who killed my parked car faculty kang g shin grad
play

+ Who Killed My Parked Car? Faculty: Kang G. Shin Grad students: - PowerPoint PPT Presentation

Dec 13, 2023 •230 likes •589 views

+ Who Killed My Parked Car? Faculty: Kang G. Shin Grad students: Kyong-Tak Cho, Arun Ganesan, Daniel Chen, Mert Pese The University of Michigan + Vehicle Cyber Attacks Security Ris ks! Remote Acces s Points In-Vehicle Networks + Vehicle

  1. + Who Killed My Parked Car? � Faculty: Kang G. Shin Grad students: Kyong-Tak Cho, Arun Ganesan, Daniel Chen, Mert Pese The University of Michigan

  2. + Vehicle Cyber Attacks Security Ris ks! Remote Acces s Points In-Vehicle Networks

  3. + Vehicle Cyber Attacks Source: K. Koscher et al , “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10

  4. + Attacks Possible/Effective on Parked Cars? Integrity/Authenticity/… Availability • Koscher et al. [S&P’10] • • Cho and Shin Checkoway et al. [USENIX Sec’ Ignition 13] [CCS’16] ON • • … Miller et al . [Defcon’13, BlackHat’14, BlackHat’15] • Cho and Shin [USENIX’15, CCS’ 17] Is it even possible/effectiv • … ? ? Ignition ? e to OFF attack a vehicle when its ignition is OFF?

  5. + Waking up ECUs Reference: hollisbrothersauto “Sleep Mode” � Extremely low current (u A) � Can be awakened !!! Reference: Lexus

  6. + CAN Transceivers with Wake-up

  7. + Standardized Wake-up

  8. + Standardized Wake-up

  9. + Battery life… Terminal 30 ECUs’ consumption in Sleep Mode: 3 0mA Max. # days in Sleep Mode: 41 days “ Can an attacker increase this power consumption?”

  10. + Threat Model � An adversary has remote access to CAN bus and can control Telematic Units : These are consider OBD-II devices : Some have exter ed to be the most “vulnerable” one! nal power supply, e.g., battery)

  11. + Two Novel (Immobilization) Attacks � Denial-of- Battery Drai Body contro n l Attack Attack

  12. + Attack 1: Battery Drain Attack • Bus wake-up via simple signal patterns? GOO Zzzz….. Inject CAN D! message! • Fast “standardized” wake-up mechanism nee ded? EVEN BETTER! • How can the attacker drain the vehicle batter y?

  13. + Battery Drain Attack Experiment on 2017 Car Battery Year-model Vehicle Multimeter Laptop

  14. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up HSCAN, MSCAN 40mA 12.5 days Change power mode 75mA 8.3 days Unlock/lock driver’s door 100mA 5 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  15. + Battery Drain Attack In our 2017 year-model test vehicle, when attemptin g to wake up ECUs

  16. + Battery Drain Attack

  17. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 75mA 8.3 days Unlock/lock driver’s door 100mA 5 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  18. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 75mA 8.3 days Unlock/lock driver’s door 100mA 5 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  19. + Battery Drain Attack Drained Max #days with Control Current ignition off* While the ignition is off… (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 74.5mA 5.02 days Unlock/lock driver’s door 100mA 5 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  20. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 74.5mA 5.02 days Unlock/lock driver’s door 100mA 5 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  21. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 74.5mA 5.02 days Unlock/lock driver’s door 101.1mA 3.7 days Open trunk 150mA 3.3 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  22. + Battery Drain Attack Drained Max #days with Control Current ignition off* (None) 12.2mA 30.7 days “Parasitic Drain” threshold : 30mA Wake up ECUs 42.0mA 8.92 days Change power mode 74.5mA 5.02 days Unlock/lock driver’s door 101.1mA 3.7 days Open trunk 153.3mA 2.44 days * 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual So C: 70%

  23. + Driver-context-based Reverse Engineering � Q. How do we know which message ID to use in order to control such functions? => Driver-Context-Based Reverse Engineering What do people normally do before starting their car ? Probably… 1) Open the door 2) Start the car (change in power mode…) 3) Or perhaps… open the trunk!

