Automated Threat Evaluation of Automotive Diagnostic Protocols
Nils Weiss <[email protected]>
University of Applied Sciences Regensburg, Laboratory for Safe and Secure Systems (LaS3)
September 7, 2021
N. Weiss Automated Threat Evaluation September 7, 2021 1 / 24
- What can't be measured can't be effectively managed!
- "Security" can't be measured, but ...
- Attack surface can be measured
- Additionally, good metrics and evaluation methods are necessary.

Goal of this talk
Introduction of a novel metric and an automated process to evaluate the attack surface of Automotive Diagnostic Protocols
1. Motivation
How to quantify security?
Figure: Automotive diagnostic protocol stack for CAN (left) and IEEE 802.3 (right) based networks. These figures provide an overview of relevant protocols and their location in the automotive diagnostic protocol stack.

Layer            CAN-based network                          IEEE 802.3-based network
Application      UDS [11], OBD [6, 10], XCP [21], GMLAN [1]  UDS [12], OBD [10], XCP [21]
Transport        ISO-TP [8]                                 DoIP [9] / HSFZ
Network Access   CAN [7]                                    IEEE 802.3 [5]
2. Introduction
Automotive Diagnostic Protocols
- Supports diagnostics, configuration and updates
- Every service has individual capabilities
- From limited payloads (RDBI, ReadDataByIdentifier) to arbitrary payloads (TD TransferData, RC RoutineControl, WDBI WriteDataByIdentifier)
- Used in many published attacks for persistent code execution or triggering of physical actions

Attack Surface Mapping
UDS, GMLAN Services ⇐⇒ CVE flaw types [2]
3. Information Gathering
Analysis of Diagnostic Protocols
- K. Koscher et al. "Experimental Security Analysis of a Modern Automobile". In: 2010 IEEE Symposium on Security and Privacy. May 2010, pp. 447–462. DOI: 10.1109/SP.2010.34
- Stephen Checkoway et al. "Comprehensive Experimental Analyses of Automotive Attack Surfaces". In: Proceedings of the 20th USENIX Conference on Security (SEC'11). San Francisco, CA: USENIX Association, 2011, p. 6
- Dr. Charlie Miller and Chris Valasek. Adventures in Automotive Networks and Control Units. DEF CON 21 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2013. http://illmatics.com/car_hacking.pdf (accessed 2020-05-27)
- Dr. Charlie Miller and Chris Valasek. A Survey of Remote Automotive Attack Surfaces. DEF CON 22 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2014
3. Information Gathering
Automotive Security Research / Car-Hacking
- Dr. Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. DEF CON 23 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2015
- Dr. Charlie Miller and Chris Valasek. "Advanced CAN Injection Techniques for Vehicle Networks". In: Black Hat USA. Aug. 2016. URL: http://illmatics.com/can%5C%20message%5C%20injection.pdf
- Sen Nie, Ling Liu, and Yuefeng Du. Free-Fall: Hacking Tesla from Wireless to CAN Bus. Black Hat USA 2017 whitepaper. https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf (accessed 2020-02-14)
- Tencent Keen Security Lab. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. 2018. https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/ (accessed 2020-02-14)
3. Information Gathering
Automotive Security Research / Car-Hacking
- Jan Van den Herrewegen and Flavio D. Garcia. "Beneath the Bonnet: A Breakdown of Diagnostic Security". In: Computer Security. Vol. 11098. Lecture Notes in Computer Science. Springer International Publishing, 2018, pp. 305–324. ISBN: 978-3-319-99072-9. DOI: 10.1007/978-3-319-99073-6_15. URL: http://link.springer.com/10.1007/978-3-319-99073-6_15
- Florian Sommer, Jürgen Dürrwang, and Reiner Kriesten. "Survey and Classification of Automotive Security Attacks". In: Information 10.4 (Apr. 2019), p. 148. ISSN: 2078-2489. DOI: 10.3390/info10040148. URL: http://dx.doi.org/10.3390/info10040148
- Jürgen Dürrwang et al. "Enhancement of Automotive Penetration Testing with Threat Analyses Results". In: SAE International Journal of Transportation Cybersecurity and Privacy 1.2 (Nov. 2018), pp. 91–112. ISSN: 2572-1054. DOI: 10.4271/11-01-02-0005
- Nils Weiss and Enrico Pozzobon. From Blackbox to Automotive Ransomware. DEF CON SAFE MODE Hacking Conference. Virtual Conference. 2020. URL: https://www.youtube.com/watch?v=jp4qMNX5Xnc
3. Information Gathering
Automotive Security Research / Car-Hacking
3. Information Gathering
Mapping Service to possible CVE flaws
3. Information Gathering
Attack Surface Metric
- The presence of a service can indicate specific possible flaws (attack surface)
- A metric allows measuring the attack surface and obtaining comparable results between arbitrary ECUs
- Disclaimer: Our mapping is based on published and own research. Attack surfaces may change with new vehicle architectures.
