tinfoil attack
play

Tinfoil attack A study on the security threats and weaknesses of - PowerPoint PPT Presentation

Jun 11, 2023 •227 likes •440 views

Tinfoil attack A study on the security threats and weaknesses of GSM-based communication in BMW cars Thijs Houtenbos Jurgen Kloosterman thijs.houtenbos@os3.nl jurgen.kloosterman@os3.nl February 7, 2013 Thijs Houtenbos, Jurgen Kloosterman

  1. Tinfoil attack A study on the security threats and weaknesses of GSM-based communication in BMW cars Thijs Houtenbos Jurgen Kloosterman thijs.houtenbos@os3.nl jurgen.kloosterman@os3.nl February 7, 2013 Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  2. Introduction Evolution of cars Mobile communication eCall What security threats are introduced by connecting cars by means of a GSM-module to the Internet and can weaknesses be identified in the implementation in a 2011 BMW 5 Series? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  3. Research target Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  4. Background - ConnectedDrive in the Netherlands Convenience Entertainment Safety Google local search News Manual S.O.S call Information request Weather Automatic S.O.S call MyInfo My news Send-to-car Buienradar Country information Office BMW Routes BMW Internet Streetview. Ski sites Snapshots Webcams Table : Overview of ConnectedDrive services Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  5. GSM in a nutshell Network identified by two numbers (MCC/MNC) and a name Pre-shared key between provider and SIM-card for encryption Network dictates all security parameters Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  6. Software used for test network Open-source software from the Osmocom project 1 nanoBTS Radio interface OpenBSC Operator systems OsmoSGSN Data connectivity in the network OpenGGSN Exit point for the data 1 http://osmocom.org/ Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  7. Connectivity in the car Combox responsible for IVI and connectivity Difficult to remove if you are not a BMW mechanic Sticker on one of its sides contains some details we wanted Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  8. Connectivity in the car Initially it was assumed that the provider was Vodafone DE as SIM-number often match the MNC Later the IMSI-number revealed the provider to be T-Mobile The combox supports the 850, 900, 1800 and 1900MHz frequencies with support for GPRS and EDGE network types Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  9. Research - Connection Biggest challenge was to let the car connect to test network Three attempts needed before result: Power (fuses, battery, connector) 1 Block radio spectrum (jammer) 2 Tinfoil (Faraday cage) 3 Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  10. Research - Connection Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  11. Research - Connection Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  12. Research - Traffic inspection Traffic between the combox and manufacturer systems is sent with HTTP through a proxy Basic authentication is used to authenticate to proxy The traffic is compressed to decrease transfer times Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  13. Research - Browser Car browser is Access NetFront User-Agent identifies as Mozilla Firefox 3.5 on Windows 7 X-Forwarded-For header by proxy reveals internal IP-addresses 16-bit range registered with BMW AG, but not advertised on public Internet. Subnet for cars? Setup own proxy on their proxy IP to let the browser connect to Internet via us Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  14. Research - Registration Registration at manufacturer with VIN-number Includes own IP and a port accepting connections Used to remotely activate services? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  15. Research - Provisioning Provisioning service in the car requests XML-file with settings Contains server addresses with port numbers, usernames, passwords and telephone numbers Special APN name with login details Used by the car to directly connect to the manufacturer? The provisioning information is sent compressed but unencrypted. Signed? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  16. Research - Provisioning Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  17. Research - Applications News, weather, sports, etc Requested at special server but just HTML Again, no encryption just compression Setup own webserver with edited news feed and redirected proxy requests Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  18. Research - Applications Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  19. Conclusion What security threats are introduced by connecting cars by means of a GSM-module to the Internet and can weaknesses be identified in the implementation in a 2011 BMW 5 Series? The interesting features are not yet available in NL :( Easy to take over network in theory, a lot harder in practice No security found in the current systems, but impact is limited Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  20. Questions Thank for your presence. Are there any questions? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

Recommend

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University of Minnesota, Morris April 30, 2015 1 / 45 Have you used NFC? Note: The communication standard used in UCard was not verifjed 2 / 45 1 meter

1.56k views • 121 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

December 7-8, 2001, Beverly Hills, CA. Corporation, at the Surround 2001 International Conference and Technology Showcase, .E., President of Acoustic Sciences Transcript of a seminar presented by Arthur Noxon P ASCs 5.1 Surround ATTACK Wall

243 views • 6 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation! At least two aspects Target payloads Attack origins Future? arenas Attack Payloads Buffer overflow Format strings

535 views • 18 slides
Introduction Attack Graphs Model Creation Analysis of Attack Graphs

Introduction Attack Graphs Model Creation Analysis of Attack Graphs

EVA Evolutionary Vulnerability Analyzer A Framework for Network Analysis and Risk Assessment Dr. Melissa Danforth Department of Computer Science California State University, Bakersfield Introduction Attack Graphs Model Creation

684 views • 50 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab, Carnegie Mellon University May 20 2013 Old: DDoS Attacks against Single Servers typical attack : floods server with HTTP, UDP, SYN, ICMP packets

613 views • 28 slides
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

1.14k views • 63 slides
Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to

Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to

Sybil Detection Using Latent Network Structure Grant Schoenebeck, Aaron Snook, Fang-Yi Yu Sybil Attack An attack to compromise a recommendation systems by forging identities. Recommendation System How is that restaurant? Bad Good Good

880 views • 29 slides
Protocol Attacks What is a protocol attack? How does it work? Different types of

Protocol Attacks What is a protocol attack? How does it work? Different types of

Outline : Part 1 Introduction Protocol Attacks What is a protocol attack? How does it work? Different types of protocol attack By Sushant Rewaskar Introduction: Types of attacks What is a protocol attack? Buffer overflow

518 views • 13 slides
On Attacking S tatistical S pam Filters Greg Wittel & S . Felix Wu U.C. Davis CEAS 2004

On Attacking S tatistical S pam Filters Greg Wittel & S . Felix Wu U.C. Davis CEAS 2004

On Attacking S tatistical S pam Filters Greg Wittel & S . Felix Wu U.C. Davis CEAS 2004 1 Outline Introduction Attack Classes Testing A New Attack Conclusions & Future 2 Attack Classes Attempted attack

392 views • 21 slides
Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py

Py SPP attack Improving on the attack Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the Art in Stream Ciphers 2006 Py SPP attack Improving on the attack Py eSTREAM entrant by Eli Biham and Jennifer Seberry Fast in

870 views • 38 slides
Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU

Template Attack vs. Bayes Classifier Template Attack vs. Bayes Classifier Stjepan Picek 1 Annelie Heuser 2 Sylvain Guilley 2 1 KU Leuven, Belgium 2 TELECOM-ParisTech, Paris, France PROOFS, Santa Barbara August 20, 2016 1 / 32 Template Attack

701 views • 36 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides

More recommend