Gentlemen, Start Your Engines 20120514
•
2 likes•1,048 views
Short overview of the current security status on the automotive telematics security arena. Presented at OWASP Sweden meeting May 14th 2012
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Gentlemen, Start Your Engines 20120514
Similar to Gentlemen, Start Your Engines 20120514 (20)
Recently uploaded
Recently uploaded (20)
Gentlemen, Start Your Engines 20120514
- 1. OWASP Sweden 20120514 Gentlemen, Start your engines Mattias Jidhage
- 2. Omegapoint - Founded in 2001 - 170 consultants - e-Business & Security Falun New York Stockholm Göteborg Kalmar Helsingborg Malmö
- 3. Agenda
- 4. Telematics “integrated use of telecommunications and informatics” ECU = Electronic C BCM=Brake ECU=Engine ontrol CCU=Convenience ontrol ACU=Airbag CC ontrol odule CTM=Central Ciming Module GEM=General Electronic M SCM=Suspension ontrol U odule TCM=Transmission M Module BCM=Body CCTontrol ontrol odule ECM=Engine ontrol CUodule M PCM=Powertrain CC Mnit MUnit CCM=Central ontrol ontrol nit odule ~100 Bosch, Siemens, Delphi..
- 5. Infotainment • Tech fragmentation • Full featured browser – Cost – Torch – Long dev cycle – Netfront • Apps for the car • OS – HTML5 – Blackberry – JavaScript – Windows • App stores – Android – Blackberry App World • Smartphones on – Android Market wheels? – Mbrace?
- 6. Telematics “integrated use of telecommunications and informatics” ECU = Electronic C BCM=Brake ECU=Engine ontrol CCU=Convenience ontrol ACU=Airbag CC ontrol odule CTM=Central Ciming Module GEM=General Electronic M SCM=Suspension ontrol U odule TCM=Transmission M Module BCM=Body CCTontrol ontrol odule ECM=Engine ontrol CUodule M PCM=Powertrain CC Mnit MUnit CCM=Central ontrol ontrol nit odule ~100 Bosch, Siemens, Delphi..
- 7. Telematics “integrated use of telecommunications and informatics” ECU = Electronic C BCM=Brake ECU=Engine ontrol CCU=Convenience ontrol ACU=Airbag CC ontrol odule CTM=Central Ciming Module GEM=General Electronic M SCM=Suspension ontrol U odule TCM=Transmission M Module BCM=Body CCTontrol ontrol odule ECM=Engine ontrol CUodule M PCM=Powertrain CC Mnit MUnit CCM=Central ontrol ontrol nit odule ~100 Bosch, Siemens, Delphi..
- 8. Telematics Potentially less than great security?
- 9. Eh, What's up Doc? • The Car • Transport • Server • Client
- 10. The Car - Research • Experimental Security Analysis of a Modern Automobile – OBD-II • Comprehensive Experimental Analyses of Automotive Attack Surfaces – CD – OBD-II (PassThru) – Bluetooth – GSM
- 11. The Car – Reality • War Texting: Identifying and Interacting with Devices on the Telephone Network – Method for attacking telematics • In general: GSM Baseband + uC Chip • UART -> RE -> Firmware -> Vulnerability – How2 find targets? • FindMe • WhoIs
- 12. The Car – Reality • Put it to the test – Zoombak Tracking Device • Zoombak Scanner • Ask nicely via SMS – Subaru Outback 1998 • after market telematics unit • unlock and start engine • http://youtu.be/bNDv00SGb6w
- 13. Transport - GSM • A5/1 • SRLabs – CCC 2009, BlackHat 2010 – Rainbow tables (100.000 years to 1 month) – Decode voice • 100-300m upstream • 5-35km downstream
- 14. Transport – GPRS/EDGE No encryption • GEA/0 • GEA/1 • GEA/2 • GEA/3 • GEA/4 No users • SRLabs – CCC 2011, Crypto analysis (weak crypto) – Decode GPRS -> Wireshark
- 15. Transport – cell USRP H W
- 16. Server • Car interface – Proprietary protocol • ASN.1 – Touring complete • GPRS, EDGE, SMS and data over voice – “We use a Private APN” • Generic Routing Encapsulation • Node to Node communication • Operator web application • Smartphone interface: REST/JSON
- 17. Client - browser • Web application – no news – move on – there is nothing to see – DriveBy Trojan Download & Install • Starring Windows • Guest appearance by Mac OSX
- 18. Client – smart phone • Few real vulnerability tests performed • iOS – Continous Jailbreak – iOS 5.0.1 - iPhone 4GS and iPad2 – iOS 5.1.x – iPad3 – no public (i0n1c, pod2g) • Android – Rouge apps – Android Market - ‘Bouncer’
- 19. Conclusion • All components are possible targets • Very few has the complete picture • Activity in the security arena • This is going to get worse before it gets better – 2012 models CAN bus is unprotected – New tools arriving every day – Larger attack surface than ever • Use fast shoes
- 20. What’s to come? “Internet of Things” TLA = IoT
- 21. The Future
- 22. The Future • Telematics – M2M – “integrated use of telecommunications and informatics” Insulin pump Prescription medication
- 23. The Future ABB IRB 6640 Industrial robot
- 24. The Future Three Gorges Infrastructure - SCADA – Stuxnet
- 25. The Future Home Metering Unit - SmartGrid 270 000 HMU using ZigBee
- 26. everything is a computer Thank You! @mjidhage mattias.jidhage@owasp.org
- 27. References • http://www.autosec.org/publications.html • http://www.isecpartners.com/storage/docs/presentations/ isec_bh2011_war_texting.pdf • http://events.ccc.de/congress/2009/Fahrplan/ attachments/1519_26C3.Karsten.Nohl.GSM.pdf • https://srlabs.de/blog/wp-content/uploads/ 2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf • http://events.ccc.de/camp/2011/Fahrplan/attachments/ 1868_110810.SRLabs-Camp-GRPS_Intercept.pdf