- If our approach identifies a possible attack surface, it doesn't mean a vulnerability is present.
3. Information Gathering
Summary
This approach ...
- ... can guide security engineers and penetration testers
- ... measures the possible attack surface
- ... monitors the possible attack surface over lifetime
3. Information Gathering
Summary
- ECUs contain different "Sessions" or "States"
- Example: Bootloader, Application
- Each state supports different services
⇒ Different possible attack surfaces
⇒ A comprehensive scanner needs to reverse engineer and modify an ECU's system state during a scan
4. System State Reverse Engineering
Facts
4. System State Reverse Engineering
State Modifiers
4. System State Reverse Engineering
Scanner Algorithm
6. Results
Reverse Engineered System State Machines
- Our scanner is available on GitHub (soon in Scapy mainline): http://www.github.com/secdev/scapy
- Our paper with all details of our research is available online: https://www.researchgate.net/publication/351483528_Automated_Threat_Evaluation_of_Automotive_Diagnostic_Protocols
7. Hands on
Open-Source Software
10. Appendix
References

[1] General Motors Worldwide (GMW). General Motors Local Area Network Enhanced Diagnostic Test Mode Specification. Standard GMW3110. General Motors Worldwide (GMW), 2018.
[2] The MITRE Corporation (MITRE). Vulnerability Type Distributions in CVE – Flaw Terminology. https://cve.mitre.org/docs/vuln-trends/index.html (accessed 2020-05-27).
[3] Stephen Checkoway et al. "Comprehensive Experimental Analyses of Automotive Attack Surfaces". In: Proceedings of the 20th USENIX Conference on Security (SEC'11). San Francisco, CA: USENIX Association, 2011, p. 6.
[4] Jürgen Dürrwang et al. "Enhancement of Automotive Penetration Testing with Threat Analyses Results". In: SAE International Journal of Transportation Cybersecurity and Privacy 1.2 (Nov. 2018), pp. 91–112. ISSN: 2572-1054. DOI: 10.4271/11-01-02-0005.
[5] IEEE. IEEE Standard for Ethernet. 2018.
[6] ISO Central Secretary. Road vehicles – Communication between vehicle and external equipment for emissions-related diagnostics – Part 5: Emissions-related diagnostic services. Standard ISO 15031-5:2015. Geneva, CH: International Organization for Standardization, 2015. URL: https://www.iso.org/standard/66368.html.
[7] ISO Central Secretary. Road vehicles – Controller area network (CAN) – Part 1: Data link layer and physical signalling. Standard ISO 11898-1:2015. Geneva, CH: International Organization for Standardization, 2015. URL: https://www.iso.org/standard/63648.html.
[8] ISO Central Secretary. Road vehicles – Diagnostic communication over Controller Area Network (DoCAN) – Part 2: Transport protocol and network layer services. Standard ISO 15765-2:2016. Geneva, CH: International Organization for Standardization, 2016. URL: https://www.iso.org/standard/66574.html.
