Vehicle penetration testing
An overview
Why pen-test a car?
Prepared by JSOF
Has a car ever been hacked?
Goals
1. Gain close-range wireless or wired access to any part of the car – for example: instrument cluster, windshields
2. Gain remote access from any location
3. Affect safety-critical systems like powertrain (low/high speed)
What’s in a car
“Datacenter on wheels”
100+ controllers, 100+ Mloc
Different architectures
Different OS
• QNX, Linux, mac..
• Real-time operating systems
Different protocols
• Ethernet, CAN, etc.
Let’s pen-test
1. Infiltrate – “Remote Code Execution”
2. Lateral movement – “Elevation of Privilege”
(first learn & tool-up)
1 Infiltrate
Attack surface analysis
[Diagram: attack surface by component]
Components: Infotainment, Telematics, OBDII, Other
Entry points shown: Content parsing, Bluetooth, Disk-on-key, WIFI AP, USB; aftermarket [phy]; TPMS, Wireless key, Other, ADAS (vision*), Charging, v2x; Cellular, GPS, WIFI - client, RF Radio
Get in
Analyze attack surface for vulnerabilities
• Infotainment has been popular and vulnerable
Configuration or implementation vulnerabilities
• Including memory corruption issues
Existing vulnerabilities (1-day)
• Components don’t have regular updates
• General use OS and components
• 3rd party application
2 Lateral movement
Exploiting the infotainment system is helpful
• GPS & info gathering
• Eavesdropping
• Disturbance
But – not dangerous in a modern car
We want to get to the powertrain
Gateway
In order to affect the powertrain we need to overcome the gateway
Firewall
The gateway is effectively a firewall
We need to take it over, or bypass it
Options
Find a vulnerability in one of the components
Specific messages will pass between domains
Many protocols are too simple
Need to find more complex protocols
• That will bypass the gateway
• Or are handled in the gateway
Vulnerability candidates
Gateway proprietary mechanisms & flaws
Transport-layer protocols like ISO-TP
Diagnostic protocols like UDS or KWP2000
Proprietary application-level protocols
Software update (OTA/local)
What can be done
Defense-in-depth
Secure by design
Treat connected components as compromised by default
Better tools for security auditing
Be open to pen-testing & hacking
Physical outcome