Projects:2018s1-105 Cyber security - Car Hacking
The Challenges of Building a Universal CAN Bus Emulation Testbed Environment for Security and Vulnerability Analysis of Internal Networks in Vehicles:
Introduction
Since 1991, the CAN Bus protocol has become the most commonly used diagnostic and data transfer system in vehicular systems. These include car networks, marine applications and push-bicycles with electronic gear-shifting. The lack of built-in security and the very nature of the CAN bus protocol in an ever-evolving digital world present problems for manufacturers, consumers and other stakeholders as digital security becomes more relevant. Hence it is quickly becoming beneficial to be able to easily test CAN-equipped systems.
Testing a CAN bus in a real-world environment can be dangerous and costly as it generally involves working with a vehicle. A well laid out testbed is safer, more portable and removes the limit of working exclusively with one vehicle.
This project intends to investigate the security issues of modern vehicles by designing and developing a testbed which will be able to accurately simulate a motor vehicle. The testbed allows us to verify and demonstrate attacks and vulnerabilities and discuss defence mechanisms. By adding virtualised components to the testbed, the project can evolve into a highly flexible testbed which can motivate new cyber research or be extended to work with other vehicles.
Research Question
How can a testbed facilitate simpler investigation of vehicular security and make attacks and new research on car security more accessible? How will a virtual and physical testbed environment help to improve security? A flexible tabletop solution with plug-and-play functionality will allow nodes to be added without complication. A portable testbed allows the vehicle environment to be simulated without needing the entire vehicle. The testbed will also eliminate the financial risk associated with tests on a full vehicle.
Previous Work
Previous work such as [1] and \cite{Checkoway_Comprehensive_Exp} has used an entire vehicle as the testing environment and used specific methods to execute the attacks. [2] connects to the CAN bus via a laptop through the OBD-II port or arranges the rewriting of firmware on a vehicle component, and \cite{Checkoway_Comprehensive_Exp} uses the CD player, Bluetooth and cellular interfaces as attack vectors. There are other well-known attacks, such as \cite{JeepHack}, that demonstrate the ability to hack a full vehicle.
Objectives
The primary objective of the project is to build and use a vehicle testbed and demonstrate proven CAN bus and vehicle attacks on the testbed.
Reaching this objective will allow us to begin investigating attacks on commercial vehicle control systems and internal networks, and to learn about attack vectors in modern vehicles and the security implications of these attacks. Recent work on full-vehicle attacks dates back to 2011, aside from the Jeep hack \cite{JeepHack}, which went through a specific firmware vulnerability in 2015. With our testbed vehicle only dating back to 2016, we will confirm whether attacks from 2011 are still relevant or whether manufacturers have acted on the discovered vulnerabilities in their vehicles. We will also consider refining the testbed by creating a modular system that can be adapted for use in any vehicle. We can expand this further so that nodes can be added in a plug-and-play style, allowing more in-depth analysis of the CAN Bus and other networks.
For example, once we learn how the basic system operates, we could attach a Bluetooth module to the testbed, learn the Bluetooth protocol and demonstrate a simple Bluetooth instruction injection attack.
The testbed aims to make vehicle security research more accessible to other applications which can allow developments to happen faster.
The project lends itself to further objectives, including compiling a list of detection methods for the attack vectors on the CAN platform in the vehicle hacking context. The ability to detect an attack taking place on the CAN bus will enable further research to be conducted using the testbed with a focus on defence measures and implications, as outlined in Future Work.
Method
We intend to build a simulated car in a workbench environment to research automotive security concepts. We aim to achieve our objectives through the following means:
- Scope out an appropriate minimum level of table-top vehicle functionality to enable research and demonstration of these attacks.
- Include devices that would be appropriate to have to simulate a real vehicle's operation (ECUs and sensors) as well as actuators and components to provide interactive and visible capabilities (dash gauges, door locks, pedals/levers)
- Scope out the potential avenues through which common attacks may be performed against vehicles
- Design an appropriate configuration for deploying and interacting with the testbed
  - Neat/well presented, but with the ability to change over components and tap into communications.
  - Reasonably representative of how the components are configured/connected in real systems
- Demonstrate operation of testbed as a functional, simulated vehicle operating as intended. This will be done by demonstrating existing and new attacks.
- Demonstrate previously researched attacks on the testbed to verify the state of security in our vehicle.
- Develop techniques to detect attacks after exposing vulnerabilities based on demonstrated attacks.
Current and Expected Results
We have acquired core components of a common 2016 mass production car. Using wiring diagrams from the vehicle manufacturer, we were able to identify communication wires and relay switch inputs which power the testbed and allow it to function as if still in a vehicle.
We expect to be able to construct a testbed with plug-and-play functionality. The testbed will use common connections assigned to inputs common to most vehicle components (such as power, the CAN bus, etc.). We expect to demonstrate previously established attacks using the testbed, with a focus on the CAN bus framework, and to analyse end-user impact. Examples include attacks that affect the performance or control of a vehicle with minimal physical interaction. This should allow us to replicate the results achieved by previous research in an environment which is more accessible and easier to control.
Challenges / Risks / Mitigations
Connector and loom standardisation; To implement a "plug-and-play" format for the testbed, we will standardise the connections to essential input/output ports from different components to an agreed pin layout on a common connector.
Simulating sensors, actuators, relays and other inputs and outputs; Certain vehicle components require signals from sensors in order to function correctly. A prototyping device, such as a Raspberry Pi or Arduino, will simulate the behaviour of these sensor components, thereby making the overall testbed more compact and flexible. Extensive testing will be required to ensure the accuracy of the simulated signals.
The need for CAN bus monitoring and the ability to inject commands onto the bus; We need to have software to facilitate reading the CAN bus and diagnostics elements of the car. Ideally this can be addressed through the OBD-II port with a Raspberry Pi or computer software through USB.
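One way to approach the monitoring and attack-detection goals described above, as an added example that is not part of the original project page: a timing-based detector that learns each CAN ID's normal period from a clean capture and flags frames that break it. The `candump -L` log format (can-utils), the CAN IDs, the periods and the 0.5 threshold are assumptions, and all sample frames are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed input: candump -L log lines, "(timestamp) interface ID#HEXDATA" (classic CAN)
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Return (timestamp, can_id, payload bytes), or None for unparsable lines."""
    m = LINE.match(line.strip())
    if not m or len(m.group(4)) % 2 or len(m.group(4)) > 16:
        return None
    return float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def learn_periods(lines):
    """Median inter-arrival time per CAN ID, learned from a known-clean capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in filter(None, map(parse, lines)):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: median(g) for can_id, g in gaps.items()}

def detect(lines, periods, ratio=0.5):
    """Flag unknown IDs and frames arriving faster than ratio * learned period."""
    last, alerts = {}, []
    for ts, can_id, _ in filter(None, map(parse, lines)):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < ratio * periods[can_id]:
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts

# Constructed baseline: ID 0x244 every 100 ms, ID 0x1A0 every 50 ms.
BASELINE = [f"({100 + i * 0.1:.6f}) can0 244#00000000{i:02X}" for i in range(10)] + \
           [f"({100 + i * 0.05:.6f}) can0 1A0#{i:02X}FF" for i in range(20)]
# Constructed capture: one extra 0x244 frame plus an ID absent from the baseline.
CAPTURE = [
    "(200.000000) can0 244#0000000010",
    "(200.100000) can0 244#0000000011",
    "(200.120000) can0 244#00000000FF",  # only 20 ms after the previous 0x244 frame
    "(200.200000) can0 244#0000000012",
    "(200.250000) can0 5F3#0102030405060708",  # ID never seen in the baseline
]

if __name__ == "__main__":
    for alert in detect(CAPTURE, learn_periods(BASELINE)):
        print(alert)
```

Periodic-timing checks only cover IDs that are broadcast at a fixed rate; event-driven frames need a different baseline, such as payload ranges per ID.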
Ensuring we do not 'brick' the ECU or other components during code injection; Previous articles such as \cite{FuzzyHacks} and \cite{Checkoway_Comprehensive_Exp} have accidentally "bricked" the ECUs in their test environments while attempting code injection or reflashing of the ECU. Given our tight budget, extra caution will be taken to ensure the ECU(s) are not accidentally "bricked".
Taking the lessons learned and applying them to forensic, security, pentesting and other applications; With lessons learned about the architecture of internal car networks, we will have knowledge that can push us into other areas. These include forensics, where victims of car hacking could be identified. Whatever information we can find that is stored in non-volatile memory could also be incredibly useful in the forensic department \cite{Sorell_Apple_Watch}. Many deaths caused on roads could be investigated with better hindsight as to what components were communicating in the internal vehicle network at the time.
In future applications, we expect to be able to conduct extensive pentesting on the testbed. Many cars now include various external inputs which can potentially be vulnerable to attack. A plethora of potential attack vectors has been introduced rapidly through new technology in cars brought to market in the last few years.
Car security very much relies on the limited knowledge of the broad public, just as personal computers were once “secure by obscurity”. With people becoming more familiar with cyber security in connected applications, solutions to emerging threats will need to be implemented in vehicles before lives are put at risk.
Extended Objectives and Future Work
The testbed created aims to be robust and open-ended to allow for extensions to be implemented in later years. Future investigations and additions could include:
- Simulation of the vehicle in cyber ranges
- Adding new components to the existing modelled vehicle
- Learning signalling interfaces between devices for debugging or forensic purposes
- Reconfiguring the design by replacing components that could:
  - Change the make of the vehicle (from a sedan to a SUV from the same manufacturer)
  - Update the car from a 2015 model to a 2020 model for example
  - Emulate a different car (from a Toyota to a Mercedes for example)
- Extend the testbed, adding components that can detect and potentially protect against a variety of theoretical and practical attacks
References
@INPROCEEDINGS{Koscher2010Exp,
author={K. Koscher and A. Czeskis and F. Roesner and S. Patel and T. Kohno and S. Checkoway and D. McCoy and B. Kantor and D. Anderson and H. Shacham and S. Savage}, booktitle={2010 IEEE Symposium on Security and Privacy}, title={Experimental Security Analysis of a Modern Automobile}, year={2010}, volume={}, number={}, pages={447-462}, keywords={Automobiles;Automotive engineering;Computer networks;Computerized monitoring;Control systems;Pervasive computing;Roads;Safety;Security;Testing;Automobiles;communication standards;communication system security;computer security;data buses}, doi={10.1109/SP.2010.34}, ISSN={1081-6011}, month={May},}
@article{JeepHack,
title={HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT}, author={Y GREENBERG}, year={2015}, url={https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/},
}
@article{Damodaran_CyberRange,
author = {Damodaran, Suresh K. and Couretas, Jerry M.}, title = {Cyber Modeling \& Simulation for Cyber-range Events}, booktitle = {Proceedings of the Conference on Summer Computer Simulation}, series = {SummerSim '15}, year = {2015}, isbn = {978-1-5108-1059-4}, location = {Chicago, Illinois}, pages = {1--8}, numpages = {8}, url = {http://dl.acm.org/citation.cfm?id=2874916.2874983}, acmid = {2874983}, publisher = {Society for Computer Simulation International}, address = {San Diego, CA, USA}, keywords = {cyber range, cyber range event, logical range, modeling, simulation, training},
}
@INPROCEEDINGS{5613581,
author={L. Pridmore and P. Lardieri and R. Hollister}, booktitle={2010 IEEE AUTOTESTCON}, title={National Cyber Range (NCR) automated test tools: Implications and application to network-centric support tools}, year={2010}, volume={}, number={}, pages={1-4}, doi={10.1109/AUTEST.2010.5613581}, ISSN={1088-7725}, month={Sept}, url={http://ieeexplore.ieee.org/abstract/document/5613581/},
}
@INPROCEEDINGS{6956748,
author={B. Ferguson and A. Tall and D. Olsen}, booktitle={2014 IEEE Military Communications Conference}, title={National Cyber Range Overview}, year={2014}, volume={}, number={}, pages={123-128}, doi={10.1109/MILCOM.2014.27}, ISSN={2155-7578}, month={Oct}, url={http://ieeexplore.ieee.org/abstract/document/6956748/},
}
@inproceedings{Checkoway_Comprehensive_Exp,
author = {Checkoway, Stephen and McCoy, Damon and Kantor, Brian and Anderson, Danny and Shacham, Hovav and Savage, Stefan and Koscher, Karl and Czeskis, Alexei and Roesner, Franziska and Kohno, Tadayoshi}, title = {Comprehensive Experimental Analyses of Automotive Attack Surfaces}, booktitle = {Proceedings of the 20th USENIX Conference on Security}, series = {SEC'11}, year = {2011}, location = {San Francisco, CA}, pages = {6--6}, numpages = {1}, url = {http://dl.acm.org/citation.cfm?id=2028067.2028073}, acmid = {2028073}, publisher = {USENIX Association}, address = {Berkeley, CA, USA},
}
@electronic{Sorell_Apple_Watch,
author = {Rebecca Opie},
title = {Smartwatch data helped police make arrest in Adelaide murder case, court hears}, date = {29/3/2018, 5:47pm}, month = {March}, year = {2018}, accessed = {31/3/2018}, url = {http://www.abc.net.au/news/2018-03-29/smart-watch-data-helps-police-find-suspect-in-murder-case-court/9602832},
}
@inproceedings{FuzzyHacks,
language = {English}, copyright = {Compilation and indexing terms, Copyright 2018 Elsevier Inc.}, copyright = {Compendex}, title = {Car hacking identification through fuzzy logic algorithms}, journal = {IEEE International Conference on Fuzzy Systems}, author = {Martinelli, Fabio and Mercaldo, Francesco and Nardone, Vittoria and Santone, Antonella}, year = {2017}, issn = {10987584}, address = {Naples, Italy}, key = {Fuzzy logic}, keywords = {Computer crime;Control system synthesis;Fuzzy sets;Fuzzy systems;Network security;Personal computing;Vehicles;}, note = {Controller area network;Cyber-attacks;De facto standard;Electronic control units;Fuzzy algorithms;Fuzzy logic algorithms;In-vehicle networks;Security features;}, URL = {http://dx.doi.org/10.1109/FUZZ-IEEE.2017.8015464},
}
@electronic{BMW3mins,
author = {JAMES TITCOMB}, year = {2012}, date = {7 July}, title = {Alarming moment thieves silently steal BMW by programming a blank key that cost just £70 in new crime trend sweeping Britain}, URL = {http://www.dailymail.co.uk/news/article-2169857/Alarming-moment-thieves-silently-steal-BMW-programming-blank-key-cost-just-70.html},
}