broadcasting your attack
play

Broadcasting your attack: Security testing DAB radio in cars Andy - PowerPoint PPT Presentation

Sep 20, 2023 •440 likes •790 views

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au Agenda Who am I and why am I interested in security testing DAB? Overview of DAB How do we broadcast DAB?

  1. Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au

  2. Agenda • Who am I and why am I interested in security testing DAB? • Overview of DAB • How do we broadcast DAB? • DAB attack surface • How did we create a DAB security testing tool? • Demo • Example vulnerabilities • Implications of exploitable DAB protocol bugs 2

  3. Who am I? • Research Director at NCC Group • NCC Group is a global cyber security assurance specialist • Personal interests include wired and wireless interface security, SDR and developing security testing tools – previous examples: • Umap, Frisbee – USB • CECSTeR, EDIDfuzzer – HDMI/VGA • RFTM - RF Testing Methodology 3

  4. Why am I interested in DAB? • Majority of new vehicles are factory fitted with DAB radios • Often head unit (that contains the DAB radio) has some form of connectivity to the CAN bus, which is in turn connected to cyber-physical systems such as braking • Doesn’t appear to have received much attention from security research community • Software Defined Radios getting cheaper 4

  5. Overview of Digital Audio Broadcasting (DAB) • Digital radio technology for broadcasting radio stations • Originated as the European Eureka 147 project • Norwegian Broadcasting Corporation (NRK) launched first DAB channel in June 1995 • Upgraded version called DAB+ released in February 2007 • Benefits over FM are: • Better signal reception quality • Many more data services can be transmitted • Electronic Programme Guide 5 Image: wikimedia.org

  6. Modulation & Transmission • Why was DAB developed? • Multipath interference • What is one of the solutions? • OFDM • The maximum number of modulated carriers in the DAB signal is 1536 • Actually COFDM “Coded” OFDM, as Forward Error Correction used • Modulation scheme is QPSK 6 Images: wikimedia.org, tenettech.com

  7. Modulation & Transmission • Audio signals are digitised & multiplexed together with other data to produce a “bit stream ” • Forward error protection then applied by adding redundant bits to the bit stream • During each consecutive symbol, bits are divided into 1536 pairs • Each pair is differentially encoded with respect to its counterpart for the previous symbol • Each of the 1536 differentially encoded bit-pairs are then used to define the phase of a QPSK carrier • Which together form the spectrum of a 1536-carrier signal • This is the OFDM generation process, and it is repeated symbol-by-symbol 7 Image: ak.picdn.net

  8. Multiplexing • Main Service Channel (MSC) – bulk of the DAB signal • Frames of 55296 bits - known as “Common Interleaved Frames” (CIFs) • Each CIF divided into time-slots in which logical frames of data for individual services are transmitted • Repetitive bursts for each service provide “sub - channels” • Data for each CIF transmitted in 18 consecutive symbol- blocks • First symbol-block in each transmission frame is used for synchronisation • Remaining 3 symbol-blocks at the beginning of the transmission frame are used to carry the Multiplex Configuration Information (MCI), which includes the Fast Information Channel (FIC) • Ancillary channels – for synchronisation & housekeeping 8 Image: media.licdn.com

  9. The (ETI) Ensemble Transport Interface • Standardised output stream from a DAB multiplexer • 2Mbps synchronous data stream • Network adaptation is defined for G.703 lines (E1) • ETI is an ETSI standard: EN 300 799 • ETIsnoop tool available to decode some of the data: • http://wiki.opendigitalradio.org/Etisnoop 9 Image: excellgroup.com

  10. Fast Information Channel (FIC) • FIC required to make receiver respond rapidly to the user when it is first switched on • FIC is divided up into Fast Information Blocks (FIBs) • Each FIB contains a number of Fast Information Groups (FIGs) 10

  11. Fast Information Groups (FIGs) • Each FIG is used for a specific signalling purpose: 11

  12. FIG data field • The FIG data field for each FIG type has the following structure: • Each FIG type has a number of extensions, which provide specific Service Information (SI) configuration functionality 12

