Vulnerabilities, Attacks And Defences For Modern Vehicles

Automotive Cyber Security
Vulnerabilities, attacks and defences for modern vehicles
Dario Stabili - Dipartimento di Ingegneria “Enzo Ferrari”, Università di Modena e Reggio Emilia
Secure Software Development course (Corso di Sviluppo Software Sicuro), Modena, 27 May 2021

Cyber-Physical Systems
The term cyber-physical systems refers to the tight conjoining of and coordination between computational and physical resources. We envision that the cyber-physical systems of tomorrow will far exceed those of today in terms of adaptability, autonomy, efficiency, functionality, reliability, safety, and usability. [...] These capabilities will be realized by deeply embedding computational intelligence, communication, control, and new mechanisms for sensing, actuation, and adaptation into physical systems with active and reconfigurable components.
[US National Science Foundation]

ADAS Levels
Source: https://synopsis.com

Does your car have Pre Collision Assist?
Brakes are software-controlled

Miller & Valasek - 2015 Jeep Cherokee
Remote Exploitation of an Unaltered Passenger Vehicle
First research paper demonstrating a remote attack on a passenger vehicle
Presented at the Black Hat 2015 conference
Also known as the “Jeep” hack

Why is the “Jeep” hack so famous?
First hack demonstrating the vulnerabilities of the vehicle CPS
First attack on connected vehicles gaining huge media coverage
First recall campaign for a connected vehicle (more on this later)

How did they do it?
Following their previous research on vehicle vulnerabilities (Adventures in Automotive Networks and Control Units, Black Hat 2013) they focused on gaining remote control of a passenger vehicle
Why?
“We were told that our work was not interesting because we were not able to gain access to the internal network with a completely wireless attack. So here we go”
Charlie Miller, Black Hat 2015

Attack Steps
1. Idea: scanning for open ports exposed by the vehicle
Findings:
    # netstat -n | grep LISTEN
    tcp 0 0 *.6010 *.* LISTEN
    tcp 0 0 *.2011 *.* LISTEN
    tcp 0 0 *.6020 *.* LISTEN
    tcp 0 0 *.2021 *.* LISTEN
    tcp 0 0 127.0.0.1.3128 *.* LISTEN
    tcp 0 0 *.51500 *.* LISTEN
    tcp 0 0 *.65200 *.* LISTEN
    tcp 0 0 *.4400 *.* LISTEN
    tcp 0 0 *.6667 *.* LISTEN
Labelled services: xy admin web server, dev-mv2trace, HmiGateway, D-BUS session bus
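
An added example (not from the slides or from Miller and Valasek's paper): a defender-side audit that parses a listing in the same "address.port" layout and reports every listener bound outside the loopback interface, which is how port 6667 (the D-Bus service, per the slides) stands out. The allowlist parameter and the function names are assumptions for illustration.

```python
import ipaddress

# Listener table based on the slide's findings (local endpoint is "address.port").
NETSTAT = """\
tcp 0 0 *.6010 *.* LISTEN
tcp 0 0 *.2011 *.* LISTEN
tcp 0 0 *.6020 *.* LISTEN
tcp 0 0 *.2021 *.* LISTEN
tcp 0 0 127.0.0.1.3128 *.* LISTEN
tcp 0 0 *.51500 *.* LISTEN
tcp 0 0 *.65200 *.* LISTEN
tcp 0 0 *.4400 *.* LISTEN
tcp 0 0 *.6667 *.* LISTEN
"""

def parse_listeners(text):
    """Return (address, port) pairs for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # prompt, header, non-TCP or non-listening row
        addr, _, port = fields[3].rpartition(".")
        if addr and port.isdigit():
            listeners.append((addr, int(port)))
    return listeners

def is_loopback(addr):
    """True only for addresses that other hosts cannot reach."""
    if addr == "*":
        return False  # wildcard bind: listening on every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: fail closed and report it

def exposed_ports(text, allowed=frozenset()):
    """Ports listening on a non-loopback address and not on the allowlist.

    `allowed` is a hypothetical per-product list of ports that are meant
    to be reachable from outside the unit.
    """
    return sorted(port for addr, port in parse_listeners(text)
                  if not is_loopback(addr) and port not in allowed)

if __name__ == "__main__":
    for port in exposed_ports(NETSTAT):
        print(f"port {port}: reachable from outside the loopback interface")
```
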

D-Bus Services
Interprocess communications
Might require authentication
Jeep D-Bus is unauthenticated

D-Bus Services
Services are exported as remote function calls
There is an execute function available, exposing the following systems:
- GPS info
- HVAC
- Radio volume and other ones

Attack Steps
1. D-Bus for accessing the vehicle information
2. Idea: access the internal vehicle network through cellular?

Cellular Exploitation
1. IP address of the Jeep is known (DBus)
2. Femto-Cell comms should allow direct communication with the Jeep
Long distance communication from Pittsburgh to St. Louis (950 km)

Cellular Exploitation
1. IP address of the Jeep is known (DBus)
2. Femto-Cell comms should allow direct communication with the Jeep
3. Is it possible to extend the attack scope?
Scanning for IPs exposing the D-Bus service (on port 6667)
Sending DBus request for GPS Vehicle Identification Number

Cellular Exploitation
1. IP address of the Jeep is known (DBus)
2. Femto-Cell comms should allow direct communication with the Jeep
3. Is it possible to extend the attack scope?
Estimate of a minimum of 1.4 million vehicles exposing the same vulnerabilities only in the

Affected vehicles
Dodge Viper, RAM 1500, RAM 2500, RAM 3500, RAM Chassis 5500
2014: Dodge Durango, Dodge Viper, Jeep Cherokee, Jeep Grand Cherokee, Ram 1500, RAM 2500, RAM 3500, RAM Chassis 5500
2015: Chrysler 200, Jeep Cherokee, Jeep Grand Cherokee

Attack Steps (ordered)
1. Using cellular network to access the vehicle remotely
2. D-Bus for accessing the vehicle information

Attack Steps
1. Using cellular network to access the vehicle remotely
2. D-Bus for accessing the vehicle information
Is it possible to send messages to the internal network?
Unfortunately, not

Attack Steps
1. Using cellular network to access the vehicle remotely
2. D-Bus for accessing the vehicle information
3. Install malicious firmware on the V850 to bypass the Infotainment isolation

Updating the V850 firmware
V850 firmware is NOT signed
No code signing mechanism present
Reverse engineering of firmware v14.05.3, with a modified version that allows sending CAN messages from the OMAP segment
Firmware can be installed without physical access (FOTA support)
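
An added example, not code from the slides or from the vehicle's updater: an update gate that refuses an image whose authentication tag does not verify or whose version is older than the installed one, the kind of check that was absent when a modified V850 image could be flashed. To run on the standard library alone it uses HMAC-SHA256 with a shared key as a stand-in for a public-key code signature; the container layout (FWIM header, field sizes) and all names are assumptions.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                  # hypothetical container magic
HEADER = struct.Struct(">4sII")  # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size

def build_image(key, version, payload):
    """Vendor side: prepend the header and append a tag over header + payload."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def check_image(key, blob, installed_version):
    """Updater side: return (accept, reason). Flash only when accept is True."""
    if len(blob) < HEADER.size + TAG_LEN:
        return False, "truncated"
    magic, version, length = HEADER.unpack_from(blob)
    if magic != MAGIC or len(blob) != HEADER.size + length + TAG_LEN:
        return False, "malformed"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad tag"
    if version < installed_version:              # authentic but older image
        return False, "rollback"
    return True, "ok"

def demo():
    """Run the gate over constructed images and return each verdict."""
    key = b"constructed-demo-key"                # constructed sample key
    good = build_image(key, 5, b"firmware payload " * 4)
    patched = bytearray(good)
    patched[HEADER.size] ^= 0x01                 # one modified payload byte
    return {
        "original": check_image(key, good, 4),
        "modified": check_image(key, bytes(patched), 4),
        "older": check_image(key, good, 6),
        "cut": check_image(key, good[:10], 4),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```
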

Attack Steps
1. Find the IP of the vehicle (combination of radio access DBus services)
2. Get code running on the OMAP chip
3. Reflash the v850 firmware, reboot (backdoor installed)
4. Send messages
Result? l-jeep-highway/

More info: ps://youtu.be/MAcHkASmXEc

Solutions

Why is the “Jeep” hack so famous?
First recall campaign for a connected vehicle

What we do

Playing with the CAN bus
Testing CAN vulnerabilities on a real vehicle (my personal old vehicle)
Three classes of attacks:
- Denial of Service
- ECU Spoofing
- Attacks to safety-relevant systems (e.g. cruise control) of another vehicle

Denial of Service

ECU Spoofing

ACS @ UniMoRe
We are a security-oriented research group
Our scope is not to demonstrate the vulnerabilities of connected vehicles with fancy attacks
However, discovering novel attacks and solutions is something we aim to do
Academic lecture focusing on ACS: https://weblab.ing.unimore.it/acs/
Instructor: Mirco Marchetti
Assistant: Dario Stabili

Thesis

Thesis Proposals - Reverse Engineering
Reverse Engineering of a VW Polo Instrument Cluster
Wired connection (back pinout available on the internet)
First objective: being able to control the IC with CAN messages
After: ?

Thesis Proposals - Intrusion Detection
Implementation of state-of-the-art IDS for CAN bus
Many IDS available in literature
Sources: IEEEXplore, Google Scholar, arXiv, etc.
Objective: Implement different IDS and compare them on the same dataset
Design novel IDS based on the limitations of the current state-of-the-art

Thesis Proposals - Dataset collection
Collect and generate attacks on CAN datasets
Many attacks available in literature
Sources: IEEEXplore, Google Scholar, arXiv, etc.
Objective: Create a dataset composed of both clean and infected traces by logging CAN traces with our logger
Simulate and test attacks on the CAN bus

Thesis Proposals - Infotainment forensics
Forensic analysis of an Infotainment unit
Starting point: dump of an iVe
We have an image of a Mercedes Class C, might consider gathering more
Objective: Analyze the memory content looking for sensitive information (phone numbers, GPS coords, etc.)
Automate the whole process using a mix of techniques
Extract the Mercedes application from the memory (if any)

Q&A
