Experimental Security Analysis of a Modern Automobile
2016-03-31 19:35
375 查看
OverView
Modern automotives are no longer mere mechanical devices, they are controled by dozens of digital computers via internal networks. While this transformation has driven major advancements in efficiencyand safety, it has also introduced a range of new potential risks. This paper evaluated these issue on a modern automobile and experimentally demonstrated the fragility of the components.
Background
Digital control, in the form of self-contained embedded systems called Engine Control Unit(ECU), has entered into automobile in 1970s. By dynamically measuring the oxygen present in exhaust fumes,the ECU could then adjust the fuel/oxygen mixture before combustion, thereby improving efficientcy and reducing pollutants. Since then, such system has been integrated into virtually every aspect of a car’s fuctioning and diagnostics, causing the term ECU
to be generalized to Electronic Control Units.
Many features require complex interactions across ECUS. Some early systems used one-off designs and bilateral physical wire connections for such interactions, but this approch does not scale. A combination of time-to-market pressures, wiring overhead, interaction
complexity and economy of pressures has driven manufactures and suppliers to standardize on a few key digital buses, such as CAN. CAN is a typical multiple bus covering different component groups where a high-speed bus interconnects components that generate
real-time telemetry while low-speed bus controls trivial data. While it seems that such buses could be physically isolated, in practice they are “bridged” to support subtle interation requirements. Starting from mid-1990s, automotives manufactures married
more powerful ECUs,providing Unix-like environment, with peripherals. There are many reasons to reconsider the state of vehicular computer security.
There are several methods for an attacker to get the access to automobiles’ internal networks. The first is physical access. Someone can insert a malicious component into a car’s internal network via OBD-II port. A similar entry point is presented by counterfeit
or malicious components entering the vehicle parts supply chain, such as third-party components. The second vector is via numerous wireless interfaces implemented in the modern automobiles. This paper is based on the assumption that an attacker has got the
access to automobiles.
Security of CAN bus
Since 2008, CAN as the communication network has become a standard for in-car network. However, there are some inherent weaklesses.A CAN packet does not include addresses and instead supports a publish-and-subscribe communication model. This feature makes it exposed to the risk of DOS attack and gives attacker some potential opportunities
to communicate with ECMs.l
CAN contains two types of networks, high-speed network for secure and real-time data and low-speed network for normal data. When necessary, a gateway bridge can route delected data between the two buses, which
provides a path for attacker to access secure data from normal space.
CAN packets contain no authenticator field—or even any source identifier field—meaning that any component can indistinguishably send a packet to any other component.
CAN specifies a challenge-response sequence to protect ECUs against certain actions without authorization. But this access control method is so weak that can be easily cracked.
In order to upgrade the fireware of ECMs, manufactures prefer exposing ECUs to reflashing and diagnostic testing. However, it is also well know that attacker can use software updates to inject malicious code
into system.
Attack Methodology
Packet Sniffing and Targeted Probing. This paper used a tool called CARSHARK to observe traffic on the CAN buses in order to determine how ECUs communicate with each other. And then, they can findthe how to control some component in normal world.
Fuzzing. Due to the range of calid CAN packets is rather small, significant damage can be done by simple fuzzing of packets.
Reverse-Engineering. For a small of ECUs they dumped their code via CAN ReadMemory service and used a third-party debugger to explicitly understand how certain hardware features were controlled.
相关文章推荐
- 安装gitk
- Python的函数参数传递:传值?引用?
- 找不到类 android...app.WindowDecorActionBar
- Google Drive Oauth2.0认证流程
- 算法
- codeforces 659B B. Qualifying Contest(水题+sort)
- 最基本LED操作
- 山东省第一届ACM省赛题——Balloons(搜索)
- Bootstrap总结
- Swift、OC混编用到的Bridging-Header.h
- Adb connection Error:远程主机强迫关闭了一个现有的连接
- K60学习笔记四:按键的多种操作
- Cocos2d-JS V3.10 一个小bug提示
- Intent传参
- sql sever2012学习1 数据库与表的删除与创建
- 【POJ 3034】 Whac-a-Mole(DP)
- JavaScript之DOM-5 增加、删除和替换节点(创建节点、插入节点、删除和替换节点)
- nutch-2.1、mysql整合
- HDU3138 Coconuts(最小割)
- leetcode 25 -- Reverse Nodes in k-Group