  13. Service Information features - example FIGs Service Information (SI) features are signalled using extensions of FIG types 0 & 1: • FIG 0/6 - Service linking information • FIG 0/13 - User application information • FIG 0/18 - Announcement support • FIG 0/21 - Frequency Information • FIG 0/22 - Transmitter Identification Information (TII) database • FIG 1/0 – Ensemble label • FIG 1/5 - Data service label 13

  14. FIG 0/13 - User application information • FIG 0/13 signals the type of data sent over DAB – interesting … 14

  15. Programme Associated Data (PAD) • Each DAB audio frame contains bytes which may carry Programme Associated Data • PAD is information which is synchronous to the audio • An example of PAD data is DLS (Dynamic Label Segment) which is often used to display the name of the song playing 15

  16. Ok, enough of the DAB theory… 16

  17. Simple DAB transmitter Ensemble Transport Audio Interface (ETI) Multiplexer Modulator Software Data Multimedia Defined Object Transfer (MOT) encoder Radio 17

  18. How do we broadcast DAB? Here’s why we don’t need to understand the radio part of the protocol… • Open source DAB transmitter from http://www.opendigitalradio.org/ • odr-dabmux – allows DAB ensembles to be created • odr-dabmod – uses DAB modulation schemes for use with an SDR • fdk-aac-dabplus - includes support for DAB MOT Slideshow & DLS • USRP B200 SDR • Legal considerations 18 Images: www.ettus.com, opendigitalradio.org

  19. DAB attack surface • The underlying DAB transport protocols & interfaces e.g: • FIG data within the ETI (Ensemble Transport Interface) • MOT (Multimedia Object Transfer) • The HMI (Head unit rendering of DLS and DAB labels) • The media formats that are processed by the receiver e.g: • Audio • Images • Video • Apps processing Java/IP/raw data 19 Image: pngimg.com

  20. How did we create a DAB security testing tool? • The tool mot-encoder is bundled with fdk-aac-dabplus • mot-encoder enables DLS & slideshow protocols to be added to DAB Program Associated Data (PAD) within an Ensemble • DLS (text) & slideshow (JPEG/PNG) can then be fuzzed via a FIFO being consumed by mot-encoder • The mot-encoder tool was modified to enable an external process (via a TCP socket) to man-in-the-middle the MOT protocol header & data • The multiplexer ODR-DabMux was modified to enable the FIG data to be manipulated (again via a TCP socket) 20

  21. The DABble fuzzer • Current DABble capabilities: • Fuzz DLS via a FIFO • Fuzz JPEG & PNG via a FIFO • Fuzz MOT protocol via modified version of mot-encoder • Fuzz the Ensemble data via modified version of ODR- DabMux • Planned capabilities: • Fuzz the other protocols being sent over DAB (Video/IP/Java etc.) • Implement some of the other FIGs that are currently not supported by ODR-DabMux 21

  22. The DABble fuzzer 22

  23. The DABble fuzzer Ensemble Audio Transport Multiplexer Modulator Interface (ETI) TCP socket Multimedia DLS Software Object FIFO Defined Transfer SLS (MOT) Radio encoder FIFO TCP socket DABble Fuzzer 23

  24. 24 Image: thegapmedia.com

  25. Some example DAB vulnerabilities 25

  26. FIG 0/13 – MOT Slideshow (SLS) • JPEGs & PNGs are rendered by the receiver in the vehicle head unit • Vulnerability in the image parsing library results in code execution 26

  27. FIG 1/0 – Ensemble label and PAD data • Ensemble name & DLS information is rendered by the HMI on the head unit & any arbitrary text can be sent. • Buffer overflows unlikely, as there is a fixed maximum size • Format string bugs possible • Ensemble information sometime stored in a local database – SQL injection • Head units increasingly connected to the Internet - XSS 27

