DefCamp 2013 - In vehicle CAN network security

In vehicle CAN network security

An overview

Bogdan-Ioan Şuta

• System manager at AtoS IT Solutions and Services

• Former Embedded C developer at Hella Romania

• Graduated Master in Automotive Embedded Software from "Politehnica" University of Timisoara

• Interested in computers, cars and anything in between

IN VEHICLE NETWORKSOverview

In vehicle networks

• Used for information sharing between ECUs (Electronic Control Unit)

• Reduce the number of wires needed inside a vehicle between ECUs

• Come in many forms:– By medium: two-wire, one-wire, optical, wireless– By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K

Line etc.

In vehicle networks

CONTROLLER AREA NETWORKOverview

Controller Area Network

• Developed by Robert Bosch GmbH in 1983• Designed for electrically noisy environments• Baud rates of up to 1Mb/s• Broadcast type network• Frames composed of (minimalistic):– ID field – used for arbitration – either 11 or 24 bits

long– Data Field – actual transported data - up to 8 bytes – CRC Field – for error correction – 15 bits

HACKING VEHICLE NETWORKS

Hacking vehicle networks• MIT did it:– Comprehensive Experimental Analyses

of Automotive Attack Surfaces - http://youtu.be/bHfOziIwXic

• Blogs made tutorials for it:– Hack a day -

http://hackaday.com/2013/10/21/can-hacking-introductions/

• Individuals also tried their luck:– http://

secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html

Hacking vehicle networks

• Various hardware is available to do it:– The OpenXC Platform -

http://openxcplatform.com/– Arduino shields are available -

http://www.skpang.co.uk/catalog/arduino-canbus-shield-with-usd-card-holder-p-706.html

– Custom – any microcontroller with a CAN controller with an CAN transceiver will work

MY ATTEMPTSAt hacking the CAN bus

Proposition

• Connect to the CAN bus• Identify messages being transmitted on the

bus• Perform spoofing and flood attacks• Do not get into diagnostic based attacks

(change odometer, disable immobilizer)

Setup• VW Passat 2001• Breadboard• mBed LPC 1768 development board• 2x Microchip MCP 2551 CAN tranceivers• PC with TerraTerm used for communicating with

the mBed• mBed programmed for CAN monitoring,

flooding and spoofing• First connection attempt:

– Male OBD-II connector connected to the diagnostic port of the CAR

• Second attempt:– Twisted pair of conductors from a CAT-5 cable

connected at the back of the VW Climatronic

FIRST ATTEMPTUsing OBD connector

OBD Cable

First attempt: FAILED

• Communication was not possible• Subject car does not have CAN on the OBD-II

Connector• Only K line was present

SECOND ATTEMPTDirect connection

Connection to car

Second attempt: SUCCESS

• A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html

• Connected to Convenience CAN• Baud rate of 100kb/s• Communication established

A bit of sniffing…

• Found CAN messages from– Door locks– Electric windows• Position of window• Status of button (pressed, not pressed)

– Instruments backlighting value– Lots of other data that I couldn’t find a correlation

Some spoofing…

• Sending commands that would originate from the Body Control Module

VIDEO Power windows

And some flooding

• Sending a very high priority CAN message on the network continuously

• Using hardware interrupts so no delays occur

VIDEOCar door locks

Security issues

• No authentication of nodes• Messages are not scrambled• Security by obscurity

Counter measures• Researched and developed by many universities and

companies:– Efficient Protocols For Secure Broadcast In Controller Area

Networks - http://www.aut.upt.ro/~bgroza/Papers/CAN-Sec.pdf

– LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf

– Broadcast Authentication in a Low Speed Controller Area Network - http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf

– Low cost multicast network authentication for embedded control systems - http://128.2.129.29/research/publications/2012/CMU-ECE-2012-011.pdf

– Many more

CONCLUSIONS

Conclusions

• Hacking vehicle networks is EASY• Through trial and error much information can

be obtained -> security by obscurity is not sufficient

• With great power comes great responsibility– Getting information from the vehicle bus can

enhance use of the vehicle– People with bad intentions can cause damages

and injuries

Contributors

• Ioan Dubar• Alexandru Leipnik• Bogdan Groza• Alexandru George Andrei• My parents

Thank you.