Auto_Security
Download as PPTX, PDF0 likes155 views
This document discusses automotive security and connected vehicles. It covers the attack surface of connected vehicles, common bus protocols like CAN and OBD-II, vehicle networks, and tools for analyzing vehicle communication. The document uses the example of the 2015 Jeep hack to illustrate the challenges of exploiting vulnerabilities. It recommends best practices from Auto-ISAC and the need for lightweight endpoint security solutions to protect automobiles similarly to other internet-connected devices.
Auto_Security
- 1. Automotive Security Myths & Realities Heather Axworthy, CISSP, GMOB hla@haxworthy.com January 2017
- 2. Agenda • Connected Vehicle Attack Surface • BUS Protocols – OBD-II – CAN (Controller Area Network) • Vehicle Network • Vehicle Spy • The Jeep Hack – Myth vs. Reality • More Tools • Best Practices • Where To Go Next © 2017 Heather L. Axworthy 2
- 3. Connected Vehicle Attack Surface • The connected vehicle aka “cars with Internet enabled components” • Cars are really endpoints (258 million in USA) • Several ways to exploit a vehicle – Keypad access – Sensors – Charging outlet (if electric car) – Audio inputs (Bluetooth, USB, CD/DVD) – Diagnostic Ports (OBD-II) – Mobile App 3© 2017 Heather L. Axworthy
- 4. BUS Protocols • Vehicles contain different BUS’s and protocols • ECU (Electronic Control Units) connect to each embedded system (Climate, Steering, etc. and communicate via the BUS) • Connected Vehicles need faster protocols for communication • CAN (Controller Area Network) – Most common, standard on US vehicles since 2008, also on Formula1 – Process multiple signals faster than other BUS types – Dual-wire channel has high and low speed lines 4© 2017 Heather L. Axworthy
- 5. 5 Smith, Craig. (2016) The Car Hacker’s Handbook, A Guide for the Penetration Tester. San Francisco, CA: No Starch Press TheVehicleNetwork Least Trusted Most Trusted
- 6. OBD-II (On Board Diagnostic) • Communicates to vehicle internal network using CAN protocol • Diagnostic messages • Usually located under the steering wheel panel • CAN wires are always in dual- wire pairs, if the connector is not visible immediately • Technician plugs in to run diagnostics, and you can too • See diagnostic data and everything else 6© 2017 Heather L. Axworthy
- 7. CAN Packets • CAN packets are broadcast, all controllers see the same packets • Non-diagnostic packets are the ones you want to see • Use arbitration field also referred to as the “CAN ID” to filter • Every auto manufacturer has different ID’s for their service packets 7© 2017 Heather L. Axworthy
- 8. Vehicle-Spy • Windows tool for analyzing CAN messages • Not free, commercial software $395 – kit, includes the CAN3 network interface cable 8© 2017 Heather L. Axworthy
- 11. The Jeep Hack - Myth vs. Reality • Myth: Really easy, anyone can get into a car from anywhere… • Reality: Challenging – Target 2014 Jeep Cherokee, vulnerability in the Uconnect service – Paid to perform the research by Wired magazine – 1-year to fully exploit – Able to gain access to car via cellular network “Sprint” – IRC port 6667 was open – Reverse Engineer the firmware to accept their CAN packets 11© 2017 Heather L. Axworthy
- 12. More Tools OpenGarages on Google Group https://groups.google.com/forum/?fromgroups#!forum/open-garages Vehicle Spy, commercial tool http://www.intrepidcs.com/support/video_vspy3_videos.htm The Car Hacker’s Handbook, March 2016 by Craig Smith https://www.nostarch.com/carhacking Can-UTILS – free, open source https://github.com/linux-can/can-utils Kayak – free, open source http://kayak.2codeornot2code.org/ 12© 2017 Heather L. Axworthy
- 13. Best Practices • Developed by the Automotive Information Sharing and Analysis Center (Auto-ISAC) in July 2016 • Cover the organizational and technical aspects of vehicle cyber security • Controls for the automobile are identical to security controls for other internet-enabled systems 1. Governance 4. Threat Detection & Response 2. Risk Management 5. Incident Response & Recovery 3. Security by Design 6. Training & Awareness 13© 2017 Heather L. Axworthy
- 14. Where To Go Next… • If regulating bodies are treating the automobile like every other Internet- enabled system…. • Security vendors need to do the same • Market Opportunity: A light-weight end-point solution for the automobile (and other consumer-facing devices) (T) – Identify & protect trust boundaries with security and/or behavioral controls – Emphasize secure connections to, from, and within the vehicle – Limit network interactions to ensure appropriate separation of environments 14© 2017 Heather L. Axworthy
- 15. Questions Heather Axworthy, CISSP, GMOB hla@haxworthy.com January, 2017
Editor's Notes
- #3: Automobile systems How they are connected ECU CAN-BUS The Jeep Hack – myth vs reality Tools to try at home
- #4: What is the connected vehicle Several ways today to examine a vehicle for potential exploitation 41B Industrial Internet of Things (IIoT) forecasted by 2020
- #5: Cars today are “mini computers” that have several electrical components that need faster protocols for communication Critical car communication like RPM, braking is on the high-speed line, things like door locks, climate control are on lower speed lines
- #6: What is the connected vehicle Several ways today to examine a vehicle for potential exploitation Infotainment/Nav Console is a primary entry point for auto communications. Cellular and wi-fi components have a direct line into the vehicle.
- #7: OBDII is mandated in the USA for Vehicles 1996 and newer OBDII is for Emission Related Diagnostics EOBD is mandated on 2001 and newer (petrol) and 2004 and newer (diesel). OBDII Connector Example: over 25 up to 100 controllers Main Controller (MCU) Inputs (Switch and Analog) Outputs (Motors and lights) Connected to share info Contains Memory: Volatile Non-Volatile Power Supply (12V -> 3.3V or 5V)
- #8: CAN packets, this is the traffic that Arbitration ID identifies the device trying to communicate Non-diag packets are the ones the car uses to perform functions A lot of noise once connected, use arbitration ID’s to filter them out Differs by manufacturer.
- #12: Originally began by infiltrating the vehicle using the built-in wireless connection. Playing around, they found a public IP on one of the interfaces. Every car that has U Connect installed, operates on the Sprint network for it’s communication. Each vehicle has an IP address on the Sprint network. From scanning the range, port 6667 was open. Able to access the vehicle internally, in order to get to the BUS to read the CAN messages (from the wireless “untrust” direction), had to get past the ECU, able to reverse engineer the firmware for it to accept their custom CAN messages.
- #14: Governance: Define executive oversight for product security, Functionally align the organization to address vehicle cybersecurity, with defined roles and responsibilities across the organization. Risk Management: Establish a risk-management process, ensure it is adhered to at every stage of the vehicle life-cycle Security by Design: Establish safe coding guidelines and ensure they are adhered to at every stage, identify trust boundaries, protect at every level. Threat Detection and Response: Test, Test, Test, respond to results, Incident Response: Respond and fix Training and awareness:
- #15: If the ISAC’s are treating the automobile like a connected system, security vendors need to figure out how to protect it. Now that we know automobiles are vulnerable and are becoming more connected not just to the consumer, but to each other. Endpoint space, there is a need for a lightweight end-point solution that is capable of running on the automobile. Something that would only allow trusted access via the OBD and/or the cellular/wifi interface, also monitor firmware uploads and re-writes from trusted sources. Only allow it from the manufacturer, must be tethered to the service unit