# BACKDOORING A CAR AND OTHER HEADUNIT SECURITY THINGS

Alexey Sintsov (@asintsov, [email protected]), DEFCON RUSSIA DC#7812

Posted on 14-Jul-2015


TRANSCRIPT


# Why are we interested?

Let’s do it…

• Navigation for cars
  • Maps
  • REST API services
    • Traffic
    • POI
    • Even road angle degree
    • And more
• RDS traffic data supplier
• Embedded software
  • Middleware
  • UI Clients
  • … and more
• 3D maps for self driving cars

# Why security?

• How can OUR software impact car security?

vs.

• How do other components affect our security?

# Backdoor?

Backdoor – unauthorized remote access to the car’s headunit or other components.

It’s what you want to do after exploiting any vulnerability…

# Backdoor for a car

• Find a reason why you need a backdoor
• Find a way to deploy a backdoor
• Find a way to get control

# Backdoor for a car

Reasons

• Monetization?
  • CC/Banking -- LOW
  • BT Mining -- LOW
  • Botnet -- LOW
  • Thief Auto -- ???
• Targeted attack
  • Police/Gov -- HIGH (Legal Backdoor)
  • Spying -- ???
  • Killing (WTF?) -- ???

We do not know HOW to use it and WHY we need it.

# Backdoor for a car

Reasons

Backdoor is unauthorized remote access to the HeadUnit:

• You know where your target is
• You can control some elements:
  • Light
  • Radio
  • Door locks
  • Navigation routes
    • For self driving cars…
  • Other – depends on the internal network design
    • ABS, Engine, etc. (Easy! Easy!)
• CPU usage
• Privacy and valuable data

# Break in

Car Security = IoT Security?

# Break in

Attack surface – I/O

• Wireless components and ECUs
  • Long Radio:
    • GSM/UMTS
    • Radio/RDS
    • GPS
  • Short Radio:
    • WiFi/Bluetooth
    • TPMS
    • Keyless lock/start
  • Radars/Sensors/Cameras
• HeadUnit
  • Software components
    • WEB Browser
    • MP3/etc
    • RDS
    • Applications/Connected Car services
    • etc
  • Service/diagnostic ports
  • Local I/O
    • CAN interfaces on HU
    • Ethernet
    • etc
  • etc

Security angles over this surface:

• Internet services security
• Client-side security… and even data/file format
• Spoofing/injection/sniffing and fuzzing
• Also for LPE

# Car Security is like…

… MOBILE + SMART GRID/SCADA security

… even with AppStore!

# Break in

Simple backdoor? (Same attack surface as above.)

# Break in

Designed RA? (Same attack surface as above.)

# BMW MiTM

Can we do the same without MiTM?

- No, we can’t…

© TRUE HARDCORE WHITE-HAT GUYS

# Automotive industry

Same story with software… ;)

# More hacks…

Just use online search…

# Big world

One platform, different software…

• Windows
• QNX OS
• Linux

DEP? ASLR?

# With one rule them all…

WINDOWS – one platform, different software…

HARMAN – one platform, different software…

• ARM/Tegra
• QNX OS

DEP? ASLR? Canaries?

- Yes and NO

# HARMAN

Toyota

# Deploy a backdoor (as a binary)

Other vectors

• Vulnerabilities in the software update mechanism
• Importing files from USB/SD
• Browser client-side RCE bugs
• RCE bugs in other components (RDS, etc.)

# Deploy a backdoor (as a binary)

Tasks

• Penetration vector
  • RCE bugs, etc.
• Find a RW place on the HU
  • Re-use of update services
  • Badly mounted memory
  • LPE bugs
• Find a way to auto-run
  • How to change cron (or similar) jobs?
  • DLL/SO hijacking
• Find a way to connect to C&C via the Internet
  • Local VPN configs/keys
  • Route table
  • Proxy settings

# Car WORM??

Is it possible?

• All HU in one network segment? (Worm)
• If you hack the Internet proxy? (Spreading)
• If you hack the ConnectedCar API server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File infection)

Ahh… Come on!

# LPE

Tasks

• Bugs in local services
  • From user to root
• From HU to ECU
  • Bugs in ECU
  • Local services usage
  • Normal ECU control usage – sending commands (like SOME/IP)

# Hardening

Defense

• No RW places for a backdoor
• Process list and config control and integrity
• Encrypted storages (key chains) *
• Local network segmentation
  • HU does not need access to some components
• Update mechanism/design for software (good example – BMW)
• 3rd party developers – need to know what they are doing *
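The "no RW places" and "configs control and integrity" items made concrete, as an added example that is not from the talk: a hash manifest of the paths a backdoor would need for persistence (the cron-job and SO-hijacking paths listed in the deploy section), re-checked for drift. The watched directory names and the file contents are constructed for the demo.

```python
"""Baseline-and-verify check for head-unit config, autorun and library paths
(added example, not from the talk). Every file under the watched directories is
hashed; a later run reports files added, removed or modified since the baseline.
The directory layout and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile


def build_manifest(root, watched):
    """Map relative path -> sha256 hex digest for every file under watched dirs."""
    manifest = {}
    for sub in watched:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return sorted (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a fake HU root, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    watched = ["etc/cron.d", "usr/lib", "etc/services.d"]  # assumed watch list

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    write("etc/cron.d/nav-update", b"0 3 * * * nav /opt/nav/update.sh\n")
    write("usr/lib/libnav.so", b"\x7fELF original library image\n")
    write("etc/services.d/hmi.conf", b"restart=always\n")
    baseline = build_manifest(root, watched)
    # Drift a persistence attempt would leave: a new autorun job appears and a
    # shared object is replaced (the cron-job and SO-hijacking items from the talk).
    write("etc/cron.d/zz-unknown", b"*/5 * * * * root /tmp/unknown\n")
    write("usr/lib/libnav.so", b"\x7fELF replaced library image\n")
    return diff_manifests(baseline, build_manifest(root, watched))
```

On a real unit the baseline would be taken from a known-good image and the verifier run from storage the HU cannot write to, or the check guards nothing.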

# Security market

Defense

• IPS for CAN
• Trusted and hardened HU/OS
• Encryption for CAN/ECU/internal traffic
• IPS for internal wireless/network
• moarrr …
• AV for car?
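The "IPS for CAN" item reduced to the two checks a gateway between the HU and the vehicle buses can actually run, as an added example that is not from the talk: an allowlist of arbitration IDs and a per-ID nominal period, so an unknown ID or a burst far above an ID's normal rate raises an alert. The IDs, periods and candump-style log lines are constructed for the demo, not real vehicle data.

```python
"""Policy-based detector for CAN frames at a head-unit gateway (added example,
not from the talk). Check 1: only allowlisted arbitration IDs may pass. Check 2:
each ID has a nominal period, so a burst far above its normal rate is flagged as
probable injection. IDs, periods and log lines are constructed for the demo."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")
POLICY = {0x1A0: 0.100, 0x2C0: 0.050, 0x3E8: 1.000}  # id -> nominal period (s)
BURST_FACTOR = 4  # alert when the observed rate exceeds 4x the nominal rate


def parse_line(line):
    """Parse a candump-style line into (timestamp, iface, can_id, payload) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, iface, can_id, payload = m.groups()
    return float(ts), iface, int(can_id, 16), bytes.fromhex(payload)


def inspect(lines, policy=POLICY, window=1.0):
    """Return (timestamp, can_id, reason) for each frame that violates policy."""
    alerts, seen = [], defaultdict(list)  # seen: id -> timestamps inside window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skipped here, worth logging in practice
        ts, _, can_id, _ = parsed
        if can_id not in policy:
            alerts.append((ts, can_id, "id not allowlisted"))
            continue
        times = seen[can_id]
        times.append(ts)
        while ts - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) > BURST_FACTOR * window / policy[can_id]:
            alerts.append((ts, can_id, "rate exceeds nominal"))
    return alerts


# Constructed log: steady 0x1A0 traffic, one unknown ID, and a 0x3E8 burst
# (nominal 1 frame/s) that crosses the 4x threshold on its fifth frame.
SAMPLE_LOG = [
    "(1436860800.000000) can0 1A0#1122334455667788",
    "(1436860800.100000) can0 1A0#1122334455667788",
    "(1436860800.150000) can0 555#00",
] + ["(1436860800.%06d) can0 3E8#01" % us for us in range(200000, 450000, 50000)]
```

The same two checks also express the segmentation point above: IDs the HU has no business seeing simply never enter the allowlist.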

# Future

Targets for future research

• Remote exploits for the browser and the car’s APPs
  • Including attacks on ConnectedCar design/implementation
  • …and Car2Car design and implementation… etc.
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits (from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
  • Fake signs
  • Radar/LIDAR data spoofing
• All possible mixes 8)

And even more… it’s a BIG area and a lot of things can happen 8)

# FIN

[email protected] @asintsov