Short overview of the current security status in the automotive telematics security arena. Presented at the ISACA Scandinavian Conference, April 23-24th 2012.
Gentlemen, Start your engines
Mattias Jidhage
Omegapoint
- Founded in 2001
- 170 consultants
- e-Business & Security
Göteborg
Malmö
Stockholm
Falun
Kalmar
Helsingborg
New York
Agenda
Telematics “integrated use of telecommunications and informatics”
~100
Bosch, Siemens, Delphi..
CCM = Central Control Module
PCM = Powertrain Control Module
ECM = Engine Control Module
BCM = Body Control Module
TCM = Transmission Control Module
SCM = Suspension Control Module
GEM = General Electronic Module
CTM = Central Timing Module
ACU = Airbag Control Unit
CCU = Convenience Control Unit
ECU = Engine Control Unit
BCM = Brake Control Module
ECU = Electronic Control Unit
Telematics
Potentially less than great security?
Eh, What's up Doc?
• The Car
• Transport
• Server
• Client
The Car - Research
• Experimental Security Analysis of a Modern Automobile
– OBD-II
• Comprehensive Experimental Analyses of Automotive Attack Surfaces
– CD
– OBD-II (PassThru)
– Bluetooth
– GSM
The Car – Reality
• War Texting: Identifying and Interacting with Devices on the Telephone Network
– Method for attacking telematics
• In general: GSM Baseband + uC Chip
• UART -> RE -> Firmware -> Vulnerability
– How2 find targets?
• FindMe
• WhoIs
The Car – Reality
• Put it to the test
– Zoombak Tracking Device
• Zoombak Scanner
• Ask nicely via SMS
– Subaru Outback 1998
• after market telematics unit
• unlock and start engine
• http://youtu.be/bNDv00SGb6w
Transport - GSM
• A5/1
• SRLabs
– CCC 2009, BlackHat 2010
– Rainbow tables (100.000 years to 1 month)
– Decode voice
• 100-300m upstream
• 5-35km downstream
Transport – GPRS/EDGE
• GEA/0
• GEA/1
• GEA/2
• GEA/3
• GEA/4
• SRLabs
– CCC 2011, Crypto analysis (weak crypto)
– Decode GPRS -> Wireshark
No encryption
No users
Transport – cell
USRP HW
Server
• Car interface
– Proprietary protocol
• ASN.1 – Turing complete
• GPRS, EDGE, SMS and data over voice
– “We use a Private APN”
• Generic Routing Encapsulation
• Node to Node communication
• Operator web application
• Smartphone interface: REST/JSON
Client - browser
• Web application – no news – move on – there is nothing to see
– DriveBy Trojan Download & Install
• Starring Windows
• Guest appearance by Mac OSX
Client – smart phone
• Few real vulnerability tests performed
• iOS
– Continuous Jailbreak
– iOS 5.0.1 - iPhone 4GS and iPad2
– iOS 5.1 – iPad3
• Android
– Rogue apps
– Android Market - ‘Bouncer’
Conclusion
• All components are possible targets
• Very few have the complete picture
• Activity in the security arena
• This is going to get worse before it gets better
– 2012 models CAN bus is unprotected
– New tools arriving every day
– Larger attack surface than ever
• Use fast shoes
What’s to come?
• “Internet of Things”
The Future
• Telematics
– M2M
– “integrated use of telecommunications and informatics”
The Future
Prescription medication
Insulin pump
The Future
ABB IRB 6640 Industrial robot
The Future
Three Gorges Infrastructure - SCADA – Stuxnet
The Future
Home Metering Unit - SmartGrid
270 000 HMU using ZigBee
References
• http://www.autosec.org/publications.html
• http://www.isecpartners.com/storage/docs/presentations/isec_bh2011_war_texting.pdf
• http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf
• https://srlabs.de/blog/wp-content/uploads/2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf
• http://events.ccc.de/camp/2011/Fahrplan/attachments/1868_110810.SRLabs-Camp-GRPS_Intercept.pdf