+ Who Killed My Parked Car? Faculty: Kang G. Shin. Grad students: Kyong-Tak Cho, Arun Ganesan, Daniel Chen, Mert Pese. The University of Michigan
+ Vehicle Cyber Attacks: Security Risks! • Remote Access Points • In-Vehicle Networks
+ Vehicle Cyber Attacks. Source: K. Koscher et al., “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10
+ Attacks Possible/Effective on Parked Cars? With the ignition ON, attacks on Integrity/Authenticity/… and Availability have been shown: • Koscher et al. [S&P’10] • Checkoway et al. [USENIX Sec’13] • Miller et al. [Defcon’13, BlackHat’14, BlackHat’15] • Cho and Shin [CCS’16] • Cho and Shin [USENIX’15, CCS’17] • … With the ignition OFF: ? Is it even possible/effective to attack a vehicle when its ignition is OFF?
+ Waking up ECUs. “Sleep Mode”: • Extremely low current (µA) • Can be awakened!!! References: hollisbrothersauto; Lexus
+ CAN Transceivers with Wake-up
+ Standardized Wake-up
+ Battery life… Terminal 30 ECUs’ consumption in Sleep Mode: 30mA. Max. # days in Sleep Mode: 41 days. “Can an attacker increase this power consumption?”
+ Threat Model • An adversary has remote access to the CAN bus and can control: Telematic Units (these are considered to be the most “vulnerable” ones!) or OBD-II devices (some have an external power supply, e.g., a battery)
+ Two Novel (Immobilization) Attacks • Battery Drain Attack • Denial-of-Body control Attack
+ Attack 1: Battery Drain Attack • Bus wake-up via simple signal patterns? Inject a CAN message! Zzzz… GOOD! • Fast “standardized” wake-up mechanism needed? EVEN BETTER! • How can the attacker drain the vehicle battery?
+ Battery Drain Attack: Experiment on a 2017 year-model car. Setup: Car Battery, Vehicle, Multimeter, Laptop
+ Battery Drain Attack
Control | Drained Current | Max #days with ignition off*
(None) | 12.2mA | 30.7 days
“Parasitic Drain” threshold: 30mA
Wake up HSCAN, MSCAN | 40mA | 12.5 days
Change power mode | 75mA | 8.3 days
Unlock/lock driver’s door | 100mA | 5 days
Open trunk | 150mA | 3.3 days
* 60Ah battery, Min. SoC for cold start: 50% (worst case), Usual SoC: 70%
+ Battery Drain Attack. In our 2017 year-model test vehicle, when attempting to wake up ECUs…
+ Battery Drain Attack
+ Battery Drain Attack. While the ignition is off…
Control | Drained Current | Max #days with ignition off*
(None) | 12.2mA | 30.7 days
“Parasitic Drain” threshold: 30mA
Wake up ECUs | 42.0mA | 8.92 days
Change power mode | 74.5mA | 5.02 days
Unlock/lock driver’s door | 101.1mA | 3.7 days
Open trunk | 153.3mA | 2.44 days
* 60Ah battery, Min. SoC for cold start: 50% (worst case), Usual SoC: 70%
+ Driver-context-based Reverse Engineering • Q. How do we know which message ID to use in order to control such functions? => Driver-Context-Based Reverse Engineering. What do people normally do before starting their car? Probably… 1) Open the door 2) Start the car (change in power mode…) 3) Or perhaps… open the trunk!
+ Driver-context-based Reverse Engineering • Q. How do we know which message ID to use in order to control such functions? => Driver-Context-Based Reverse Engineering. Compare traffic! [Ignition OFF] CAN traffic (~30 msgs) vs. [Ignition ON] CAN traffic (~60 msgs)
+ Battery Drain Attack. In other vehicles… 2008–2017 model-year (compact and mid-size) sedans, coupe, crossover, PHEV (Plug-in Hybrid Electric Vehicle), SUVs, truck, and an electric vehicle
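The ignition-OFF vs. ignition-ON traffic comparison from the slide, as an added example that is not part of the original deck: a set difference of arbitration IDs, with the same OFF-state baseline reused from a defender's side to flag frames that should not be on the bus while the car is parked. All IDs, payloads, timestamps and the sleep timeout are constructed for illustration.

```python
# Added example (not from the slides): ignition-OFF vs ignition-ON traffic
# comparison as a set difference of arbitration IDs, and the OFF-state
# baseline reused to flag frames that should not appear on a parked car.
# All IDs, payloads and timestamps below are constructed for illustration.

# Constructed captures: (timestamp_s, arbitration_id, payload)
IGNITION_OFF_CAPTURE = [
    (0.00, 0x3B3, b"\x00\x01"),
    (0.25, 0x2F4, b"\x10"),
    (0.50, 0x3B3, b"\x00\x01"),
]
IGNITION_ON_CAPTURE = [
    (0.00, 0x3B3, b"\x00\x01"),
    (0.02, 0x2F4, b"\x10"),
    (0.05, 0x0C8, b"\x02\x00"),    # constructed: only seen with ignition ON
    (0.10, 0x3B3, b"\x00\x01"),
    (0.11, 0x17A, b"\xff"),        # constructed: only seen with ignition ON
]

def ids_in(capture):
    """Distinct arbitration IDs in a capture."""
    return {arb_id for _, arb_id, _ in capture}

def context_diff(off_capture, on_capture):
    """IDs present only in the ignition-ON traffic: the candidates tied to the
    driver actions (door, power mode, trunk) taken between the two captures."""
    return ids_in(on_capture) - ids_in(off_capture)

def parked_car_alerts(off_baseline_ids, live_capture, quiet_after_s):
    """Defender view of the same baseline: with the ignition OFF, flag (a) any
    ID outside the sleep-state baseline and (b) any traffic at all once the
    ECUs should have gone to sleep (`quiet_after_s` seconds after key-off)."""
    alerts = []
    for t, arb_id, _ in live_capture:
        if arb_id not in off_baseline_ids:
            alerts.append((t, arb_id, "id not in ignition-off baseline"))
        elif t > quiet_after_s:
            alerts.append((t, arb_id, "bus awake past expected sleep time"))
    return alerts
```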
+ Some Example Vehicles
+ Attack 2: Denial-of-Body control Attack. RFA, BCM: “Remote Keyless Entry (RKE) System”
+ CAN Protocol: Error Handling. Error Active --(TEC > 127 or REC > 127)--> Error Passive; Error Passive --(TEC ≤ 127 and REC ≤ 127)--> Error Active; Error Passive --(TEC > 255)--> Bus Off; Bus Off --(Reset, Auto/Manual)--> Error Active. Bus Off: • Disconnection from bus • Shutdown of entire system
+ CAN Protocol: Error Handling. ISO 11898: “A node can start the recovery from bus-off state only upon a user request.” => Depends on the Software Config.
+ Denial-of-Body control (BoD) Attack • One simple procedure (of many others…) 1. Wait for all ECUs to go to sleep after ignition is OFF 2. Wake up ECUs 3. Change bit rate (e.g., 500kbps -> 250kbps) • Consequence 1. All awakened ECUs on the bus continuously experience and incur errors 2. All enter the bus-off state, i.e., shut down 3. Depending on the software configuration, some ECUs recover from the bus-off state whereas some don’t…
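The fault-confinement state machine and the recovery-policy point of the three slides above, as an added example that is not from the original deck: a simplified Python model of the ISO 11898 states (Error Active / Error Passive / Bus Off) driven by the TEC/REC counters, with auto versus user-requested bus-off recovery. Node names, the `auto_recover` flag and the sustained-error scenario are assumptions for illustration.

```python
# Added example (not from the slides): a simplified model of the ISO 11898
# fault-confinement states (Error Active / Error Passive / Bus Off) driven by the
# TEC/REC counters, plus the two bus-off recovery policies the slides contrast.
# Counter steps are the standard's common case (+8 per detected error, -1 per
# successful frame); node names and the auto_recover flag are assumptions.
from dataclasses import dataclass

ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error_active", "error_passive", "bus_off"

@dataclass
class CanNode:
    name: str
    auto_recover: bool            # True: leaves bus-off without a user request
    tec: int = 0                  # transmit error counter
    rec: int = 0                  # receive error counter
    state: str = ERROR_ACTIVE

    def _update_state(self):
        if self.tec > 255:                         # bus-off is driven by TEC only
            self.state = BUS_OFF
        elif self.tec > 127 or self.rec > 127:
            self.state = ERROR_PASSIVE
        else:
            self.state = ERROR_ACTIVE

    def transmit_error(self):
        if self.state != BUS_OFF:
            self.tec += 8
            self._update_state()

    def successful_frame(self):
        if self.state != BUS_OFF:
            self.tec, self.rec = max(self.tec - 1, 0), max(self.rec - 1, 0)
            self._update_state()

    def try_recover(self, user_request=False):
        """Leave bus-off only if the software policy allows it (auto) or the
        application explicitly requests it, as ISO 11898 describes."""
        if self.state == BUS_OFF and (self.auto_recover or user_request):
            self.tec = self.rec = 0
            self._update_state()
        return self.state

def sustained_bus_errors(nodes, frames):
    """Every awake node sees an error on each of `frames` frames (what a
    bit-rate mismatch on the bus causes); returns each node's resulting state."""
    for _ in range(frames):
        for n in nodes:
            n.transmit_error()
    return {n.name: n.state for n in nodes}
```

After 16 consecutive errors a node is error-passive (TEC 128) and a single good frame brings it back to error-active; after 32 it is bus-off, and only the `auto_recover` node comes back without an explicit request.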
+ Denial-of-Body control (BoD) Attack. In our 2017 year-model test vehicle, the RCM (Remote Control Module) did not recover from the bus-off, i.e., it remained shut down, most probably due to its distinct recovery policy configuration (perhaps for anti-theft/engine-immobilizer purposes).
+ Denial-of-Body control (BoD) Attack • Symptoms 1) Remote key does not work (even when attempting with its RFID) 2) Door cannot be opened 3) Trunk does not open/close • Problems… 1) Vehicle owners won’t even know what happened 2) They cannot even start the car 3) Maybe the car has to be towed 4) Order a new key fob
+ Denial-of-Body Attack. Not even injecting any msg right now… The key was with us inside the car!
+ Conclusion • Wake-up function is there for the attacker to use, and it is too easy/simple… • Vehicle ECUs can not only be “awakened” but also be “controlled/attacked” while the ignition is off… • State-of-the-art defense schemes do not consider such a possibility • Possibility of “immobilizing” or shutting down an ECU “forever(?)”
+ Thank you!