CANDY: haCking infotAiNment AnDroid sYstems
Gianpiero Costantino, Ilaria Matteucci
https://youtu.be/aw0d-IoGD7E
Introduction
Vehicles are Cyber-Physical Systems (CPS):
➡ Parking sensors
➡ Infotainment system
➡ Wireless connectivity
➡ Lane assistant
Safety-critical systems are being exposed to security issues:
➡ Connectivity is the key enabler
Attack surface
Local Vs Remote
Attack on Jeep Cherokee
Remote Exploitation of an Unaltered Passenger Vehicle. C. Miller and C. Valasek, BlackHat 2015
CANDY
Hacking CAN bus vehicle communications by remotely injecting a Trojan-horse on the Android In-Vehicle Infotainment system
Running the attack: the target device
Bosion Android Radio with Android 4.4 KitKat
Installed on a Volkswagen Golf 1.6 TDI
Connected to the CAN bus network through a CAN bus-decoder
The radio is connected to the Internet through a 3G dongle
Attack Work-flow
[Figure: attack work-flow diagram. Labels: Genuine APP, Malicious APP, apktool, Smali code, Code injection, Trojan-horse APP, Manifest manipulation (adding permissions, adding services), signing, Social engineering, Victim]
I. Remotely accessing the In-Vehicle Infotainment system
II. Recording driver’s voice
III. Taking photos and grabbing vehicle’s trajectories
IV. Collecting information spread on the CAN bus
In collaboration with Antonio La Marra (IIT-CNR)
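A defender-side check for the manifest-manipulation step above, as an added example (not from the slides or the authors): it compares the decoded `AndroidManifest.xml` of a genuine app with that of a suspect copy and reports permissions and components that appear only in the suspect. The package name, component names and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a genuine app (hypothetical package).
GENUINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".PlaybackService"/>
  </application>
</manifest>"""

# Constructed sample: the same app after repackaging, with extra entries.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".PlaybackService"/>
    <service android:name="com.example.radio.sync.UpdateService"/>
  </application>
</manifest>"""

def manifest_entries(xml_text):
    """Return (permissions, components) declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")
             if e.get(ANDROID_NS + "name")}
    comps = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            name = e.get(ANDROID_NS + "name", "")
            # Expand the ".Class" shorthand so both manifests compare equal.
            comps.add((tag, package + name if name.startswith(".") else name))
    return perms, comps

def added_by_repackaging(genuine_xml, suspect_xml):
    """Permissions and components present only in the suspect manifest."""
    g_perms, g_comps = manifest_entries(genuine_xml)
    s_perms, s_comps = manifest_entries(suspect_xml)
    return sorted(s_perms - g_perms), sorted(s_comps - g_comps)
```

Because the Trojan-horse APP is re-signed, its signing certificate will also differ from the genuine publisher's, so a certificate comparison belongs next to this manifest diff.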
Photos from parking-camera
Vehicle’s trajectories
Stealing CAN bus information
[Figure labels: Genuine CAN bus APP, Code injection, Trojan-horse APP, Victim, Attacker, Malicious CAN bus APP, Overriding CAN bus APP, Stealing CAN bus information]
➡ Water temperature
➡ Seat belt attached or not
➡ Handbrake pulled or not
➡ Car doors status
➡ Remaining fuel
➡ Voltage of the battery
➡ Engine rpm
➡ Car speed
➡ Air conditioning system status
➡ Distance from an obstacle
The attacker downloads and modifies the original APP so that it stores the CAN bus information in files that can be downloaded later
CAN bus data
Our research directions
Studying vulnerabilities:
➡ (CAN level) Analyzing and learning CAN messages
➡ (Firmware level) Studying the firmware’s code
Security for vehicles:
➡ Adding security properties to the CAN protocol
➡ Studying drivers’ attitude in V2V and V2X Infrastructure
Penetration Testing @CAN level
➡ Receiving and analyzing CAN messages by connecting ECUs to PCs via USBtin
➡ Learning the messages’ content using reverse-engineering techniques (or brute-force attack)
➡ Sending incorrect messages to alter the behavior of the vehicle (Man in the Middle)
Penetration Testing @Firmware level
Our lab
The CAN bus as is
CAN bus is the communication protocol between the ECUs of a vehicle:
➡ Max data-message length is 64 bits
➡ !Authentication and !Integrity and !Confidentiality
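What the 64-bit limit means for adding authentication, as an added illustration (not the authors' scheme and not from the slides): a generic layout that spends 1 byte on a freshness counter and 3 bytes on a truncated HMAC, leaving 4 bytes for data. The key, CAN ID and field sizes are assumptions chosen for the example; confidentiality is not addressed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: key shared by sender and receiver ECUs
MAC_LEN = 3                    # truncated MAC bytes that still fit in the frame

def _tag(can_id, body, key):
    # Bind the MAC to the CAN ID so a frame cannot be replayed under another ID.
    msg = struct.pack(">H", can_id) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def protect(can_id, data, counter, key=KEY):
    """Pack data (<= 4 bytes) + 1-byte counter + 3-byte MAC into 8 bytes."""
    if len(data) > 4:
        raise ValueError("only 4 data bytes remain once counter and MAC are added")
    body = data.ljust(4, b"\x00") + bytes([counter & 0xFF])
    return body + _tag(can_id, body, key)

def verify(can_id, payload, last_counter, key=KEY):
    """Return (data, counter) if the frame is authentic and fresh, else None."""
    if len(payload) != 8:
        return None
    body, tag = payload[:5], payload[5:]
    if not hmac.compare_digest(tag, _tag(can_id, body, key)):
        return None            # forged or modified frame
    counter = body[4]
    if counter <= last_counter:
        return None            # replayed frame (1-byte counter: wrap-around not handled)
    return body[:4], counter
```

A 24-bit tag and an 8-bit counter are weak by general-purpose standards; the point is how little room 8 bytes leave once integrity and freshness share the payload with the data.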
Model based Design: CIA solution
Turning CAN messages into Security by Design format
Confidentiality, Integrity and Authentication
Future Work
Working on a way to send messages on the CAN bus network from the IVI Android.
To give more impact to CANDY and to point out the vulnerabilities of the CAN protocol
Working on a Security-by-Design framework compatible with automotive standards.
To the security of ICT systems in vehicles as well as optimize the trade-off between security and safety aspects in the automotive domain.
Thank you!