who killed my parked car? - stanford...

+Who Killed My Parked Car?�

Faculty: Kang G. Shin Grad students: Kyong-Tak Cho, Arun Ganesan,

Daniel Chen, Mert Pese

The University of Michigan

+Vehicle Cyber Attacks

Security Risks!

Remote Access Points

In-Vehicle Networks

+Vehicle Cyber Attacks

Source: K. Koscher et al, “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10

+Attacks Possible/Effective on Parked Cars?

Integrity/Authenticity/… Availability

Ignition ON

Ignition OFF

•  Koscher et al. [S&P’10] •  Checkoway et al. [USENIX Sec’

13] •  Miller et al. [Defcon’13,

BlackHat’14, BlackHat’15] •  Cho and Shin [USENIX’15, CCS’

17] •  …

•  Cho and Shin [CCS’16]

•  …

? ? ? Is it even possible/effectiv

e to attack a vehicle when its

ignition is OFF?

+

“Sleep Mode” !  Extremely low current (u

A) !  Can be awakened !!!

Waking up ECUs

Reference: hollisbrothersauto

Reference: Lexus

+CAN Transceivers with Wake-up

+Standardized Wake-up

+

Terminal 30 ECUs’ consumption in Sleep Mode: 3

0mA

Max. # days in Sleep Mode: 41 days

“Can an attacker increase this

power consumption?”

Battery life…

+Threat Model

OBD-II devices: Some have external power supply, e.g., battery)

Telematic Units: These are considered to be the most “vulnerable” one!

" An adversary has remote access to CAN bus and can

control

+Two Novel (Immobilization) Attacks�

Battery Drain

Attack

Denial-of- Body contro

l Attack

+

Zzzz…..

Attack 1: Battery Drain Attack

Inject CAN message!

•  Bus wake-up via simple signal patterns? GOO

D!

•  Fast “standardized” wake-up mechanism nee

ded? EVEN BETTER!

•  How can the attacker drain the vehicle batter

y?

+Battery Drain Attack

Multimeter

Laptop

Car Battery

Experiment on

2017 Year-model

Vehicle


Control Drained Current

Max #days with ignition off*

(None) 12.2mA 30.7 days

“Parasitic Drain” threshold : 30mA

Wake up HSCAN, MSCAN 40mA 12.5 days

Change power mode 75mA 8.3 days

Unlock/lock driver’s door 100mA 5 days

Open trunk 150mA 3.3 days

* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%


In our 2017 year-model test vehicle, when attemptin

g to wake up ECUs






Wake up ECUs 42.0mA 8.92 days

Change power mode 75mA 8.3 days










Change power mode 74.5mA 5.02 days




While the ignition is off…








Unlock/lock driver’s door 101.1mA 3.7 days










Unlock/lock driver’s door 101.1mA 3.7 days

Open trunk 153.3mA 2.44 days


+

What do people normally do before starting their car

?

Probably…

1) Open the door

2) Start the car (change in power mode…)

3) Or perhaps… open the trunk!

Driver-context-based Reverse Engineering�

Q. How do we know which message ID to use in order to control such functions?

=> Driver-Context-Based Reverse Engineering

+Driver-context-based Reverse Engineering�

Q. How do we know which message ID to use in order to control such functions?

=> Driver-Context-Based Reverse Engineering

[Ignition OFF]

CAN traffic (~30 msgs)

[Ignition ON]

CAN traffic (~60 msgs)

Compare traffic!


In other vehicles…

2008–2017 model-year (compact and mid-size) sedans, coupe, crossover, PHEV (Plug-in Hybrid Electric Vehicle), SUVs, truck, and an electric vehicle

+Some Example Vehicles

+Attack 2: Denial-of-Body control Attack

RFA BCM

“Remote Keyless Entry (RKE) System”

+CAN Protocol : Error Handling

Error Active

Error Passive

Bus Off

TEC > 127 (or) REC > 127

TEC > 255Reset (Auto/Manual)

TEC ≤ 127 (and) REC ≤ 127

•  Disconnection from bus •  Shutdown of entire system

+CAN Protocol : Error Handling

ISO 11898

"A node can start the recovery from

bus-off state only upon a user request.”

! Depends on the Software Config.

+Denial-of-Body control (BoD) Attack "  One simple procedure (of many others…)

1.  Wait for all ECUs to go to sleep after ignition is OFF

2.  Wake up ECUs

3.  Change bit rate (e.g., 500kbps #250 kbps)

"  Consequence

1.  All awakened ECUs on the bus continuously experience and incur errors

2.  All enter the bus-off state, i.e., shut-down

3.  Depending on the software configuration, some ECUs recover from the bus-off state

whereas some don’t…

+Denial-of-Body control (BoD)Attack

In our 2017 year-model test vehicle,

RCM (Remote Control Module) did not recover from the bus-off, i.e., remained shut down

most probably due to its distinct recovery policy configuration (perhaps for anti-theft/engine-immobilizer purposes).

+Denial-of-Body control (BoD)Attack "  Symptoms

1)  Remote key does not work (even attempting with its RFID)

2)  Door cannot be opened

3)  Trunk does not open/close

"  Problems… 1)  Vehicle owners won’t even know what

happened

2)  They cannot even start the car

3)  Maybe, the car has to be towed

4)  Order a new key fob

+Denial-of-Body Attack

The key was with us inside the car!

Not even injecting any msg right now…

+Conclusion

"  Wake-up function is there for the attacker to use which is too easy/simple…

"  Vehicle ECUs can not only be “awakened” but also be “controlled/attacked”, while the ignition is off…

"  State-of-the-art defense schemes do not consider such a possibility

"  Possibility of “immobilizing” or shutting down an ECU “forever(?)”

+

Thank you!

who killed my parked car? - stanford...

Documents