  24. + Driver-context-based Reverse Engineering � Q. How do we know which message ID to use in order to control such functions? => Driver-Context-Based Reverse Engineering Compare traffic! [Ignition OFF] [Ignition ON] CAN traffic CAN traffic (~30 msgs) (~60 msgs)

  25. + Battery Drain Attack In other vehicles… 2008–2017 model-year (compact and mid-size) sedans , coupe, crossover, PHEV (Plug-in Hybrid Electric Veh icle), SUVs, truck, and an electric vehicle

  26. + Some Example Vehicles

  27. + Attack 2: Denial-of-Body control Attack RFA BCM “Remote Keyless Entr y (RKE) System”

  28. + CAN Protocol : Error Handling TEC > 127 (or) REC > 1 27 Error Error P Active assive TEC ≤ 127 (and) REC ≤ 127 Reset TEC > 255 (Auto/Manual) Bus Off • Disconnection from bus • Shutdown of entire system

  29. + CAN Protocol : Error Handling ISO 11898 "A node can start the recovery from bus-off state only upon a user request.” � Depends on the Software Config.

  30. + Denial-of-Body control (BoD) Attack � One simple procedure (of many others…) 1. Wait for all ECUs to go to sleep after ignition is OFF 2. Wake up ECUs 3. Change bit rate (e.g., 500kbps � 250 kbps) � Consequence 1. All awakened ECUs on the bus continuously experience and incur errors 2. All enter the bus-off state, i.e., shut-down 3. Depending on the software configuration, some ECUs recover from the bus-off state whereas some don’t …

  31. + Denial-of-Body control (BoD)Attack In our 2017 year-model test vehicle, RCM (Remote Control Module) did not recov er from the bus-off, i.e., remained shut down most probably due to its distinct recovery polic y configuration (perhaps for anti-theft/engine-i mmobilizer purposes).

  32. + Denial-of-Body control (BoD)Attack � Symptoms Remote key does not work 1) (even attempting with its RFID) Door cannot be opened 2) Trunk does not open/close 3) � Problems… Vehicle owners won’t even know what 1) happened They cannot even start the car 2) Maybe, the car has to be towed 3) Order a new key fob 4)

  33. + Denial-of-Body Attack Not even injecting any msg right no w… The key was with us inside the c ar!

  34. + Conclusion � Wake-up function is there for the attacker to use which is too easy/simple… � Vehicle ECUs can not only be “awakened” but also be “controlled/attacked”, while the ignition is off… � State-of-the-art defense schemes do not consider such a possibility � Possibility of “immobilizing” or shutting down an ECU “forever(?)”

  35. + Thank you!

Recommend

VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin

VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin

VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin Presented by Alokparna Bandyopadhyay Fall 2018, Wayne State University Overview Introduction CAN Message Transmission System and Threat

849 views • 31 slides
Hani Jamjoom MICHIGAN E M M Chun-Ting Chou M M Kang G. Shin M M M M NGINE M

Hani Jamjoom MICHIGAN E M M Chun-Ting Chou M M Kang G. Shin M M M M NGINE M

M M M M M The Impact of Concurrency Gains M M M on the Analysis and Control M M M of Multi-threaded Internet Services M M Hani Jamjoom MICHIGAN E M M Chun-Ting Chou M M Kang G. Shin M M M M NGINE M Electrical

647 views • 23 slides
Continuous Authentication for Voice Assistants Huan Feng * , Kassem Fawaz * , and Kang G. Shin

Continuous Authentication for Voice Assistants Huan Feng * , Kassem Fawaz * , and Kang G. Shin

Continuous Authentication for Voice Assistants Huan Feng * , Kassem Fawaz * , and Kang G. Shin Presented by Anousheh and Omer Overview Introduction/Existing Solutions and Novelty Human Speech Model System and Threat Models

703 views • 41 slides
Location Privacy Protection For Smartphone Users Thanks to Kassem Fawaz and Kang G Shin

Location Privacy Protection For Smartphone Users Thanks to Kassem Fawaz and Kang G Shin

Location Privacy Protection For Smartphone Users Thanks to Kassem Fawaz and Kang G Shin Presented By Sam Ostoich and Erin Geoghan Introduction Problem Threats Related Works Design Philosophy Design Implementation

276 views • 24 slides
PriBots Conversational Privacy with Chatbots Hamza Harkous 1 , Kassem Fawaz 2 , Kang. G. Shin 2 ,

PriBots Conversational Privacy with Chatbots Hamza Harkous 1 , Kassem Fawaz 2 , Kang. G. Shin 2 ,

PriBots Conversational Privacy with Chatbots Hamza Harkous 1 , Kassem Fawaz 2 , Kang. G. Shin 2 , Karl Aberer 1 1 EPFL; 2 University of Michigan Workshop on the Future of Privacy Notices and Indicators, SOUPS 2016 Privacy Notice: Current State 2

708 views • 50 slides
Generation of strong electric fields in an ice film capacitor Sunghwan Shin, Youngsoon Kim,

Generation of strong electric fields in an ice film capacitor Sunghwan Shin, Youngsoon Kim,

