Backdooring a car
Transcript of Backdooring a car
Alexey Sintsov @asintsov
DEFCON RUSSIA DC#7812
BACKDOORING A CAR
AND OTHER HEADUNIT SECURITY THINGS
# Why are we interested?
Let’s do it…
• Navigation for cars
• Maps
• REST API services
• Traffic
• POI
• Even road angle degree
• And more
• RDS traffic data supplier
• Embedded software
• Middleware
• UI Clients
• … and more
• 3D maps for self driving cars
# Why security?
???
• How can OUR software impact car security?
vs.
• How do other components affect our security?
# Backdoor?
???
Backdoor – unauthorized remote access to car’s headunit or other components
It’s what you want to do after exploitation of any vulnerability…
# Backdoor for a car
• Find a reason why you need a backdoor
• Find a way to deploy a backdoor
• Find a way to get control
# Backdoor for a car
Reasons
• Monetization?
  • CC/Banking -- LOW
  • BT Mining -- LOW
  • Botnet -- LOW
  • Thief Auto -- ???
• Targeted attack
  • Police/Gov -- HIGH (Legal Backdoor)
  • Spying -- ???
  • Killing (WTF?) ???
We do not know, HOW to use it and WHY we need it
# Backdoor for a car
Reasons
Backdoor is unauthorized remote access to the HeadUnit:
• You know where your target is
• You can control some elements:
  • Light
  • Radio
  • Door locks
  • Navigation routes
    • For self driving cars…
  • Other – depends on the internal network design
    - ABS, Engine, etc. Easy! Easy!
• CPU usage
• Privacy and valuable data
# Break in
Attack surface – I/O
• Wireless components and ECUs
  • Long Radio:
    • GSM/UMTS
    • Radio/RDS
    • GPS
  • Short Radio:
    • WiFi/Bluetooth
    • TPMS
    • Keyless lock/start
  • Radars/Sensors/Cameras
• HeadUnit
  • Software components
    • WEB Browser
    • MP3/etc
    • RDS
    • Applications/Connected Car services
    • etc
  • Service/diagnostic ports
  • Local I/O
    • CAN interfaces on HU
    • Ethernet
    • etc
• etc
Internet services security
Client-side security
… and even data/file format
Spoofing/injection/sniffing and fuzzing
Also for LPE
# Break in
Simple backdoor?
# Break in
Designed RA?
# With one rule them all…
HARMAN
One platform, different software…
• ARM/Tegra
• QNX OS
DEP? ASLR? Canaries?
- Yes and NO
# Deploy a backdoor (as a binary)
Other vectors
• Vulnerabilities in software update mechanism
• Importing files from USB/SD
• Browser Client-Side RCE bugs
• Other components' RCE bugs (RDS, etc.)
# Deploy a backdoor (as a binary)
Tasks
• Penetration vector
  • RCE bugs, etc.
• Find a RW place on the HU
  • Update services re-usage
  • Badly mounted memory
  • LPE bugs
• Find a way for auto-run
  • How to change cron (or similar) jobs?
  • DLL/SO Hijacking
• Find a way to connect to C&C via the Internet
  • Local VPN configs/keys
  • Route table
  • Proxy settings
# Car WORM??
Is it possible?
• All HU in one network segment? (Worm)
• If you hack the Internet Proxy? (Spreading)
• If you hack the ConnectedCar API Server? (Spreading)
• Car2Car, wireless (Worm)
• Infected files for import? (File infection)
Ahh… Come on!
# LPE
Tasks
• Bugs in local service
  • From user to root
• From HU to ECU
  • Bugs in ECU
  • Local services usage
  • ECU control normal usage – sending commands (like SOME/IP)
# Hardening
Defense
• No RW places for backdoor
• Processes list and configs control and integrity
• Encrypted storages (key chains) *
• Local network segmentation
  • HU does not need access to some components
• Update mechanism/design for software (good example - BMW)
• 3rd party developers – need to know what they are doing *
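The first two hardening points above (no writable places for a backdoor, and control/integrity of processes and configs) can be turned into a concrete check on the head unit. This is an added example, not code from the talk: the mount table, the allow-list of writable mount points, and the baseline hashes are all constructed, and the file contents are passed in as bytes instead of being read from disk.

```python
"""Head-unit hardening check: unexpected writable mounts and tampered configs."""
import hashlib

# Constructed policy: the only mount points allowed to be writable on the HU.
ALLOWED_RW = {"/var/log", "/data/user"}

# Constructed /proc/mounts-style sample: device, mountpoint, fstype, options.
SAMPLE_MOUNTS = """\
/dev/mmcblk0p2 / ext4 ro,relatime 0 0
/dev/mmcblk0p3 /var/log ext4 rw,relatime 0 0
/dev/mmcblk0p4 /data/user ext4 rw,nosuid,nodev 0 0
/dev/mmcblk0p5 /opt/apps ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

def unexpected_rw_mounts(mounts_text, allowed=ALLOWED_RW):
    """Return mount points that are writable but not on the allow-list."""
    bad = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the check
        mountpoint, options = fields[1], fields[3].split(",")
        if "rw" in options and mountpoint not in allowed:
            bad.append(mountpoint)
    return bad

def verify_integrity(files, baseline):
    """Compare SHA-256 of each file's content with the baseline.
    `files` maps path -> bytes (a real deployment would read them from disk);
    returns the paths whose hash no longer matches."""
    changed = []
    for path, expected in baseline.items():
        actual = hashlib.sha256(files.get(path, b"")).hexdigest()
        if actual != expected:
            changed.append(path)
    return changed

# Constructed sample: baseline hashes taken at build time for an auto-run
# config (crontab) and the SO-preload file used for library hijacking.
GOOD_CRON = b"0 3 * * * /usr/bin/log-rotate\n"
BASELINE = {
    "/etc/crontab": hashlib.sha256(GOOD_CRON).hexdigest(),
    "/etc/ld.so.preload": hashlib.sha256(b"").hexdigest(),
}
CURRENT_FILES = {  # crontab has an extra entry that was not in the baseline
    "/etc/crontab": GOOD_CRON + b"@reboot /opt/apps/unknown-binary\n",
    "/etc/ld.so.preload": b"",
}
```

Running `unexpected_rw_mounts(SAMPLE_MOUNTS)` reports `/opt/apps` and `/tmp`, and `verify_integrity(CURRENT_FILES, BASELINE)` reports `/etc/crontab`; both are the kind of finding that should raise an alert on the HU.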
# Security market
Defense
• IPS for CAN
• Trusted and hardened HU/OS
• Encryption for CAN/ECU/internal traffic
• IPS for internal wireless/network
• moarrr …
• AV for car?
….
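An "IPS for internal network" enforcing the segmentation rule from the hardening slide (the HU only talks to the services it needs) can be demonstrated on the SOME/IP command traffic mentioned in the LPE slide. This is an added example, not from the talk: the header layout is the standard 16-byte SOME/IP header, while the service IDs, source address and policy are constructed.

```python
"""SOME/IP header parser plus a per-source service allow-list check."""
import struct
from dataclasses import dataclass

# 16-byte SOME/IP header, big-endian: Message ID (service, method), Length,
# Request ID (client, session), protocol ver, interface ver, type, return code.
HEADER = struct.Struct(">HHIHHBBBB")

@dataclass
class SomeIpHeader:
    service_id: int
    method_id: int
    length: int
    client_id: int
    session_id: int
    protocol_version: int
    interface_version: int
    message_type: int
    return_code: int

def parse_someip(frame: bytes) -> SomeIpHeader:
    """Parse the header; raise ValueError on a malformed frame."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than SOME/IP header")
    hdr = SomeIpHeader(*HEADER.unpack_from(frame))
    # Length counts everything after the Length field: 8 header bytes + payload.
    if hdr.length != len(frame) - 8:
        raise ValueError("length field does not match frame size")
    if hdr.protocol_version != 0x01:
        raise ValueError("unsupported protocol version")
    return hdr

def build_someip(service_id, method_id, payload=b"", msg_type=0x00):
    """Build a SOME/IP request frame (used here only to construct samples)."""
    return HEADER.pack(service_id, method_id, 8 + len(payload),
                       0x0001, 0x0001, 0x01, 0x01, msg_type, 0x00) + payload

# Constructed policy: the HU (10.0.0.10) may only use navigation (0x1234)
# and media (0x1235); any other service request from it is dropped.
POLICY = {"10.0.0.10": {0x1234, 0x1235}}

def ips_verdict(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'drop:<reason>' for one frame from a given source."""
    try:
        hdr = parse_someip(frame)
    except ValueError as exc:
        return f"drop:malformed ({exc})"
    if hdr.service_id not in POLICY.get(src_ip, set()):
        return f"drop:service 0x{hdr.service_id:04x} not allowed for {src_ip}"
    return "allow"
```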
# Future
Targets for future research
• Remote exploits for Browser and car’s APPs
  • Including attacks on ConnectedCar design/implementation
  • … and Car2Car design and implementation, etc.
• Malware/Backdoor prototype and demo
• File infection and file format exploits (USB/SD card)
• Wireless radio exploits (short/long radio vectors)
• LPE exploits (from HU to ECU, from ECU to HU, from user to root)
• Self driving car spoofing and manipulation
  • Fake signs
  • Radar/LIDAR data spoofing
• All possible mixes 8)
And even more… it’s a BIG area and a lot of things can happen 8)