Vehicle Electronic Security and "Hacking" Your Car Jeremy Daily, Ph.D., P.E. Associate Professor of Mechanical Engineering James Johnson Ph.D. Candidate in Computer Science Andrew Kongs Undergraduate in Electrical Engineering

SAE Texas Meeting On Car Hacking 16 Jan 2014.pdf - TU-CRRC


Page 1: SAE Texas Meeting On Car Hacking 16 Jan 2014.pdf - TU-CRRC

Vehicle Electronic Security

and "Hacking" Your Car

Jeremy Daily, Ph.D., P.E. Associate Professor of Mechanical Engineering

James Johnson

Ph.D. Candidate in Computer Science

Andrew Kongs

Undergraduate in Electrical Engineering

Page 2

Overview

• Introduction – How we got involved in vehicle electronics through crash testing

– What is Hacking?

– What does Cyber Security mean to Automotive systems?

• Technology Overview – Controller Area Network (CAN) fundamentals

– Connecting Hardware to the Network

– Reverse Engineering Signals

• Automotive Security Testing and Vulnerabilities – Literature Review

– Security Analysis Tools (Fuzzing, Debugging, etc)

• Digital Forensics for Automotive Systems – Sensor Simulators

– Chip Level Examination

Page 3

The University of Tulsa

• Private co-ed doctoral university with

about 4500 students.

• TU is in the top 100 among national

doctoral universities

• Institute for Information Security

– designated by the NSA as one of its

Centers of Academic Excellence in

Information Assurance Education.

• Many privately funded research

consortia

Page 4

• Crash testing around the country

• Leverage on-board sensors for data acquisition

• CAN bus monitoring

• 8 SAE Publications

• Videos on website:

http://tucrrc.utulsa.edu/

Page 5

What is a “Hacker?”

• A technically inclined person who is really curious about how things work but doesn’t have the manual (or doesn’t use it)

• Most engineers are hackers to some extent.

• Hacker + complicated kids toy = dad at Christmas

• Hacker + patent attorney = inventor

• Hacker + business opportunity = entrepreneur

• Hacker + university = researcher

• Hacker + prankster = drain on society

• Hacker + evil empire = national security threat

• Outcome depends on the context of the “Hack” and the ethics of the “hacker”

Page 6

• Tuners and Street Racers

• Event Data Recorders – Third party EDR testing

and verification

• CAN Data Interpretation – Decoding library is

proprietary

• Things Unpleasant – Stealing Cars

– Breaking and Entering

– Or worse…

Hacking Cars

Page 7

Page 8

Page 9

Consequences of Unpleasant Hacks

• Public paranoia has commercial implications – Customers may start pushing for improved security

• Attribution is difficult – We don’t know who the perpetrator is.

• Consequences can be scary – Unintended Accelerations

– Loss of brakes

– Pulling the steering wheel

• Remote interfaces eliminate the need for physical access.

Page 10

Why Are Cars Hackable? It’s the Network!

• Introduction to Automotive Networks

• Measurement and Control Systems

– System Models

– Sensing and Converting

• Controller Area Network Basics

• Standards and Protocols

– J1939, J1708, J1587

• Demonstrations

Page 11

• Enable optimal operation across broader ranges

– Fuel map changes with altitudes

• Enable compliance with stricter environmental

regulations

• Improve economy and performance

• Increase longevity and enable machine condition

monitoring

• Enable data logging for warranty disputes

• Provide fleet management tools and safety monitoring

Purpose of Measurement and Control

[email protected]

Page 12

• Functional Block Diagram

[Block diagram with: Sensor, Transmitter, Signal Conditioner, Controller, Data Logger, Actuator, Plant (Process), CAN Bus]

Sensing and Control

Page 13

• Considerations

– Rate, Range and Resolution

• Signal Sampling (Rate)

– Converts a continuous signal into a discrete signal

– Frequency?

• Range

– Amplify or attenuate signal to match A/D converter electronics

– Example: Voltmeters don’t operate at 120 V

• Quantization (Resolution)

– Converts a discrete signal into a digital word

– Quantizing bits, N

– Number of combinations: 2^N

– 12 bit = 2^12 = 4096

– 16 bit = 2^16 = 65536

– Least Significant Bit Value = Full Scale Range / 2^N

Converting Analog to Digital

Page 14

• Binary: Represented by ones and zeros (bits) – Native computer language

– Cumbersome and long

• Hexadecimal: 0-F – 16 values

– 4 binary bits (nibble)

– 2 hex values = 8 bits = 1 byte (256 values)

• Quantizing Table

Bit:    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Weight: 128   64   32   16    8    4    2    1

217 (decimal) = 1101 1001 (binary) = D9 (hex)

Digital Concepts

Page 15

• Since computers speak binary, we need conversions – ASCII: American Standard Code for Information

Interchange

– SAE Standards for Heavy Trucks • J1939 (many parts)

• J1708

• J1587

– ISO11992

• Standards compliant vehicles contain common elements

• Useful for Horizontal Integration

Standards and

Protocols

Page 16

• Controller Area Network (CAN) serial bus introduced by

Bosch in mid 1980s

• A 2-wire bus with multi-master capability with Collision

Detection, Arbitration, and Error Checking

– Result: nearly 100% data integrity in harsh environments

• Implemented using CAN transceiver hardware

– Inexpensive

– Single quantity prices around $4.00 with big benefits in

economies of scale


CAN Basics

Page 17

• Bosch CAN Specification is free online.

• SAE J1939: Recommended Practice for a Serial

Control and Communications Vehicle Network

• J2284: High Speed CAN (HSC) for Vehicle

Applications at 250 Kbps

• J2411: Single Wire CAN Network for Vehicle

Applications

Controller Area

Networks

Page 18

• Up to 40 meters of twisted pair with 120 ohm terminating

resistors.

– Linear bus with 1m stubs

• CAN is resilient; deviations may not affect performance.


Physical

Transmission Media

CAN Bus

Page 19

Physical

Transmission Media

Page 20

• Pin A: Battery (-)

• Pin B: Battery (+)

• Pin C: CAN High

• Pin D: CAN Low

• Pin E: CAN Shield

• Pin F: J1708 (+)

• Pin G: J1708 (-)

• Pin H: OEM Use or 2nd CAN High

• Pin J: OEM Use or 2nd CAN Low


Connector

Standards (9-Pin)

Source: J1939-11

Page 21

• Pin A: Battery (+)

• Pin B: Battery (-)

• Pin C: CAN Shield

• Pin D: CAT Data Link Hi

• Pin E: CAT Data Link Lo

• Pin F: CAN/J1939 Lo

• Pin G: CAN/J1939 Hi

• Pin H: J1708 Lo

• Pin J: J1708 Hi

17 January 2013

Except Caterpillar

Source: DG Technologies (www.dgtech.com)

Page 22

Message Structure

[Frame diagram: 29-bit Identifier (Arbitration) | Control Field | Data Field | Error Checking]

Data typically transferred up to 8 bytes at a time

Page 23

• Problem:

– All have access to the bus at the same time

– Multiple devices try to send data at once

• Solution:

– CAN Arbitration where the highest Priority message comes

through

– Others wait and retry

• Arbitration

– The message identifier (the 11-bit or 29-bit arbitration field) determines priority

– 0 is dominant, so the lowest identifier wins; nothing on the bus checks who is allowed to send a given identifier


CAN Collisions

and Arbitration

Page 24

Extended CAN

Format for J1939

• SOF = Start of Frame

• EDP = Extended Data Page

• DP = Data Page

• PDU = Protocol Data Unit

• PF = PDU Format

• PG = Parameter Group

• SRR = Substitute Remote Request

• IDE = Identifier Extension Bit

• RTR = Remote transmission request

Page 25

29-bit Identifier

Example

Some messages have higher priority over others.
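The two slides above (arbitration, and the J1939 field layout of the 29-bit identifier) can be made concrete in code. The following is an added example written for this page, not code from the TU-CRRC slides: it decodes and builds J1939 identifiers using the SAE J1939-21 field layout (priority, EDP, DP, PF, PS, SA) and simulates bit-by-bit arbitration. The two sample identifiers (an EEC1 broadcast from the engine and a Request from a diagnostic tool at source address 0xF9) are constructed for illustration.

```python
"""Decode and build SAE J1939 29-bit identifiers and simulate CAN arbitration.

Added example for this page; not code from the TU-CRRC slides. The field
layout (priority, EDP, DP, PF, PS, SA) follows SAE J1939-21; the sample
identifiers in __main__ are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class J1939Id:
    priority: int  # 3 bits, 0 = highest priority
    edp: int       # extended data page
    dp: int        # data page
    pf: int        # PDU format
    ps: int        # PDU specific: destination address (PDU1) or group extension (PDU2)
    sa: int        # source address of the sending ECU

    @property
    def is_pdu1(self) -> bool:
        # PF < 240 means PDU1: the PS byte is a destination address.
        return self.pf < 240

    @property
    def pgn(self) -> int:
        # The destination address is not part of the PGN for PDU1 messages.
        ps = 0 if self.is_pdu1 else self.ps
        return (self.edp << 17) | (self.dp << 16) | (self.pf << 8) | ps

    @property
    def destination(self):
        return self.ps if self.is_pdu1 else None  # None = broadcast


def decode_j1939_id(can_id: int) -> J1939Id:
    if not 0 <= can_id < (1 << 29):
        raise ValueError("J1939 requires a 29-bit (extended) identifier")
    return J1939Id(
        priority=(can_id >> 26) & 0x7,
        edp=(can_id >> 25) & 0x1,
        dp=(can_id >> 24) & 0x1,
        pf=(can_id >> 16) & 0xFF,
        ps=(can_id >> 8) & 0xFF,
        sa=can_id & 0xFF,
    )


def encode_j1939_id(priority: int, pgn: int, sa: int, da: int = 0xFF) -> int:
    """Identifier for sending PGN `pgn` from source `sa` (to `da` if it is PDU1)."""
    pf = (pgn >> 8) & 0xFF
    ps = da if pf < 240 else pgn & 0xFF
    return (((priority & 0x7) << 26)
            | (((pgn >> 17) & 1) << 25)
            | (((pgn >> 16) & 1) << 24)
            | (pf << 16) | (ps << 8) | (sa & 0xFF))


def arbitrate(ids) -> int:
    """Bit-by-bit CAN arbitration from the MSB: a dominant 0 overrides a
    recessive 1, so the numerically lowest identifier wins. Note that no
    node verifies that the sender is entitled to that identifier or SA."""
    contenders = set(ids)
    for bit in range(28, -1, -1):
        dominant = {i for i in contenders if not (i >> bit) & 1}
        if dominant:
            contenders = dominant
        if len(contenders) == 1:
            break
    return min(contenders)


if __name__ == "__main__":
    # Constructed sample: EEC1 (PGN 61444) from the engine (SA 0x00) at
    # priority 3, and a Request (PGN 59904) from a hypothetical diagnostic
    # tool at SA 0xF9 addressed to the engine.
    eec1 = encode_j1939_id(3, 61444, 0x00)
    request = encode_j1939_id(6, 59904, 0xF9, da=0x00)
    for cid in (eec1, request):
        d = decode_j1939_id(cid)
        print(f"{cid:08X}: prio={d.priority} PGN={d.pgn} dest={d.destination} SA=0x{d.sa:02X}")
    print(f"arbitration winner: {arbitrate([request, eec1]):08X}")
```

The security-relevant point is in `arbitrate`: priority is decided purely by the identifier bits, and the source address is just another byte in the identifier, so any node with bus access can transmit a high-priority frame under another ECU's address.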

Page 26

• Light vehicles typically use “Standard” CAN

– 500 kbps (250 kbps for J1939 on heavy trucks)

– Also known as Class C, or High Speed CAN

• Example: 2010 Dodge Ram

11-bit Identifiers

Page 27

Page 28

Page 29

• Logic Levels (differential CAN High minus CAN Low, as seen on the scope)

– ≈0 V = Binary 1 (Recessive Bit)

– ≈1 V on this trace = Binary 0 (Dominant Bit)

• Bit Stuffing

– After five identical bits the transmitter inserts one complementary bit, so the oscilloscope shows extra binary 0’s for a decoded FF

– Used to ensure enough signal transitions for receiver timing (clock synchronization)

– Taken care of with hardware (the CAN controller)

• Starting procedure shows many more messages when engine is running

• Two traces: High Speed CAN and “Comfort” CAN

Observations
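To see why a decoded FF shows stuff bits on the scope, here is an added example (written for this page, not code from the TU-CRRC slides) that implements the Bosch stuffing rule, its inverse with stuff-error detection, and the unstuffed bit image of a standard 11-bit data frame from SOF through the CRC sequence, which is exactly the region that gets stuffed. The identifier 0x153 and payloads are taken from the Mini Cooper slides and constructed here as sample input.

```python
"""CAN bit stuffing, de-stuffing and a standard-frame bit builder.

Added example; not code from the TU-CRRC slides. Bits are handled as '0'/'1'
strings for readability. The stuffing rule is the one from the Bosch CAN
specification: after five consecutive identical bits the transmitter inserts
one complementary bit, and that stuff bit counts toward the next run.
"""

STUFF_RUN = 5


def stuff_bits(bits: str) -> str:
    out, run_val, run_len = [], None, 0
    for b in bits:
        out.append(b)
        run_val, run_len = (b, run_len + 1) if b == run_val else (b, 1)
        if run_len == STUFF_RUN:
            stuff = "0" if b == "1" else "1"
            out.append(stuff)
            run_val, run_len = stuff, 1
    return "".join(out)


def destuff_bits(bits: str) -> str:
    """Inverse of stuff_bits. Six identical bits in a row is a stuff error
    (a CAN controller would signal an error frame)."""
    out, run_val, run_len, i = [], None, 0, 0
    while i < len(bits):
        b = bits[i]
        i += 1
        out.append(b)
        run_val, run_len = (b, run_len + 1) if b == run_val else (b, 1)
        if run_len == STUFF_RUN and i < len(bits):
            stuff = bits[i]
            i += 1
            if stuff == b:
                raise ValueError(f"stuff error: six identical bits ending at bit {i}")
            run_val, run_len = stuff, 1
    return "".join(out)


def crc15(bits: str) -> int:
    """CAN CRC-15 (polynomial 0x4599) over the given bit string."""
    crc = 0
    for b in bits:
        msb = (crc >> 14) & 1
        crc = (crc << 1) & 0x7FFF
        if msb ^ int(b):
            crc ^= 0x4599
    return crc


def standard_frame_bits(can_id: int, data: bytes) -> str:
    """Unstuffed bits of a standard (11-bit) data frame from SOF through the
    CRC sequence, i.e. exactly the part of the frame that gets stuffed."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("standard identifier must fit in 11 bits")
    if len(data) > 8:
        raise ValueError("classical CAN carries at most 8 data bytes")
    bits = "0"                                  # SOF (dominant)
    bits += format(can_id, "011b")              # identifier
    bits += "0"                                 # RTR = 0: data frame
    bits += "0"                                 # IDE = 0: standard format
    bits += "0"                                 # r0
    bits += format(len(data), "04b")            # DLC
    bits += "".join(format(b, "08b") for b in data)
    bits += format(crc15(bits), "015b")         # CRC sequence
    return bits


def max_run(bits: str) -> int:
    """Longest run of identical bits; never exceeds 5 after stuffing."""
    best = cur = 0
    prev = None
    for b in bits:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def stuff_overhead(can_id: int, data: bytes) -> int:
    """Number of stuff bits the transceiver adds for this frame."""
    raw = standard_frame_bits(can_id, data)
    return len(stuff_bits(raw)) - len(raw)


if __name__ == "__main__":
    print(stuff_bits("11111111"))  # a 0xFF byte: a stuff 0 appears on the wire
    for payload in (bytes([0xFF] * 8), bytes([0x55] * 8)):
        print(payload.hex(), "stuff bits:", stuff_overhead(0x153, payload))
```

Stuffing is why frame timing on the wire depends on the payload: all-FF or all-00 data adds a stuff bit every five bits, while 0x55 adds none, which matters when trying to time-correlate scope captures with decoded logs.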

Page 30

Wiring Schematic

Obtained from:

http://www.rambodybuilder.com/year.pdf

Page 31

Wireless Control Module: What does that do?

Page 32

Crash Testing

Page 33

Crash Testing

Page 34

Mini Cooper GPS Speed

Page 35

Page 36

Plot Combinations of Bytes

[Plot: Vehicle Speed (MPH) vs. Time (sec); series labelled “0x153 Byte 2 CAN Message”]

Page 37

Mini Cooper CAN IDs

Page 38

Reverse Engineering
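The “plot combinations of bytes” approach from the Mini Cooper slides can be automated: once CAN and a reference channel (here GPS speed) are synchronized, every byte and every 16-bit word of a message is correlated against the reference and the decoding formula is fitted by least squares. The following is an added example written for this page, not the TU-CRRC group’s tooling. The CAN log and speed trace are constructed so that byte 2 of ID 0x153 carries speed at 0.5 mph per count (the slide only says byte 2 of 0x153 tracks speed; the scale, the rpm-like field in bytes 4–5 and the other bytes are assumptions for the demonstration).

```python
"""Find which bytes of a CAN message carry vehicle speed by correlating
every candidate byte/word against a synchronized reference (GPS speed).

Added example; not code from the TU-CRRC slides. The log built by
build_constructed_log() is synthetic: byte 2 of 0x153 holds speed at
0.5 mph per count, bytes 4-5 hold a noisy rpm-like value, the rest are a
counter, a constant and noise. Layout and scale are assumptions.
"""
import random

CANDIDATE_LAYOUTS = [(start, width, endian)
                     for width in (1, 2)
                     for start in range(0, 9 - width)
                     for endian in (("big",) if width == 1 else ("big", "little"))]


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:      # constant field: carries no information
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / (sxx * syy) ** 0.5


def linear_fit(raw, ref):
    """Least-squares ref = scale * raw + offset (the decoding formula)."""
    n = len(raw)
    mx, my = sum(raw) / n, sum(ref) / n
    sxx = sum((x - mx) ** 2 for x in raw)
    sxy = sum((x - mx) * (y - my) for x, y in zip(raw, ref))
    scale = sxy / sxx
    return scale, my - scale * mx


def rank_candidates(frames, can_id, reference):
    """frames: list of (can_id, data) aligned 1:1 with the reference samples."""
    payloads = [data for cid, data in frames if cid == can_id]
    if len(payloads) != len(reference):
        raise ValueError("frames and reference must be synchronized 1:1")
    results = []
    for start, width, endian in CANDIDATE_LAYOUTS:
        raw = [int.from_bytes(d[start:start + width], endian) for d in payloads]
        r = pearson(raw, reference)
        scale, offset = linear_fit(raw, reference) if r else (0.0, 0.0)
        results.append({"start": start, "width": width, "endian": endian,
                        "r": r, "scale": scale, "offset": offset})
    # Strongest |r| first; among equals prefer the narrowest field and the
    # lowest byte, so a wider word that merely contains the byte ranks lower.
    results.sort(key=lambda c: (-round(abs(c["r"]), 9), c["width"], c["start"]))
    return results


def build_constructed_log(seed=1):
    """Synthetic drive: accelerate to 30 mph, cruise, brake to a stop."""
    rng = random.Random(seed)
    speeds = [0] * 3 + list(range(0, 31)) + [30] * 4 + list(range(30, -1, -1)) + [0] * 2
    frames = []
    for i, mph in enumerate(speeds):
        rpm = 700 + 60 * mph + rng.randrange(-40, 41)   # noisy, speed-related
        data = bytes([i & 0xFF, 0x7D, mph * 2, rng.randrange(256),
                      rpm >> 8, rpm & 0xFF, rng.randrange(256), rng.randrange(256)])
        frames.append((0x153, data))
    return speeds, frames


if __name__ == "__main__":
    speeds, frames = build_constructed_log()
    for c in rank_candidates(frames, 0x153, speeds)[:5]:
        print(f"byte {c['start']} width {c['width']} {c['endian']:6s} "
              f"r={c['r']:+.4f}  speed = {c['scale']:.4f} * raw + {c['offset']:.2f}")
```

The rpm-like word in bytes 4–5 also correlates strongly with speed, which is the usual trap: a high correlation identifies a related signal, not necessarily the one sought, so the fitted scale and offset should be sanity-checked against physical units (here 0.5 mph per count) before the decoding is trusted.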

Page 39

Synchronizing CAN and Crash

Page 40

Cadillac vs. Tractor Trailer

Page 41

Event Data Recorder Accuracy

Page 42

EDR Rig Testing

Page 43

Truck-In-A-Box

and

Chip-Level Forensics

Page 44

Truck-In-A-Box

• Our Truck-In-A-Box was designed to simulate a vehicle

for an ECM, including active and passive sensors

• Funded by DARPA through the Cyber Fast Track

Program

• Our first TIB simulated a vehicle for a Navistar

MaxxForce 13 ECM

• Included Instrument Cluster, ECM and simulated ABS

Computer Science / www.isec.utulsa.edu

Page 45

Page 46

Active Signal

Simulation

• Characterized real vehicle sensor signals

• Created programs to generate the signals

• Feed the signals to the ECM in the Truck-In-A-Box

• Recorded data during driving tests in real vehicles,

played back data to the ECM using a Truck-In-A-Box

• Also replayed J1939 traffic from the drive tests

Pages 47-50

What is it for?

• Very Flexible – Testing and research framework for

heavy vehicle ECMs

• Forensic Recovery of Functional ECM Data

• Security and Pen Testing for Vehicle Networks

• Can be used to simulate driving sequences, set hard

brake events on some ECMs (Key-on Engine-Off has

limitations)

• Much lower acquisition cost than an actual vehicle

Page 51

More

Trucks-in-Boxes

• Since the first one (which got shipped away to DARPA),

we’ve built boxes for about 10 different ECMs

• Includes Detroit Diesel, Caterpillar, Cummins, Navistar

• Simplest one is the DDEC IV, most complicated so far is

Navistar

• Complexity largely depends on the ECM and what it

requires

Page 52

What happens when an ECM is damaged

in a crash, but may contain valuable data?

Page 53

Chip Level

Forensics

• Follow on project to Truck-In-A-Box through DARPA’s

Cyber Fast Track program

• Researching ways to recover data from the ECM directly,

not over the vehicle network

• Use Trucks-in-boxes to simulate driving sequences with

ECMs, tear down the ECM, remove the chips, read the

data

• Ongoing project

Pages 54-58

Challenges

• All of the ECMs have environmental protection –

conformal coatings and sealants

• It seems as if none of them were designed to be taken

apart, much less to have data recovered from them after

being broken

• Getting inside the case is a big challenge

• BGA chips and Data interpretation are also difficult

Page 59

Goals

• Tear down ECMs, survey the device internals in the

industry

• Develop techniques for investigators to open the devices

• Map and Identify information within the raw data

• Investigate the possibilities of tampering with data

Page 60

Future Work

• Expand the breadth to encompass more devices and

models

• Add more features and improve the accuracy of the TIB’s

simulated sensors and networks

• Vulnerability analysis of extracted code running on

devices

• Improvements to the forensic extraction techniques

Page 61

How I Learned to Quit

Worrying and Love

Hackers

Page 62

Car Hacking Is Hot

• “Experimental Security Analysis of a Modern Automobile”

– Koscher et al

• “Comprehensive Security Analyses of Automotive Attack

Surfaces” – Checkoway et al

• “Adventures in Automotive Networks and Control Units”

– Miller & Valasek

Page 63

2010 – A shot across the bow

• Researchers “fuzzed” an

automotive network

• Locked doors, perma-on,

disabled brakes

• Also did some scary

visual effects


Page 65

2011 – Twisting the knife

• More complete

exploration of attack

surfaces

• Compromise through

service tools, music

player, Bluetooth, Cellular

• Unauthenticated remote

exploits of automobiles

• Translation: “This Is

Really Bad”

Page 66

2013 – Miller & Valasek

• Covered attacks possible with network access

• Attacked Prius and Ford Escape

• Controlled brakes, acceleration, and steering

• Also reverse engineered OEM maintenance software

• Obtained passwords, etc.

Page 67

Page 68

FUD: Fear, Uncertainty, and Doubt

• All this has upset the automotive industry

– …and everyone else

• “We can’t think like the hackers”

• Need to demystify hackers and hacking

Page 69

Hackers Origin Story

• MIT TMRC, late 60s

• “A person who delights in

having an intimate

understanding of the

internal workings of a

system…” – RFC 1392

• Playful cleverness

• Current usage stems from

too much playfulness

Page 70

Tools of the Trade

• Black Box Testing

– “Fuzzing”

– Fault injection testing

• Dynamic Analysis

• Static Analysis

Page 71

Black Box Testing

• Zero knowledge of system internals

• Inject input

– Random

– Semi-random

– Replay

• Observe results

• This can best be explained by an example

Page 72

• Tools: BeagleBone Black, CANCape

– Total cost ~$100

• Inject random traffic using custom Python script

– Time invested: ~1/2 hour

• Preliminary testing resulted in only slight damage to

vehicle
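The black-box slide lists three ways to generate input (random, semi-random, replay); the following is an added example of what such a generator looks like, written for this page and not the TU-CRRC group’s own script. It produces frames in each of the three modes from a fixed seed so that any case that upsets an ECU can be reproduced, keeps a list of identifiers that must never be sent, and hands frames to a `send` callable so the same generator can drive a real interface (for example python-can’s `bus.send`) or, as here, a list that records what would have gone out. The “captured” corpus and the protected identifier 0x200 are constructed for illustration.

```python
"""Black-box CAN input generation: random, semi-random (mutated capture) and
replay cases, seeded so any case that upsets an ECU can be reproduced.

Added example; not the TU-CRRC group's fuzzing script. CAPTURED and
PROTECTED_IDS are constructed for illustration. `send` is any callable that
takes a Frame; with python-can it would wrap bus.send(can.Message(...)).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    extended: bool = False

    def __post_init__(self):
        limit = 0x1FFFFFFF if self.extended else 0x7FF
        if not 0 <= self.can_id <= limit:
            raise ValueError("identifier out of range for this frame format")
        if len(self.data) > 8:
            raise ValueError("classical CAN carries at most 8 data bytes")


def random_frame(rng: random.Random, extended=False) -> Frame:
    """Fully random identifier, length and payload (zero knowledge of the bus)."""
    limit = 0x1FFFFFFF if extended else 0x7FF
    dlc = rng.randint(0, 8)
    return Frame(rng.randint(0, limit), bytes(rng.randrange(256) for _ in range(dlc)), extended)


def mutate_frame(rng: random.Random, frame: Frame, max_bytes=2) -> Frame:
    """Semi-random: keep the identifier and length of a captured frame and
    disturb at most `max_bytes` payload bytes (bit flip, extreme value, random)."""
    if not frame.data:
        return frame
    data = bytearray(frame.data)
    for idx in rng.sample(range(len(data)), min(max_bytes, len(data))):
        op = rng.choice(("flip", "min", "max", "random"))
        if op == "flip":
            data[idx] ^= 1 << rng.randrange(8)
        elif op == "min":
            data[idx] = 0x00
        elif op == "max":
            data[idx] = 0xFF
        else:
            data[idx] = rng.randrange(256)
    return Frame(frame.can_id, bytes(data), frame.extended)


def fuzz_cases(mode: str, seed: int, corpus=(), count=100, skip_ids=frozenset()):
    """Yield `count` frames. `skip_ids` holds identifiers that must never be
    sent (e.g. a message known to command an actuator), checked on every case."""
    if mode not in ("random", "semi-random", "replay"):
        raise ValueError(f"unknown mode {mode!r}")
    rng = random.Random(seed)                 # log the seed with the results
    usable = [f for f in corpus if f.can_id not in skip_ids]
    if mode != "random" and not usable:
        raise ValueError("corpus has no frames outside skip_ids")
    if mode == "replay":
        for i in range(count):
            yield usable[i % len(usable)]
        return
    produced = 0
    while produced < count:
        frame = random_frame(rng) if mode == "random" else mutate_frame(rng, rng.choice(usable))
        if frame.can_id in skip_ids:
            continue
        yield frame
        produced += 1


def run_session(cases, send) -> list:
    """Send each case and return the ordered log of what went out."""
    sent = []
    for frame in cases:
        send(frame)
        sent.append(frame)
    return sent


# Constructed "capture" from a bench setup, plus one ID we refuse to touch.
CAPTURED = (
    Frame(0x153, bytes.fromhex("0001320ab4c80000")),
    Frame(0x1A0, bytes.fromhex("7d0000ff")),
    Frame(0x200, bytes.fromhex("00000000")),
)
PROTECTED_IDS = frozenset({0x200})   # hypothetical: assume this one moves an actuator

if __name__ == "__main__":
    log = run_session(fuzz_cases("semi-random", seed=42, corpus=CAPTURED,
                                 count=5, skip_ids=PROTECTED_IDS), send=print)
    print(len(log), "frames sent")
```

The slide’s own result (“only slight damage to vehicle”) is the reason for the seed, the send log and the skip list: a fuzz run against a real ECM is only useful if the exact frame that caused a fault can be replayed later, and only safe if messages known to move something are excluded up front, which is easier to guarantee on a bench rig such as the Truck-In-A-Box than on a vehicle.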


Page 73

Dynamic Analysis

• Observe system in running state

• Partial knowledge of system

• Software tools

– Debuggers

– Sysinternals

– Developer tools

• Another brief example: a truck maintenance

software file format.

Page 74

Page 75

Page 76

Static Analysis

• Detailed analysis of static code

• Most complete, safest

– Also incredibly time consuming

• Tools of the trade

– Disassemblers

– Decompilers

• Yet another example involving truck

maintenance software encryption

Page 77

Page 82

Current Trends

• Vehicles continue to get more networked

• What about heavy trucks? Bigger attack surface, more

impact.

• Significant academic interest in vehicle security

– Telematics interfaces

– Smart grid to vehicle communications

– Example: ESCAR

• OEMs are beginning to take this seriously

• SAE J3061 is on the way!