Generation of strong electric fields in an ice film capacitor Sunghwan Shin, Youngsoon Kim, Eui-seong Moon, Du Hyeong Lee, Hani Kang, Heon Kang Department of Chemistry, Seoul National University, 1 Gwanak-ro, Seoul 151-747, South Korea THE

293 views • 15 slides
GRAD dcor TM Grad Decor Grad Decor is an online marketplace where people can design their

GRAD dcor TM Grad Decor Grad Decor is an online marketplace where people can design their

GRAD dcor TM Grad Decor Grad Decor is an online marketplace where people can design their own Grad Decal. A Grad Decal is a high quality vinyl product sized perfectly to accommodate a standard graduation cap. On the Grad Decor website you

365 views • 12 slides
Systems S.D. May 10-24 3-11-10 Midterm Presentation Dan Congreve Jay Eggenberger Kang Kang

Systems S.D. May 10-24 3-11-10 Midterm Presentation Dan Congreve Jay Eggenberger Kang Kang

Solar Cells for Total Energy Systems S.D. May 10-24 3-11-10 Midterm Presentation Dan Congreve Jay Eggenberger Kang Kang Madeline Oglesby Kyle Veugeler Faculty Advisor: Dr. Vikram Dalal Project Plan Senior design project Fabricate

400 views • 9 slides
Fingerprinting ECUs for Vehicle Intrusion Detection Kyong-Tak Cho, Kang G. Shin, University of

Fingerprinting ECUs for Vehicle Intrusion Detection Kyong-Tak Cho, Kang G. Shin, University of

Fingerprinting ECUs for Vehicle Intrusion Detection Kyong-Tak Cho, Kang G. Shin, University of Michigan Fingerprinting ECUs for Vehicle Intrusion Detection Kyong-Tak Cho, Kang G. Shin, University of Michigan How To Tell if Your Car is h4xd

291 views • 15 slides
Oscar Lizardi 943 casualties (221 killed, 722 wounded) 13 law enforcement killed 20 law

Oscar Lizardi 943 casualties (221 killed, 722 wounded) 13 law enforcement killed 20 law

Preparation is the key to success Oscar Lizardi 943 casualties (221 killed, 722 wounded) 13 law enforcement killed 20 law enforcement wounded 20 mass killings 50 shooters 13 committed suicide 11 killed by

427 views • 27 slides
Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students

Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students

7/31/20 Novel techniques for ground to space quantum channels IQC @ 2019: 31 faculty 157 Grad students 57 Postdoc 1800+ publications $600M+ funding Thomas Jennewein 13 spin-offs Institute for Quantum Computing & Department of Physics

391 views • 9 slides
Statewide Health Information Network for NY (SHIN-NY) Overview Elizabeth Amato VP, SHIN-NY

Statewide Health Information Network for NY (SHIN-NY) Overview Elizabeth Amato VP, SHIN-NY

Statewide Health Information Network for NY (SHIN-NY) Overview Elizabeth Amato VP, SHIN-NY Programs The SHIN-NY in a Nutshell A secure network for sharing electronic clinical records The SHIN-NY consists of regional RHIOs (also known as

340 views • 19 slides
Faculty Advisor: Dr. Vikram Dalal Kyle Veugeler, Dan Congereve, Jay Eggenberger, Madeline

Faculty Advisor: Dr. Vikram Dalal Kyle Veugeler, Dan Congereve, Jay Eggenberger, Madeline

Faculty Advisor: Dr. Vikram Dalal Kyle Veugeler, Dan Congereve, Jay Eggenberger, Madeline Oglesby, Kang Kang sdmay1042@iastate.edu Department of Electrical and Computer Engineering Iowa State University Ames, IA Abstract A solar total

257 views • 8 slides
Welcome to Tucker Middle School Curriculum Night September 15 th , 2016 Min J. Kang

Welcome to Tucker Middle School Curriculum Night September 15 th , 2016 Min J. Kang

Welcome to Tucker Middle School Curriculum Night September 15 th , 2016 Min J. Kang Orchestra and Interim Band Director 6 th /7 th /8 th Grade 2016-2017 Tucker Middle School A little bit about Ms. Kang Ms. Kang has been a faculty of

188 views • 7 slides
Battambang Province, Cambodia Prof. Dr. Kang Kroesna, Dean of Faculty of Veterinary Medicine,

Battambang Province, Cambodia Prof. Dr. Kang Kroesna, Dean of Faculty of Veterinary Medicine,

Pig feed ingredients and feed cost in Kampong Thom, Siem Reap, and Battambang Province, Cambodia Prof. Dr. Kang Kroesna, Dean of Faculty of Veterinary Medicine, RUA, Cambodia Dr. Joel DeRouchey, Swine Nutritionist, Kansas State University

