automated threat evaluation of automotive diagnostics


Automated Threat Evaluation of Automotive Diagnostic Protocols
Nils Weiss <[email protected]>

University of Applied Sciences Regensburg
Laboratory for Safe and Secure Systems (LaS3)

September 7, 2021

N. Weiss Automated Threat Evaluation September 7, 2021 1 / 24

- What can’t be measured can’t be effectively managed!
- "Security" can’t be measured, but ...
- Attack surface can be measured
- Additionally, good metrics and evaluation methods are necessary.

Goal of this talk
Introduction of a novel metric and an automated process to evaluate the attack surface of Automotive Diagnostic Protocols


1. Motivation

How to quantify security?

[Figure: protocol stack diagram with the layers Application, Transport and Network Access.
CAN stack (left): UDS [11], OBD [6, 10], XCP [21], GMLAN [1], ISO-TP [8], CAN [7].
IEEE 802.3 stack (right): UDS [12], OBD [10], XCP [21], DoIP [9] / HSFZ, IEEE 802.3 [5].]

Figure: Automotive diagnostic protocol stack for CAN (left) and IEEE 802.3 (right) based networks. These figures provide an overview of relevant protocols and their location in the automotive diagnostic protocol stack.


2. Introduction

Automotive Diagnostic Protocols

- Supports diagnostics, configuration and updates
- Every service has individual capabilities
- From limited payloads (RDBI) to arbitrary payloads (TD, RC, WDBI)
- Used in many published attacks for persistent code execution or triggering of physical actions

Attack Surface Mapping
UDS, GMLAN Services ⇐⇒ CVE flaw types [2]


3. Information Gathering

Analysis of Diagnostic Protocols

- K. Koscher et al. “Experimental Security Analysis of a Modern Automobile”. In: 2010 IEEE Symposium on Security and Privacy. May 2010, pp. 447–462. DOI: 10.1109/SP.2010.34

- Stephen Checkoway et al. “Comprehensive Experimental Analyses of Automotive Attack Surfaces”. In: Proceedings of the 20th USENIX Conference on Security. SEC’11. San Francisco, CA: USENIX Association, 2011, p. 6

- Dr. Charlie Miller and Chris Valasek. Adventures in Automotive Networks and Control Units. DEF CON 21 Hacking Conference. Las Vegas, NV: DEF CON. http://illmatics.com/car_hacking.pdf (accessed 2020-05-27). Aug. 2013

- Dr. Charlie Miller and Chris Valasek. A Survey of Remote Automotive Attack Surfaces. DEF CON 22 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2014


3. Information Gathering

Automotive Security Research / Car-Hacking

- Dr. Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. DEF CON 23 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2015

- Dr. Charlie Miller and Chris Valasek. “Advanced CAN Injection Techniques for Vehicle Networks”. In: BlackHat USA. Aug. 2016. URL: http://illmatics.com/can%5C%20message%5C%20injection.pdf

- Yuefeng Du Sen Nie Ling Liu. FREE-FALL: HACKING TESLA FROM WIRELESS TO CAN BUS. https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf. 2020 (accessed February 14, 2020)

- Tencent Keen Security Lab. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/. 2020 (accessed February 14, 2020)


3. Information Gathering

Automotive Security Research / Car-Hacking

- Jan Van den Herrewegen and Flavio D. Garcia. “Beneath the Bonnet: A Breakdown of Diagnostic Security”. In: Computer Security. Vol. 11098. Lecture Notes in Computer Science. Springer International Publishing, 2018, pp. 305–324. ISBN: 978-3-319-99072-9. DOI: 10.1007/978-3-319-99073-6_15. URL: http://link.springer.com/10.1007/978-3-319-99073-6_15

- Florian Sommer, Jürgen Dürrwang, and Reiner Kriesten. “Survey and Classification of Automotive Security Attacks”. In: Information 10.4 (Apr. 2019), p. 148. ISSN: 2078-2489. DOI: 10.3390/info10040148. URL: http://dx.doi.org/10.3390/info10040148

- Jürgen Dürrwang et al. “Enhancement of Automotive Penetration Testing with Threat Analyses Results”. In: SAE International Journal of Transportation Cybersecurity and Privacy 1.2 (Nov. 2018), pp. 91–112. ISSN: 2572-1054. DOI: 10.4271/11-01-02-0005

- Nils Weiss and Enrico Pozzobon. From Blackbox to Automotive Ransomware. DEF CON SAFE MODE Hacking Conference. Virtual Conference. 2020. URL: https://www.youtube.com/watch?v=jp4qMNX5Xnc


3. Information Gathering

Automotive Security Research / Car-Hacking


3. Information Gathering

Mapping Service to possible CVE flaws


3. Information Gathering

Attack Surface Metric

- The presence of a service can indicate specific possible flaws (Attack Surface)
- A metric allows measuring the attack surface and obtaining comparable results between arbitrary ECUs
- Disclaimer: Our mapping is based on published research and our own research. Attack surfaces may change with new vehicle architectures.
- If our approach identifies a possible attack surface, it doesn’t mean a vulnerability is present.


3. Information Gathering

Summary

This approach ...
- ... can guide security engineers and penetration testers
- ... measures the possible attack surface
- ... monitors the possible attack surface over lifetime


3. Information Gathering

Summary

- ECUs contain different "Sessions" or "States"
- Example: Bootloader, Application
- Each state supports different services

⇒ Different possible attack surfaces
⇒ A comprehensive scanner needs to reverse engineer and modify an ECU's system state during a scan
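
Added example (not from the slides or the authors' scanner): the per-state idea above in Python. It decides from raw UDS probe responses which services exist in each ECU state, maps them to possible flaw types, and diffs two scans to track the surface over lifetime. The SERVICE_FLAWS mapping, the score and the sample responses are constructed assumptions, not the mapping or metric from the talk.

```python
# NRCs that mean "service not available in this state":
# 0x11 serviceNotSupported, 0x7F serviceNotSupportedInActiveSession
NRC_ABSENT = {0x11, 0x7F}

# Illustrative placeholder mapping (assumption), NOT the mapping from the talk.
SERVICE_FLAWS = {
    0x22: {"information leak"},                           # ReadDataByIdentifier
    0x2E: {"memory corruption", "config tampering"},      # WriteDataByIdentifier
    0x31: {"memory corruption", "unintended actuation"},  # RoutineControl
    0x36: {"memory corruption", "code execution"},        # TransferData
}

def service_present(sid, resp):
    """True if a probe response shows the service exists in the current state."""
    if not resp:
        return False                      # timeout: no evidence of the service
    if resp[0] == sid + 0x40:
        return True                       # positive response
    if len(resp) >= 3 and resp[0] == 0x7F and resp[1] == sid:
        return resp[2] not in NRC_ABSENT  # any other NRC still proves presence
    return False

def surface(scan):
    """state -> set of (service id, possible flaw type) pairs."""
    return {state: {(sid, flaw)
                    for sid, resp in probes.items() if service_present(sid, resp)
                    for flaw in SERVICE_FLAWS.get(sid, ())}
            for state, probes in scan.items()}

def score(scan):
    """Simplified stand-in metric: number of (service, flaw) pairs per state."""
    return {state: len(pairs) for state, pairs in surface(scan).items()}

def new_exposure(old_scan, new_scan):
    """Pairs present in new_scan but not in old_scan, per state."""
    old = surface(old_scan)
    return {state: pairs - old.get(state, set())
            for state, pairs in surface(new_scan).items()}

# Constructed probe responses (raw UDS payloads), not captured from a real ECU.
h = bytes.fromhex
SCAN_V1 = {
    "application": {0x22: h("62f19001"), 0x2E: h("7f2e7f"), 0x31: h("7f3133"), 0x36: h("7f3611")},
    "bootloader":  {0x22: h("62f19001"), 0x2E: h("7f2e33"), 0x31: h("7f3131"), 0x36: h("7f3624")},
}
# Later firmware: WriteDataByIdentifier now answers in the application state.
SCAN_V2 = {**SCAN_V1, "application": {**SCAN_V1["application"], 0x2E: h("7f2e33")}}

if __name__ == "__main__":
    print(score(SCAN_V1))
    print(new_exposure(SCAN_V1, SCAN_V2))
```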


4. System State Reverse Engineering

Facts


4. System State Reverse Engineering

State Modifiers


4. System State Reverse Engineering

Scanner Algorithm


5. Test Setup

Architecture


5. Test Setup

Runner-Setup


5. Test Setup

Investigated ECUs


6. Results

Reverse Engineered System State Machines


6. Results

Detection of Bootloader


6. Results

Overview Results

- Our scanner is available on GitHub (soon in Scapy mainline)
- http://www.github.com/secdev/scapy
- Our paper with all details of our research is available online:
- https://www.researchgate.net/publication/351483528_Automated_Threat_Evaluation_of_Automotive_Diagnostic_Protocols


7. Hands on

Open-Source Software


7. Hands on

UDS Scanner


7. Hands on

HSFZ/DoIP Scanner

Thanks

Questions?


8. END

[1] General Motors Worldwide (GMW). General Motors Local Area Network Enhanced Diagnostic Test Mode Specification. en. Standard GMW3110. General Motors Worldwide (GMW), 2018.

[2] The MITRE Corporation (MITRE). Vulnerability Type Distributions in CVE – Flaw Terminology. https://cve.mitre.org/docs/vuln-trends/index.html (accessed 2020-05-27).

[3] Stephen Checkoway et al. “Comprehensive Experimental Analyses of Automotive Attack Surfaces”. In: Proceedings of the 20th USENIX Conference on Security. SEC’11. San Francisco, CA: USENIX Association, 2011, p. 6.


10. Appendix

References I

[4] Jürgen Dürrwang et al. “Enhancement of Automotive Penetration Testing with Threat Analyses Results”. In: SAE International Journal of Transportation Cybersecurity and Privacy 1.2 (Nov. 2018), pp. 91–112. ISSN: 2572-1054. DOI: 10.4271/11-01-02-0005.

[5] IEEE. IEEE Standard for Ethernet. 2018.

[6] ISO Central Secretary. Road vehicles – Communication between vehicle and external equipment for emissions-related diagnostics – Part 5: Emissions-related diagnostic services. en. Standard ISO 15031-5:2015. Geneva, CH: International Organization for Standardization, 2015. URL: https://www.iso.org/standard/66368.html.


[7] ISO Central Secretary. Road vehicles – Controller area network (CAN) – Part 1: Data link layer and physical signalling. en. Standard ISO 11898-1:2015. Geneva, CH: International Organization for Standardization, 2015. URL: https://www.iso.org/standard/63648.html.

[8] ISO Central Secretary. Road vehicles – Diagnostic communication over Controller Area Network (DoCAN) – Part 2: Transport protocol and network layer services. en. Standard ISO 15765-2:2016. Geneva, CH: International Organization for Standardization, 2016. URL: https://www.iso.org/standard/66574.html.


[9] ISO Central Secretary. Road vehicles – Diagnostic communication over Internet Protocol (DoIP) – Part 2: Transport protocol and network layer services. en. Standard ISO 13400-2:2019. Geneva, CH: International Organization for Standardization, 2019. URL: https://www.iso.org/standard/74785.html.

[10] ISO Central Secretary. Road vehicles – Implementation of World-Wide Harmonized On-Board Diagnostics (WWH-OBD) communication requirements – Part 3: Common message dictionary. en. Standard ISO 27145-3:2012. Geneva, CH: International Organization for Standardization, 2012. URL: https://www.iso.org/standard/46277.html.


[11] ISO Central Secretary. Road vehicles – Unified diagnostic services (UDS) – Part 3: Unified diagnostic services on CAN implementation (UDSonCAN). en. Standard ISO 14229-3:2012. Geneva, CH: International Organization for Standardization, 2012. URL: https://www.iso.org/standard/55284.html.

[12] ISO Central Secretary. Road vehicles – Unified diagnostic services (UDS) – Part 5: Unified diagnostic services on Internet Protocol implementation (UDSonIP). en. Standard ISO 14229-5:2013. Geneva, CH: International Organization for Standardization, 2013. URL: https://www.iso.org/standard/55287.html.

[13] K. Koscher et al. “Experimental Security Analysis of a Modern Automobile”. In: 2010 IEEE Symposium on Security and Privacy. May 2010, pp. 447–462. DOI: 10.1109/SP.2010.34.


[14] Tencent Keen Security Lab. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/. 2020 (accessed February 14, 2020).

[15] Dr. Charlie Miller and Chris Valasek. A Survey of Remote Automotive Attack Surfaces. DEF CON 22 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2014.

[16] Dr. Charlie Miller and Chris Valasek. “Advanced CAN Injection Techniques for Vehicle Networks”. In: BlackHat USA. Aug. 2016. URL: http://illmatics.com/can%5C%20message%5C%20injection.pdf.


[17] Dr. Charlie Miller and Chris Valasek. Adventures in Automotive Networks and Control Units. DEF CON 21 Hacking Conference. Las Vegas, NV: DEF CON. http://illmatics.com/car_hacking.pdf (accessed 2020-05-27). Aug. 2013.

[18] Dr. Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. DEF CON 23 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2015.

[19] Yuefeng Du Sen Nie Ling Liu. FREE-FALL: HACKING TESLA FROM WIRELESS TO CAN BUS. https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf. 2020 (accessed February 14, 2020).


[20] Florian Sommer, Jürgen Dürrwang, and Reiner Kriesten. “Survey and Classification of Automotive Security Attacks”. In: Information 10.4 (Apr. 2019), p. 148. ISSN: 2078-2489. DOI: 10.3390/info10040148. URL: http://dx.doi.org/10.3390/info10040148.

[21] Association for Standardization of Automation and Measuring Systems. The Universal Measurement and Calibration Protocol Family. en. Standard ASAM MCD-1 XCP. Germany, DE: Association for Standardization of Automation and Measuring Systems, 2003. URL: https://www.asam.net/standards/detail/mcd-1-xcp/.


[22] Jan Van den Herrewegen and Flavio D. Garcia. “Beneath the Bonnet: A Breakdown of Diagnostic Security”. In: Computer Security. Vol. 11098. Lecture Notes in Computer Science. Springer International Publishing, 2018, pp. 305–324. ISBN: 978-3-319-99072-9. DOI: 10.1007/978-3-319-99073-6_15. URL: http://link.springer.com/10.1007/978-3-319-99073-6_15.

[23] Nils Weiss and Enrico Pozzobon. From Blackbox to Automotive Ransomware. DEF CON SAFE MODE Hacking Conference. Virtual Conference. 2020. URL: https://www.youtube.com/watch?v=jp4qMNX5Xnc.
