Gentlemen, Start your engines Mattias Jidhage
Gentlemen, Start Your Engines 20120419
Jul 04, 2015
Short overview of the current security status on the automotive telematics security arena. Presented at the ISACA Scandinavian Conference April 23-24th 2012
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Gentlemen, Start your engines
Mattias Jidhage
Omegapoint
- Founded in 2001
- 170 consultants
- e-Business & Security
Göteborg
Malmö
Stockholm
Falun
Kalmar
Helsingborg
New York
Agenda
Telematics “integrated use of telecommunications and informatics”
~100 Bosch, Siemens, Delphi.. CCM=Central Control Module PCM=Powertrain Control Module ECM=Engine Control Module BCM=Body Control Module TCM=Transmission Control Module SCM=Suspension Control Module GEM=General Electronic Module CTM=Central Timing Module ACU=Airbag Control Unit CCU=Convenience Control Unit ECU=Engine Control Unit BCM=Brake Control Module ECU = Electronic Control Unit
Telematics
Potentially less than great security?
Eh, What's up Doc?
• The Car • Transport • Server • Client
The Car - Research
• Experimental Security Analysis of a Modern Automobile – OBD-II
• Comprehensive Experimental Analyses of Automotive Attack Surfaces – CD – OBD-II (PassThru)
– Bluetooth – GSM
The Car – Reality
• War Texting: Identifying and Interacting with Devices on the Telephone Network – Method for attacking telematics
• In general: GSM Baseband + uC Chip • UART -> RE -> Firmware -> Vulnerability
– How2 find targets? • FindMe • WhoIs
The Car – Reality
• Put it to the test – Zoombak Tracking Device
• Zoombak Scanner • Ask nicely via SMS
– Subaru Outback 1998 • after market telematics unit • unlock and start engine • http://youtu.be/bNDv00SGb6w
Transport - GSM
• A5/1
• SRLabs – CCC 2009, BlackHat 2010 – Rainbow tables (100.000 years to 1 month) – Decode voice
• 100-300m upstream • 5-35km downstream
Transport – GPRS/EDGE
• GEA/0 • GEA/1 • GEA/2 • GEA/3 • GEA/4
• SRLabs – CCC 2011, Crypto analysis (weak crypto) – Decode GPRS -> Wireshark
No encryption
No users
Transport – cell
USR
P HW
Server • Car interface
– Proprietary protocol • ASN.1 – Touring complete • GPRS, EDGE, SMS and data over voice
– “We use a Private APN” • Generic Routing Encapsulation • Node to Node communication
• Operator web application • Smartphone interface: REST/JSON
Client - browser
• Web application – no news – move on – there is nothing to see
– DriveBy Trojan Download & Install • Starring Windows • Guest appearance by Mac OSX
Client – smart phone
• Few real vulnerability tests performed • iOS
– Continous Jailbreak – iOS 5.0.1 - iPhone 4GS and iPad2 – iOS 5.1 – iPad3
• Android – Rouge apps – Android Market - ‘Bouncer’
Conclusion • All components are possible targets • Very few has the complete picture • Activity in the security arena • This is going to get worse before it gets
better – 2012 models CAN bus is unprotected – New tools arriving every day – Larger attack surface than ever
• Use fast shoes
What’s to come? • “Internet of Things”
The Future
• Telematics – M2M – “integrated use of telecommunications and
informatics”
The Future
Prescription medication
Insulin pump
The Future
ABB IRB 6640 Industrial robot
The Future
Three Gorges Infrastructure - SCADA – Stuxnet
The Future Home Metering Unit - SmartGrid
270 000 HMU using ZigBee
References • http://www.autosec.org/publications.html • http://www.isecpartners.com/storage/docs/presentations/
isec_bh2011_war_texting.pdf • http://events.ccc.de/congress/2009/Fahrplan/
attachments/1519_26C3.Karsten.Nohl.GSM.pdf • https://srlabs.de/blog/wp-content/uploads/
2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf • http://events.ccc.de/camp/2011/Fahrplan/attachments/
1868_110810.SRLabs-Camp-GRPS_Intercept.pdf
Related Documents