  28. Databases of information • FIG 0/6 - Service linking information • Where DAB broadcasts have local services • FIG 0/22 - Transmitter Identification Information (TII) database • The TII database provides a cross-reference between transmitter identifiers & geographic location of the transmitters • Potential for buffer overflows where fixed size buffers are allocated to store these databases that are downloaded over DAB by the receiver 28

  29. Implications for other vehicle systems • System architecture is often insecure: • Direct access to CAN bus, or via D-Bus • D-Bus bound to all network interfaces • D-Bus messages used to directly disable ADAS features Parking Lane-Keep Blind Spot AEB ACC Sensor Assist Monitoring Indication Disable ADAS features 29

  30. Implications of DAB as a broadcast medium Multiple vehicles can be attacked simultaneously Scenario #1 • Attacker uses a high power transmitter to replicate a public DAB ensemble and overpowers the public transmission • Major disadvantage: Not stealthy – would likely be spotted quickly Scenario #2 • Attacker uses a low power transmitter and creates a new DAB ensemble on an unused local frequency • Most DAB receivers constantly re-tune • Attacker chooses station name to entice target audience 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Trend of Digital Broadcasting in Japan February 12 th 2004 Broadcasting Technology Division

The Trend of Digital Broadcasting in Japan February 12 th 2004 Broadcasting Technology Division

The Trend of Digital Broadcasting in Japan February 12 th 2004 Broadcasting Technology Division Information and Communications Policy Bureau MPHPT Digital Terrestrial Television Broadcasting Topics now Dec. 1st 2003 Start of Digital

694 views • 35 slides
Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P

Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P

CS140, 2014 II-1 Popular Communication Operations - One-one sending/one-all broadcasting - All-all broadcasting P 0 P 1 P 2 P 0 P 2 P 1 - Accumulation (or gather) P 0 . . . P 2 P n P 1 - Reduction I nitially : V 0 V 1 . . . V p

385 views • 6 slides
Telecommunication and Broadcasting Regulation in Europe - A need for convergent Regulation?

Telecommunication and Broadcasting Regulation in Europe - A need for convergent Regulation?

Telecommunication , Broadcasting and Tajikistans WTO Commitments Conference Organized by the Ministry of Economic Development and Trade and the OSCE Office in Tajikistan (OiT) Telecommunication and Broadcasting Regulation in Europe - A need

411 views • 12 slides
Good Morning! MCS1450/ BMS1301 Introduction to Broadcasting Ulrich Werner History and

Good Morning! MCS1450/ BMS1301 Introduction to Broadcasting Ulrich Werner History and

Good Morning! MCS1450/ BMS1301 Introduction to Broadcasting Ulrich Werner History and development of broadcasting, including the influence of broadcasting media in the democratic society. Course description in the curriculum.

853 views • 31 slides
Educational Programming Jim Princivalle The Corporation for Public Broadcasting The Public

Educational Programming Jim Princivalle The Corporation for Public Broadcasting The Public

The Evolution of Educational Programming Jim Princivalle The Corporation for Public Broadcasting The Public Broadcasting Act of 1967 Signed into law by Lyndon B. Johnson Established the Corporation for Public Broadcasting (CPB)

347 views • 12 slides
Broadcasting & ICT in the MENA Countries -Prospects & Investment Opportunities-

Broadcasting & ICT in the MENA Countries -Prospects & Investment Opportunities-

Broadcasting & ICT in the MENA Countries -Prospects & Investment Opportunities- Chairmans Introduction Dr. Fares Lubbadeh Statu tus s of TV Broadcasting adcasting in the Arab ab World rld In accordance with ASBU latest

329 views • 11 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Prospects of Digital Broadcasting and Convergence Services - The Essential and Expanding Role of

Prospects of Digital Broadcasting and Convergence Services - The Essential and Expanding Role of

Prospects of Digital Broadcasting and Convergence Services - The Essential and Expanding Role of Broadcasting - September 02, 2010 Keiya Motohashi Purpose of Digitalization Japans Nation-wide IT Promotions Integrated and Advanced

535 views • 20 slides
COMMUNITY BROADCASTING ASSOCIATION OF AUSTRALIA www.cbaa.org.au ABOUT THE CBAA The Community

COMMUNITY BROADCASTING ASSOCIATION OF AUSTRALIA www.cbaa.org.au ABOUT THE CBAA The Community

COMMUNITY BROADCASTING ASSOCIATION OF AUSTRALIA www.cbaa.org.au ABOUT THE CBAA The Community Broadcasting Association of Australia (CBAA) champions community broadcasting by building stations capability and by creating a healthy

522 views • 24 slides
A Report on Migration from Analogue to Digital Broadcasting in Ghana Broadcasting Policy, Legal

A Report on Migration from Analogue to Digital Broadcasting in Ghana Broadcasting Policy, Legal

NATIONAL MEDIA COMMISSION A Report on Migration from Analogue to Digital Broadcasting in Ghana Broadcasting Policy, Legal & Regulatory Environment Policies NMC National Media Policy, 2000 National Telecommunications Policy

693 views • 24 slides
Chapter 5 Popular Radio and the Origins of Broadcasting As a medium for mass communication,

Chapter 5 Popular Radio and the Origins of Broadcasting As a medium for mass communication,

Chapter 5 Popular Radio and the Origins of Broadcasting As a medium for mass communication, radio broadcasts offered the possibility of sending voice and music to thousands of people. broadcasting: the transmission of radio waves or

196 views • 15 slides
REQUEST FOR BID / PROPOSAL Middle East Broadcasting Networks, Inc. (MBN) Springfield, VA

REQUEST FOR BID / PROPOSAL Middle East Broadcasting Networks, Inc. (MBN) Springfield, VA

REQUEST FOR BID / PROPOSAL Middle East Broadcasting Networks, Inc. (MBN) Springfield, VA Broadcast Graphics Presentation System for Alhurra TV Background Middle East Broadcasting Networks, Inc. (MBN) is a 501(c)(3) non-profit corporation

228 views • 9 slides
An architecture for time-critical IP broadcasting in the cloud Miguel Poeira Software Developer

An architecture for time-critical IP broadcasting in the cloud Miguel Poeira Software Developer

An architecture for time-critical IP broadcasting in the cloud Miguel Poeira Software Developer @ MOG Technologies Live Remote Production France Portugal Venue Studio OB SDI ... TV Germany Production Outside Broadcasting Vans Inside

453 views • 34 slides
ZMCL Venturing into Radio Broadcasting Business 23 rd November 2016 Transaction Summary

ZMCL Venturing into Radio Broadcasting Business 23 rd November 2016 Transaction Summary

ZMCL Venturing into Radio Broadcasting Business 23 rd November 2016 Transaction Summary Reliance Broadcasting Network Limited (RBNL) will transfer 45 (operational) and 14 licenses (new, non- operational) to newly incorporated SPVs: a)

172 views • 15 slides
Optimal Broadcasting Strategies for Conjunctive Queries over Distributed Data Bas Ketsman, Frank

Optimal Broadcasting Strategies for Conjunctive Queries over Distributed Data Bas Ketsman, Frank

Optimal Broadcasting Strategies for Conjunctive Queries over Distributed Data Bas Ketsman, Frank Neven Hasselt University & transnational University of Limburg Outline 1. Setting and Context 2. Oblivious Broadcasting Functions 3.

