2 What is…?
- What is a car?
- Why are there computers in cars?
- Why can something other than a car access these computers?
- We don’t know.
3 Not an Outline
- Internal Structure
  - ECUs
  - Controller Area Networks
  - Seed to Key Algorithms
  - Device Control
- Exploits
  - Testing Methodology
  - Attack Strategies
  - Attack Results
4 Why is car hacking bad?
- Control car components remotely
- Physical implications: most components, from windscreen wipers to brakes, can be controlled by a computer.
- Privacy concerns: the GPS can be part of this network and hold personal information such as addresses.
- You won’t know about it afterwards: it’s easy for an attacker to wipe all evidence of an attack from the system.
5 Controller Area Network
- CAN: Controller Area Network
- ECU: Electronic Control Unit (car computers in general)
- Comprised of 2 buses
  - High speed bus: safety critical, more trusted
  - Low speed bus: non-critical, convenience modules
  - A gateway can route things between the buses
- Required in all cars sold in US since 2008 (required for diagnostics)
6 Here is a list of various ECUs and which bus each is connected to. Source: Article
7 CAN Security
- CAN packets: header that says where the packet goes
  - No addresses used
  - All packets broadcast physically and logically to all nodes
  - Each node decides if it should process the packet
- Vulnerabilities (many, and common to most implementations):
  - All nodes see all traffic and all nodes communicate with all other nodes, because of the broadcast nature
  - DoS-able: vulnerable to denial of service attacks
  - No identifiers: you don’t know who sent a packet
  - Firmware updates: answers to the standard authentication challenges for sensitive operations, like reflashing components, are stored in memory
  - Weak access controls that aren’t used: there are several protection mechanisms written into the protocol, but they are often ignored by ECUs, such as the rule to ignore a disable-communications command
8 Seed to Key Algorithms
- Authentication method for sensitive operations
  - One ECU sends the seed (the challenge)
  - The other replies with the key
- Each ECU has its own seed and key
- Keys and seeds are fixed and stored in the memory of each ECU
- Algorithms used to compute them are not stored in ECUs for “security”
- Return of challenge not always used
- Brute forcible keys
The algorithm is the challenge and the response between the ECUs: one ECU sends a packet requesting access to the protected resource, the other responds with the challenge, then the key. Also, all nodes see all requests, so you can sit on the network and see all keys and seeds passed.
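Added example (not from the slides or the paper): the fixed seed-and-key exchange described above next to a hardened variant, showing that a response recorded from the broadcast bus unlocks the first but not the second. The class names, the HMAC-SHA256 construction, the three-attempt lockout and all byte values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class FixedSeedEcu:
    """Scheme on the slide: one fixed seed and key, no attempt limit."""
    def __init__(self, seed: bytes, key: bytes):
        self.seed, self.key = seed, key
    def challenge(self) -> bytes:
        return self.seed
    def unlock(self, response: bytes) -> bool:
        return response == self.key

class NonceEcu:
    """Assumed hardening: fresh random challenge, HMAC response, lockout."""
    MAX_FAILURES = 3
    def __init__(self, secret: bytes):
        self.secret, self.pending, self.failures = secret, None, 0
    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending
    def unlock(self, response: bytes) -> bool:
        if self.pending is None or self.failures >= self.MAX_FAILURES:
            return False                      # no open challenge, or locked out
        expected = respond(self.secret, self.pending)
        self.pending = None                   # each challenge is single use
        ok = hmac.compare_digest(expected, response)
        self.failures = 0 if ok else self.failures + 1
        return ok

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Tester side of the hardened exchange."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def replay_outcomes():
    """Replay a response recorded from the broadcast bus against both ECUs."""
    fixed = FixedSeedEcu(seed=b"\x12\x34", key=b"\xab\xcd")  # constructed values
    fixed.challenge()
    recorded_fixed = b"\xab\xcd"              # what a listening node saw earlier
    secret = b"constructed-shared-secret"
    hard = NonceEcu(secret)
    recorded_hard = respond(secret, hard.challenge())
    legit_ok = hard.unlock(recorded_hard)     # the genuine exchange succeeds
    hard.challenge()                          # new session, new nonce
    return legit_ok, fixed.unlock(recorded_fixed), hard.unlock(recorded_hard)

if __name__ == "__main__":
    print(replay_outcomes())
```

The lockout counter addresses the "brute forcible keys" bullet: after three wrong responses even a correct one is refused until the ECU is reset by some out-of-band procedure.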
9 DeviceControl
- Essentially debuggers for cars
- Assists in diagnosis of a car’s components
  - Examines state
  - Manipulates state
- In operating systems, debuggers are limited by access control
- CANs do not have access control
11 Testing Methodology
- Bench: testing individual ECUs. Setup involves an ECU, either off the shelf or from a car, a CAN-to-USB connector, an oscilloscope, and a power supply.
- Stationary car: car on jacks. Similar tests conducted on ECUs in the car through the Onboard Diagnostics II port to determine the effects hacking the CAN can have. For safety purposes, the car was on jacks.
- Car in motion: professional driver, closed course. Do not attempt. Testing the exploits in motion on the road to determine if there are any differences between stationary and in-motion effects. Testing was completed with a chase car with a wifi connection to a laptop plugged into the test car’s OBD-II port.
- CarShark
12 Source: Article
CarShark: CAN bus analyser and packet injection tool. It needed to be adapted for proprietary packets in the car’s CAN. Having a custom tool also provided additional testing abilities.
13 Attack Vectors
- Packet Sniffing and Target Probing
  - Analyze packets with CarShark to determine how ECUs communicate with each other.
  - Perform many normal car operations (turn on the headlights, adjust the stereo, apply the brakes).
  - Only sees normal operations: packets for safety-critical actions, such as SRS or ABS, are not visible normally with this approach.
- Fuzzing
  - Send random or partially random packets: using packets picked up by the CarShark, determine the general format of the CAN packets of the vehicle, then send random packets of the same format into the CAN.
  - Useful for system disruption.
  - Exploit the DeviceControl service: identified the small range of bytes that DeviceControl uses, and quickly determined what combinations control what.
- Reverse-Engineering
  - Dump assembly code & analyze. Only needed for the most complex ECUs, such as the telematics unit.
  - Adding new functionality: required to add functionality that is not available in any normal car operation, such as bridging buses.
14 Non-Moving Car Testing
- I.e. stationary
- Tested on all ECUs in the car
- Radio
  - First ECU tested, easiest to exploit
  - Disable user control
  - Display arbitrary messages and play arbitrary sounds
- Brakes
  - Fuzzing showed how to lock individual brakes as well as sets
  - DeviceControl key not needed
Two arbitrary ECUs, there are plenty more. BUT we are able to release the brakes at speed.
15 Non-Stationary Car Testing
- I.e. moving
- Tested on ECUs that don’t affect the safety of the car or driver
- Exploits were transmitted from a chase car
  - Laptop in test car plugged into OBD-II port and connects with chase car via local wifi
  - Cancellation packet sent after exploit is verified
  - Laptop pulled from port if anything goes wrong
  - Car functions return to normal shortly after laptop is removed
- Only difference was EBCM
- Also not enough allotted time at airport
EBCM: When stationary, no DeviceControl authentication was required, but after 5 MPH, DeviceControl was needed to apply the brakes. Contrary to that, DeviceControl is not required to release the brakes or prevent the brakes from being applied while stationary or at speed.
16 Source: Article
- “At speed” means on jacks with wheels spinning at 40.
- “On runway” means actually tested while moving (some were too dangerous to try).
- “Need to unlock” refers to DeviceControl. Nothing on this table needed to be unlocked, but on other tables the Engine Control Module did need to be unlocked, and the Electronic Brake Control Module did not need to be unlocked when stationary, but did need to be unlocked when going more than 5 MPH.
17 Issues
- Required (almost) physical access to car via OBD-II port
  - Bluetooth
  - Wireless Tire Pressure Sensors
- Given physical access an attacker could
  - Cut brakes
  - Set fire to car
  - Place bomb in car
OBD: On Board Diagnostics
Not in paper: can be accessed through a bad CD
18 Future (to the paper) work
- Comprehensive Experimental Analyses of Automotive Attack Surfaces
19 You’re all engineers, fix it.
[In] Conclusion
- Cars are insecure.
- Every electronic control unit in the cars in question was vulnerable to attack, and many of them were exploitable without DeviceControl authentication at speed.
- This was not limited to a specific car at the time, and is likely not limited to specific cars now. Some high-end luxury car makers such as BMW and Merc may be implementing more security measures, however.
21 Defenses
- Prevent reflashing
  - Preventing reflashing is unrealistic
  - People may want to tune their car
  - Would require you to trust certain mechanics: which ones do you trust?
  - Less extreme: prevent arbitrary ECUs from using reflashing commands
- Signed firmware updates
- Disallow 3rd party components
  - 3rd party components increase the attack surface
  - One option is to have all communication from 3rd party components go through a “secure” communicator
  - The secure communicator will filter out bad commands
  - What is a bad command?
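Added example (not from the slides or the paper): one way to answer "what is a bad command?" is a default-deny gateway that forwards a third-party frame only if its ID, length, rate and the vehicle state all match an allowlist. The policy table, CAN IDs, limits and sample frames below are constructed; the 5 MPH threshold mirrors the EBCM behaviour noted earlier.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    t: float                 # receive time in seconds

@dataclass(frozen=True)
class Rule:
    max_len: int             # longest payload accepted for this ID
    min_interval: float      # minimum seconds between forwarded frames
    moving_ok: bool          # may be forwarded while the vehicle is moving

# Hypothetical allowlist for frames arriving from third-party components.
POLICY = {
    0x100: Rule(max_len=2, min_interval=0.1, moving_ok=True),    # status message
    0x200: Rule(max_len=8, min_interval=0.05, moving_ok=False),  # diagnostic request
}
MOVING_MPH = 5.0

class Gateway:
    """Default-deny filter between third-party components and the car's buses."""
    def __init__(self, policy):
        self.policy, self.last_forwarded = policy, {}
    def decide(self, frame: Frame, speed_mph: float) -> str:
        rule = self.policy.get(frame.can_id)
        if rule is None:
            return "drop:id-not-allowlisted"
        if len(frame.data) > rule.max_len:
            return "drop:length"
        if speed_mph > MOVING_MPH and not rule.moving_ok:
            return "drop:vehicle-moving"
        last = self.last_forwarded.get(frame.can_id)
        if last is not None and frame.t - last < rule.min_interval:
            return "drop:rate"
        self.last_forwarded[frame.can_id] = frame.t
        return "forward"

def run_sample():
    """Constructed traffic: (frame, vehicle speed in MPH when it arrived)."""
    sample = [
        (Frame(0x100, b"\x01", 0.00), 0.0),
        (Frame(0x100, b"\x01", 0.02), 0.0),          # too soon after the first
        (Frame(0x555, b"\x00", 0.10), 0.0),          # unknown ID, e.g. fuzzing
        (Frame(0x200, b"\x02\x00", 0.20), 0.0),      # diagnostics while parked
        (Frame(0x200, b"\x02\x00", 0.50), 30.0),     # same request at speed
        (Frame(0x100, b"\x01\x02\x03", 0.60), 30.0), # oversized payload
    ]
    gw = Gateway(POLICY)
    return [gw.decide(frame, speed) for frame, speed in sample]
```

Because the bus carries no sender identity, such a filter only works if third-party components are physically attached behind the gateway rather than directly on either bus.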