[9] ISO Central Secretary. Road vehicles – Diagnostic communication over Internet Protocol (DoIP) – Part 2: Transport protocol and network layer services. Standard ISO 13400-2:2019. Geneva, CH: International Organization for Standardization, 2019. URL: https://www.iso.org/standard/74785.html.
[10] ISO Central Secretary. Road vehicles – Implementation of World-Wide Harmonized On-Board Diagnostics (WWH-OBD) communication requirements – Part 3: Common message dictionary. Standard ISO 27145-3:2012. Geneva, CH: International Organization for Standardization, 2012. URL: https://www.iso.org/standard/46277.html.
[11] ISO Central Secretary. Road vehicles – Unified diagnostic services (UDS) – Part 3: Unified diagnostic services on CAN implementation (UDSonCAN). Standard ISO 14229-3:2012. Geneva, CH: International Organization for Standardization, 2012. URL: https://www.iso.org/standard/55284.html.
[12] ISO Central Secretary. Road vehicles – Unified diagnostic services (UDS) – Part 5: Unified diagnostic services on Internet Protocol implementation (UDSonIP). Standard ISO 14229-5:2013. Geneva, CH: International Organization for Standardization, 2013. URL: https://www.iso.org/standard/55287.html.
[13] K. Koscher et al. "Experimental Security Analysis of a Modern Automobile". In: 2010 IEEE Symposium on Security and Privacy. May 2010, pp. 447–462. DOI: 10.1109/SP.2010.34.
[14] Tencent Keen Security Lab. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. 2018. https://keenlab.tencent.com/en/2018/05/22/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars/ (accessed 2020-02-14).
[15] Dr. Charlie Miller and Chris Valasek. A Survey of Remote Automotive Attack Surfaces. DEF CON 22 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2014.
[16] Dr. Charlie Miller and Chris Valasek. "Advanced CAN Injection Techniques for Vehicle Networks". In: Black Hat USA. Aug. 2016. URL: http://illmatics.com/can%5C%20message%5C%20injection.pdf.
[17] Dr. Charlie Miller and Chris Valasek. Adventures in Automotive Networks and Control Units. DEF CON 21 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2013. http://illmatics.com/car_hacking.pdf (accessed 2020-05-27).
[18] Dr. Charlie Miller and Chris Valasek. Remote Exploitation of an Unaltered Passenger Vehicle. DEF CON 23 Hacking Conference. Las Vegas, NV: DEF CON. Aug. 2015.
[19] Sen Nie, Ling Liu, and Yuefeng Du. Free-Fall: Hacking Tesla from Wireless to CAN Bus. Black Hat USA 2017 whitepaper. https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf (accessed 2020-02-14).
[20] Florian Sommer, Jürgen Dürrwang, and Reiner Kriesten. "Survey and Classification of Automotive Security Attacks". In: Information 10.4 (Apr. 2019), p. 148. ISSN: 2078-2489. DOI: 10.3390/info10040148. URL: http://dx.doi.org/10.3390/info10040148.
[21] Association for Standardization of Automation and Measuring Systems (ASAM). The Universal Measurement and Calibration Protocol Family. Standard ASAM MCD-1 XCP. Germany: ASAM, 2003. URL: https://www.asam.net/standards/detail/mcd-1-xcp/.
[22] Jan Van den Herrewegen and Flavio D. Garcia. "Beneath the Bonnet: A Breakdown of Diagnostic Security". In: Computer Security. Vol. 11098. Lecture Notes in Computer Science. Springer International Publishing, 2018, pp. 305–324. ISBN: 978-3-319-99072-9. DOI: 10.1007/978-3-319-99073-6_15. URL: http://link.springer.com/10.1007/978-3-319-99073-6_15.
[23] Nils Weiss and Enrico Pozzobon. From Blackbox to Automotive Ransomware. DEF CON SAFE MODE Hacking Conference. Virtual Conference. 2020. URL: https://www.youtube.com/watch?v=jp4qMNX5Xnc.