
Post on 24-Dec-2015


Caleb Walter

Covert Channels in Electronic Car Chargers

• iPhone style charger Malware channel

• Exploit Vehicle CAN network

• Create Covert Channel at Public Charging Stations

• Custom Arduino CAN EVSE

Basic Concept

• Three Georgia Tech researchers designed charger in 1 week

• Normal chargers only contain transformers

• This charger contains small computer running Linux

iPhone Malware Charger

• Linux delivers payload when phone is plugged in

• Must be unlocked by user

• Takes advantage of multiple Apple security flaws

• UDID query to send to Apple web page

• Bypassed app vetting by hiding malicious code using covert channel

iPhone Malware Charger (Cont.)

• Development began in 1983 at Robert Bosch GmbH

• Officially Released in 1986 by SAE in Detroit.

• First CAN Chips produced and installed in 1987

• Intel

CAN bus History

• CAN 2.0 designed and released in 1991

• Improved CAN Data Link Layer in 2012

• CAN FD – ISO 11898-1

• CAN 2.0 included in all OBD II Vehicles

• OBD II mandatory for all cars and trucks sold in the USA since 1996

CAN Bus History

• Controller Area Network

• Message Based Protocol for vehicles

• Allows microcontrollers and devices to communicate without host computer

Vehicle CAN Basics

• CAN Standard Format

• 11-bit Header ID for Manufacturer Proprietary protocols

CAN Format

• SOF – Start of Frame

• Identifier – UID w/ Priority

• RTR – Remote Transmission Request

• IDE – CAN vs. CAN Extended

• DLC – Data Length Code (This is the Payload Location)

• CRC – Cyclic Redundancy Check

• ACK – Acknowledge

• EOF – End of Frame

CAN Frame

CAN Bus Network

• Electronic Control Units:

• Control various parts of the vehicle's electronics

• Engine Control

• ABS

• Radio

• Doors

• Reprogrammable for Manufacturer Updates

ECUs

• 8 Bytes available to modify in Data Code Frame

• Hide coding within Data Layer through basic Obfuscation Technique

• Can pass along payloads or other messages with this 8 byte space

The Covert Channel

• When vehicle plugs in to charge, various data transmissions happen

• OBD II ECU to Charging Station Computer

• CAN Network messages exchanged between Battery ECU and Charger Computer

Charging Handshake for Electronic Cars

• Custom Arduino/Raspberry Pi/BeagleBoard

• Plugged into EV Charging station via Cat5 Communication Port

• Injects custom code into EV Handshake

• CAN Controller Libraries for Code

• MCP2515

• SPI

Hacking the Charger

• Interrupts Handshake ECU process with

• Obfuscates code to prevent Message Anomaly Detection and CRC check

• Transmits message through SAE J1772 Charger Port

Hacking the Charger (Cont)

• Can potentially modify any ECU Controlled system in the car

• Make Radio display custom messages

• Max out Speedo and Tacho even when sitting

• Cut Brakes (Not recommended…)

Extra Fun!

• 8416 Electronic Charging Stations in USA

• Most Charging Stations use the same CAN and ECU checks

• Most also use same charging type and plug type

• 67,295 Electronic Vehicles in the US

• May 2013 Statistics

Potential Outreach

• Firewalls within the CAN Network

• Vehicle IPS for CAN Network

• Physical Intrusion Detection on EV Charger

• CAN Bus update for slack code prevention

Potential Prevention
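
A sketch of the "Firewalls within the CAN Network" and "slack code prevention" bullets, added here as an example and not taken from the slides: a gateway on the charge-port segment that passes only allowlisted IDs with the specified DLC and no bits set outside the defined signals. The IDs, masks, rule table and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic CAN data frame as a gateway sees it: 11-bit ID, DLC, up to 8 data bytes. */
struct can_frame_std { uint16_t id; uint8_t dlc; uint8_t data[8]; };

/* Per-ID policy: expected DLC and which payload bits carry defined signals. */
struct can_rule { uint16_t id; uint8_t dlc; uint8_t used_mask[8]; };

enum verdict { PASS = 0, DROP_UNKNOWN_ID, DROP_BAD_DLC, DROP_SLACK_BITS };

/* Hypothetical allowlist for the charge-port segment (IDs and masks are constructed). */
static const struct can_rule charge_port_rules[] = {
    { 0x1A0, 4, { 0xFF, 0xFF, 0x0F, 0x01 } },  /* charger status  */
    { 0x1A1, 2, { 0xFF, 0x03 } },              /* current request */
};

enum verdict check_frame(const struct can_frame_std *f)
{
    size_t n = sizeof charge_port_rules / sizeof charge_port_rules[0];
    for (size_t i = 0; i < n; i++) {
        const struct can_rule *r = &charge_port_rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            return DROP_BAD_DLC;
        /* A bit set outside the defined signals is unused ("slack") payload space. */
        for (uint8_t b = 0; b < r->dlc; b++)
            if (f->data[b] & (uint8_t)~r->used_mask[b])
                return DROP_SLACK_BITS;
        return PASS;
    }
    return DROP_UNKNOWN_ID;  /* default deny: ID is not on the allowlist */
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const struct can_frame_std samples[] = {
        { 0x1A0, 4, { 0x12, 0x34, 0x05, 0x01 } },  /* conforms to policy */
        { 0x1A0, 4, { 0x12, 0x34, 0xF5, 0x01 } },  /* undefined bits set in byte 2 */
        { 0x1A1, 8, { 0x10, 0x01 } },              /* longer than specified */
        { 0x300, 8, { 0x02, 0x01, 0x0C } },        /* ID not expected on this segment */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("id=0x%03X verdict=%d\n", (unsigned)samples[i].id, (int)check_frame(&samples[i]));
    return 0;
}
```

A filter like this only constrains unused payload space; values hidden inside a legitimate signal's range still need rate and plausibility checks in the IPS layer.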

• Target most popular Charging Stations in US

• Implement Arduinos into EV Stations

• Infect/Pass communication between as many cars as possible.

Implementation Goal

• http://www.net-security.org/malware_news.php?id=2548

• http://en.wikipedia.org/wiki/CAN_bus#Data_transmission

• http://www.afdc.energy.gov/fuels/electricity_locations.html

• http://www.eia.gov/tools/faqs/faq.cfm?id=93&t=4

Sources
