Projects:2019s1-105 Hacking CAN Bus

Revision as of 22:23, 31 May 2019 by A1685544

Utilising a Vehicle Testbed Environment to Develop Deceptive CAN Bus Attacks

Introduction

Modern cars have multiple dedicated computers that control all of the car’s operations, such as the engine, braking, steering and entertainment. These computers are called electronic control units (ECUs) and communicate primarily over the CAN bus, a highly vulnerable serial network protocol.

Cyber security concerns surrounding these vehicles are increasing, particularly with the introduction of Wi-Fi and other wireless vehicle services. Using these wireless services, adversaries can find their way onto the CAN bus and gain control of the vehicle. In a different scenario, infiltrating a vehicle and connecting a device to subtly alter a vehicle’s display information, without any overt consequences, may result in an unaware user who, at best, might have a slight suspicion.

The research presented in this paper discusses this type of security threat and the mistrust it can cause. The intent of the research is to assert the usefulness of a testbed environment in exploiting the vulnerabilities of the CAN bus protocol by developing and weaponizing a deceptive man-in-the-middle type attack.

Definitions and Abbreviations

  • CAN - Controller Area Network
  • ECU - Electronic Control Unit
  • MITM - Man-in-the-Middle
  • MOTS - Man-on-the-Side
  • OBD - On Board Diagnostics


Research Questions

  • What are the benefits and limitations of a testbed environment for research in automotive security?
  • How can the vulnerabilities of the CAN bus protocol be exploited in a testbed environment to perform targeted and deceptive attacks?
  • What are the advantages and disadvantages of MOTS compared to MITM attack architectures?


Related Work and Motivation

To be filled...

Objectives

The research aims to:

  • Discover and exploit CAN vulnerabilities to create attacks that are subtle and deceptive
  • Demonstrate and evaluate the attacks’ abilities to deceive or financially burden the victim
  • Implement these MITM and MOTS attack architectures on the testbed
  • Evaluate the vulnerabilities, threat scenarios and defence mechanisms
  • Highlight the usefulness of the testbed environment in developing CAN bus attacks


The extended objectives are to:

  • Create an attack framework for the implementation of the research on other vehicle models and manufacturers
  • Weaponise the attack in a small standalone hardware form factor


Method

The research objectives will be achieved through the following method.

1. Identify the CAN message IDs associated with a vehicle dashboard function by reverse engineering the CAN bus message dumps collected from real-world data.
2. Create a systematic set of experiments to determine effective use of the CAN message in a deceptive attack.
3. Implement and demonstrate the attack in MOTS and MITM architectures in the testbed environment.
4. Create a device capable of executing all of the attacks by connecting:
   a. To the OBD-II port for the MOTS architecture
   b. Between the dashboard and wiring loom for the MITM architecture


Current and Expected Results

The testbed used in this research was created by former honours students of the University of Adelaide in 2018 and consists of four main ECUs and a dashboard from a 2016 Mazda2 [9]. By playing back real CAN data onto the testbed, gathered from logging CAN communications while driving, the CAN message ID that relates to the dashboard’s odometer reading was identified. This is an undocumented finding that was used to develop a targeted MOTS attack by increasing the odometer reading.

To develop a MITM attack, the real-time message handling architecture presented in [8] shall be used. The aim will be to incorporate speedometer and dashboard indicator attacks in both architectures and develop frameworks for attacking vehicles of other manufacturers. The results will be verified in a more realistic environment using two devices: one to transmit simulated driving messages and the other to read and send malicious messages. A potential complication is how the simulated driving messages will be competing on the CAN bus with the malicious injected messages.
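
The competition between legitimate and injected messages noted above is also what a defender can measure: a second sender on a periodic CAN ID makes the inter-arrival gap for that ID collapse. The following is an added example, not the project's code; the log lines, the CAN IDs 0x123 and 0x2A0, and the 0.5 threshold are constructed assumptions.

```python
import re
from statistics import median

# Constructed capture in can-utils `candump -l` log format. IDs 0x123 (100 ms
# period) and 0x2A0 (200 ms) are made-up placeholders, not real Mazda2 IDs.
CLEAN = """\
(0.000000) can0 123#00001000
(0.050000) can0 2A0#11
(0.100000) can0 123#00001000
(0.200000) can0 123#00001001
(0.250000) can0 2A0#11
(0.300000) can0 123#00001001
(0.400000) can0 123#00001001
"""
# Same traffic plus two constructed extra frames from a second sender on 0x123.
SUSPECT = CLEAN + "(0.120000) can0 123#00002000\n(0.320000) can0 123#00002001\n"

FRAME = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)$")

def parse(log):
    """Return frames as (timestamp, can_id, payload) tuples sorted by time."""
    hits = (FRAME.match(ln.strip()) for ln in log.splitlines())
    return sorted((float(m[1]), int(m[2], 16), bytes.fromhex(m[3])) for m in hits if m)

def gaps_by_id(frames):
    """Map each CAN ID to a list of (timestamp, gap, payload_changed)."""
    last, gaps = {}, {}
    for ts, cid, data in frames:
        if cid in last:
            prev_ts, prev_data = last[cid]
            gaps.setdefault(cid, []).append((ts, ts - prev_ts, data != prev_data))
        last[cid] = (ts, data)
    return gaps

def learn_periods(frames):
    """Baseline: median inter-arrival time per ID from a known-clean trace."""
    return {cid: median(g for _, g, _ in v) for cid, v in gaps_by_id(frames).items()}

def detect(frames, periods, ratio=0.5):
    """Flag frames arriving sooner than ratio * baseline period for their ID."""
    alerts = {}
    for cid, v in gaps_by_id(frames).items():
        hits = [(ts, chg) for ts, gap, chg in v
                if cid in periods and gap < ratio * periods[cid]]
        if hits:
            alerts[cid] = hits
    return alerts

if __name__ == "__main__":
    print(detect(parse(SUSPECT), learn_periods(parse(CLEAN))))
```

Each alert carries the frame timestamp and whether its payload differs from the previous frame on that ID, which separates a conflicting second sender from a harmless retransmission.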


References

[1] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, “Experimental security analysis of a modern automobile”, 2010 IEEE Symposium on Security and Privacy, 2010, pp. 447–462.
[2] R. Currie, “Hacking the CAN Bus: Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering”, 2017, [Online]. Available: https://www.sans.org/reading-room/whitepapers/threats/paper/37825
[3] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, “Comprehensive experimental analyses of automotive attack surfaces,” Proceedings of the 20th USENIX Conference on Security, ser. SEC’11. Berkeley, CA, USA: USENIX Association, 2011, pp. 6-6.
[4] C. Miller and C. Valasek, “Remote Exploitation of an Unaltered Passenger Vehicle”, 2015, [Online]. Available: http://illmatics.com/Remote%20Car%20Hacking.pdf
[5] A. Hazem and H.A.H. Fahmy, “LCAP - A Lightweight CAN Authentication Protocol for Securing In-Vehicle Networks”, 2012, [Online]. Available: http://eece.cu.edu.eg/~hfahmy/publish/escar2012.pdf
[6] A.I. Radu and F.D. Garcia, “LeiA: A Lightweight Authentication Protocol for CAN”, in Proc. Int. Conf. Eur. Symp. Res. Comput. Security, 2016, pp. 283–300.
[7] B. Boldt, “Automotive Security in a CAN”, 2017, [Online]. Available: https://www.electronicdesign.com/automotive/automotive-security-can
[8] A. Lebrun and J.C. Demay, “CANSPY: a Platform for Auditing CAN Devices”, 2017, [Online]. Available: https://www.blackhat.com/docs/us-16/materials/us-16-Demay-CANSPY-A-Platorm-For-Auditing-CAN-Devices-wp.pdf
[9] L. Oliveira, M. Pfeiffer, T. Taziva, A. Frishling, B. Cooney, D. Coscia and M. Sorell, “The challenges of building a testbed environment for security and vulnerability analysis of internal communication networks in vehicles,” 4th Interdisciplinary Cyber Research Workshop, 2018.



Project Team

Student Researchers

Stefan Smiljanic

Charlie Tran


Project Supervisors

Dr. Matthew Sorell

Aaron Frishling (DSTG)

Bradley Cooney (DSTG)

Daniel Coscia (DSTG)