Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II
Dale Peterson, Digital Bond, Inc. [email protected]
@digitalbond
Industrial Control Systems
Monitor and Control A Process
• Sensors measure temperature, current, speed, flow, …
• Actuators turn things on/off, heat/cool, mix, control flow, …
• Some are controlled by humans/operators
• Others maintain steady state or goal
• Additional safety systems prevent really bad things from happening
• Sound familiar?
Let’s Learn From Industrial Control System (ICS) Security Struggles and Save Decades of Insecurity in the Auto Industry
ICS Access = Compromise
• If an attacker can gain access to almost any SCADA, DCS or other type of ICS
– He can cause components to crash
– He can control the process
– He can change the process (Stuxnet)
– He can sometimes change the Safety System (Stuxnet)
ICS Protocols – Insecure By Design
Secure By Design
• Product goes through a Security Development Lifecycle (SDL)
– Microsoft and others provide resources on this
• Threat Model determines required security controls
• Software coding practices
• Fuzz testing
• Independent 3rd Party Testing
• Well understood but takes years & effort
Insecure By Design
Insecure By Design is not simply the lack of Secure By Design. It is much worse!!!
Insecure By Design provides the attacker with everything he would want as a documented feature. There is no need to find a bug or vulnerability.
Insecure By Design
“The pros don’t bother with vulnerabilities when attacking ICS. They use documented features of protocols and products.”
Ralph Langner of Stuxnet fame
Charlie Miller / Chris Valasek 2014
• Connected to a control system and …
• Were able to monitor and control, no surprise
• Incredibly impressive reverse engineering
• Completely unnecessary, many in this room have this knowledge
• The Safety question?
– Chuck Yeager or child jumping off roof?
– Marie Curie or blindly mixing chemicals to see what happens?
No Authentication
• No source or data authentication
• Access = Compromise
– Modbus TCP
– EtherNet/IP
– S7, DNP3, PROFINET, CC, HART, OPC Classic
– Proprietary Protocols
– And CANBus
Security Perimeter is Key
• Bad guys will succeed if they get in
• Require effective security perimeter to keep them out
• ICS History
– Connected directly to corporate networks
– Some connected to the Internet
– Anytime, anywhere remote access for in house support, 3rd party support, convenience or curiosity
Access To Insecure By Design Car?
• Access = Compromise, so how can an attacker access the CANBus? Many ways are being found.
• Corey Thuen in Digital Bond Labs looked at insurance use of OBD-II port
• Specifically the Progressive Snapshot dongle
• Could this comms network, Snapshot device, or Progressive site be used to attack cars?
ICS Comparison
1. Access = Compromise? ICS and auto
2. Little or no thought about security in embedded components
Search S4 Basecamp Video
Snapshot Dongle
Analysis Environment
Communication – No Security
• No encryption, no authentication, no firmware signing or other security
• Attacker has unrestricted access to device if he can get to it over the cellular network or from a Progressive network
Software Quality
• Did not follow even the most basic secure coding practices
• Lots of strcpy and other banned functions
– Lead to overflows and other security issues
• Lacking input validation, bad behavior when fuzzed
Snapshot Summary
• Little or no thought to security in development by vendor (Xirgotech) or Progressive … it’s a little embedded device
• Deployed units can never be trusted
• Likely some improvements have taken place in backend servers at Progressive which is very important
– Compromising Progressive Servers could allow access and control to 2,000,000+ vehicles
ICS Comparison
1. Access = Compromise? ICS and auto
2. Little or no thought about security in embedded components? ICS and auto
3. Push historical data out?
GE Power Plant Turbine Monitoring
• 1800+ Turbines in 60+ countries from GE Atlanta
– Useful efficiency and preventive maintenance info
GE Power Plant Turbine Monitoring
• Communications from Atlanta include firewalls, encryption, two-factor authentication, background checks, secure facility and more
• From that location in Atlanta they can access (and control) 1800+ turbines in 60+ countries
• A HUGE target and …
• Control is not necessary, all GE needs is the data
– Sound familiar to insurance companies?
Implement Least Privilege
• Only allow what is required
• Some solutions for GE and OBD-II
– Unidirectional (one-way) gateway, data can be sent from the car out, but no comms allowed to the car
– Limited functionality, allow reads / data access but no control commands
– Have the equivalent of a historian on the vehicle that the OBD-II can access
• Evaluate the residual risk
ICS and Vehicle Risk Comparison
• End unit compromise
– Much greater for critical infrastructure ICS
– Widespread blackout, lack of gas, environmental damage, death
– Vehicle compromise could be tragic, but limited
• Greater risk to vehicles is compromise of concentrated remote access with control capability
– Benefits are greater in vehicles, but make sure your risk management includes cyber
ICS Comparison
1. Access = Compromise? ICS and auto
2. Little or no thought about security in embedded components? ICS and auto
3. Push historical data out? ICS today / auto future?
4. Control / Safety segregation
Safety Integrated Systems (SIS)
• Prevent really bad things from happening, automatically, all the time, even when the control system fails, no human interaction
• Problem: If control system can communicate with the SIS a cyber attack can compromise both
– Stuxnet Protection system to prevent overpressure
• Problem: Control Systems often want sensor data from the safety system
Increasingly Common Solution
• Install an ICS firewall that only allows read requests from ICS to SIS
– ICS can’t write to SIS, can’t change logic, load firmware or do anything but read points
• Solution for cars … restrict communications between modules
– Focus on protecting modules with most critical control
– Focus on limiting access from modules with remote access
– Much faster solution than developing secure CAN
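The "allow reads / data access but no control commands" option from the least-privilege slide and the read-only firewall rule above, sketched as a default-deny check for a gateway sitting between the OBD-II port and the vehicle bus. This is an added example, not code from the talk or from Digital Bond's canbus-protector; it assumes 11-bit ISO 15765-4 diagnostic IDs and SAE J1979 service numbers, and `struct frame`, `gateway_allow` and the sample frames are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal classic-CAN frame (hypothetical type for this example). */
struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* SAE J1979 services that only read data. 0x04 (clear DTCs) and
 * 0x08 (control of on-board component) are deliberately absent. */
static const uint8_t READ_ONLY_SID[] = { 0x01, 0x02, 0x03, 0x07, 0x09, 0x0A };

/* Decide whether a frame arriving from the OBD-II port side may be
 * forwarded to the vehicle bus. Returns 1 to forward, 0 to drop. */
int gateway_allow(const struct frame *f) {
    int functional = (f->id == 0x7DF);
    int physical = (f->id >= 0x7E0 && f->id <= 0x7E7);
    if ((!functional && !physical) || f->dlc < 2 || f->dlc > 8)
        return 0;                        /* not a diagnostic request ID */
    uint8_t pci_type = f->data[0] >> 4;  /* ISO-TP frame type */
    uint8_t pci_len = f->data[0] & 0x0F; /* payload length, single frame */
    if (pci_type == 0x3)                 /* flow control: lets the tool */
        return physical;                 /* receive multi-frame replies */
    if (pci_type != 0x0 || pci_len < 1 || pci_len >= f->dlc)
        return 0;                        /* multi-frame or malformed request */
    for (size_t i = 0; i < sizeof READ_ONLY_SID; i++)
        if (f->data[1] == READ_ONLY_SID[i])
            return 1;
    return 0;                            /* default deny: control, write, unknown */
}

/* Constructed sample frames, not captured from any vehicle. */
static const struct frame SAMPLES[] = {
    { 0x7DF, 8, { 0x02, 0x01, 0x0C } },  /* read engine RPM          */
    { 0x7DF, 8, { 0x02, 0x09, 0x02 } },  /* read VIN                 */
    { 0x7E0, 8, { 0x30, 0x00, 0x00 } },  /* flow control             */
    { 0x7DF, 8, { 0x01, 0x04 } },        /* clear DTCs               */
    { 0x7E0, 8, { 0x02, 0x10, 0x03 } },  /* non-OBD service request  */
    { 0x244, 8, { 0x00 } },              /* non-diagnostic CAN ID    */
};

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("id=0x%03X sid=0x%02X -> %s\n", (unsigned)SAMPLES[i].id,
               SAMPLES[i].data[1], gateway_allow(&SAMPLES[i]) ? "forward" : "drop");
    return 0;
}
```

Responses from the vehicle toward the port are not filtered here; only the inbound direction carries the control risk the slides describe.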
Develop Secure CAN or Replace with Secure Protocol
Don’t fall for the “this will take a decade” like the ICS world did!
Digital Bond CANBus Tools
• Digital Bond Labs tools are on GitHub
– https://github.com/digitalbond/
• canbus-utils for analyzing CANBus traffic
• canbus-beaglebone for low-cost testing platform
• canbus-protector includes some proof of concept fixes discussed in this session
Digital Bond
• S4xJapan … November 6th in Tokyo
• S4x16 … January 12-14 in Miami Beach
• Focused control system security company
• Consulting
– Dedicated ICS security team since 2003
• Labs
– Find new vulnerabilities and attack techniques
• Contact: Dale Peterson, [email protected] @digitalbond on twitter
Questions