Gentlemen, Start your engines

Mattias Jidhage

OWASP Sweden 20120514

Omegapoint

- Founded in 2001

- 170 consultants

- e-Business & Security

Göteborg

Malmö

Stockholm

Falun

Kalmar

Helsingborg

New York

Agenda

Telematics “integrated use of telecommunications and informatics”

~100  Bosch,  Siemens,  Delphi..  CCM=Central  Control  Module  PCM=Powertrain  Control  Module  ECM=Engine  Control  Module  BCM=Body  Control  Module  TCM=Transmission  Control  Module  SCM=Suspension  Control  Module  GEM=General  Electronic  Module  CTM=Central  Timing  Module  ACU=Airbag  Control  Unit  CCU=Convenience  Control  Unit  ECU=Engine  Control  Unit  BCM=Brake  Control  Module  ECU  =  Electronic  Control  Unit

Infotainment •  Tech fragmentation

–  Cost –  Long dev cycle

•  Apps for the car –  HTML5 –  JavaScript

•  App stores –  Blackberry App World –  Android Market –  Mbrace?

•  Full featured browser –  Torch –  Netfront

•  OS –  Blackberry –  Windows –  Android

•  Smartphones on wheels?

Telematics “integrated use of telecommunications and informatics”

~100  Bosch,  Siemens,  Delphi..  CCM=Central  Control  Module  PCM=Powertrain  Control  Module  ECM=Engine  Control  Module  BCM=Body  Control  Module  TCM=Transmission  Control  Module  SCM=Suspension  Control  Module  GEM=General  Electronic  Module  CTM=Central  Timing  Module  ACU=Airbag  Control  Unit  CCU=Convenience  Control  Unit  ECU=Engine  Control  Unit  BCM=Brake  Control  Module  ECU  =  Electronic  Control  Unit

Telematics “integrated use of telecommunications and informatics”

~100  Bosch,  Siemens,  Delphi..  CCM=Central  Control  Module  PCM=Powertrain  Control  Module  ECM=Engine  Control  Module  BCM=Body  Control  Module  TCM=Transmission  Control  Module  SCM=Suspension  Control  Module  GEM=General  Electronic  Module  CTM=Central  Timing  Module  ACU=Airbag  Control  Unit  CCU=Convenience  Control  Unit  ECU=Engine  Control  Unit  BCM=Brake  Control  Module  ECU  =  Electronic  Control  Unit

Telematics

Potentially less than great security?

Eh, What's up Doc?

•  The Car •  Transport •  Server •  Client

The Car - Research

•  Experimental Security Analysis of a Modern Automobile – OBD-II

•  Comprehensive Experimental Analyses of Automotive Attack Surfaces – CD – OBD-II (PassThru)

– Bluetooth – GSM

The Car – Reality

•  War Texting: Identifying and Interacting with Devices on the Telephone Network – Method for attacking telematics

•  In general: GSM Baseband + uC Chip •  UART -> RE -> Firmware -> Vulnerability

– How2 find targets? •  FindMe •  WhoIs

The Car – Reality

•  Put it to the test – Zoombak Tracking Device

•  Zoombak Scanner •  Ask nicely via SMS

– Subaru Outback 1998 •  after market telematics unit •  unlock and start engine •  http://youtu.be/bNDv00SGb6w

Transport - GSM

•  A5/1

•  SRLabs – CCC 2009, BlackHat 2010 – Rainbow tables (100.000 years to 1 month) – Decode voice

•  100-300m upstream •  5-35km downstream

Transport – GPRS/EDGE

•  GEA/0 •  GEA/1 •  GEA/2 •  GEA/3 •  GEA/4

•  SRLabs – CCC 2011, Crypto analysis (weak crypto) – Decode GPRS -> Wireshark

No encryption

No users

Transport – cell

USR

P HW

Server •  Car interface

– Proprietary protocol •  ASN.1 – Touring complete •  GPRS, EDGE, SMS and data over voice

–  “We use a Private APN” •  Generic Routing Encapsulation •  Node to Node communication

•  Operator web application •  Smartphone interface: REST/JSON

Client - browser

•  Web application – no news – move on –  there is nothing to see

– DriveBy Trojan Download & Install •  Starring Windows •  Guest appearance by Mac OSX

Client – smart phone

•  Few real vulnerability tests performed •  iOS

– Continous Jailbreak –  iOS 5.0.1 - iPhone 4GS and iPad2 –  iOS 5.1.x – iPad3 – no public (i0n1c, pod2g)

•  Android – Rouge apps – Android Market - ‘Bouncer’

Conclusion •  All components are possible targets •  Very few has the complete picture •  Activity in the security arena •  This is going to get worse before it gets

better – 2012 models CAN bus is unprotected – New tools arriving every day – Larger attack surface than ever

•  Use fast shoes

What’s to come? “Internet of Things”

TLA = IoT

The Future

•  Telematics – M2M –  “integrated use of telecommunications and

informatics”

The Future

Prescription medication

Insulin pump

The Future

ABB IRB 6640 Industrial robot

The Future

Three Gorges Infrastructure - SCADA – Stuxnet

The Future Home Metering Unit - SmartGrid

270 000 HMU using ZigBee

Thank You! @mjidhage mattias.jidhage@owasp.org

everything is a computer

References •  http://www.autosec.org/publications.html •  http://www.isecpartners.com/storage/docs/presentations/

isec_bh2011_war_texting.pdf •  http://events.ccc.de/congress/2009/Fahrplan/

attachments/1519_26C3.Karsten.Nohl.GSM.pdf •  https://srlabs.de/blog/wp-content/uploads/

2010/07/100729.Breaking.GSM_.Privacy.BlackHat1.pdf •  http://events.ccc.de/camp/2011/Fahrplan/attachments/

1868_110810.SRLabs-Camp-GRPS_Intercept.pdf