who killed my parked car? - stanford...
TRANSCRIPT
![Page 1: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/1.jpg)
+Who Killed My Parked Car?�
Faculty: Kang G. Shin Grad students: Kyong-Tak Cho, Arun Ganesan,
Daniel Chen, Mert Pese
The University of Michigan
![Page 2: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/2.jpg)
+Vehicle Cyber Attacks
Security Risks!
Remote Access Points
In-Vehicle Networks
![Page 3: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/3.jpg)
+Vehicle Cyber Attacks
Source: K. Koscher et al, “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10
![Page 4: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/4.jpg)
+Attacks Possible/Effective on Parked Cars?
Integrity/Authenticity/… Availability
Ignition ON
Ignition OFF
• Koscher et al. [S&P’10] • Checkoway et al. [USENIX Sec’
13] • Miller et al. [Defcon’13,
BlackHat’14, BlackHat’15] • Cho and Shin [USENIX’15, CCS’
17] • …
• Cho and Shin [CCS’16]
• …
? ? ? Is it even possible/effectiv
e to attack a vehicle when its
ignition is OFF?
![Page 5: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/5.jpg)
+
“Sleep Mode” ! Extremely low current (u
A) ! Can be awakened !!!
Waking up ECUs
Reference: hollisbrothersauto
Reference: Lexus
![Page 6: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/6.jpg)
+CAN Transceivers with Wake-up
![Page 7: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/7.jpg)
+Standardized Wake-up
![Page 8: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/8.jpg)
+Standardized Wake-up
![Page 9: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/9.jpg)
+
Terminal 30 ECUs’ consumption in Sleep Mode: 3
0mA
Max. # days in Sleep Mode: 41 days
“Can an attacker increase this
power consumption?”
Battery life…
![Page 10: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/10.jpg)
+Threat Model
OBD-II devices: Some have external power supply, e.g., battery)
Telematic Units: These are considered to be the most “vulnerable” one!
" An adversary has remote access to CAN bus and can
control
![Page 11: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/11.jpg)
+Two Novel (Immobilization) Attacks�
Battery Drain
Attack
Denial-of- Body contro
l Attack
![Page 12: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/12.jpg)
+
Zzzz…..
Attack 1: Battery Drain Attack
Inject CAN message!
• Bus wake-up via simple signal patterns? GOO
D!
• Fast “standardized” wake-up mechanism nee
ded? EVEN BETTER!
• How can the attacker drain the vehicle batter
y?
![Page 13: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/13.jpg)
+Battery Drain Attack
Multimeter
Laptop
Car Battery
Experiment on
2017 Year-model
Vehicle
![Page 14: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/14.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up HSCAN, MSCAN 40mA 12.5 days
Change power mode 75mA 8.3 days
Unlock/lock driver’s door 100mA 5 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 15: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/15.jpg)
+Battery Drain Attack
In our 2017 year-model test vehicle, when attemptin
g to wake up ECUs
![Page 16: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/16.jpg)
+Battery Drain Attack
![Page 17: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/17.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 75mA 8.3 days
Unlock/lock driver’s door 100mA 5 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 18: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/18.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 75mA 8.3 days
Unlock/lock driver’s door 100mA 5 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 19: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/19.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 74.5mA 5.02 days
Unlock/lock driver’s door 100mA 5 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
While the ignition is off…
![Page 20: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/20.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 74.5mA 5.02 days
Unlock/lock driver’s door 100mA 5 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 21: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/21.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 74.5mA 5.02 days
Unlock/lock driver’s door 101.1mA 3.7 days
Open trunk 150mA 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 22: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/22.jpg)
+Battery Drain Attack
Control Drained Current
Max #days with ignition off*
(None) 12.2mA 30.7 days
“Parasitic Drain” threshold : 30mA
Wake up ECUs 42.0mA 8.92 days
Change power mode 74.5mA 5.02 days
Unlock/lock driver’s door 101.1mA 3.7 days
Open trunk 153.3mA 2.44 days
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
![Page 23: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/23.jpg)
+
What do people normally do before starting their car
?
Probably…
1) Open the door
2) Start the car (change in power mode…)
3) Or perhaps… open the trunk!
Driver-context-based Reverse Engineering�
Q. How do we know which message ID to use in order to control such functions?
=> Driver-Context-Based Reverse Engineering
![Page 24: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/24.jpg)
+Driver-context-based Reverse Engineering�
Q. How do we know which message ID to use in order to control such functions?
=> Driver-Context-Based Reverse Engineering
[Ignition OFF]
CAN traffic (~30 msgs)
[Ignition ON]
CAN traffic (~60 msgs)
Compare traffic!
![Page 25: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/25.jpg)
+Battery Drain Attack
In other vehicles…
2008–2017 model-year (compact and mid-size) sedans, coupe, crossover, PHEV (Plug-in Hybrid Electric Vehicle), SUVs, truck, and an electric vehicle
![Page 26: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/26.jpg)
+Some Example Vehicles
![Page 27: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/27.jpg)
+Attack 2: Denial-of-Body control Attack
RFA BCM
“Remote Keyless Entry (RKE) System”
![Page 28: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/28.jpg)
+CAN Protocol : Error Handling
Error Active
Error Passive
Bus Off
TEC > 127 (or) REC > 127
TEC > 255Reset (Auto/Manual)
TEC ≤ 127 (and) REC ≤ 127
• Disconnection from bus • Shutdown of entire system
![Page 29: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/29.jpg)
+CAN Protocol : Error Handling
ISO 11898
"A node can start the recovery from
bus-off state only upon a user request.”
! Depends on the Software Config.
![Page 30: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/30.jpg)
+Denial-of-Body control (BoD) Attack " One simple procedure (of many others…)
1. Wait for all ECUs to go to sleep after ignition is OFF
2. Wake up ECUs
3. Change bit rate (e.g., 500kbps #250 kbps)
" Consequence
1. All awakened ECUs on the bus continuously experience and incur errors
2. All enter the bus-off state, i.e., shut-down
3. Depending on the software configuration, some ECUs recover from the bus-off state
whereas some don’t…
![Page 31: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/31.jpg)
+Denial-of-Body control (BoD)Attack
In our 2017 year-model test vehicle,
RCM (Remote Control Module) did not recover from the bus-off, i.e., remained shut down
most probably due to its distinct recovery policy configuration (perhaps for anti-theft/engine-immobilizer purposes).
![Page 32: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/32.jpg)
+Denial-of-Body control (BoD)Attack " Symptoms
1) Remote key does not work (even attempting with its RFID)
2) Door cannot be opened
3) Trunk does not open/close
" Problems… 1) Vehicle owners won’t even know what
happened
2) They cannot even start the car
3) Maybe, the car has to be towed
4) Order a new key fob
![Page 33: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/33.jpg)
+Denial-of-Body Attack
The key was with us inside the car!
Not even injecting any msg right now…
![Page 34: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/34.jpg)
+Conclusion
" Wake-up function is there for the attacker to use which is too easy/simple…
" Vehicle ECUs can not only be “awakened” but also be “controlled/attacked”, while the ignition is off…
" State-of-the-art defense schemes do not consider such a possibility
" Possibility of “immobilizing” or shutting down an ECU “forever(?)”
![Page 35: Who Killed My Parked Car? - Stanford Universityiot.stanford.edu/nsf-final/slides/sitp-nsf-final-parked.pdfWho Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho,](https://reader034.vdocuments.net/reader034/viewer/2022050115/5f4bfc8bab80685cc23e09c8/html5/thumbnails/35.jpg)
+
Thank you!