902 views • 50 slides
Crellvm: Verified Credible Compilation for LLVM Seoul National University (Korea) Jeehoon Kang*

Crellvm: Verified Credible Compilation for LLVM Seoul National University (Korea) Jeehoon Kang*

Crellvm: Verified Credible Compilation for LLVM Seoul National University (Korea) Jeehoon Kang* Yoonseung Kim * Youngju Song* Juneyoung Lee Sanghoon Park Mark Dongyeon Shin Yonghyun Kim Sungkeun Cho Joonwon Choi (MIT) Chung-Kil

978 views • 95 slides
Developi loping ng Proficiency roficiency in in Gr Grad ade e 6 Common on Core re St

Developi loping ng Proficiency roficiency in in Gr Grad ade e 6 Common on Core re St

Developi loping ng Proficiency roficiency in in Gr Grad ade e 6 Common on Core re St Stat atisti istics cs By Kristen en Kent nt & Eb Ebon ony y Hitch ch Faculty ty Mentor: or: Dr. Randa dall ll Groth oth Salisbur

465 views • 15 slides
Authorship in nursing science. Dr Stephen J. OConnor, PhD., MSc., Grad Dip Onc., BSc(Hons),

Authorship in nursing science. Dr Stephen J. OConnor, PhD., MSc., Grad Dip Onc., BSc(Hons),

Authorship in nursing science. Dr Stephen J. OConnor, PhD., MSc., Grad Dip Onc., BSc(Hons), FHEA, RN., Reader, Faculty of Health and Wellbeing, Canterbury Christ Church University. Gr e aus Canterbury! The England Centre for Practice

313 views • 19 slides
DNA Use in Human Identification Forensic cases -- matching suspect with evidence Paternity

DNA Use in Human Identification Forensic cases -- matching suspect with evidence Paternity

The development of reduced size Y chromosomal STR for genotyping of degraded DNA Myung Jin Park a , Hwan Young Lee a , Ji-Eun Yoo a , Ukhee Chung a , Seung-Chul Kang b , Kyoung-Jin Shin a,b , Jong-Hoon Choi a,b , Woo-Ick Yang a,b , Sang-Ho Cho

462 views • 10 slides
* Tim Chapman University of Ulster * Background * Over 3500 people killed in the conflict 1968

* Tim Chapman University of Ulster * Background * Over 3500 people killed in the conflict 1968

* Tim Chapman University of Ulster * Background * Over 3500 people killed in the conflict 1968 1998 * 966 killed by loyalists * Sentenced Loyalist prisoners in one wing; * Loyalist violence was a defensive reaction to the threat that the IRA

645 views • 35 slides
And Recreation Managment On Tuesday( June 4, 2013) my Stress test is a running exercise grad

And Recreation Managment On Tuesday( June 4, 2013) my Stress test is a running exercise grad

Faculty of Kinesiology And Recreation Managment On Tuesday( June 4, 2013) my Stress test is a running exercise grad student Wagner and I bused that consists of a minute and a down to the Bannatyne campus at half intervals and every level

337 views • 9 slides
Porting Tizen to Odroid-U3 & Tizen Training Course Dongkun Shin Embedded Software Lab.,

Porting Tizen to Odroid-U3 & Tizen Training Course Dongkun Shin Embedded Software Lab.,

1 50 Porting Tizen to Odroid-U3 & Tizen Training Course Dongkun Shin Embedded Software Lab., Sungkyunkwan Univ. dongkun.shin@gmail.com, http://nyx.skku.ac.kr KOREA LINUX Dongkun Shin (dongkun.shin@gmail.com) FORUM 2014 Tizen Reference

866 views • 50 slides
Crocus Plains Regional Secondary School FINAL GRAD MEETING Friday, June 26

Crocus Plains Regional Secondary School FINAL GRAD MEETING Friday, June 26

Crocus Plains Regional Secondary School FINAL GRAD MEETING Friday, June 26 Westman Place Date of Convocation Grad Applica+on PAST DUE!!! Grad gowns will be ordered the end

477 views • 21 slides
Grad 2021 Mr. Phipps (M to Z & International Students) Ms. Jesson (A to L)

Grad 2021 Mr. Phipps (M to Z & International Students) Ms. Jesson (A to L)

Grad 2021 Mr. Phipps (M to Z & International Students) Ms. Jesson (A to L) Graduation Requirements Grad List Grade 12 Timeline Applying for Post-Secondary Agenda Student Transcripts Service Scholarships &

779 views • 22 slides

More recommend