2. Bogdan-Ioan Şuta
• System manager at AtoS IT Solutions and Services
• Former Embedded C developer at Hella Romania
• Graduated with a Master's in Automotive Embedded Software from "Politehnica" University of Timisoara
• Interested in computers, cars and anything in between
4. In vehicle networks
• Used for information sharing between ECUs (Electronic Control Units)
• Reduce the number of wires needed inside a vehicle between ECUs
• Come in many forms:
– By medium: two-wire, one-wire, optical, wireless
– By protocol: Ethernet, CAN, LIN, FlexRay, MOST, K-Line etc.
7. Controller Area Network
• Developed by Robert Bosch GmbH in 1983
• Designed for electrically noisy environments
• Baud rates of up to 1Mb/s
• Broadcast type network
• Frames composed of (minimalistic):
– ID field – used for arbitration – either 11 or 24 bits long
– Data Field – actual transported data – up to 8 bytes
– CRC Field – for error correction – 15 bits
9. Hacking vehicle networks
• MIT did it:
– Comprehensive Experimental Analyses of Automotive Attack Surfaces http://youtu.be/bHfOziIwXic
• Blogs made tutorials for it:
– Hack a day http://hackaday.com/2013/10/21/can-hacking-introductions/
• Individuals also tried their luck:
– http://secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html
10. Hacking vehicle networks
• Various hardware is available to do it:
– The OpenXC Platform http://openxcplatform.com/
– Arduino shields are available http://www.skpang.co.uk/catalog/arduinocanbus-shield-with-usd-card-holder-p-706.html
– Custom – any microcontroller with a CAN controller with a CAN transceiver will work
12. Proposition
• Connect to the CAN bus
• Identify messages being transmitted on the bus
• Perform spoofing and flood attacks
• Do not get into diagnostic based attacks (change odometer, disable immobilizer)
13. Setup
• VW Passat 2001
• Breadboard
• mBed LPC 1768 development board
• 2x Microchip MCP 2551 CAN transceivers
• PC with Tera Term used for communicating with the mBed
• mBed programmed for CAN monitoring, flooding and spoofing
• First connection attempt:
– Male OBD-II connector connected to the diagnostic port of the car
• Second attempt:
– Twisted pair of conductors from a CAT-5 cable connected at the back of the VW Climatronic
20. Second attempt: SUCCESS
• A few tries and some info from: http://secuduino.blogspot.ro/2011/04/grupo-volkswagen-can-confort.html
• Connected to Convenience CAN
• Baud rate of 100kb/s
• Communication established
21. A bit of sniffing…
• Found CAN messages from
– Door locks
– Electric windows
   • Position of window
   • Status of button (pressed, not pressed)
– Instruments backlighting value
– Lots of other data that I couldn’t find a correlation for
26. Security issues
• No authentication of nodes
• Messages are not scrambled
• Security by obscurity
27. Counter measures
• Researched and developed by many universities and companies:
– Efficient Protocols For Secure Broadcast In Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/CANSec.pdf
– LiBrA-CAN: Lightweight Broadcast Authentication for Controller Area Networks - http://www.aut.upt.ro/~bgroza/Papers/LIBRA.pdf
– Broadcast Authentication in a Low Speed Controller Area Network - http://www.aut.upt.ro/~bgroza/Papers/CANAut.pdf
– Low cost multicast network authentication for embedded control systems - http://128.2.129.29/research/publications/2012/CMUECE-2012-011.pdf
– Many more
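Added example (not from the original slides and not the scheme of any paper listed above): what broadcast authentication has to add to a CAN frame to address the "no authentication of nodes" issue, here a truncated HMAC-SHA256 plus a message counter packed into the 8-byte data field. The key, the CAN ID 0x123, the signal bytes and the 4-byte tag length are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4      # truncated-MAC bytes per frame (assumed trade-off, not from the slides)
MAX_DATA = 8     # classic CAN data field is at most 8 bytes

def _tag(key, can_id, counter, data):
    # The MAC covers the ID, the full 32-bit counter and the signal bytes.
    msg = struct.pack(">II", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def protect(key, can_id, counter, data):
    """Sender side: data field = signal | low counter byte | truncated MAC."""
    if len(data) + 1 + TAG_LEN > MAX_DATA:
        raise ValueError("signal does not fit in an authenticated 8-byte frame")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, counter, data)

class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, payload):
        """Return the signal bytes if authentic and fresh, otherwise None."""
        if not 1 + TAG_LEN <= len(payload) <= MAX_DATA:
            return None
        data = payload[:-TAG_LEN - 1]
        low = payload[-TAG_LEN - 1]
        tag = payload[-TAG_LEN:]
        # Rebuild the full counter: the next value above the last accepted one
        # whose low byte matches, so a replayed frame maps to a wrong counter.
        counter = (self.last & ~0xFF) | low
        if counter <= self.last:
            counter += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, self.can_id, counter, data)):
            return None
        self.last = counter
        return data

def demo():
    key = b"constructed-demo-key"          # constructed; real keys need provisioning
    can_id, signal = 0x123, b"\x01\x40"    # hypothetical ID and signal bytes
    rx = Receiver(key, can_id)
    genuine = protect(key, can_id, 1, signal)
    forged = protect(b"attacker-guess", can_id, 2, b"\x01\xff")  # node without the key
    return [rx.accept(genuine), rx.accept(genuine), rx.accept(forged),
            rx.accept(protect(key, can_id, 2, signal))]
```

The cost is visible in the frame layout: 5 of the 8 data bytes go to the counter and tag, which is why the cited papers focus on lightweight schemes.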
29. Conclusions
• Hacking vehicle networks is EASY
• Through trial and error much information can be obtained -> security by obscurity is not sufficient
• With great power comes great responsibility
– Getting information from the vehicle bus can enhance use of the vehicle
– People with bad intentions can cause damage and injuries