cyber security in transportation

Lecturer: Oren Elimelech Ministry of Transport & Road Safety Cyber Security Adviser / SecuRegion CISO CISO, CISM, CISA, CISSP, VCP, MCSE, MCT, A+, CCIE, CCSA Cyber Security in Transportation 19 th August 2015

Upload: oren-elimelech

Post on 16-Apr-2017


Category:

Automotive



TRANSCRIPT

Page 1: Cyber Security in Transportation

Lecturer:

Oren Elimelech

Ministry of Transport & Road Safety Cyber Security Adviser / SecuRegion CISO

CISO, CISM, CISA, CISSP, VCP, MCSE, MCT, A+, CCIE, CCSA

Cyber Security in Transportation

19th August 2015

Page 2: Cyber Security in Transportation

Oren Elimelech Cyber Security, GRC, ITC, Forensics & Cloud Consultant

• ISC2 • ISSA • ISACA

• IARM • CSA • OWASP

2

Who are you?... About Myself

Page 3: Cyber Security in Transportation

• Transportation Cyber Security

• Aviation Attacks

• Public Transport Attack

• Remote Exploitation of a Vehicle and other vegetables

• Q & A

Today's Agenda:

4

Page 4: Cyber Security in Transportation

• The transportation segment includes many areas:

• Mass land transportation – Trains, Buses, Trucks etc.

• Aviation transport – Planes, Airports among others.

• Naval transport – Ships, harbors, nav. system etc.

• Traffic & Transit control – signal control, warning lights, road crossing illumination, tunnels and many more

• Vehicle – CAN bus, ECM, ECU, connected vehicles

• Most of the systems used are SCADA systems

• They are used for: power control, emergency ventilation control, alarms, indicators, sensors, fire/intrusion detection, control/signaling, AVL, access control etc.

Transportation Cyber Security

5

Page 5: Cyber Security in Transportation

• Most of those systems are vulnerable to cyber attacks since most are not totally disconnected

• Some are prone to physical access or even Radio data link or Cellular (Watch Tower, Black Box etc)

• Maintenance, firmware and software upgrades

• And the list gets even longer

• Manifestation Impact – a vulnerability cascading effect reaching other systems & services

• One must ensure the Confidentiality (not necessarily security classified information), the Availability and the Integrity of information in ICT systems

Areas of Compromise

6

Page 6: Cyber Security in Transportation

• Expanding the scope from focusing only on external hostile threats to miscellaneous general external and internal threats – caused deliberately and accidentally, technical failures and natural disasters

  • For instance: Avionics control system failure in UK following a software upgrade

• Strong emphasis on supposedly peripheral systems that are not defined as critical national infrastructures

  • For instance: LOT airline company cyber attack

My Work Objectives & Tasks

7

Page 7: Cyber Security in Transportation

Aviation Attacks

8

Page 8: Cyber Security in Transportation

• On June 21st operations were disrupted at Warsaw Chopin Airport by what LOT Polish Airlines said was a cyberattack on flight-planning computers. 10 LOT flights were canceled and some 15 others were grounded for several hours, affecting roughly 1,400 passengers

LOT Airline Cyber Attack

9

Page 9: Cyber Security in Transportation

• U.S. aviation regulators and industry officials have begun developing comprehensive cybersecurity protections for aircraft, seeking to cover everything from the largest commercial jetliners to small private planes

LOT Airline Cyber Attack

10

Page 10: Cyber Security in Transportation

• On July 8th 2015 – United Airlines issued a statement saying it suffered from “a network connectivity issue” – 4,900 flights were impacted by the problem worldwide

United Airline vulnerabilities

11

Page 11: Cyber Security in Transportation

• On July 15th 2015 – United Airlines gave a 1 million miles bug bounty to a security researcher who found remote-execution, XSS and CSRF bugs in the airline's mobile app & website, enabling private information disclosure and exploits

United Airline vulnerabilities

12

Page 12: Cyber Security in Transportation

• On August 17th 2015 – the United Airlines frequent flyer app was hacked, revealing passengers' private information – Yosi Dahan (whitehat hacker)

United Airline vulnerabilities

13

Page 13: Cyber Security in Transportation

Public Transport Attack

14

Page 14: Cyber Security in Transportation

Once in the system, they disconnected signal control boxes at four intersections and locked out anyone else from being able to fix the problem

"So for four days in this major city, the traffic lights would just blink and go from color to color"

A large US city locked in labor negotiations with union employees was hit by two employees who helped build the traffic control system for the organization in protest of the proceedings. Even though the city had pre-emptively disabled union employee access to systems due to concerns of potential sabotage, these two insiders managed to gain control of the system due to a supervisor previously sharing his credentials.

Dawn Cappelli, principal engineer at CERT

Insiders using authorized access

18

Page 15: Cyber Security in Transportation

Vehicle Attack

16

Page 16: Cyber Security in Transportation

• Two researchers from the US:

  • Charlie Miller

  • Chris Valasek

• Working diligently since 2010 on DARPA funding

• VIDEO DEMO

Hacking Chrysler Jeep Remotely

17

Page 17: Cyber Security in Transportation

• Controller Area Network (CAN)

• Developed by Bosch 1983-86 for automobile in-vehicle network

• Multi-drop, Multi-master serial bus providing communication between controllers, sensor and actuators

• Highly reliable and robust, well proven technology

• Inexpensive

• First car: BMW series 8 – 1988

• 100% of cars since 2008 use CAN bus

CAN Bus Quick Intro

18

Page 18: Cyber Security in Transportation

• Until CAN Bus – vehicles contained enormous amounts of wiring that was necessary to interconnect all the various electronic components

CAN Bus Quick Intro

19

Page 19: Cyber Security in Transportation

• CAN Bus reduced wiring by over 2 km and weight by over 50 kg

CAN Bus Quick Intro

20

Page 20: Cyber Security in Transportation

• International Standard ISO 11898

  • ISO 11898-2 High speed application – 1 Mbps

  • ISO 11898-3 Low speed application – 125 Kbps

• CAN is being used widely in other applications:

• Automotive

• Military vehicles

• Industrial machinery

• Medical systems

• Agricultural machinery

• Marine control and navigation

• Elevator control systems

CAN Bus Quick Intro

21

Page 21: Cyber Security in Transportation

• Network Layered Model

CAN Bus – based on OSI model

22

[Figure: CAN layers mapped to the OSI model. Labels:]

• Partially implemented by higher-level CAN protocols like CANopen, CANaerospace, MilCAN, SAE J1939, ISO 1132 and others

• Standard CAN implementation defines most of the lowest two layers (physical details often specified by higher-layer protocol)

• Bypass used without higher-layer protocols

• User Interface

Page 22: Cyber Security in Transportation

• All messages are broadcast

• Any node is allowed to broadcast a message

• Each message contains an ID that identifies the source or content of a message

• Each receiver decides to process or ignore each message

• Single twisted pair wire terminated on each end

CAN Bus Characteristics

23
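
Because every frame is broadcast, any node may transmit, and the ID describes content rather than an authenticated sender, defenders typically monitor the bus for IDs and timings that deviate from known-good traffic. The following is an added example, not part of the original slides: a small detector over candump-style log lines. The log format, IDs, payloads, timings and the 0.5 tolerance are constructed assumptions.

```python
import re
from collections import defaultdict

# candump -l style line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, can_id, payload_bytes) for each well-formed line."""
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def learn_periods(log):
    """Baseline: mean inter-arrival time per CAN ID in known-good traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in parse(log):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {i: sum(g) / len(g) for i, g in gaps.items()}

def detect(log, periods, tolerance=0.5):
    """Flag IDs absent from the baseline and frames arriving much faster
    than the learned period (a second sender sharing a legitimate ID)."""
    alerts, last = [], {}
    for ts, can_id, _ in parse(log):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last and ts - last[can_id] < periods[can_id] * tolerance:
            alerts.append((ts, can_id, "too-fast"))
        last[can_id] = ts
    return alerts

# Constructed sample traffic (all values are made up for illustration).
BASELINE = """
(100.000) can0 0C9#8021C0071B101000
(100.010) can0 1F5#0A00
(100.100) can0 0C9#8021C0071B101000
(100.110) can0 1F5#0A00
(100.200) can0 0C9#8021C0071B101000
(100.210) can0 1F5#0A00
"""
SUSPECT = """
(200.000) can0 0C9#8021C0071B101000
(200.020) can0 0C9#0000000000000000
(200.100) can0 0C9#8021C0071B101000
(200.105) can0 3E8#DEADBEEF
(200.200) can0 0C9#8021C0071B101000
"""
```
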

Page 23: Cyber Security in Transportation

• Physical medium

CAN Bus Characteristics

24

Page 24: Cyber Security in Transportation

• Oscilloscope – Signal levels (Differential signaling)

CAN Bus Characteristics

25

CAN H

CAN L

Page 25: Cyber Security in Transportation

• Oscilloscope – Signal levels (Differential signaling)

CAN Bus Characteristics

26

Recessive 0 Dominant 0 Recessive 1

Page 26: Cyber Security in Transportation

• Data Frame

  • Used to transmit data

• Remote Frame

  • Used to request data transmission

• Error Frame

  • Sent by a node that detects an error

• Overload Frame

  • Sent by a node to request a delay in transmission

CAN Bus Network Frames

27

Page 27: Cyber Security in Transportation

• Multiple operation sensors

• Alarms & Alerts can be disabled and even used…

CAN Bus Vehicle Platform

28

Page 28: Cyber Security in Transportation

• CAN Bus can be used to access other vehicle systems

CAN Bus & Other Vehicle Platforms

29

Page 29: Cyber Security in Transportation

Chrysler Jeep 2014 Remote Hacking

30

Page 30: Cyber Security in Transportation

• The Jeep Cherokee was chosen due to the fact that the head unit (Radio) is connected to both CAN buses

Chrysler Jeep 2014

31

Page 31: Cyber Security in Transportation

• Adaptive Cruise Control (ACC)

  • assists the driver in keeping the proper distance between themselves and cars ahead of them

• Forward Collision Warning Plus (FCW+)

  • prevents the Jeep from colliding with objects in front of it

Cyber Physical Features

32

Page 32: Cyber Security in Transportation

• Lane Departure Warning (LDW+)

  • examines the lines on the road (i.e. paint) to detect whether the Jeep is leaving the current lane; it will adjust the steering wheel to keep the vehicle in the current lane

Cyber Physical Features

33

Page 33: Cyber Security in Transportation

• Park Assist System (PAM)

  • Permits the driver to effortlessly park the car without much driver interaction in various scenarios, such as parallel parking, backing into a space, etc.

• The PAM technology played a key role in the hack

  • Enabling the use of PAM to steer an automobile at high speed with CAN messages alone

Cyber Physical Features

34

Page 34: Cyber Security in Transportation

• Other vulnerable systems

• Tire Pressure Monitoring System (TPMS)

• Passive Anti-Theft System (PATS)

• Bluetooth

• Radio Data System

• WiFi

• GPS

• HVAC (Heating and Air Conditioning)

• Display

• Knobs

Cyber Physical Features

35

Page 35: Cyber Security in Transportation

• Every piece of technology that interacts with the outside world is a potential entry point

Remote Attack Surface

36

Page 36: Cyber Security in Transportation

• Many modern automobiles contain a cellular radio, generically referred to as a telematics system, used to connect the vehicle to a cellular network, for example GM’s OnStar. The cellular technology can also be used to retrieve data, such as traffic or weather information

• This is the holy grail of automotive attacks (Long Cellular cover)

• On the Jeep, all of these features are controlled by the Radio, which resides on both the CAN-IHS bus and the CAN-C bus

Telematics / Internet / Apps

37

Page 37: Cyber Security in Transportation

• The Uconnect system in the Jeep can communicate over the cellular network using a Sierra Wireless card for remote connectivity

Telematics / Internet / Apps

38

Page 38: Cyber Security in Transportation

• The telematics, Internet, radio, and Apps are all bundled into the Harman Uconnect system that comes with the 2014 Jeep Cherokee

Infotainment

39

Page 39: Cyber Security in Transportation

• The 2014 Jeep Cherokee uses the Uconnect 8.4AN/RA4 radio manufactured by Harman Kardon, with the majority of functionality physically located on a Texas Instruments OMAP-DM3730 system on a chip, which is common within automotive systems

• The system uses the Lua language: a common, powerful, fast, lightweight, embeddable scripting language used in many systems worldwide

Uconnect System

40

Page 40: Cyber Security in Transportation

• As mentioned earlier, the Uconnect system has the ability to interact with both the outside world, via Wi-Fi, Cellular, and BT and with the CAN bus

• The processor responsible for interacting with the Interior High Speed CAN (CAN-IHS) and the primary CAN-C bus is a Renesas V850

CAN Connectivity

41

Page 41: Cyber Security in Transportation

• To hack the V850 chip you need the right tools for the job… which cost the researchers over $6,700, plus a $1800 per year Tech Authority subscription for being able to buy and updates…

CAN Hacking & Connectivity

42

Page 42: Cyber Security in Transportation

• Using the wiTECH tools you are able to see the entire network of the vehicle

Chrysler Jeep

43

Page 43: Cyber Security in Transportation

WiFi Open Ports

44

• Scanning the vehicle exposed WiFi ports reveals many open ports

Page 44: Cyber Security in Transportation

WiFi Open Ports

45

Page 45: Cyber Security in Transportation

• With all of these services, there is a good chance a vulnerability would be present that could allow remote exploitation; port 6667 seems interesting

• This port is D-Bus over IP, which is essentially an inter-process communication (IPC) and remote procedure call (RPC) mechanism used for communication between processes

WiFi Open Ports

46

No Password Needed!!!

Page 46: Cyber Security in Transportation

• Using DFeet (wiTECH tool) to interact with the D-Bus service on the Jeep for methods to start ‘com.harman.service.SoftwareUpdate’ service

D-Bus Software Update

47

Page 47: Cyber Security in Transportation

• Inserting a USB with a valid ISO to the Uconnect begins the updating process

Jailbreak Uconnect

48

Page 48: Cyber Security in Transportation

• So new compromised firmware makes it possible to remotely control the vehicle.

• Even an unsigned firmware can be used to update the system from the head unit

• The problem is that the system is only designed to perform the upgrade from a USB

• This is a big complication for an attacker, since we want to flash the V850 (OMAP chip) without a USB stick…

Software Firmware Upgrade

49

Page 49: Cyber Security in Transportation

• Port 6667 IRC, is bound to all interfaces, therefore D-Bus communications can be performed against the Jeep over the cellular network!

Cellular Exploitation – Remote Update

50
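
A defender-side check for the exposure described on the "WiFi Open Ports" and "Cellular Exploitation" slides (a service listening on every interface), given as an added example that is not from the original slides. It parses a Linux-style /proc/net/tcp listing and reports listeners that are not loopback-only and not on an approved list. The listing format, the little-endian address encoding, the sample rows and the allowlist are assumptions; the slides do not say which OS the head unit runs.

```python
import ipaddress

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

def parse_listeners(proc_net_tcp):
    """Return (ip, port) for every listening IPv4 socket in /proc/net/tcp text."""
    out = []
    for line in proc_net_tcp.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        local, state = fields[1], fields[3]
        if state != LISTEN:
            continue
        hex_ip, hex_port = local.split(":")
        # Assumption: little-endian host, so the address bytes are reversed.
        ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
        out.append((str(ip), int(hex_port, 16)))
    return out

def exposed(listeners, allowed_ports=frozenset()):
    """Listeners reachable from other hosts (not loopback) that nobody approved."""
    return sorted(
        (ip, port) for ip, port in listeners
        if not ipaddress.ip_address(ip).is_loopback and port not in allowed_ports
    )

# Constructed sample: port 0x1A0B is 6667, bound to 0.0.0.0 (all interfaces).
SAMPLE = """
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00000A:1A0B 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

if __name__ == "__main__":
    for ip, port in exposed(parse_listeners(SAMPLE), allowed_ports={22}):
        print(f"unapproved listener on {ip}:{port}")
```

The fix on a real system is to bind internal IPC services to loopback or a local socket and to require authentication; this check only confirms that the binding matches that intent.
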

Page 50: Cyber Security in Transportation

• A femtocell was used to enable the vehicle to connect to the hacker – a miniature cell tower (provided to customers with bad reception in their residence). The device can also be used to intercept cellular traffic and can be modified to an attacker’s specifications

Femtocell

51

Page 51: Cyber Security in Transportation

• Scanning port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8. Anything that responds is a vulnerable Uconnect system

Scanning for vulnerable vehicles

52

Page 52: Cyber Security in Transportation

• The D-Bus service on port 6667 running on the Uconnect system is susceptible to command injection vulnerabilities

• Utilizing the ‘NavTrailService’ where code is implemented in ‘/service/platform/nav/navTrailService.lua’

• Unbelievably, the service includes an ‘execute’ method which is designed to execute arbitrary shell commands!!!

Gaining Code Execution

53

Page 53: Cyber Security in Transportation

• Running arbitrary code on the head unit (OMAP chip) within the Uconnect system enables running various LUA scripts that can be used to affect the vehicle

• This gives the hackers the possibility to remotely control the 2014 Jeep Cherokee – even when a person is inside the vehicle

Uconnect Attack Payloads

54

Page 54: Cyber Security in Transportation

• Identify target

• Exploit the OMAP chip of the head unit

• Control the Uconnect System

• Flash the v850 with modified firmware remotely

• Perform cyber physical actions

Summary - The entire exploit chain

55

Page 55: Cyber Security in Transportation

• Manufacturer code – for example: 19

• Manufacturer name – for example: Audi

• Model code – 10

• Model description – 4LB0EL

• Body type – leisure/off-road (SUV)

• Trade name – Q7

• Engine displacement – 4163

• Gross weight – 3065

• Height – 173

• Trim level –

• Horsepower – 350

• Number of doors – 5

• Air conditioning – yes

• Number of airbags – 6

• ABS system – yes

• Automatic transmission – yes

• Sunroof –

• Year – 2007

Free Data available in Israel from 2008

56

• License fee group – 7

• Registration instructions – 06-0526

• Total registered – 3

• Active registered – 3

• Drive – 4X4

• Power steering – yes

• Power windows – 4

• Magnesium wheels – yes

• Fuel type – gasoline

• Cargo box –

• Stability control – yes

• Hybrid –

• Number of seats – 7

• Towing capacity –

• Pollution group –

• Standards compliance –

• Lane departure control –

• Forward distance monitoring –

• Blind spot detection –

• Adaptive cruise control –

• Pedestrian detection –

• Brake assist system –

• Reversing camera –

• Tire pressure sensors –

• Seat belt sensors –

• Safety score –

• Safety equipment level –

• Automatic lighting –

• Automatic high-beam control –

• Dangerous approach detection –

• Traffic sign recognition –

Page 56: Cyber Security in Transportation

https://www.blackhat.com/us-15/briefings.html#remote-exploitation-of-an-unaltered-passenger-vehicle

http://illmatics.com/Remote%20Car%20Hacking.pdf

57

Further Reading

Page 57: Cyber Security in Transportation

Questions ?

58