Its Easier to Br(e)ak(e) Than to Patch: A Stealthy DoS attack - - PowerPoint PPT Presentation



SLIDE 1

It’s Easier to Br(e)ak(e) Than to Patch:

A Stealthy DoS attack against CAN

Stefano Longari, Stefano Zanero Politecnico di Milano Acknowledgments: Matteo Penco, Michele Carminati, Andrea Palanca, Eric Evenchick, Federico Maggi

SLIDE 2

26.9.2019 Stefano Zanero - Stefano Longari @Hardwear.io

$whoami

Stefano Longari is a PhD student at Politecnico di Milano; his research focuses on automotive on-board security.

Stefano Zanero is an associate professor at Politecnico di Milano, and has over 20 years of experience in the security field. He has founded a security services company that delivers security assessment services worldwide.

SLIDE 3

Controller Area Network

De facto standard in the automotive world

SLIDE 4

Is CAN key to automotive attacks?

SLIDE 5

What weaknesses are commonly abused?

[Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on a CAN bus (CANL/CANH, 120Ω terminators at both ends). Labels: Broadcast, Unauthenticated, Frame Injection]

SLIDE 6

Can we detect these attacks?

SLIDE 7

How do automotive IDS work?

Industrial secret, but we can make an educated guess at some methods:

  • Frequency based
    ○ CAN messages are usually periodic
  • Specification based
    ○ Set rules for the data field of the message
    ○ Potentially dynamic, depending on message history
  • Machine Learning based
    ○ Generally similar to specification based ones
    ○ Mainly academic

SLIDE 8

How to evade an automotive IDS

  • Specification based: comply with the rules
  • Frequency based: comply with the frequency
  • ML based: different forms of mimicry attacks

SLIDE 9

The perfect crime

What if we manipulate/substitute a real frame?

  • Specification based: comply with the rules
  • Frequency based: comply with the frequency
  • ML based: different forms of mimicry attacks

SLIDE 10

How could you possibly do that?

[Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus (CANL/CANH, 120Ω terminators)]

SLIDE 11

CAN specs overview

[Diagram: Engine Control Module and Body Control Module on the CAN bus (CANL/CANH, 120Ω terminators); inside an ECU: µcontroller → CAN controller → CAN transceiver (TXD/RXD)]

SLIDE 12

CAN specs overview

[Diagram: same ECU internals (µcontroller → CAN controller → CAN transceiver, TXD/RXD); callout on the µcontroller: creates data frames to be sent]

SLIDE 13

CAN specs overview

[Diagram: same ECU internals (µcontroller → CAN controller → CAN transceiver, TXD/RXD); callout on the CAN controller:]

Implements CAN specifications

  • Handles errors

SLIDE 14

CAN specs overview

[Diagram: same ECU internals (µcontroller → CAN controller → CAN transceiver, TXD/RXD); callout on the CAN transceiver: translates digital bits into CAN compliant electrical signals]

SLIDE 15

Data frames

SLIDE 16

CAN bus values

[Plot: CAN bus voltage levels (axis 0V, 2,5V, 5V) for a sequence of bits 1 1 1 1 1 1 1 1]

SLIDE 17

Dominant beats recessive: arbitration

[Diagram: ECU1, ECU2 and ECU3 transmitting over time; two of them lose arbitration]

SLIDE 18

CAN error handling

[Diagram: CAN Error Frame on the bus (CANL/CANH, 120Ω); µcontroller → CAN controller → CAN transceiver (TXD/RXD)]

Reasons:

  • Transceiver fail
  • CRC computation error
  • Channel noise
  • Faulty device
  • ...

SLIDE 19

CAN fault confinement

  • ERROR ACTIVE: can send error active flags “000000”

SLIDE 20

CAN fault confinement

  • ERROR ACTIVE: can send error active flags “000000”
    ○ counter > 127 → ERROR PASSIVE
  • ERROR PASSIVE: can send error passive flags “111111”
    ○ reset or counter < 128 → ERROR ACTIVE

SLIDE 21

CAN fault confinement

  • ERROR ACTIVE: can send error active flags “000000”
    ○ counter > 127 → ERROR PASSIVE
  • ERROR PASSIVE: can send error passive flags “111111”
    ○ reset or counter < 128 → ERROR ACTIVE
    ○ counter > 255 → BUS OFF
  • BUS OFF: shuts itself off the bus
    ○ reset, or detection of 11 sequential “1” bit times ×128 → ERROR ACTIVE

SLIDE 22

How do we exploit this?

How do we convince the target ECU to kick itself off the network?

[Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus (120Ω terminators)]

SLIDE 23

How do we exploit this?

For example like this: 0 overwrites 1.

[Diagram: CAN Error Frame on the bus (CANL/CANH, 120Ω); µcontroller → CAN controller → CAN transceiver (TXD/RXD)]

SLIDE 24

How do we exploit this?

The attacker can write that 0 over a 1. We just deleted the packet.

[Diagram: CAN Error Frame on the bus (120Ω); µcontroller → CAN controller → CAN transceiver (TXD/RXD)]

SLIDE 25

Steps

1) Discover the ID of the victim
2) Detect the ID of the victim on the bus
3) Find a “1” (recessive) bit in the packet
4) Overwrite it with a 0
5) Repeat 32 consecutive times

Step 1, e.g.: reverse engineer the CAN IDs of an identical vehicle

SLIDE 26

Steps

Step 2, e.g.: read all IDs passing on the bus

SLIDE 27

Steps

Step 3: the CRC delimiter is “1” by design

SLIDE 28

Steps

Step 4: this triggers an error generated by the victim

SLIDE 29

Steps

Step 5: this kind of error adds +8 to the counter of the victim

Error Active → (counter > 127) → Error Passive → (counter > 255) → Bus Off; 8 × 32 = 256

SLIDE 30

Proof of Concept Implementation

SLIDE 31

Testbed Experiment

SLIDE 32

Proof of Concept Implementation

SLIDE 33

Alfa Giulietta Exploited

SLIDE 34

Alfa Giulietta Exploited

SLIDE 35

Alfa Giulietta Exploited

https://is.gd/candos

SLIDE 36

Is it preventable?

Not really…

  • Based on the protocol specs
  • Hard to retrieve logs to distinguish between real failures and attacks

SLIDE 37

Attack scenarios

  • Denial of Service for the sake of Denial of Service
    ○ e.g. ransomware

[Diagram: Keyless Ignition Module and Engine Control Module on the bus (120Ω terminators); speech bubbles “Turn On!” / “Nope!”]

SLIDE 38

Attack scenarios

  • Detection avoidance for spoofing attacks
    ○ Shut down the victim ECU
    ○ Send spoofed data

SLIDE 39

Can we detect the DoS?

We can read data from the bus. We can detect the attacker once he tries to spoof data after the DoS.

[Diagram: Keyless Ignition Module, Engine Control Module and Body Control Module on the CAN bus (CANL/CANH, 120Ω terminators)]


SLIDE 40

We need to study more CAN specs! :(


List of rules that change the counters:

SLIDE 41

Not all of them...

List of rules that change the counters:

SLIDE 42

Rule 6

Any node tolerates up to 7 consecutive ‘dominant’ bits after sending an ACTIVE ERROR FLAG, PASSIVE ERROR FLAG or OVERLOAD FLAG. After detecting the 14th consecutive ‘dominant’ bit (in case of an ACTIVE ERROR FLAG or an OVERLOAD FLAG) or after detecting the 8th consecutive ‘dominant’ bit following a PASSIVE ERROR FLAG, and after each sequence of additional 8 consecutive ‘dominant’ bits every TRANSMITTER increases its TRANSMIT ERROR COUNT by 8 and every RECEIVER increases its RECEIVE ERROR COUNT by 8.

SLIDE 43

Rule 6

[Diagram: two cases on the bus: case 1 with Victim 1 and Attacker 1, case 2 with Victim 2 and Attacker 2]

Cannot let the attacker bypass the whole IDS, so we always consider case 1

SLIDE 44

Modify the CAN Controller

SLIDE 45

Complete IDS process: CopyCAN

1) Define which ECUs/IDs to defend
2) Monitor the bus from the beginning of communication
3) Count the TEC (Transmit Error Counter) of each ECU
4) Detect when the ECU goes Bus Off
5) If the ECU writes on the bus again, flag as attack
6) React?

CopyCAN: An Error-Handling Protocol based Intrusion Detection System for Controller Area Network. Stefano Longari, Matteo Penco, Michele Carminati and Stefano Zanero. CPS-SPC 2019 (ACM Workshop on Cyber-Physical Systems Security & Privacy), to appear. Draft at ascarecrowhat.github.io
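As an added example (not code from the talk or from the CopyCAN paper), the fault confinement state machine of slides 19–21 and steps 3–5 of the CopyCAN process above, written as a passive shadow model: one Transmit Error Counter per defended ID, the +8 increment for a transmit error plus the rule 6 increments, the 127/255 thresholds, and an alert when a frame carrying a bus-off node's ID appears again. It assumes the observer has already attributed each error frame to the ID that was being transmitted and keeps only the TEC; the event tuples, the ID 0x1A0 and all function names are constructed for the example.

```python
# Added example (not code from the talk or the CopyCAN paper): a shadow copy of the CAN
# fault-confinement state machine (TEC thresholds 127/255) per defended ECU, plus the
# CopyCAN check "a bus-off node must not transmit again". Assumed: each error frame is
# already attributed to the transmitting CAN ID; only the Transmit Error Counter is kept.
ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error_active", "error_passive", "bus_off"

class ShadowNode:
    def __init__(self):
        self.tec, self.state = 0, ERROR_ACTIVE

    def _update_state(self):
        # > 255: shuts itself off the bus; > 127: may only send passive "111111" flags
        self.state = (BUS_OFF if self.tec > 255
                      else ERROR_PASSIVE if self.tec > 127 else ERROR_ACTIVE)

    def tx_error(self, extra_dominant_bits=0):
        # transmitter detects an error: +8; rule 6 adds +8 per further 8 dominant bits
        if self.state != BUS_OFF:
            self.tec += 8 + 8 * (extra_dominant_bits // 8)
            self._update_state()

    def tx_success(self):
        if self.state != BUS_OFF:         # successful transmission: TEC -1, never below 0
            self.tec = max(0, self.tec - 1)
            self._update_state()

class CopyCanIDS:
    def __init__(self, defended_ids):
        self.nodes = {can_id: ShadowNode() for can_id in defended_ids}
        self.alerts = []

    def observe(self, event):
        kind, can_id, *extra = event      # ("ok", id) or ("err", id[, extra_dominant_bits])
        node = self.nodes.get(can_id)
        if node is None:
            return                        # ID not defended
        if kind == "ok" and node.state == BUS_OFF:
            # only a reset could bring the real ECU back, so treat the frame as spoofed
            self.alerts.append(f"frame with ID {can_id:#x} after bus-off: spoofing suspected")
        elif kind == "ok":
            node.tx_success()
        elif kind == "err":
            node.tx_error(extra[0] if extra else 0)

def run_scenario(events, can_id=0x1A0):  # returns (TEC, state, alerts) for can_id
    ids = CopyCanIDS([can_id])
    for event in events:
        ids.observe(event)
    return ids.nodes[can_id].tec, ids.nodes[can_id].state, ids.alerts
```

Feeding 32 consecutive transmit errors for 0x1A0 drives the shadow TEC to 256 (bus off), and the next frame with that ID raises the alert; a single error followed by a good frame leaves the TEC at 7, as the talk's +8/-1 rules predict.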

SLIDE 46

Reactions

  • Switch to safe/degraded driving mode + Alert driver
  • Analyze log to prevent attack next time (swarm defense)
  • “Attack” the attacker?

SLIDE 47

Reactions

“Attack” the attacker?

  • Con: really small chance to kill the ECU with a false positive
  • Pro: completely denies the attack, degrading it into a DoS

SLIDE 48

Proof of Concept implementation:

Testbed to detect rules 4 and 6 “in the wild”:

  • Tests done: 50
  • Frames sent per test: 15000
  • IDS: never failed

SLIDE 49

Conclusions

DoS for CAN is not preventable… but the goals of the attacker may be!

Thanks!

For any questions: <stefano.longari@polimi.it>, <stefano.zanero@polimi.it>; @ascarecrowhat, @raistolo