Connected Car Security Issues:
4 main components-
1- ECU (Electronic Control Unit)
2- CAN Bus (Controller Area Network Bus)
3- OBD (Onboard Diagnostics)
4- Infotainment
1. May 22, 2017 Proprietary and Confidential - 1 -
Connected Car Security
IGATE is now a part of Capgemini
Arnab Chattopadhayay, Senior Director
Date: 13th May, 2017
Table of Contents
A Car Hack
Evolution of Modern Car
Components of a modern car
Automotive security
– Threat Model
Relationship between Safety and Cybersecurity
Secure automotive design
Attack Model
Architectural Issues
Recommendations
Chrysler Jeep Hack – Charlie Miller & Chris Valasek
Yesterday
Today
Tomorrow
Components of Modern Car
List of Car Components
• Accident Recorder
• Active Aerodynamics
• Active Cabin Noise Suppression
• Active Exhaust Noise Suppression
• Active Suspension
• Active Vibration Control
• Active Yaw Control
• Adaptive Cruise Control
• Adaptive Front Lighting
• Airbag Deployment
• Antilock Braking
• Auto-Dimming Mirrors
• Autonomous Emergency Braking
• Battery Management
• Blind Spot Detection
• Cabin Environment Controls
• Communication Systems
• Convertible Top Control
• Cylinder Deactivation
• DSRC
• Driver Alertness Monitoring
• Electronic Power Steering
• Electronic Seat Control
• Electronic Stability Control
• Electronic Throttle Control
• Electronic Toll Collection
• Electronic Valve Timing
• Engine Control
• Entertainment System
• Event Data Recorder
• Head-Up Displays
• Hill Hold Control
• Idle Stop-Start
• Instrument Cluster
• Intelligent Turn Signals
• Interior Lighting
• Lane Departure Warning
• Lane Keeping Assist
• Navigation
• Night Vision Systems
• On-Board Diagnostics
• Parental Controls
• Parking Systems
• Precrash Safety
• Rear-view Camera
• Regenerative Braking
• Remote Keyless Entry
• Security Systems
• Tire Pressure Monitoring
• Traction Control
• Traffic Sign Recognition
• Transmission Control
• Windshield Wiper Control
Schematic view of Connected Components
Four Main Components
ECU (Electronic Control Unit)
CAN Bus (Controller Area Network Bus)
OBD (Onboard Diagnostics)
Infotainment
ECU – Overview
Embedded digital computer
Runs closed control loops
Reads data from sensors (e.g. temperature, tyre pressure, engine revs, window movement sensor)
– Example: the ECU gathers data from different sensors, looks up values in tables and evaluates lengthy equations to calculate the best spark timing or the fuel injector opening time
Types of ECU
– ECM – Engine Control Module
– EBCM – Electronic Brake Control Module
– PCM – Powertrain Control Module
– VCM – Vehicle Control Module
– BCM – Body Control Module
32-bit 40-MHz processor
Average code size: 1 MB
ECU – Functional Block
Power supply – digital and analog (power for analog sensors)
MPU – flash and RAM
Communication link (e.g. CAN bus link)
Discrete inputs – on/off switch type
Frequency inputs – encoder-type signals (e.g. crank or vehicle speed)
Analog inputs – feedback signals from sensors
Switch outputs – on/off switch type
PWM outputs – variable frequency and duty cycle (e.g. injector, ignition)
Frequency outputs – constant duty cycle (e.g. stepper motor)
Example Function of ECU
On a high-speed circuit the driver needs immediate rather than gradual throttle response, so the accelerator map is calibrated so that a small pedal movement results in full engine acceleration. The ECU runs this sequence:
– Read the value captured by the ADC on the channel to which the accelerator pedal is connected
– Using that value, look up the output in a multi-dimensional map that takes engine RPM as another input
– Take the output value from the map and multiply it by a correction factor
– The result is the torque to be generated by the engine
– Repeat this sequence every 20 milliseconds
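The five steps above as a runnable control-loop iteration. This is an added example written for this page, not the deck's or any manufacturer's code: the 12-bit ADC range, the map axes, the torque values and the correction-factor bounds are all constructed for illustration. Beyond the slide's sequence it adds the input plausibility check an ECU needs so that an out-of-range pedal or rpm value fails safe to zero torque instead of indexing past the map.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ADC_MAX      4095u    /* assumed 12-bit pedal-position ADC */
#define RPM_MAX      7000u    /* assumed engine-speed ceiling */
#define PEDAL_POINTS 5
#define RPM_POINTS   4

/* Map axes (constructed): pedal travel in % and engine speed in rpm. */
static const uint16_t pedal_axis[PEDAL_POINTS] = {0, 10, 25, 50, 100};
static const uint16_t rpm_axis[RPM_POINTS]     = {800, 2000, 4000, 7000};

/* Constructed torque map in Nm: rows = pedal breakpoints, cols = rpm
   breakpoints. The jump between 10 % and 25 % pedal is the "small movement
   gives full acceleration" calibration described on the slide. */
static const uint16_t torque_map[PEDAL_POINTS][RPM_POINTS] = {
    {  0,   0,   0,   0},
    { 40,  50,  45,  30},
    {180, 210, 200, 150},
    {220, 250, 240, 190},
    {240, 270, 260, 210},
};

/* Find the axis segment containing x: returns lower index and fraction in [0,1]. */
static void locate(const uint16_t *axis, int n, uint32_t x, int *idx, double *frac)
{
    int i = 0;
    if (x <= axis[0])     { *idx = 0;     *frac = 0.0; return; }
    if (x >= axis[n - 1]) { *idx = n - 2; *frac = 1.0; return; }
    while (i < n - 2 && x >= axis[i + 1]) i++;
    *idx = i;
    *frac = (double)(x - axis[i]) / (double)(axis[i + 1] - axis[i]);
}

/* Bilinear interpolation in the 2-D map (pedal % x rpm). */
static double map_lookup(uint32_t pedal_pct, uint32_t rpm)
{
    int pi, ri; double pf, rf;
    locate(pedal_axis, PEDAL_POINTS, pedal_pct, &pi, &pf);
    locate(rpm_axis, RPM_POINTS, rpm, &ri, &rf);
    double t0 = torque_map[pi][ri]     + (torque_map[pi][ri + 1]     - torque_map[pi][ri])     * rf;
    double t1 = torque_map[pi + 1][ri] + (torque_map[pi + 1][ri + 1] - torque_map[pi + 1][ri]) * rf;
    return t0 + (t1 - t0) * pf;
}

/* One 20 ms iteration: ADC counts and rpm in, torque request out.
   Returns false (and zero torque) when any input is implausible, so a
   faulted sensor or a bogus value cannot drive the engine. */
bool compute_torque_request(uint16_t adc_counts, uint16_t rpm,
                            double correction, double *torque_nm)
{
    *torque_nm = 0.0;
    if (adc_counts > ADC_MAX || rpm > RPM_MAX || correction < 0.5 || correction > 1.5)
        return false;
    uint32_t pedal_pct = (adc_counts * 100u) / ADC_MAX;   /* 0..100 % */
    *torque_nm = map_lookup(pedal_pct, rpm) * correction;
    return true;
}

/* Convenience wrapper: torque in Nm, or -1.0 when the inputs were rejected. */
double torque_or_neg(uint16_t adc_counts, uint16_t rpm, double correction)
{
    double t;
    return compute_torque_request(adc_counts, rpm, correction, &t) ? t : -1.0;
}

int main(void)
{
    /* Constructed samples from three consecutive 20 ms ticks. */
    const uint16_t adc[] = {1024, 4095, 5000};
    const uint16_t rpm[] = { 800, 2000,  800};
    for (int tick = 0; tick < 3; tick++) {
        double t = torque_or_neg(adc[tick], rpm[tick], 1.0);
        if (t < 0) printf("t=%d ms: input rejected, torque 0 Nm\n", tick * 20);
        else       printf("t=%d ms: torque request %.1f Nm\n", tick * 20, t);
    }
    return 0;
}
```

The third sample (5000 counts on a 12-bit ADC) is the case the plausibility check exists for: without it the loop would index the map with a pedal percentage above 100.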
CAN Bus
Multi-master serial bus
Connects ECUs
Complexity of nodes can vary
– Simple I/O device
– Embedded computer with a CAN interface
– Gateway to a USB or Ethernet port
Nodes are connected through a two-wire bus with 120 Ohm termination
CAN-Hi
– 5V when transmitting 0
CAN-Low
– 0V when transmitting 0
Messages are broadcast to all nodes
– Nodes are expected to ignore messages that are not addressed to them
Frame does not include a source address
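The last two points are the security-relevant ones: "addressed to them" is implemented by an acceptance filter on the identifier, and nothing in the frame says who sent it. The following is an added example (not the deck's code) that models a classic CAN 2.0A frame and the hardware-style code/mask filter each node applies; the node names, identifiers and masks are constructed and do not describe any real vehicle.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAN_SFF_MASK 0x7FFu   /* 11-bit standard identifier */
#define CAN_MAX_DLC  8

/* Classic CAN 2.0A data frame as seen by a node: the identifier doubles as
   message type and arbitration priority; there is no sender field at all. */
typedef struct {
    uint16_t id;                 /* 11-bit arbitration identifier */
    uint8_t  dlc;                /* data length code, 0..8 */
    uint8_t  data[CAN_MAX_DLC];
} can_frame_t;

/* Acceptance filter as CAN controllers implement it:
   accept when (id & mask) == (code & mask). */
typedef struct {
    const char *name;
    uint16_t code;
    uint16_t mask;
} can_node_t;

/* Reject frames a controller would never put on the wire. */
bool can_frame_valid(const can_frame_t *f)
{
    return f->id <= CAN_SFF_MASK && f->dlc <= CAN_MAX_DLC;
}

bool node_accepts(const can_node_t *n, const can_frame_t *f)
{
    return ((f->id ^ n->code) & n->mask) == 0;
}

/* Simulate the bus: every node sees every frame; returns how many nodes
   pass it through their filter. */
int deliver(const can_node_t *nodes, int n_nodes, const can_frame_t *f)
{
    int accepted = 0;
    if (!can_frame_valid(f)) return 0;
    for (int i = 0; i < n_nodes; i++)
        if (node_accepts(&nodes[i], f)) accepted++;
    return accepted;
}

/* Constructed nodes (identifiers are illustrative only). */
static const can_node_t nodes[] = {
    { "engine",    0x0C0, 0x7FF },  /* exactly ID 0x0C0 */
    { "body",      0x200, 0x7F0 },  /* IDs 0x200..0x20F */
    { "diag-tool", 0x000, 0x000 },  /* mask 0: an OBD tool that logs everything */
};
#define N_NODES (int)(sizeof nodes / sizeof nodes[0])

int main(void)
{
    can_frame_t f1 = { 0x0C0, 2, { 0x12, 0x34 } };   /* constructed engine frame */
    can_frame_t f2 = { 0x205, 1, { 0x01 } };         /* constructed body frame */
    can_frame_t f3 = { 0x0C0, 2, { 0xFF, 0xFF } };   /* same ID, different payload */
    printf("0x%03X accepted by %d node(s)\n", f1.id, deliver(nodes, N_NODES, &f1));
    printf("0x%03X accepted by %d node(s)\n", f2.id, deliver(nodes, N_NODES, &f2));
    /* f3 reaches exactly the same nodes as f1: the receiver has no way to
       tell which node put it on the bus, which is why message
       authentication has to be layered on top. */
    printf("0x%03X accepted by %d node(s)\n", f3.id, deliver(nodes, N_NODES, &f3));
    return 0;
}
```

The filter is a performance feature (it spares the node's CPU), not a security boundary: any node on the bus, including a compromised gateway or an aftermarket OBD-II dongle, can emit any identifier and the engine node's filter will accept it.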
CAN Protocol Frame
OBD-II
Diagnostics connector
SAE J1962
– Type A and Type B – both female pin
– 16 pin (2 x 8)
– D-shaped
Type A connector is used for vehicles that use a 12V supply voltage
Type B connector is used for vehicles that use a 24V supply voltage
Main Hackable Attack Surface
Success of hacking a car depends on:
– Remote attack surfaces
– Cyber-physical features
– In-vehicle network architecture
20% of models (2014-2015) from different manufacturers are vulnerable to more than seven categories of remote attack
From research by Miller and Valasek
Relationship between Car Safety and Cyber Security
Strong relationship between automotive safety and cyber security
SAE J3061 – Cyber Security Guidebook for Cyber-Physical Vehicle Systems
System safety is concerned with protecting against harm to life, property and the environment
System cybersecurity aims to prevent financial, operational, privacy and safety losses
– All safety-critical systems are security-critical, but there can be systems, e.g. infotainment, that are security-critical but not safety-critical
Cyber Security Threat Model – Threat Agents
Researchers and Hobbyists
– Universities, government labs, defense labs. Motivations are usually positive: to study and conduct research
Pranksters and Hacktivists
– Take the opportunity to demonstrate their skills or promote their cause, but with negative outcomes for the product owners and manufacturers
Owners and Operators
– Many car hacking tools exist in the hands of owners, who often want to hack their own vehicles to improve performance, to bypass restrictions set by manufacturers or regulators, or to disable components to obfuscate their fraudulent actions
Organized Crime
– Has always been a threat to vehicles. Main motivation is financial gain. DoS, malware, ransomware
– Cybercrime-as-a-service!
Nation States
– Not easy to determine motivation
– Industrial espionage, surveillance, economic and physical warfare
– Intervention to assist national manufacturers against foreign competitors
– Tracking and audio monitoring of high-value objects
Transportation Infrastructure
– Next-gen car V2V communication
– Security and safety issues can occur through attacks on, and misbehavior of, the surrounding infrastructure
Example: manipulation of traffic lights confusing smart cars and causing accidents
Cyber Security Threat Model
One-to-many connected ECUs on the same CAN bus as the OBD-II port
The ability to control the ECU results in the attacker getting control of the vehicle
Assume the OBD-II device can be compromised
Determine the attack proximity and vulnerability
Classify vulnerabilities using Microsoft STRIDE and SAE SPFO impact
(Excerpt embedded on the slide)
model the potential areas of vulnerability and particular types of threats that may take advantage of those vulnerabilities. Given varying types of vehicle bus architecture and varying types of OBD-II devices, we use a generalized diagram (Figure 4) to present potential connections in the vehicle. Each ECU in Figure 4 represents the one or many connected ECUs on the same bus as the OBD-II port. The ability to control an ECU results in attacker control of that vehicle's function.
Figure 4: Generic OBD-II Device Threat Model Diagram (OBD-II Port – Aftermarket OBD-II Device – ECU A, ECU B, ECU C)
We begin by analyzing the impacts of various attacks assuming the OBD-II device can be compromised and an attacker can execute arbitrary code. Although each attack is the same, the impact depends on the capabilities of the device (e.g., how far away the attacker needs to be). Once the attack proximity and vulnerability are defined, the vulnerability is classified using Microsoft's STRIDE
Cyber Security Threat Model
(Excerpt continued; source: Software Engineering Institute, Carnegie Mellon University)
technique (Microsoft, 2005). We also use the Society of Automotive Engineers (SAE) safety, privacy,
financial, and operational impact to define how a vulnerability may affect a vehicle (Ward, et al.,
2013). (Both STRIDE and the SAE techniques are described in Appendix D.)
Table 2: Vulnerability Impact on the Device and the Vehicle
Vulnerability | ECU Affected | Comments | Vulnerability Impact (STRIDE) | Impact (Ward, et al., 2013: S P F O)
Hardcoded credentials | None | | X | S0 S0 S0 S0
Arbitrary command injection | OBD-connected buses | | X | S0 S3 S0 S0
Arbitrary CAN injection | OBD-connected buses | Full device compromise (see Table 3 for complete impact) | X X X X X X |
Cyber Security Threat Model
Table 3: Vulnerability Impact on Vehicle with Complete Device Compromise by Proximity
Vulnerability | ECU Affected | Proximity | Vulnerability Impact (STRIDE: S T R I D E) | Impact (Ward, et al., 2013: S P F O)
Compromise of OBD-II device | OBD-connected buses | Physical | X X X X X X | S1 S1 S2 S2
Compromise of OBD-II device | OBD-connected buses | Short range (Bluetooth) | X X X X X X | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Long range (Wi-Fi) | X X X X X X | S2 S2 S3 S3
Compromise of OBD-II device | OBD-connected buses | Anywhere (cellular) | X X X X X X | S4 S4 S4 S4
Anatomy of Chrysler Jeep Cherokee Hack
Head unit is connected to both CAN buses
Targeted the radio for compromise to get access to the ECUs connected to CAN-IHS and CAN-C
Radio receives GPS, AM/FM and satellite radio signals
Radio unit – Harman Uconnect system
Uconnect runs QNX
Uconnect system has Wi-Fi
Wi-Fi password was compromised
Performed a port scan and identified a D-Bus service
Exploited a D-Bus vulnerability to execute the exploit as root
Jailbroke Uconnect
Uconnect payload – Lua script
Uconnect communicates with the CAN buses using a V850E/FJ3
The OMAP chip under test can only read from CAN, not send
Reverse engineered the firmware of the OMAP
Re-programmed it by uploading code via USB that allows the V850 to send commands to CAN
Then used CAN commands for malicious activities
– Jamming steering, slowing down accelerator response
Network Architecture
The architecture of the 2014 Jeep Cherokee was very intriguing to us due to the fact that the head unit (Radio) is connected to both CAN buses that are implemented in the vehicle.
Figure: 2014 Jeep Cherokee architecture diagram
We speculated that if the Radio could be compromised, then we would have access to ECUs on the CAN-IHS and CAN-C networks, meaning that messages could be sent to all ECUs that control physical attributes of the vehicle. You'll see later in this paper that our remote compromise of the head unit did not directly lead to access to the CAN buses and further exploitation stages were necessary. That being said, there are no CAN bus architectural restrictions, such as the steering being on a separate bus. If we can send messages from the head unit, we should be able to send them to every ECU on the CAN bus.
Potential Risks
Safety-Critical Risks
– Driver Distractions (e.g. volume, wipers)
– Engine Shutoff or Degradation
– Steering Changes (autonomous vehicles)
Less Safety-Critical Vehicle Specific Risks
– Theft of the car or contents
– Enabling physical crime against occupants
– Insurance or lease fraud
– Eavesdropping on occupants
– Theft of information (e.g. personal profile, phone list)
– Vector for attacking mobile devices in the car
– Theft of PII
– Tracking the vehicle's location
Key Vulnerabilities Found in Car
Insecure firmware updates and downloads
Hardcoded or non-existent Bluetooth PIN
Weak WPA2 password
Hardcoded credentials
Internet-enabled administration interface
Some Important Attack Vectors
Arbitrarily modify firmware
Maliciously update remote firmware
Lock/unlock doors
Turn the vehicle on/off
Affect vehicle GPS tracking, speed, heading and altitude
Read the car's internal data – temperature, fuel levels, diagnostic trouble codes etc.
Inject arbitrary CAN packets
Common Architecture Issues
The Primary Processor
– Simple processor
– Converts the external network protocol to CAN and vice versa
– Logic is implemented in upstream systems
– Includes no security controls, e.g. authentication or command validation
External Network Interface
– Because there is no filtering at the device or at the OBD-II port, security is completely dependent on the perimeter, i.e. the external network interface
– External network interface security strength varies
WPA2 with a weak password
Easy-to-guess BT PIN
Widely shared BT PIN
Undocumented features
Insecure firmware upgrades
Recommendations
Hardware Security
– Secure boot and software attestation function
– TPM
– Tamper protection
– Cryptographic acceleration
– Active memory protection
– Device identity directly on device
Intel EPID, PUF
Software Security
– Secure boot
– Partitioned OS
– Authentication
– Enforcement of approved and appropriate behavior
– Secure SDL
Recommendations
Network Security
– Message and device authentication
– Identify and enforce predictably holistic behavior
– Access controls
Cloud Security
– Secure authenticated channel to cloud
– Remote monitoring of vehicle
– Threat intelligence exchange
– OTA updates
– Credential management
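"Identify and enforce predictably holistic behavior" on a CAN bus usually starts with the observation that legitimate ECUs transmit each identifier on a fixed schedule, so a second transmitter racing the real one shows up as frames arriving far too early. The following added example (not the deck's code, and not from any product) runs that check over a constructed trace; the identifiers, periods and timestamps are all made up for illustration. It flags two conditions a monitoring ECU or OBD-II gateway can detect without any key material: an identifier absent from the learned profile, and a frame arriving at less than half its expected period.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Expected transmit period per identifier, as learned from a clean recording
   of the bus. IDs and periods are constructed for this example. */
typedef struct { uint16_t id; uint32_t period_ms; int32_t last_ms; } id_profile_t;

static id_profile_t profiles[] = {
    { 0x0C0, 20,  -1 },   /* e.g. a 50 Hz powertrain status frame */
    { 0x1A0, 100, -1 },   /* e.g. a 10 Hz body status frame */
};
#define N_PROFILES (sizeof profiles / sizeof profiles[0])

typedef struct { uint32_t t_ms; uint16_t id; } frame_t;
typedef enum { ALERT_UNKNOWN_ID, ALERT_TOO_FAST } alert_kind_t;
typedef struct { uint32_t t_ms; uint16_t id; alert_kind_t kind; } alert_t;

static void reset_profiles(void)
{
    for (size_t i = 0; i < N_PROFILES; i++) profiles[i].last_ms = -1;
}

/* Scan a time-ordered trace. Returns the number of alerts written
   (at most max_alerts). last_ms is updated on every frame, including
   flagged ones, so a burst of injected frames yields one alert each. */
size_t scan_trace(const frame_t *trace, size_t n, alert_t *alerts, size_t max_alerts)
{
    size_t count = 0;
    reset_profiles();
    for (size_t i = 0; i < n; i++) {
        id_profile_t *p = NULL;
        for (size_t j = 0; j < N_PROFILES; j++)
            if (profiles[j].id == trace[i].id) { p = &profiles[j]; break; }

        alert_kind_t kind = ALERT_UNKNOWN_ID;
        int fire = 0;
        if (!p) {
            fire = 1;                                   /* never seen on a clean bus */
        } else {
            int64_t gap = (int64_t)trace[i].t_ms - p->last_ms;
            if (p->last_ms >= 0 && gap < (int64_t)p->period_ms / 2) {
                kind = ALERT_TOO_FAST; fire = 1;        /* someone else is sending this ID */
            }
            p->last_ms = (int32_t)trace[i].t_ms;
        }
        if (fire && count < max_alerts) {
            alerts[count].t_ms = trace[i].t_ms;
            alerts[count].id   = trace[i].id;
            alerts[count].kind = kind;
            count++;
        }
    }
    return count;
}

/* Constructed trace: periodic traffic with three injected frames and one
   identifier that is not part of the profile. */
static const frame_t sample_trace[] = {
    {   0, 0x0C0 }, {  20, 0x0C0 }, {  40, 0x0C0 }, {  50, 0x1A0 },
    {  60, 0x0C0 }, {  62, 0x0C0 }, {  64, 0x0C0 },   /* two injected 0x0C0 frames */
    {  80, 0x0C0 }, { 100, 0x0C0 }, { 120, 0x0C0 },
    { 150, 0x1A0 }, { 151, 0x1A0 },                   /* one injected 0x1A0 frame */
    { 160, 0x0C0 }, { 165, 0x3FF },                   /* unknown identifier */
};
#define N_SAMPLE (sizeof sample_trace / sizeof sample_trace[0])

static alert_t sample_alerts[16];

/* Run the detector over the constructed trace; results land in sample_alerts. */
size_t scan_sample_trace(void)
{
    return scan_trace(sample_trace, N_SAMPLE, sample_alerts, 16);
}

int main(void)
{
    size_t n = scan_sample_trace();
    for (size_t i = 0; i < n; i++)
        printf("t=%3u ms id=0x%03X %s\n", sample_alerts[i].t_ms, sample_alerts[i].id,
               sample_alerts[i].kind == ALERT_TOO_FAST ? "TOO_FAST" : "UNKNOWN_ID");
    return 0;
}
```

A rate check like this is cheap enough to run on a gateway ECU, but it only catches an injector that leaves the legitimate sender running; it does not replace the message and device authentication listed above, it gives a detection signal to go alongside it.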
Recommendations
Supply-chain Security
– Authorized distribution channel
– Track and trace
– Continuity of supply
Recommendations
ISO/IEC
– 9797-1, 11889
ISO/IEC 9797-1: Security techniques – Message Authentication Codes
ISO/IEC 11889: Trusted Platform Module
ISO 12207: Systems and software engineering – Software life cycle processes
ISO 15408: Evaluation criteria for IT security
ISO 26262: Functional safety for road vehicles
ISO 27001: Information Security Management System
ISO 27002: Code of Practice – Security
ISO 27018: Code of Practice – Handling PII / SPI (Privacy)
ISO 27034: Application security techniques
ISO 29101: Privacy architecture frameworks
ISO 29119: Software testing standard
IEC 62443: Industrial Network and System Security
SAE J2945: Dedicated Short Range Communication (DSRC) Minimum Performance Requirements
SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
SAE J3101: Requirements for Hardware-Protected Security for Ground Vehicle Applications
E-safety Vehicle Intrusion Protected Applications (EVITA)
Trusted Platform Module
Secure Hardware Extensions (SHE): From the German OEM consortium Hersteller Initiative Software (HIS), these on-chip extensions provide a set of cryptographic services to the application layer and isolate the keys.
THANK YOU