It's Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack - PowerPoint PPT Presentation

  1. It’s Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi

  2. $whoami
     Stefano Longari is a PhD student at Politecnico di Milano; his research focuses on automotive on-board security.
     Stefano Zanero is an associate professor at Politecnico di Milano and has over 20 years of experience in the security field. He has founded a security services company that delivers security assessment services worldwide.
     26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  3. Controller Area Network: de-facto standard in the automotive world

  4. Is CAN key to automotive attacks?

  5. What weaknesses are commonly abused?
     [Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module sharing one CAN bus (CANH/CANL, 120Ω termination at each end)]
     ● Broadcast
     ● Frame injection
     ● Unauthenticated

  6. Can we detect these attacks?

  7. How do automotive IDS work? Industrial secret, however we can make an educated guess at some methods
     ● Frequency based
       ○ CAN messages are usually periodic
     ● Specification based
       ○ Set rules for the data field of the message
       ○ Potentially dynamic depending on message history
     ● Machine Learning based
       ○ Generally similar to specification based ones
       ○ Mainly academic

  8. How to evade an automotive IDS
     ● Specification based: comply with the rules
     ● Frequency based: comply with the frequency
     ● ML based: different forms of mimicry attacks

  9. The perfect crime: what if we manipulate/substitute a real frame?
     ● Specification based: comply with the rules
     ● Frequency based: comply with the frequency
     ● ML based: different forms of mimicry attacks

  10. How could you possibly do that?
     [Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus (CANH/CANL, 120Ω termination at each end)]

  11. CAN specs overview
     [Diagram: inside an ECU, the µcontroller feeds a CAN controller, which is connected over TXD/RXD to a CAN transceiver; the transceiver drives CANH/CANL on the bus shared with the Engine Control Module and Body Control Module, terminated with 120Ω at each end]

  12. CAN specs overview: the µcontroller creates the data frames to be sent
     [Same diagram as slide 11, µcontroller highlighted]

  13. CAN specs overview: the CAN controller implements the CAN specifications and handles errors
     [Same diagram as slide 11, CAN controller highlighted]

  14. CAN specs overview: the CAN transceiver translates digital bits into CAN compliant electrical signals
     [Same diagram as slide 11, CAN transceiver highlighted]

  15. Data frames
     [Figure: CAN data frame layout]

  16. CAN bus values
     [Figure: CANH/CANL voltage levels (5V, 2,5V, 0V) plotted over the bit sequence 0 1 0 1 1 0 0 1 1 1 0 1 1 0 0 0]

  17. Dominant beats recessive - arbitration
     [Diagram: ECU1, ECU2 and ECU3 start transmitting at the same time; ECU1 and ECU2 lose arbitration and ECU3 keeps the bus (time on the horizontal axis)]

  18. CAN error handling
     [Diagram: µcontroller, CAN controller (TXD/RXD) and CAN transceiver on CANH/CANL, with a CAN Error Frame on the bus]
     Reasons for a CAN error frame:
     ● Transceiver fail
     ● CRC computation error
     ● Channel noise
     ● Faulty device
     ● ...

  19. CAN fault confinement
     ERROR ACTIVE: can send error active flags “000000”

  20. CAN fault confinement
     ERROR ACTIVE: can send error active flags “000000”
     ERROR PASSIVE: can send error passive flags “111111”
     ERROR ACTIVE → ERROR PASSIVE when counter > 127; back to ERROR ACTIVE on reset or when counter < 128

  21. CAN fault confinement
     ERROR ACTIVE: can send error active flags “000000”
     ERROR PASSIVE: can send error passive flags “111111”
     BUS OFF: shuts itself off the bus
     ERROR ACTIVE → ERROR PASSIVE when counter > 127; back to ERROR ACTIVE on reset or when counter < 128
     ERROR PASSIVE → BUS OFF when counter > 255; back to ERROR ACTIVE on reset or after detecting 11 sequential “1” x128 bit times

  22. How do we exploit this? How do we convince the target ECU to kick itself off the network?
     [Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus, 120Ω termination at each end]

  23. How do we exploit this? For example like this: 0 overwrites 1.
     [Diagram: µcontroller, CAN controller (TXD/RXD) and CAN transceiver on CANH/CANL; a CAN Error Frame follows a dominant 0 written over a recessive 1]

  24. How do we exploit this? The attacker can write that 0 over a 1. We just deleted the packet.
     [Diagram: µcontroller, CAN controller (TXD/RXD) and CAN transceiver, CAN Error Frame on the bus]

  25. Steps
     1) Discover the ID of the victim (e.g., reverse engineer the CAN IDs of an identical vehicle)
     2) Detect the ID of the victim on the bus
     3) Find a “1” (recessive) bit in the packet
     4) Overwrite it with a 0
     5) Repeat 32 consecutive times

  26. Steps
     1) Discover the ID of the victim (e.g., read all IDs passing on the bus)
     2) Detect the ID of the victim on the bus
     3) Find a “1” (recessive) bit in the packet
     4) Overwrite it with a 0
     5) Repeat 32 consecutive times

  27. Steps
     1) Discover the ID of the victim
     2) Detect the ID of the victim on the bus
     3) Find a “1” (recessive) bit in the packet (the CRC delimiter is “1” by design)
     4) Overwrite it with a 0
     5) Repeat 32 consecutive times

  28. Steps
     1) Discover the ID of the victim
     2) Detect the ID of the victim on the bus
     3) Find a “1” (recessive) bit in the packet
     4) Overwrite it with a 0 (this triggers an error generated by the victim)
     5) Repeat 32 consecutive times

  29. Steps
     1) Discover the ID of the victim
     2) Detect the ID of the victim on the bus
     3) Find a “1” (recessive) bit in the packet
     4) Overwrite it with a 0
     5) Repeat 32 consecutive times (this kind of error adds +8 to the counter of the victim: 8x32 = 256)
     Error Active → (counter > 127) → Error Passive → (counter > 255) → Bus Off
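To make the fault-confinement rules of slides 19-21 and the counter arithmetic of slide 29 concrete, here is an added model of the victim's transmit error counter (example code written for this page, not the authors' proof of concept). The +8 penalty, the 127/255 thresholds and the 128 x 11-recessive-bit recovery come from the slides; the -1 on a successful transmission is the ISO 11898-1 rule and is assumed here, since the slides' own list of counter rules is not reproduced on this page.

```python
from dataclasses import dataclass
ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "ERROR_ACTIVE", "ERROR_PASSIVE", "BUS_OFF"
BIT_ERROR_PENALTY = 8        # slide 29: this kind of error adds +8 to the victim's counter
PASSIVE_THRESHOLD = 127      # slide 20: counter > 127 -> Error Passive
BUS_OFF_THRESHOLD = 255      # slide 21: counter > 255 -> Bus Off
RECOVERY_IDLE_PERIODS = 128  # slide 21: 11 sequential recessive bits x 128 to come back

@dataclass
class CanNode:
    tec: int = 0               # transmit error counter of this (victim) node
    state: str = ERROR_ACTIVE
    idle_periods: int = 0      # 11-recessive-bit periods seen while Bus Off

    def _update_state(self):
        # Thresholds from slides 20-21; dropping back below 128 returns to Error Active.
        self.state = (BUS_OFF if self.tec > BUS_OFF_THRESHOLD else
                      ERROR_PASSIVE if self.tec > PASSIVE_THRESHOLD else ERROR_ACTIVE)

    def transmit_error(self, penalty=BIT_ERROR_PENALTY):
        """One of the node's own recessive bits was read back as dominant (slide 28)."""
        if self.state != BUS_OFF:  # a Bus Off node no longer transmits
            self.tec += penalty
            self._update_state()

    def transmit_ok(self):
        """Successful transmission: -1 (ISO 11898-1 rule, assumed here; not on the slides)."""
        if self.state != BUS_OFF and self.tec > 0:
            self.tec -= 1
            self._update_state()

    def bus_idle_period(self):
        """Recovery: 128 periods of 11 recessive bits put the node back to Error Active."""
        if self.state == BUS_OFF:
            self.idle_periods += 1
            if self.idle_periods >= RECOVERY_IDLE_PERIODS:
                self.tec, self.idle_periods = 0, 0
                self._update_state()

def errors_until_bus_off(ok_between=0):
    """Errors needed for Bus Off when the victim gets ok_between good frames through
    between consecutive errors; returns (errors, error index at which Passive began)."""
    node, errors, first_passive = CanNode(), 0, None
    while node.state != BUS_OFF:
        node.transmit_error()
        errors += 1
        if first_passive is None and node.state == ERROR_PASSIVE:
            first_passive = errors
        for _ in range(ok_between):
            node.transmit_ok()
    return errors, first_passive
```

`errors_until_bus_off()` returns (32, 16), matching 8x32 = 256 on slide 29, while `errors_until_bus_off(1)` returns (37, 19): every good frame the victim gets through between errors pushes Bus Off further away, which is why step 5 says "consecutive". A defender reading the bus can apply the same counter model to each ID to estimate when a node should have gone Bus Off, and flag frames with that ID that keep appearing afterwards.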

  30. Proof of Concept Implementation

  31. Testbed Experiment

  32. Proof of Concept Implementation

  33. Alfa Giulietta Exploited

  34. Alfa Giulietta Exploited

  35. Alfa Giulietta Exploited: https://is.gd/candos

  36. Is it preventable? Not really…
     - Based on the protocol specs
     - Hard to retrieve logs to distinguish between real failures and attacks

  37. Attack scenarios: Denial of Service for the sake of Denial of Service (e.g. ransomware)
     [Diagram: Keyless Ignition Module sends “Turn On!” over the CAN bus (120Ω termination at each end); the Engine Control Module answers “Nope!”]

  38. Attack scenarios: detection avoidance for spoofing attacks
     - Shut down the victim ECU
     - Send spoofed data

  39. Can we detect the DoS? We can read data from the bus. We can detect the attacker once he tries to spoof data after the DoS.
     [Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus (CANH/CANL, 120Ω termination at each end)]

  40. We need to study more CAN specs! :( List of rules that change the counters:

  41. Not all of them... List of rules that change the counters:
