it s easier to br e ak e than to patch
play

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack - PowerPoint PPT Presentation

Feb 18, 2023 •292 likes •788 views

Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi $whoami Stefano

  1. It’s Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack against CAN Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi

  2. $whoami Stefano Longari is a PhD Stefano Zanero is an student at Politecnico di associate professor at Milano, his research Politecnico di Milano, focuses on automotive on-board and has over 20 years of experience security. in the security field. He has founded a security services company that delivers security assessment services worldwide. 2 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  3. Controller Area Network De-facto standard in the automotive World 3 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  4. Is CAN key to automotive attacks? 4 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  5. What weaknesses are commonly abused? Keyless Engine Body Ignition Control Control Module Module Module CANH 120Ω 120Ω CANL Broadcast Frame Injection Unauthenticated 5 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  6. Can we detect these attacks? 6 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  7. How do automotive IDS work? Industrial secret, however we can make an educated guess at some methods Frequency based ● CAN messages are usually periodic ○ Specification based ● Set rules for the data field of the message ○ Potentially dynamic depending from message history ○ Machine Learning based ● Generally similar to specification based ones ○ Mainly Academic ○ 7 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  8. How to evade an automotive IDS Specification based: Comply with the rules ● Frequency based: Comply with the frequency ● ML based: difgerent forms of mimicry attacks ● 8 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  9. The perfect crime What if we manipulate/substitute a real frame? Specification based: Comply with the rules ● Frequency based: Comply with the frequency ● ML based: difgerent forms of mimicry attacks ● 9 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  10. How could you possibly do that? Keyless Engine Body Ignition Control Control Module Module Module CANH 120Ω 120Ω CANL 10 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  11. CAN specs overview µ controller Engine Body CAN Control Control controller Module Module TXD RXD CAN transceiver CANH 120Ω 120Ω CANL 11 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  12. CAN specs overview Creates data frames to be sent µ controller Engine Body CAN Control Control controller Module Module TXD RXD CAN transceiver CANH 120Ω 120Ω CANL 12 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  13. CAN specs overview µ controller Engine Body Implements CAN specifications CAN Control Control controller - Handles Errors Module Module TXD RXD CAN transceiver CANH 120Ω 120Ω CANL 13 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  14. CAN specs overview µ controller Engine Body CAN Control Control controller Module Module TXD RXD CAN Translates digital bits into transceiver CAN compliant electrical signals CANH 120Ω 120Ω CANL 14 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  15. Data frames 15 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  16. CAN bus values 5V 2,5V 0V 0 1 0 1 1 0 0 1 1 1 0 1 1 0 0 0 16 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  17. Dominant beats recessive - arbitration Loses Arbitration ECU1 Loses Arbitration ECU2 ECU3 Time 17 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  18. CAN error handling µ controller CAN controller TXD RXD CAN transceiver CAN Error Frame Reasons: CANH Transceiver Fail ● 120Ω CRC Computation error ● Channel Noise ● CANL Faulty Device ● ... ● 18 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  19. CAN fault confinement Can send error active flags “000000” ERROR ACTIVE 19 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  20. CAN fault confinement Can send error active flags Can send error passive flags “000000” “111111” counter > 127 ERROR ERROR ACTIVE PASSIVE reset or counter < 128 20 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  21. CAN fault confinement Can send error active flags Can send error passive flags Shuts itself ofg the bus “000000” “111111” counter > 127 counter > 255 ERROR ERROR BUS OFF ACTIVE PASSIVE reset or counter < 128 reset or detect 11 sequential “1” x128 bit times 21 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  22. How do we Exploit this? How do we convince the target ECU to kick itself ofg the network? Keyless Engine Body Ignition Control Control Module Module Module 120Ω 120Ω 22 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  23. How do we Exploit this? µ controller CAN controller TXD RXD CAN transceiver CAN Error Frame CANH 120Ω … For example like this. CANL 0 overwrites 1. 23 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  24. How do we Exploit this? µ controller CAN controller TXD RXD CAN transceiver CAN Error Frame 120Ω The attacker can write that 0 over a 1. We just deleted the packet 24 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  25. Steps 1) Discover the ID of the victim e.g., Reverse engineer the CAN IDs of an identical vehicle 2) Detect the ID of the victim on the bus 3) Find a “1” (recessive) bit in the packet 4) Overwrite it with a 0 5) Repeat 32 consecutive times 25 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  26. Steps 1) Discover the ID of the victim e.g., read all IDs passing on the bus 2) Detect the ID of the victim on the bus 3) Find a “1” (recessive) bit in the packet 4) Overwrite it with a 0 5) Repeat 32 consecutive times 26 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  27. Steps 1) Discover the ID of the victim CRC delimiter is “1” by design 2) Detect the ID of the victim on the bus 3) Find a “1” (recessive) bit in the packet 4) Overwrite it with a 0 5) Repeat 32 consecutive times 27 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  28. Steps 1) Discover the ID of the victim This triggers an error generated by the victim 2) Detect the ID of the victim on the bus 3) Find a “1” (recessive) bit in the packet 4) Overwrite it with a 0 5) Repeat 32 consecutive times 0 28 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  29. Steps 1) Discover the ID of the victim This kind of error adds +8 to the counter of the victim 2) Detect the ID of the victim on the bus 3) Find a “1” (recessive) bit in the packet 4) Overwrite it with a 0 8x32 = 256 Counter > 127 Counter > 255 Error Error Bus Ofg 5) Repeat 32 consecutive times Active Passive 29 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  30. Proof of Concept Implementation 30 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  31. Testbed Experiment 31 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  32. Proof of Concept Implementation 32 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  33. Alfa Giulietta Exploited 33 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  34. Alfa Giulietta Exploited 34 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  35. Alfa Giulietta Exploited https://is.gd/candos 35 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  36. Is it preventable? - Based on the protocol specs Not really… - Hard to retrieve logs to distinguish between real failures and attacks 36 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  37. Attack scenarios Denial of Service for the sake of Denial of Service e.g. Ransomware Turn On! 120Ω 120Ω Nope! Keyless Engine Ignition Control Module Module 37 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  38. Attack scenarios Detection avoidance for spoofing attacks - Shut down the victim ECU - Send spoofed data 38 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  39. Can we detect the DoS? We can read data from the bus We can detect the attacker once he tries to spoof data after the DoS Keyless Engine Body Ignition Control Control Module Module Module CANH 120Ω 120Ω CANL 39 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  40. We need to study more CAN specs! :( List of rules that change the counters: 40 40 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

  41. Not all of them... List of rules that change the counters: 26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
1 of 68 Easier to ask forgiveness slides 4/25/19, 9:11 PM 2 of 68 Easier to ask forgiveness

1 of 68 Easier to ask forgiveness slides 4/25/19, 9:11 PM 2 of 68 Easier to ask forgiveness

1 of 68 Easier to ask forgiveness slides 4/25/19, 9:11 PM 2 of 68 Easier to ask forgiveness slides 4/25/19, 9:11 PM Naomi Ceder, @naomiceder Chair, Python Software Foundation Quick Python Book, 3rd ed Dick Blick Art Materials 3 of 68

813 views • 65 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas)

Great Pacific Garbage Patch What is it and why is it occuring? -600,000 Square Miles (twice the size of Texas) -1.8 Trillion pieces of microplastic (not biodegradable) -88,000 Tons -Comprised of the Western Garbage Patch (near Japan) and

388 views • 6 slides
The key to doing more business online. DESIGNED INSTANT BY BROKERS DOCUMENTS EASIER MULTIPLE

The key to doing more business online. DESIGNED INSTANT BY BROKERS DOCUMENTS EASIER MULTIPLE

The key to doing more business online. DESIGNED INSTANT BY BROKERS DOCUMENTS EASIER MULTIPLE VEHICLE TYPES FULL CYCLE DEDICATED SUPPORT TEAM EASIER PRICE BEST ONLINE QUICKER SLICKER FULL FLEET NCD EASIER RATED RATED EASIER

327 views • 16 slides
Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym:

COMPOSITE MPOSITE PATCH PATCH REPAIR REPAIR CO OF METALLIC MARINE STRUCTURES OF METALLIC MARINE STRUCTURES Collaborative Project Call ID FP7-SST-2008-RTD-1 Proposal N 233969 Acronym: &quot;Co-Patch www.co-patch.com Duration: 36

663 views • 21 slides
DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @

DIY Patch Management F L O R I A N J U N G E ( @ S H A N T YC O D E ) I N G O B E N T E ( @ I N G O B E N T E ) B S I D E S M U N I C H 2 0 1 8 Patching Isnt that solved? Nope, its not. R E M E M B E R T H O S E R A N S O M

635 views • 48 slides
PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX

PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 11/2012 PATCH PLANER EX Series UNIVERSAL CUTTER ES Series by Chris Goebel 03/2013 EX Patch Planer for Excavators EX Patch Planer for Excavators EX Patch Planer for

1.27k views • 80 slides
Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett

Versions all the way down Versioning commits and patches with git-series Josh Triplett josh@joshtriplett.org LinuxCon North America 2016 RFC: feature RFC: feature Development git commit git format-patch -3 git format-patch -3 [PATCH 1/3]

1.19k views • 105 slides
The protectors that make operations easier Our mission: Smart Protector Make work easier for

The protectors that make operations easier Our mission: Smart Protector Make work easier for

The protectors that make operations easier Our mission: Smart Protector Make work easier for personal involved in pipe logistic and rig operations. Guarantee reliability of logistic data. Easy inventory without handling Geo localization

621 views • 47 slides
0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan

BLACKHAT Europe 2008 0-Day Patch 0-Day Patch Exposing vendors (in)security performance BlackHat Europe 2008 Amsterdam Stefan Frei + Bernhard Tellenbach Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch

414 views • 17 slides
Stress and Time Management By By: Ms Ms Tahir ira - IT IS EASIER THAN YOU THINK IT IS

Stress and Time Management By By: Ms Ms Tahir ira - IT IS EASIER THAN YOU THINK IT IS

- IT IS EASIER THAN YOU THINK IT IS Stress and Time Management By By: Ms Ms Tahir ira - IT IS EASIER THAN YOU THINK IT IS Transition Chart Title Anxiety Excitement 14 5 12 5 3 4 5 10 8 8 8 7 7 6 6 4 2 0 1st Day 2nd Day

351 views • 12 slides
A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many

A Plan 9 Approach to Hierarchical Patch Dynamics John (EBo) David IWP9 2010 Seattle, WA Many Problems are Inherently Multiscale Wu &amp; David (2001) Hierarchical Patch Dynamics (HPD) ( Wu and Loucks 1995) HPD explicitly integrates

188 views • 15 slides
Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Brookings-Harbor School District 17C School-based Businesses Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for success OSU Extension Office Local School District 4H Youth Bruin Patch &amp;

612 views • 12 slides
Laterality Test Dominant Hand Which hand do you prefer to use for writing, cutting, and waving?

Laterality Test Dominant Hand Which hand do you prefer to use for writing, cutting, and waving?

Laterality Test Dominant Hand Which hand do you prefer to use for writing, cutting, and waving? 1. 2. Which hand has the largest circumference? Measure by knuckles and make a fist. 3. Draw the head of a dog. Which direction does it point

553 views • 52 slides
Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

Disclosures Disclosures Disclosures Disclosures Genetic counsellors employed by PCRM 2

6/24/2019 CONSUMER CONSUMER CONSUMER CONSUMER- - - -DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING DIRECTED GENETIC TESTING WHAT WHAT IT MEANS FOR MY PATIENT AND MY PRACTICE WHAT WHAT IT

659 views • 23 slides
Update Genetic Recessive exchange EHRC Budapest 2017, Jos Buiting, CRV-Herdbook Genetic Traits as

Update Genetic Recessive exchange EHRC Budapest 2017, Jos Buiting, CRV-Herdbook Genetic Traits as

Grand Champion B&amp;W, NRM 2017, Bons Holstein Ella 158 Update Genetic Recessive exchange EHRC Budapest 2017, Jos Buiting, CRV-Herdbook Genetic Traits as reported on the WHFF website (accessed on 28 March 2017). C = carrier F = tested free

280 views • 7 slides
What is Gene Selection? Frequency? The process by which forms of life Gene frequency is the

What is Gene Selection? Frequency? The process by which forms of life Gene frequency is the

What is Natural What is Gene Selection? Frequency? The process by which forms of life Gene frequency is the frequency having traits that better enable of occurrence or proportions of them to adapt to specific different alleles of a

512 views • 11 slides
High-Risk MDS Patient Mika Geva, Hematology unit, The Chaim Sheba medical center 39 Y/O M

High-Risk MDS Patient Mika Geva, Hematology unit, The Chaim Sheba medical center 39 Y/O M

High-Risk MDS Patient Mika Geva, Hematology unit, The Chaim Sheba medical center 39 Y/O M Pancytopenia and fever for a year BM biopsy: MDS , 3% blasts , complex karyotype : -5q, del p53 High risk MDS , IPSSR : 6 Patient with

593 views • 7 slides
Batten Disease and the Batten Disease Family Association Together we will make a difference

Batten Disease and the Batten Disease Family Association Together we will make a difference

Batten Disease and the Batten Disease Family Association Together we will make a difference Neuronal Ceroid Lipofuscinoses NCLs Autosomal recessive inheritance Classified according to the gene identified Over 400 mutations have been

556 views • 17 slides
Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly

Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly

Uncovering the wealth of grapevine genetic diversity through whole genome sequencing and assembly Dario Cant Associate Professor and Louis P. Martini Endowed Chair Grape Genomics Outline 1. Why do we need more genome references? 2. What do

651 views • 38 slides
Genome-Wide Association Studies Caitlin Collins , Thibaut Jombart MRC Centre for Outbreak Analysis

Genome-Wide Association Studies Caitlin Collins , Thibaut Jombart MRC Centre for Outbreak Analysis

Genome-Wide Association Studies Caitlin Collins , Thibaut Jombart MRC Centre for Outbreak Analysis and Modelling Imperial College London Genetic data analysis using 30-10-2014 Outline Introduction to GWAS Study design o GWAS design o

359 views • 34 slides

More recommend