Smith, Craig. (2016). The Car Hacker's Handbook: A Guide for the Penetration Tester. San Francisco, CA: No Starch Press.
The Vehicle Network
[Diagram: vehicle network trust levels, from Least Trusted to Most Trusted]
Automobile systems
How they are connected
ECU
CAN-BUS
The Jeep Hack – myth vs reality
Tools to try at home
What is the connected vehicle
Several ways exist today to examine a vehicle for potential exploitation
41B Industrial Internet of Things (IIoT) forecasted by 2020
Cars today are "mini computers" with several electrical components that need faster protocols for communication
Critical car communication such as RPM and braking is on the high-speed line; things like door locks and climate control are on lower-speed lines
The infotainment/navigation console is a primary entry point for auto communications. Cellular and Wi-Fi components have a direct line into the vehicle.
OBDII is mandated in the USA for vehicles 1996 and newer
OBDII is for emission-related diagnostics
EOBD is mandated on 2001 and newer (petrol) and 2004 and newer (diesel) vehicles
OBDII connector example: [connector diagram]
A vehicle carries from over 25 up to 100 controllers
Main Controller (MCU)
Inputs (switches and analog sensors)
Outputs (motors and lights)
Connected to share information
Contains memory:
  Volatile
  Non-volatile
Power supply (12V -> 3.3V or 5V)
CAN packets, this is the traffic that
The arbitration ID identifies the device trying to communicate
Non-diagnostic packets are the ones the car uses to perform functions
There is a lot of noise once connected; use arbitration IDs to filter it out
Differs by manufacturer
They originally began by infiltrating the vehicle using the built-in wireless connection. Playing around, they found a public IP on one of the interfaces.
Every car that has Uconnect installed operates on the Sprint network for its communication. Each vehicle has an IP address on the Sprint network. From scanning the range, port 6667 was open.
They were able to access the vehicle internally. In order to get to the bus to read the CAN messages (from the wireless "untrusted" direction), they had to get past the ECU, and were able to reverse engineer its firmware so it would accept their custom CAN messages.
Governance: Define executive oversight for product security; functionally align the organization to address vehicle cybersecurity, with defined roles and responsibilities across the organization.
Risk Management: Establish a risk-management process and ensure it is adhered to at every stage of the vehicle life-cycle.
Security by Design: Establish safe coding guidelines and ensure they are adhered to at every stage; identify trust boundaries; protect at every level.
Threat Detection and Response: Test, test, test; respond to results.
Incident Response: Respond and fix.
Training and awareness:
If the ISACs are treating the automobile like a connected system, security vendors need to figure out how to protect it.
We now know automobiles are vulnerable and are becoming more connected, not just to the consumer but to each other.
In the endpoint space, there is a need for a lightweight endpoint solution that is capable of running on the automobile.
Something that would only allow trusted access via the OBD and/or the cellular/Wi-Fi interface, and would also monitor firmware uploads and rewrites from trusted sources. Only allow it from the manufacturer; it must be tethered to the service unit.
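The two practical points above, filtering CAN bus noise by arbitration ID and monitoring the bus from an endpoint that only expects known traffic, can be shown with a small triage script. This is an added example, not code from the presentation or from The Car Hacker's Handbook. It parses candump-style log lines ("(timestamp) iface ID#hexdata", the log format written by the can-utils candump tool), learns which arbitration IDs are constantly changing in a quiet baseline capture so they can be filtered out, reports which IDs carry new payloads during a capture taken while some action was performed, and flags any ID that is not on an allowlist of expected IDs. The log lines and the arbitration IDs 0x0C9, 0x1A0, 0x244 and 0x3E8 are constructed for the example and do not describe any real vehicle.

```python
"""CAN traffic triage: parse candump-style log lines, filter noise by
arbitration ID, and flag frames that fall outside a learned baseline.

Added example; not code from the presentation or from the handbook it cites.
All log lines and arbitration IDs below are constructed for illustration.
"""
from collections import Counter, defaultdict
import re

# candump log line: "(<seconds.micros>) <iface> <hex ID>#<hex payload>"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed capture taken while the car sat idle: 0x0C9 carries a counter
# that changes every frame (noise), 0x1A0 and 0x244 are static.
BASELINE_LOG = """\
(1500000000.000100) can0 0C9#0001
(1500000000.000200) can0 1A0#00000000
(1500000000.000300) can0 244#0000
(1500000000.010100) can0 0C9#0002
(1500000000.010200) can0 1A0#00000000
(1500000000.010300) can0 244#0000
(1500000000.020100) can0 0C9#0003
(1500000000.020200) can0 1A0#00000000
(1500000000.020300) can0 244#0000
""".splitlines()

# Constructed capture taken while an action was performed: 0x244 changes
# payload, a previously unseen ID 0x3E8 appears, and one line is corrupt.
ACTION_LOG = """\
(1500000001.000100) can0 0C9#0004
(1500000001.000200) can0 1A0#00000000
(1500000001.000300) can0 244#0000
(1500000001.010100) can0 0C9#0005
(1500000001.010200) can0 1A0#00000000
(1500000001.010300) can0 244#FF00
(1500000001.020100) can0 0C9#0006
(1500000001.020200) can0 1A0#00000000
(1500000001.020300) can0 244#FF00
(1500000001.030100) can0 3E8#01
garbage line that is not a frame
""".splitlines()


def parse_frame(line):
    """Return (timestamp, iface, arbitration_id, data) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    data = bytes.fromhex(m.group("data"))
    if len(data) > 8:  # classic CAN frames carry at most 8 data bytes
        return None
    return (float(m.group("ts")), m.group("iface"), int(m.group("id"), 16), data)


def parse_log(lines):
    """Parse every well-formed line, silently dropping anything else."""
    return [f for f in (parse_frame(l) for l in lines) if f is not None]


def id_frequency(frames):
    """How often each arbitration ID appears; chatty IDs are usually noise."""
    return Counter(f[2] for f in frames)


def payloads_by_id(frames):
    groups = defaultdict(set)
    for _, _, arb_id, data in frames:
        groups[arb_id].add(data)
    return groups


def noisy_ids(baseline_frames):
    """IDs whose payload already varies while nothing is happening."""
    return {i for i, p in payloads_by_id(baseline_frames).items() if len(p) > 1}


def changed_ids(baseline_frames, action_frames):
    """IDs (noise excluded) with payloads never seen in the quiet baseline."""
    base = payloads_by_id(baseline_frames)
    noise = noisy_ids(baseline_frames)
    result = {}
    for arb_id, payloads in payloads_by_id(action_frames).items():
        if arb_id in noise:
            continue
        new = payloads - base.get(arb_id, set())
        if new:
            result[arb_id] = sorted(new)
    return result


def unexpected_ids(frames, allowlist):
    """Monitoring view: arbitration IDs an endpoint agent did not expect."""
    return sorted({f[2] for f in frames if f[2] not in allowlist})


if __name__ == "__main__":
    base, act = parse_log(BASELINE_LOG), parse_log(ACTION_LOG)
    print("noise IDs:", [hex(i) for i in noisy_ids(base)])
    print("changed during action:", {hex(k): v for k, v in changed_ids(base, act).items()})
    print("not on allowlist:", [hex(i) for i in unexpected_ids(act, {0x0C9, 0x1A0, 0x244})])
```

The baseline-versus-action comparison is what turns a flood of frames into a short list of candidate IDs; the allowlist check is the same data viewed from the endpoint-monitoring side, where an ID that was never part of the learned baseline is the thing worth alerting on.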