1.23k views • 73 slides
Multi-Resolution Broadcasting Over the Grassmann and Stiefel Manifolds Mohammad T. Hussien ,

Multi-Resolution Broadcasting Over the Grassmann and Stiefel Manifolds Mohammad T. Hussien ,

Introduction Multi-Resolution Broadcasting Conclusions Multi-Resolution Broadcasting Over the Grassmann and Stiefel Manifolds Mohammad T. Hussien , Karim G. Seddik , Ramy H. Gohary , Mohammad Shaqfeh , Hussein Alnuweiri , and

354 views • 24 slides
The Database as a Value Rich Hickey Complexity Out of the Tar Pit Moseley and Marks (2006)

The Database as a Value Rich Hickey Complexity Out of the Tar Pit Moseley and Marks (2006)

The Database as a Value Rich Hickey Complexity Out of the Tar Pit Moseley and Marks (2006) Complexity caused by state and control Close the loop - process DB Complexity Stateful, inextricably Same query, different results

626 views • 33 slides
Basic ics of f DL Prof. Leal-Taix and Prof. Niessner 1 What we assume you know Linear

Basic ics of f DL Prof. Leal-Taix and Prof. Niessner 1 What we assume you know Linear

Basic ics of f DL Prof. Leal-Taix and Prof. Niessner 1 What we assume you know Linear Algebra & Programming! Basics from the Introduction to Deep Learning lecture PyTorch (can use TensorFlow ) You have trained already

1.21k views • 76 slides
Initial Characterization of I/O in Large-Scale Deep Learning Applications Fahim Chowdhury,

Initial Characterization of I/O in Large-Scale Deep Learning Applications Fahim Chowdhury,

Initial Characterization of I/O in Large-Scale Deep Learning Applications Fahim Chowdhury, Jialin Liu, Quincey Koziol, Thorsten Kurth, Steven Farrell, Suren Byna, Prabhat, and Weikuan Yu November 12, 2018 - 1 - Outline Objectives DL

412 views • 17 slides
Re Relational Con Constraint So Solving ng in in SMT SMT Paul Meng , Andrew Reynolds, Cesare

Re Relational Con Constraint So Solving ng in in SMT SMT Paul Meng , Andrew Reynolds, Cesare

Re Relational Con Constraint So Solving ng in in SMT SMT Paul Meng , Andrew Reynolds, Cesare Tinelli, Clark Barrett Midwest Verification Day September 2018 Re Relational Re Reasoning Many problems can be modeled relationally

750 views • 53 slides
Foundations of Chemical Kinetics Lecture 28: Diffusion-influenced reactions, Part I Marc R.

Foundations of Chemical Kinetics Lecture 28: Diffusion-influenced reactions, Part I Marc R.

Foundations of Chemical Kinetics Lecture 28: Diffusion-influenced reactions, Part I Marc R. Roussel Department of Chemistry and Biochemistry The encounter pair One of the major differences between gas-phase and solution-phase kinetics is

176 views • 14 slides
Minimal Taylor Algebras Zarathustra Brady Taylor algebras Definition A is called a set if all

Minimal Taylor Algebras Zarathustra Brady Taylor algebras Definition A is called a set if all

Minimal Taylor Algebras Zarathustra Brady Taylor algebras Definition A is called a set if all of its operations are projections. Otherwise, we say A is nontrivial . Taylor algebras Definition A is called a set if all of its operations are

1.11k views • 82 slides
SBND INSTALLATION & COMMISSIONING PLAN Elizabeth Worcester (BNL) SBND/DUNE Cold Electronics

SBND INSTALLATION & COMMISSIONING PLAN Elizabeth Worcester (BNL) SBND/DUNE Cold Electronics

SBND INSTALLATION & COMMISSIONING PLAN Elizabeth Worcester (BNL) SBND/DUNE Cold Electronics Review October 12-14, 2016 Overview Charge question: Is the proposed joint ProtoDUNE-SP/ SBND production, installation, and commissioning plan

666 views • 18 slides
35T Electronics Qa/Qc Overview Alan Hahn FNAL 6/2/16 35 T LL Review 1 General Organization

35T Electronics Qa/Qc Overview Alan Hahn FNAL 6/2/16 35 T LL Review 1 General Organization

35T Electronics Qa/Qc Overview Alan Hahn FNAL 6/2/16 35 T LL Review 1 General Organization A brief description of the components and the test setup we used at DAB (D0 Assembly Building) The Qa/Qc that that was done for the major

424 views • 28 slides

More recommend