Mirrors
•Autonomous Emergency Braking
•Battery Management
•Blind Spot Detection
•Cabin Environment Controls
•Communication Systems
•Convertible Top Control
•Cylinder Deactivation
•DSRC
•Driver Alertness Monitoring
•Electronic Power Steering
•Electronic Seat Control
•Electronic Stability Control
•Electronic Throttle Control
•Electronic Toll Collection
•Electronic Valve Timing
•Engine Control
•Entertainment System
•Event Data Recorder
•Head-Up Displays
•Hill Hold Control
•Idle Stop-Start
•Instrument Cluster
•Intelligent Turn Signals
•Interior Lighting
•Lane Departure Warning
•Lane Keeping Assist
•Navigation
•Night Vision Systems
•On-Board Diagnostics
•Parental Controls
•Parking Systems
•Precrash Safety
•Rear-view Camera
•Regenerative Braking
•Remote Keyless Entry
•Security Systems
•Tire Pressure Monitoring
•Traction Control
•Traffic Sign Recognition
•Transmission Control
•Windshield Wiper Control
Schematic view of Connected Components
Four Main Components
• ECU (Electronic Control Unit)
• CAN Bus (Controller Area Network Bus)
• OBD (On-Board Diagnostics)
• Infotainment
ECU – Overview
• Embedded digital computer
• Runs a closed control loop
• Reads data from sensors (e.g. temperature, tyre pressure, engine revs, window movement sensors)
– Example: the ECU gathers data from different sensors, looks up values in a table and performs long mathematical calculations to determine the best spark time or the fuel injector opening time
• Types of ECU
– ECM – Engine Control Module
– EBCM – Electronic Brake Control Module
– PCM – Powertrain Control Module
– VCM – Vehicle Control Module
– BCM – Body Control Module
• 32-bit 40 MHz processor
• Average code size: 1 MB
ECU – Functional Block
• Power supply – digital and analog (power for analog sensors)
• MPU – Flash and RAM
• Communication link (e.g. CAN bus link)
• Discrete inputs – on/off switch type
• Frequency inputs – encoder-type signals (e.g. crank or vehicle speed)
• Analog inputs – feedback signals from sensors
• Switch outputs – on/off switch type
• PWM outputs – variable frequency and duty cycle (e.g. injector, ignition)
• Frequency outputs – constant duty cycle (e.g. stepper motor)
Example Function of ECU
• On a high-speed circuit the driver has to respond with more throttle rather than applying full throttle gradually, so the accelerator is mapped such that only a small pedal movement results in full engine acceleration
– Read the data captured by the ADC on the channel to which the accelerator pedal is connected
– Using that data, look up the value in a multi-dimensional map that takes engine RPM as another input
– Take the output value from the map and multiply it by a correction factor
– The output is the torque to be generated by the engine
– Repeat this sequence every 20 milliseconds
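The pedal-to-torque sequence above, worked through as an added Python illustration (not code from the slides or any ECU vendor); the map values, axis breakpoints and 12-bit ADC width are constructed, and a plausibility check on the raw reading is included because a value the converter cannot produce indicates a sensor or wiring fault rather than a driver input:

```python
"""Pedal-to-torque look-up in the style of the ECU example above.

Added illustration, not code from the slides or any ECU vendor: a 2-D torque
map indexed by accelerator-pedal position and engine RPM, bilinear
interpolation between map breakpoints, a correction factor, and the
plausibility checks applied before a sensor value is trusted. Axis values,
map contents and the 12-bit ADC width are constructed.
"""
from dataclasses import dataclass

ADC_BITS = 12                       # assumed ADC resolution on the pedal channel
ADC_MAX = (1 << ADC_BITS) - 1
CYCLE_MS = 20                       # control period from the slide

# Breakpoints: pedal position in percent, engine speed in RPM.
PEDAL_AXIS = [0.0, 10.0, 25.0, 50.0, 100.0]
RPM_AXIS = [800.0, 2000.0, 4000.0, 6000.0]

# TORQUE_MAP[i][j] is the torque in Nm at PEDAL_AXIS[i], RPM_AXIS[j]. Tuned so a
# small pedal movement already yields most of the available torque.
TORQUE_MAP = [
    [0.0,   0.0,   0.0,   0.0],
    [120.0, 150.0, 140.0, 110.0],
    [200.0, 240.0, 230.0, 180.0],
    [240.0, 280.0, 270.0, 210.0],
    [250.0, 300.0, 290.0, 220.0],
]


@dataclass
class PedalSample:
    adc_counts: int   # raw reading from the pedal ADC channel
    rpm: float        # engine speed derived from the crank frequency input


def plausible_adc(adc_counts: int) -> bool:
    """A reading outside the converter's range indicates a sensor or wiring fault."""
    return 0 <= adc_counts <= ADC_MAX


def adc_to_percent(adc_counts: int) -> float:
    """Scale raw counts to 0..100 % pedal travel; implausible readings are rejected, not clamped."""
    if not plausible_adc(adc_counts):
        raise ValueError(f"ADC value {adc_counts} outside 0..{ADC_MAX}")
    return 100.0 * adc_counts / ADC_MAX


def _bracket(axis, value):
    """Index of the lower breakpoint and the fraction towards the next one, clamped to the axis."""
    if value <= axis[0]:
        return 0, 0.0
    if value >= axis[-1]:
        return len(axis) - 2, 1.0
    for i in range(len(axis) - 1):
        if axis[i] <= value < axis[i + 1]:
            return i, (value - axis[i]) / (axis[i + 1] - axis[i])
    raise AssertionError("axis is not monotone")


def lookup_torque(pedal_pct: float, rpm: float) -> float:
    """Bilinear interpolation in the 2-D map: the slide's multi-dimensional look-up."""
    i, fi = _bracket(PEDAL_AXIS, pedal_pct)
    j, fj = _bracket(RPM_AXIS, rpm)
    low = TORQUE_MAP[i][j] + (TORQUE_MAP[i][j + 1] - TORQUE_MAP[i][j]) * fj
    high = TORQUE_MAP[i + 1][j] + (TORQUE_MAP[i + 1][j + 1] - TORQUE_MAP[i + 1][j]) * fj
    return low + (high - low) * fi


def torque_request(sample: PedalSample, correction: float = 1.0, max_torque: float = 300.0) -> float:
    """One control cycle: ADC read, map look-up, correction factor, clamp to the engine's limit."""
    if not 0.0 < correction <= 1.2:   # a correction factor far outside its tuning range is a fault
        raise ValueError(f"implausible correction factor {correction}")
    torque = lookup_torque(adc_to_percent(sample.adc_counts), sample.rpm) * correction
    return min(max(torque, 0.0), max_torque)
```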
CAN Bus
• Multi-master serial bus
• Connects ECUs
• Complexity of nodes can vary
– Simple I/O device
– Embedded computer with a CAN interface
– Gateway to a USB or Ethernet port
• Nodes are connected through a two-wire bus with 120 Ohm termination
• CAN-Hi
– 5V when transmitting 0
• CAN-Low
– 0V when transmitting 0
• Messages are broadcast to all nodes
– Nodes are expected to ignore messages that are not addressed to them
• Frame does not include a source address
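The consequence of the last two bullets, that frames are broadcast without a source address, is that a receiver cannot distinguish a legitimate ECU from a second node transmitting the same ID. The following added Python example (not from the slides) shows one defender's answer that needs no protocol change: learning each ID's transmission period from a candump-style capture and flagging frames that arrive too early. The capture, IDs, payloads and periods are constructed.

```python
"""Timing-based detection of frame injection on a CAN bus.

Added example, not from the slides: a CAN frame carries no source address, so a
receiver cannot tell a legitimate ECU's frames from a second node transmitting the
same arbitration ID. What it can observe is timing: most signal frames are strictly
periodic, so an extra sender shows up as frames arriving well ahead of the learned
period. The log below is constructed in candump text format,
"(timestamp) interface ID#DATA"; IDs, data and periods are invented.
"""
import re
from collections import defaultdict
from statistics import median

CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed capture: 0C9 is sent every 10 ms and 191 every 20 ms by legitimate ECUs.
# From t = 65 ms a second node injects 0C9 frames with a different payload.
SAMPLE_LOG = """\
(0.000000) can0 0C9#00C80000
(0.000000) can0 191#0A
(0.010000) can0 0C9#00C80000
(0.020000) can0 0C9#00C80000
(0.020000) can0 191#0A
(0.030000) can0 0C9#00C80000
(0.040000) can0 0C9#00C80000
(0.040000) can0 191#0A
(0.050000) can0 0C9#00C80000
(0.060000) can0 0C9#00C80000
(0.060000) can0 191#0A
(0.065000) can0 0C9#FFFF0000
(0.070000) can0 0C9#00C80000
(0.075000) can0 0C9#FFFF0000
(0.080000) can0 0C9#00C80000
(0.080000) can0 191#0A
(0.085000) can0 0C9#FFFF0000
(0.090000) can0 0C9#00C80000
"""


def parse_candump_line(line: str):
    """Return (timestamp, arbitration id, payload bytes), or None for a malformed line."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m.group("data")) if m.group("data") else b""
    if len(data) > 8:                        # classic CAN carries at most 8 data bytes
        return None
    return float(m.group("ts")), int(m.group("id"), 16), data


def learn_periods(frames, min_samples: int = 4) -> dict:
    """Expected inter-arrival time per ID: median of the first min_samples gaps (clean traffic)."""
    gaps, last = defaultdict(list), {}
    for ts, can_id, _ in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g[:min_samples]) for cid, g in gaps.items() if len(g) >= min_samples}


def detect_injection(frames, periods: dict, tolerance: float = 0.6) -> list:
    """Flag every frame that arrives earlier than tolerance * expected period for its ID.

    Because the bus gives no sender identity, the alert names the ID, not the node:
    once injection starts, the legitimate ECU's own frames also arrive 'too early'
    relative to the injected ones, so all traffic for that ID becomes suspect.
    """
    alerts, last = [], {}
    for ts, can_id, data in frames:
        if can_id in last and can_id in periods:
            gap = ts - last[can_id]
            if gap < tolerance * periods[can_id]:
                alerts.append((ts, can_id, data.hex(), round(gap, 4)))
        last[can_id] = ts
    return alerts


def analyse_log(text: str) -> list:
    """Parse a candump capture, learn per-ID periods from its start and return the alerts."""
    frames = [f for f in map(parse_candump_line, text.splitlines()) if f is not None]
    return detect_injection(frames, learn_periods(frames))
```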
CAN Protocol Frame
OBD-II
• Diagnostics connector
• SAE J1962
– Type A and Type B – both female
– 16 pins (2 x 8)
– D-shaped
• Type A connector is used for vehicles with a 12V supply voltage
• Type B connector is used for vehicles with a 24V supply voltage
Main Hackable Attack Surface
• Success of hacking a car depends on:
– Remote attack surfaces
– Cyber-physical features
– In-vehicle network architecture
• 20% of models (2014–2015) from different manufacturers are vulnerable to more than seven categories of remote attack
From research by Miller and Valasek
Relationship between Car Safety and Cyber Security
• Strong relationship between automotive safety and cyber security
• SAE J3061 – Cyber Security Guidebook for Cyber-Physical Vehicle Systems
• System safety is concerned with protecting against harm to life, property and the environment
• System cybersecurity aims to prevent financial, operational, privacy and safety losses
– All safety-critical systems are security-critical, but there can be systems, e.g. infotainment, that are security-critical but not safety-critical
Cyber Security Threat Model – Threat Agents
• Researchers and hobbyists
– Universities, government labs, defense labs. Motivations are usually positive: to study and conduct research
• Pranksters and hacktivists
– Take the opportunity to demonstrate their skills or promote their cause, with negative outcomes for the product owners and manufacturers
• Owners and operators
– Many car hacking tools exist in owners' hands, and owners often want to hack their own vehicles to improve performance, to bypass restrictions set by manufacturers or regulators, or to disable components to obfuscate their fraudulent actions
• Organized crime
– Has always been a threat to vehicles. Main motivation is financial gain. DoS, malware, ransomware
– Cybercrime-as-a-service!
• Nation states
– Not easy to determine motivation
– Industrial espionage, surveillance, economic and physical warfare
– Intervention to assist national manufacturers against foreign competition
– Tracking and audio monitoring of high-value objects
• Transportation infrastructure
– Next-gen car V2V communication
– Security and safety issues can occur through attacks on, and misbehavior of, the surrounding infrastructure
  – Example: manipulation of traffic lights confusing smart cars and causing accidents
Cyber Security Threat Model
• One-to-many connected ECUs on the same CAN bus as the OBD-II port
• The ability to control an ECU results in the attacker gaining control of the vehicle
• Assume the OBD-II device can be compromised
• Determine the attack proximity and vulnerability
• Classify vulnerabilities using Microsoft STRIDE and the SAE SPFO (safety, privacy, financial, operational) impact model
Figure: Generic OBD-II Device Threat Model Diagram (from the SEI/CMU report) – ECU A, ECU B and ECU C on the bus reached through the OBD-II port by an aftermarket OBD-II device. The report text reproduced in the slide image is cut off at the left margin; its legible parts state that each ECU in the figure represents the one or many connected ECUs on the same bus as the OBD-II port, that controlling one results in attacker control of that vehicle's function, that the analysis assumes the OBD-II device can be compromised and an attacker can execute arbitrary code, that the impact depends on the capabilities of the device (e.g., how far away the attacker needs to be), and that once attack proximity and vulnerability are defined the vulnerability is classified using Microsoft's STRIDE.
Cyber Security Threat Model
Excerpt from the SEI/CMU report (the start of the sentence is cut off in the slide image): "[…] technique (Microsoft, 2005). We also use the Society of Automotive Engineers (SAE) safety, privacy, financial, and operational impact to define how a vulnerability may affect a vehicle (Ward, et al., 2013). (Both STRIDE and the SAE techniques are described in Appendix D.)"

Table 2: Vulnerability Impact on the Device and the Vehicle
(STRIDE columns: S T R I D E; Ward et al. 2013 impact columns: S P F O)

Vulnerability               | ECU affected        | Comments                                                  | STRIDE impact                                  | Impact (Ward et al., 2013)
Hardcoded credentials       | None                |                                                           | X (one category; column not legible in slide)  | S0 S0 S0 S0
Arbitrary command injection | OBD-connected buses |                                                           | X (one category; column not legible in slide)  | S0 S3 S0 S0
Arbitrary CAN injection     | OBD-connected buses | Full device compromise (see Table 3 for complete impact.) | X X X X X X                                    | see Table 3
Cyber Security Threat Model
Table 3: Vulnerability Impact on Vehicle with Complete Device Compromise by Proximity
(STRIDE columns: S T R I D E; Ward et al. 2013 impact columns: S P F O)

Vulnerability               | ECU affected        | Proximity               | STRIDE impact | Impact (Ward et al., 2013)
Compromise of OBD-II device | OBD-connected buses | Physical                | X X X X X X   | S1 S1 S2 S2
Compromise of OBD-II device | OBD-connected buses | Short range (Bluetooth) | X X X X X X   | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Long range (Wi-Fi)      | X X X X X X   | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Anywhere (cellular)     | X X X X X X   | S4 S4 S4 S4
Anatomy of Chrysler Jeep Cherokee Hack
• Head unit is connected to both CAN buses
• Target: compromise the radio to get access to the ECUs connected to CAN-IHS and CAN-C
• Radio receives GPS, AM/FM and satellite radio signals
• Radio unit – Harman Uconnect system
• Uconnect runs QNX
• Uconnect system has Wi-Fi
• Wi-Fi password was compromised
• Performed a port scan and identified a D-Bus service
• Exploited the D-Bus vulnerability to execute the exploit as root
• Jailbroke Uconnect
• Uconnect payload – Lua script
• Uconnect communicates with the CAN buses using the V850E/FJ3
• The OMAP chip under test could only read from CAN, not send
• Reverse engineered the firmware of the OMAP
• Re-programmed it by uploading code via USB that allows the V850 to send commands to CAN
• Then used CAN commands to perform malicious activities
– Jamming steering, slowing down accelerator response
Network Architecture (excerpt from the Miller & Valasek paper; the right margin is cut off in the slide image)
"The architecture of the 2014 Jeep Cherokee was very intriguing to us due to the fact that […] (Radio) is connected to both CAN buses that are implemented in the vehicle."
Figure: 2014 Jeep Cherokee architecture diagram
"We speculated that if the Radio could be compromised, then we would have access to EC[…] CAN-IHS and CAN-C networks, meaning that messages could be sent to all ECUs that cont[…] attributes of the vehicle. You'll see later in this paper that our remote compromise of the […] not directly lead to access to the CAN buses and further exploitation stages were necessa[…] being said, there are no CAN bus architectural restrictions, such as the steering being on a […] separate bus. If we can send messages from the head unit, we should be able to send the[…] ECU on the CAN bus."
Potential Risks
• Safety-critical risks
– Driver distractions (e.g. volume, wipers)
– Engine shutoff or degradation
– Steering changes (autonomous vehicles)
• Less safety-critical, vehicle-specific risks
– Theft of the car or its contents
– Enabling physical crime against occupants
– Insurance or lease fraud
– Eavesdropping on occupants
– Theft of information (e.g. personal profile, phone list)
– Vector for attacking mobile devices in the car
– Theft of PII
– Tracking the vehicle's location
Key Vulnerabilities Found in Car
• Insecure firmware updates and downloads
• Hardcoded or non-existent Bluetooth PIN
• Weak WPA2 password
• Hardcoded credentials
• Internet-enabled administration interface
Some Important Attack Vectors
• Arbitrarily modify firmware
• Maliciously update remote firmware
• Lock/unlock doors
• Turn the vehicle on/off
• Affect vehicle GPS tracking, speed, heading and altitude
• Read the car's internal data – temperature, fuel levels, diagnostic trouble codes etc.
• Inject arbitrary CAN packets
Common Architecture Issues
• The primary processor
– Simple processor
– Converts the external network protocol to CAN and vice versa
– Logic is implemented in upstream systems
– Does not include any security, e.g. authentication or command validation
• External network interface
– With no filtering at the device or the OBD-II port, security is completely dependent on the perimeter, i.e. the external network interface
– External network interface security strength varies
  – WPA2 with a weak password
  – Easy-to-guess BT PIN
  – Widely shared BT PIN
  – Undocumented features
  – Insecure firmware upgrades
Recommendations
• Hardware security
– Secure boot and software attestation function
– TPM
– Tamper protection
– Cryptographic acceleration
– Active memory protection
– Device identity directly on device
  – Intel EPID, PUF
• Software security
– Secure boot
– Partitioned OS
– Authentication
– Enforcement of approved and appropriate behavior
– Secure SDL
Recommendations
• Network security
– Message and device authentication
– Identify and enforce predictable holistic behavior
– Access controls
• Cloud security
– Secure authenticated channel to the cloud
– Remote monitoring of the vehicle
– Threat intelligence exchange
– OTA updates
– Credential management
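An added Python example (not code from the slides or any supplier) of the "Message and Device Authentication" recommendation, which also answers the "no authentication or command validation" issue on the Common Architecture Issues slide: an 8-byte CAN payload carrying 4 bytes of signal data, a truncated freshness counter and a truncated MAC, with a receiver that rejects forged, corrupted and replayed frames. The field layout is an assumption in the spirit of AUTOSAR SecOC, and HMAC-SHA-256 from the standard library stands in for the CMAC of ISO/IEC 9797-1, which would need a third-party library.

```python
"""Authenticated CAN payload with a freshness counter.

Added example, not from the slides or any vendor's code. Layout of the 8-byte
data field (an assumption in the spirit of AUTOSAR SecOC profiles): 4 bytes
signal data | 1 byte truncated freshness counter | 3 bytes truncated MAC.
HMAC-SHA-256 stands in for the CMAC of ISO/IEC 9797-1; the key below is a
constructed demo value.
"""
import hashlib
import hmac
import struct

MAC_LEN = 3                          # truncated tag carried in the frame
CNT_LEN = 1                          # truncated freshness counter carried in the frame
DATA_LEN = 8 - MAC_LEN - CNT_LEN     # 4 bytes left for the signal data
CNT_MOD = 1 << 32                    # full freshness counter is 32 bits, tracked per ID at both ends


def _tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """MAC over ID, full 32-bit counter and data; binding the ID stops cross-ID replay."""
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def protect(self, data: bytes) -> bytes:
        """Build the 8-byte payload for one frame, incrementing the freshness counter."""
        if len(data) != DATA_LEN:
            raise ValueError(f"signal data must be {DATA_LEN} bytes")
        self.counter = (self.counter + 1) % CNT_MOD
        tag = _tag(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def verify(self, payload: bytes):
        """Return the signal data, or None if the frame is forged, corrupted or replayed."""
        if len(payload) != 8:
            return None
        data = payload[:DATA_LEN]
        cnt_lo = payload[DATA_LEN]
        tag = payload[DATA_LEN + CNT_LEN:]
        # Reconstruct the only full counter value in (last, last + 256] with this low byte.
        # A replayed or late old frame reconstructs to a value it was not signed with, so
        # its MAC fails; up to 255 lost frames are tolerated.
        candidate = (self.last & ~0xFF) | cnt_lo
        if candidate <= self.last:
            candidate += 0x100
        candidate %= CNT_MOD
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, candidate, data)):
            return None
        self.last = candidate
        return data


def run_scenario(key: bytes = b"constructed-demo-key-not-for-use", can_id: int = 0x0C9) -> dict:
    """Exercise the accept / replay / tamper / loss / stale paths; True means the frame was accepted."""
    tx, rx = Sender(key, can_id), Receiver(key, can_id)
    first = tx.protect(b"\x00\xc8\x00\x00")
    results = {"fresh": rx.verify(first) is not None,
               "replay": rx.verify(first) is not None}
    forged = bytes([first[0] ^ 0xFF]) + first[1:]                 # flip data bits, keep the tag
    results["tampered"] = rx.verify(forged) is not None
    frames = [tx.protect(b"\x00\xc8\x00\x00") for _ in range(8)]  # counters 2..9
    results["after_loss"] = rx.verify(frames[-1]) is not None     # counters 2..8 never arrive
    results["stale"] = rx.verify(frames[2]) is not None           # counter 4 arrives late
    return results
```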
Recommendations
• Supply-chain security
– Authorized distribution channel
– Track and trace
– Continuity of supply
Recommendations
• ISO/IEC
– 9797-1, 11889
• ISO/IEC 9797-1: Security techniques – Message Authentication Codes
• ISO/IEC 11889: Trusted Platform Module
• ISO 12207: Systems and software engineering – Software life cycle processes
• ISO 15408: Evaluation criteria for IT security
• ISO 26262: Functional safety for road vehicles
• ISO 27001: Information Security Management System
• ISO 27002: Code of Practice – Security
• ISO 27018: Code of Practice – Handling PII / SPI (Privacy)
• ISO 27034: Application security techniques
• ISO 29101: Privacy architecture frameworks
• ISO 29119: Software testing standard
• IEC 62443: Industrial Network and System Security
• SAE J2945: Dedicated Short Range Communication (DSRC) Minimum Performance Requirements
• SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
• SAE J3101: Requirements for Hardware-Protected Security for Ground Vehicle Applications
• E-safety Vehicle Intrusion Protected Applications (EVITA)
• Trusted Platform Module
• Secure Hardware Extensions (SHE): from the German OEM consortium Hersteller Initiative Software (HIS), these on-chip extensions provide a set of cryptographic services to the application layer and isolate the keys
THANK YOU

More Related Content

PPTX
Automotive Cybersecurity: The Gap Still Exists
PDF
Connected Car Security
PPTX
Cyber Security for the Connected Car
PDF
AUTOMOTIVE CYBER SECURITY PPT
PPTX
TARA- Automotive Cybersecurity.pptx
PPTX
Cyber Security Threat Modeling
PDF
Cybersecurity in Automotive Connected Vehicles and Growing Security Vulnerabi...
PPTX
ISO Automotive,SAE 21434 Training, Road Vehicles Cybersecurity Engineering
Automotive Cybersecurity: The Gap Still Exists
Connected Car Security
Cyber Security for the Connected Car
AUTOMOTIVE CYBER SECURITY PPT
TARA- Automotive Cybersecurity.pptx
Cyber Security Threat Modeling
Cybersecurity in Automotive Connected Vehicles and Growing Security Vulnerabi...
ISO Automotive,SAE 21434 Training, Road Vehicles Cybersecurity Engineering

What's hot (20)

PDF
Dominik Strube – Understanding UNECE WP.29 regulations on cybersecurity
PPTX
UDS: Vehicle Diagnostics in AUTOSAR Software Architecture
PDF
Automotive Cybersecurity Best Practices
PDF
Cyber securityppt
PDF
SOC Architecture - Building the NextGen SOC
PDF
Cyber Security Governance
PDF
Software Defined Car
PDF
Industrial_Cyber_Security
PPTX
Autosar fundamental
PPTX
ISO 26262: Automotive Functional Safety
PPTX
Security Operation Center Fundamental
PPTX
Automotive Hacking
PPTX
Autosar MCAL (Microcontroller Abstraction Layer)
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
PPTX
Chapter 1 Security Framework
PDF
Automotive Cybersecurity Challenges for Automated Vehicles: Jonathan Petit
PDF
CISSP 8 Domains.pdf
PPTX
What is iso 27001 isms
PPTX
What is AUTOSAR Communiation Stack
PDF
MITRE ATT&CK Framework
Dominik Strube – Understanding UNECE WP.29 regulations on cybersecurity
UDS: Vehicle Diagnostics in AUTOSAR Software Architecture
Automotive Cybersecurity Best Practices
Cyber securityppt
SOC Architecture - Building the NextGen SOC
Cyber Security Governance
Software Defined Car
Industrial_Cyber_Security
Autosar fundamental
ISO 26262: Automotive Functional Safety
Security Operation Center Fundamental
Automotive Hacking
Autosar MCAL (Microcontroller Abstraction Layer)
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Chapter 1 Security Framework
Automotive Cybersecurity Challenges for Automated Vehicles: Jonathan Petit
CISSP 8 Domains.pdf
What is iso 27001 isms
What is AUTOSAR Communiation Stack
MITRE ATT&CK Framework
Ad

Similar to Automotive Security (Connected Vehicle Security Issues) (20)

PPTX
Network Security for Automotive Embedded Systems
PDF
From Driver Distraction to Driver Augmentation: Open Source in Cars
PDF
hamaa2.pdf
PDF
From Connected To Self-Driving - Securing the Automotive Revolution
PDF
Phoenix Mobile & Emerging Tech Festival Autonomous Vehicles Presentation 11/3/18
PPT
Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...
PPT
Advanced car security system
PDF
WHITE PAPER▶ Building Comprehensive Security Into Cars
PDF
[IJET-V1I4P10] Authers :EiEi Thwe, Theingi
PDF
Countering Cybersecurity Risk in Today's IoT World
DOCX
Passenger Cars Cybersecurity Market- Key Players and Insights into a USD 4.12...
PDF
Connected & Driverless vehicles: the road to Safe & Secure mobility?
PDF
Wfcs2019
PDF
IRJET- Vehicle Cyber Security
PDF
Integration of Advanced Protocols for Detection and Communication
PDF
20181116.smart can cable_v2
PDF
Connected cars by Smart Driving Labs
PPTX
Connected Cars - Poster Child for the IoT Reality Check
PPTX
Module-1_Chapter-1 automotive elcetronics.pptx
PPTX
Chapter 4 Embedded System: Application and Domain Specific
Network Security for Automotive Embedded Systems
From Driver Distraction to Driver Augmentation: Open Source in Cars
hamaa2.pdf
From Connected To Self-Driving - Securing the Automotive Revolution
Phoenix Mobile & Emerging Tech Festival Autonomous Vehicles Presentation 11/3/18
Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...
Advanced car security system
WHITE PAPER▶ Building Comprehensive Security Into Cars
[IJET-V1I4P10] Authers :EiEi Thwe, Theingi
Countering Cybersecurity Risk in Today's IoT World
Passenger Cars Cybersecurity Market- Key Players and Insights into a USD 4.12...
Connected & Driverless vehicles: the road to Safe & Secure mobility?
Wfcs2019
IRJET- Vehicle Cyber Security
Integration of Advanced Protocols for Detection and Communication
20181116.smart can cable_v2
Connected cars by Smart Driving Labs
Connected Cars - Poster Child for the IoT Reality Check
Module-1_Chapter-1 automotive elcetronics.pptx
Chapter 4 Embedded System: Application and Domain Specific
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
PDF
Cyber Defense Matrix Workshop - RSA Conference
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
PDF
Securing AI - There Is No Try, Only Do!.pdf
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
PDF
Keynote : Presentation on SASE Technology
PDF
Keynote : AI & Future Of Offensive Security
PDF
Redefining Cybersecurity with AI Capabilities
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
PDF
Finetuning GenAI For Hacking and Defending
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Lessons Learned from Developing Secure AI Workflows.pdf
Cyber Defense Matrix Workshop - RSA Conference
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Securing AI - There Is No Try, Only Do!.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Techniques for Automatic Device Identification and Network Assignment.pdf
Keynote : Presentation on SASE Technology
Keynote : AI & Future Of Offensive Security
Redefining Cybersecurity with AI Capabilities
Demystifying Neural Networks And Building Cybersecurity Applications
Finetuning GenAI For Hacking and Defending
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
cloud_computing_Infrastucture_as_cloud_p
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Mushroom cultivation and it's methods.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
A novel scalable deep ensemble learning framework for big data classification...
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PPTX
TLE Review Electricity (Electricity).pptx
PDF
Encapsulation theory and applications.pdf
PPTX
1. Introduction to Computer Programming.pptx
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PPTX
A Presentation on Touch Screen Technology
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
Programs and apps: productivity, graphics, security and other tools
Building Integrated photovoltaic BIPV_UPV.pdf
cloud_computing_Infrastucture_as_cloud_p
Chapter 5: Probability Theory and Statistics
Mushroom cultivation and it's methods.pdf
Unlocking AI with Model Context Protocol (MCP)
Hindi spoken digit analysis for native and non-native speakers
A novel scalable deep ensemble learning framework for big data classification...
Digital-Transformation-Roadmap-for-Companies.pptx
SOPHOS-XG Firewall Administrator PPT.pptx
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
NewMind AI Weekly Chronicles - August'25-Week II
TLE Review Electricity (Electricity).pptx
Encapsulation theory and applications.pdf
1. Introduction to Computer Programming.pptx
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
A Presentation on Touch Screen Technology
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Programs and apps: productivity, graphics, security and other tools

Automotive Security (Connected Vehicle Security Issues)

  • 1. May 22, 2017 Proprietary and Confidential - 1 - Connected Car Security IGATE is now a part of Capgemini Arnab Chattopadhayay, Senior Director Date: 13th May, 2017
  • 2. May 22, 2017 Proprietary and Confidential - 2 - Table of Content  A Car Hack  Evolution of Modern Car  Components of a modern car  Automotive security – Threat Model  Relationship between Safety and Cybersecurity  Secure automotive design  Attack Model  Architectural Issues  Recommendations
  • 3. May 22, 2017 Proprietary and Confidential - 3 - Chrysler Jeep Hack – Charlie Miller & Chris Valasek
  • 4. May 22, 2017 Proprietary and Confidential - 4 - Yesterday
  • 5. May 22, 2017 Proprietary and Confidential - 5 - Today
  • 6. May 22, 2017 Proprietary and Confidential - 6 - Tomorrow
  • 7. May 22, 2017 Proprietary and Confidential - 7 - Components of Modern Car
  • 8. May 22, 2017 Proprietary and Confidential - 8 - List of Car Components •Accident Recorder •Active Aerodynamics •Active Cabin Noise Suppression •Active Exhaust Noise Suppression •Active Suspension •Active Vibration Control •Active Yaw Control •Adaptive Cruise Control •Adaptive Front Lighting •Airbag Deployment •Antilock Braking •Auto-Dimming Mirrors •Autonomous Emergency Braking •Battery Management •Blind Spot Detection •Cabin Environment Controls •Communication Systems •Convertible Top Control •Cylinder Deactivation •DSRC •Driver Alertness Monitoring •Electronic Power Steering •Electronic Seat Control •Electronic Stability Control •Electronic Throttle Control •Electronic Toll Collection •Electronic Valve Timing •Engine Control •Entertainment System •Event Data Recorder •Head-Up Displays •Hill Hold Control •Idle Stop-Start •Instrument Cluster •Intelligent Turn Signals •Interior Lighting •Lane Departure Warning •Lane Keeping Assist •Navigation •Night Vision Systems •On-Board Diagnostics •Parental Controls •Parking Systems •Precrash Safety •Rear-view Camera •Regenerative Braking •Remote Keyless Entry •Security Systems •Tire Pressure Monitoring •Traction Control •Traffic Sign Recognition •Transmission Control •Windshield Wiper Control
  • 9. May 22, 2017 Proprietary and Confidential - 9 - Schematic view of Connected Components
  • 10. May 22, 2017 Proprietary and Confidential - 10 - Four Main Components  ECU (Electronic Control Unit)  CAN Bus (Control Area Network Bus)  OBD (Onboard Diagnostics)  Infotainment
  • 11. May 22, 2017 Proprietary and Confidential - 11 - ECU – Overview  Embedded Digital Computer  Runs closed-control-loop  Reads data from sensors (e.g. temperature, tyre pressure, engine rev, windows movement sensor) – Example: Gather data from different sensors the ECU looks up values in table and performs long mathematical equations to calculate best spark time or determine fuel injector opening time  Types of ECU – ECM – Engine Control Module – EBCM – Electronic Break Control Module – PCM - Powertrain Control Module – VCM – Vehicle Control Module – BCM – Body Control Module  32-bit 40-MHz Processor  Average code size: 1 MB
  • 12. May 22, 2017 Proprietary and Confidential - 12 - ECU – Functional Block  Power supply – digital and analog (power for analog sensors)  MPU – Flash and RAM  Communication Link (e.g. CAN Bus link)  Discrete Inputs – On/Off switch type  Frequency Inputs – encoder type signals (e.g. crank or vehicle speed)  Analog Inputs – feedback signals from sensor  Switch output – On/Off switch type  PWM Outputs – variable frequency and duty cycle (e.g. injector, ignition)  Frequency Outputs – constant duty cycle (e.g. stepper motor)
  • 13. May 22, 2017 Proprietary and Confidential - 13 - Example Function of ECU  At high speed circuit, drivers has to throttle more, rather than applying gradually full throttle. The accelerator will be set so that only a small movement will result in full engine acceleration – Read data captured by ADC on the Channel on which Accelerator Pedal is connected – Using the data, look-up the value from a multi-dimensional map which contains the Engine RPM as another input – Take output value from the map, multiply by correction factor – The output is the Torque to be generated by the engine – Repeat this sequence every 20 milliseconds
  • 14. May 22, 2017 Proprietary and Confidential - 14 - CAN Bus  Multi-master serial bus  Connects ECU  Complexity of nodes can vary – Simple I/O device – Embedded computer with a CAN interface – Gateway to USB or Ethernet port  Nodes are connected through two wire bus with 120 Ohm termination  CAN-Hi – 5V when transmitting 0  CAN-Low – 0V when transmitting 0  Message broadcast to all Nodes – Nodes are expected to ignore message that are not addressed to them  Frame does not include source address
  • 15. May 22, 2017 Proprietary and Confidential - 15 - CAN Protocol Frame
  • 16. May 22, 2017 Proprietary and Confidential - 16 - OBD-II  Diagnostics Connector  SAE J1962 – Type A and Type B – both female pin – 16 pin (2 x 8) – D-shaped  Type A connector is used for vehicle that use 12V supply voltage  Type B connector is used for vehicle that use 24V supply voltage
  • 17. May 22, 2017 Proprietary and Confidential - 17 - Main Hackable Attack Surface  Success of of hacking car depends on: – Remote attack surfaces – Cyber-physical features – In-Vehicle network architecture  20% models (2014- 2015) from different manufacturers are vulnerable to more than seven categories of remote attack From research by Miller and Valasek
  • 18. May 22, 2017 Proprietary and Confidential - 18 - Relationship between Car Safety and Cyber Security  Strong relationship between automotive safety and cyber security  SAE J3061 – Cyber Security Guidebook for Cyber-Physical Vehicle Systems  System Safety is concerned with protecting against harm to life, property and environment  System Cybersecurity aims to prevent financial, operational, privacy and safety loses – All safety critical systems are security critical but there could be systems e.g. Infotainment that are security critical but not safety critical
  • 19. May 22, 2017 Proprietary and Confidential - 19 - Cyber Security Threat Model – Threat Agents  Researchers and Hobbyists – Universities, government labs, defense labs. Motivations are usually positive to study and conduct research  Pranksters and Hacktivists – Takes opportunity to demonstrate their skills or promote their cause but with negative outcomes for the product owners and manufacturers  Owners and Operators – Many car hacking tools exists with owners and often they want to hack their own vehicles to improve performance, to bypass restriction set by manufacturers or regulators or disable components to obfuscate their fraudulent actions  Organized crime – Has always been a threat to vehicles. Main motivation is financial gain. DoS, malware, ransomware – Cyber crime-as-a-service !  Nation States – Not easy to determine motivation – Industrial espionage, surveillance, economic and physical warfare – Intervention to assist national manufacturers against foreign competitions – Tracking and audio monitoring of high-value objects  Transportation Infrastructure – Next-gen car V2V communication – Security and safety issue can occur through attacks and misbehavior of the surrounding infrastructure  Example: manipulation of traffic light confusing smart cars causing accidents
20. Cyber Security Threat Model
 One-to-many connected ECUs on the same CAN bus as the OBD-II port
 The ability to control an ECU results in the attacker getting control of the vehicle
 Assume the OBD-II device can be compromised
 Determine the attack proximity and vulnerability
 Classify vulnerabilities using Microsoft STRIDE and the SAE SPFO (safety, privacy, financial, operational) impact model
[Figure: Generic OBD-II Device Threat Model Diagram (from the SEI paper), showing ECU A, ECU B and ECU C on the bus reached through the OBD-II port, with an aftermarket OBD-II device attached to that port]
21. Cyber Security Threat Model
Excerpt from the Software Engineering Institute, Carnegie Mellon University paper (Distribution Statement A, approved for public release and unlimited distribution): "[...] technique (Microsoft, 2005). We also use the Society of Automotive Engineers (SAE) safety, privacy, financial, and operational impact to define how a vulnerability may affect a vehicle (Ward, et al., 2013). (Both STRIDE and the SAE techniques are described in Appendix D.)"

Table 2: Vulnerability Impact on the Device and the Vehicle
Vulnerability | ECU Affected | Comments | Impact (STRIDE) | Impact (Ward, et al., 2013: S P F O)
Hardcoded credentials | None | | X | S0 S0 S0 S0
Arbitrary command injection | OBD-connected buses | | X | S0 S3 S0 S0
Arbitrary CAN injection | OBD-connected buses | Full device compromise (see Table 3 for complete impact) | X X X X X X |
22. Cyber Security Threat Model
Table 3: Vulnerability Impact on Vehicle with Complete Device Compromise by Proximity
Vulnerability | ECU Affected | Proximity | Impact (STRIDE: S T R I D E) | Impact (Ward, et al., 2013: S P F O)
Compromise of OBD-II device | OBD-connected buses | Physical | X X X X X X | S1 S1 S2 S2
Compromise of OBD-II device | OBD-connected buses | Short range (Bluetooth) | X X X X X X | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Long range (Wi-Fi) | X X X X X X | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Anywhere (cellular) | X X X X X X | S4 S4 S4 S4
23. Anatomy of Chrysler Jeep Cherokee Hack
 Head unit is connected to both CAN buses
 Target: compromise the radio to get access to the ECUs connected to CAN-IHS and CAN-C
 Radio receives GPS, AM/FM and satellite radio signals
 Radio unit – Harman Uconnect system
 Uconnect runs QNX
 Uconnect system has Wi-Fi
 Wi-Fi password was compromised
 Performed a port scan and identified the D-Bus service
 Exploited a D-Bus vulnerability to execute the exploit as root
 Jailbroke Uconnect
 Uconnect payload – Lua script
 Uconnect communicates with the CAN buses using the V850E/FJ3
 The OMAP chip in the test unit can only read from CAN, not send
 Reverse engineered the firmware of the OMAP
 Re-programmed it by uploading code via USB that allows the V850 to send commands to CAN
 Then used CAN commands for malicious activities – jamming steering, slowing the accelerator response
Excerpt from Miller & Valasek's paper "Remote Exploitation of an Unaltered Passenger Vehicle" (the slide shows it as an image cropped at the right edge; cut-off words are marked [...]):
"Network Architecture. The architecture of the 2014 Jeep Cherokee was very intriguing to us due to the fact that [...] (Radio) is connected to both CAN buses that are implemented in the vehicle. Figure: 2014 Jeep Cherokee architecture diagram. We speculated that if the Radio could be compromised, then we would have access to EC[...] CAN-IHS and CAN-C networks, meaning that messages could be sent to all ECUs that cont[...] attributes of the vehicle. You'll see later in this paper that our remote compromise of the [...] not directly lead to access to the CAN buses and further exploitation stages were necessa[...] being said, there are no CAN bus architectural restrictions, such as the steering being on a separate bus. If we can send messages from the head unit, we should be able to send the[...] ECU on the CAN bus."
24. Potential Risks
 Safety-critical risks
  – Driver distractions (e.g. volume, wipers)
  – Engine shutoff or degradation
  – Steering changes (autonomous vehicles)
 Less safety-critical, vehicle-specific risks
  – Theft of the car or its contents
  – Enabling physical crime against occupants
  – Insurance or lease fraud
  – Eavesdropping on occupants
  – Theft of information (e.g. personal profile, phone list)
  – Vector for attacking mobile devices in the car
  – Theft of PII
  – Tracking the vehicle's location
25. Key Vulnerabilities Found in Cars
 Insecure firmware updates and downloads
 Hardcoded or non-existent Bluetooth PIN
 Weak WPA2 password
 Hardcoded credentials
 Internet-enabled administration interface
26. Some Important Attack Vectors
 Arbitrarily modify firmware
 Maliciously update remote firmware
 Lock/unlock doors
 Turn the vehicle on/off
 Affect vehicle GPS tracking, speed, heading and altitude
 Read the car's internal data – temperature, fuel levels, diagnostic trouble codes etc.
 Inject arbitrary CAN packets
27. Common Architecture Issues
 The primary processor
  – Simple processor
  – Converts the external network protocol to CAN and vice versa
  – Logic is implemented in upstream systems
  – Does not include any security, e.g. authentication or command validation
 External network interface
  – With no filtering at the device or at the OBD-II port, security depends completely on the perimeter, i.e. the external network interface
  – External network interface security strength varies:
    WPA2 with a weak password
    Easy-to-guess BT PIN
    Widely shared BT PIN
    Undocumented features
    Insecure firmware upgrades
28. Recommendations
 Hardware security
  – Secure boot and software attestation function
  – TPM
  – Tamper protection
  – Cryptographic acceleration
  – Active memory protection
  – Device identity directly on the device
    Intel EPID, PUF
 Software security
  – Secure boot
  – Partitioned OS
  – Authentication
  – Enforcement of approved and appropriate behavior
  – Secure SDL
29. Recommendations
 Network security
  – Message and device authentication
  – Identify and enforce predictable, holistic behavior
  – Access controls
 Cloud security
  – Secure authenticated channel to the cloud
  – Remote monitoring of the vehicle
  – Threat intelligence exchange
  – OTA updates
  – Credential management
30. Recommendations
 Supply-chain security
  – Authorized distribution channel
  – Track and trace
  – Continuity of supply
31. Recommendations
 ISO/IEC – 9797-1, 11889
 ISO/IEC 9797-1: Security techniques – Message Authentication Codes
 ISO/IEC 11889: Trusted Platform Module
 ISO 12207: Systems and software engineering – Software life cycle processes
 ISO 15408: Evaluation criteria for IT security
 ISO 26262: Functional safety for road vehicles
 ISO 27001: Information Security Management System
 ISO 27002: Code of Practice – Security
 ISO 27018: Code of Practice – Handling PII / SPI (Privacy)
 ISO 27034: Application security techniques
 ISO 29101: Privacy architecture frameworks
 ISO 29119: Software testing standard
 IEC 62443: Industrial Network and System Security
 SAE J2945: Dedicated Short Range Communication (DSRC) Minimum Performance Requirements
 SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
 SAE J3101: Requirements for Hardware-Protected Security for Ground Vehicle Applications
 E-safety Vehicle Intrusion Protected Applications (EVITA)
 Trusted Platform Module
 Secure Hardware Extensions (SHE): from the German OEM consortium Hersteller Initiative Software (HIS); these on-chip extensions provide a set of cryptographic services to the application layer and isolate the keys.
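As an added example (not code from the deck or from any OEM's implementation), a minimal form of the per-message authentication the Network Security recommendation and the ISO/IEC 9797-1 MAC item point at: each 8-byte CAN frame carries a freshness counter byte and a truncated MAC, so a receiver drops replayed frames and frames whose payload was altered by an injected packet. The key, CAN ID, frame layout and HMAC-SHA256 (standing in for the AES-based MAC a SHE/HSM would compute) are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo key (hypothetical): on a real ECU it lives in a SHE/HSM slot.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 4     # truncated MAC bytes carried in each frame
WINDOW = 16     # how many counters ahead of the last accepted one we will try

def mac_tag(key, can_id, counter, payload):
    """Truncated MAC over (CAN ID, full 32-bit counter, payload); HMAC-SHA256
    stands in for the AES-based MAC an automotive HSM would compute."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class SecureSender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build_frame(self, payload):
        """8-byte CAN data field: payload | low counter byte | truncated MAC."""
        assert len(payload) + 1 + MAC_LEN <= 8, "does not fit a classic CAN frame"
        self.counter += 1
        tag = mac_tag(self.key, self.can_id, self.counter, payload)
        return payload + bytes([self.counter & 0xFF]) + tag

class SecureReceiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last_counter = key, can_id, 0

    def verify_frame(self, data):
        """Return the payload if the frame is authentic and fresh, else None."""
        payload, low, tag = data[:-MAC_LEN - 1], data[-MAC_LEN - 1], data[-MAC_LEN:]
        # Only the counter's low byte is on the wire: the full value must be one
        # of the next WINDOW counters, which is also what rejects replays.
        for cand in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if cand & 0xFF != low:
                continue
            if hmac.compare_digest(tag, mac_tag(self.key, self.can_id, cand, payload)):
                self.last_counter = cand
                return payload
        return None

def demo():
    # Genuine frame is accepted; its replay and a forged payload are dropped.
    tx, rx = SecureSender(DEMO_KEY, 0x244), SecureReceiver(DEMO_KEY, 0x244)
    good = tx.build_frame(b"\x00\x10\x05")      # constructed sample payload
    accepted = rx.verify_frame(good)
    replayed = rx.verify_frame(good)             # same counter byte again
    forged = rx.verify_frame(b"\xff\x10\x05" + bytes([2]) + good[-MAC_LEN:])
    return accepted, replayed, forged
```

Because only the low counter byte is transmitted, a receiver that misses more than WINDOW frames must be resynchronised out of band, which is the usual trade-off for fitting a freshness value into a classic CAN frame.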
32. THANK YOU