plug n pwned comprehensive vulnerability analysis of obd
play

Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles - PowerPoint PPT Presentation

Dec 08, 2022 •18 likes •278 views

Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT Haohuang Wen 1 , Qi Alfred Chen 2 , Zhiqiang Lin 1 1 Ohio State University 2 University of California, Irvine USENIX

  1. Plug-N-Pwned: Comprehensive Vulnerability Analysis of OBD-II Dongles as A New Over-the-Air Attack Surface in Automotive IoT Haohuang Wen 1 , Qi Alfred Chen 2 , Zhiqiang Lin 1 1 Ohio State University 2 University of California, Irvine USENIX Security 2020

  2. OBD-II Dongle in Automotive IoT OBD-II Dongle ► On-Board Diagnostics (OBD) is a standard widely adopted for vehicle to report its internal working status. ► OBD-II dongles: run OBD protocol and convert commands into human-readable information ► They can be inserted into vehicles’ OBD -II port ► A device can connect with these dongles and control vehicles Automotive IoT ► Remote vehicle control ► Remote vehicle diagnosis ► Remote status monitoring 1/19

  3. OBD-II Dongle in Automotive IoT CAN Bus Message CAN Bus Message Vehicle Data Vehicle Data Workflow ► Devices send CAN bus message CAN bus ► CAN bus: the network in the car; ► dongles forward it to the CAN bus; 1/19

  4. OBD-II Dongle in Automotive IoT CAN Bus Message CAN Bus Message Vehicle Data Vehicle Data Dongles can enhance vehicle safety, but it also provides a new remote attack interface 1/19

  5. Wireless Attacks on an OBD-II Dongle ► Vulnerabilities in the authentication and message filtering process (2017) ► They allow attackers to remotely stop the engine of a moving vehicle 2/19

  6. Motivation Repair Technician Auto Insurance Company Driver ► Are dongles really secure against remote attacks? 3/19

  7. Contributions Comprehensive vulnerability analysis . They conducted the first vulnerability analysis 1 on 77 wireless OBD-II dongles on Amazon US and implemented an automatic testing tool DongleScope. Vulnerability discovery and quantification . They identified 5 types of 2 vulnerabilities across 3 attack stages . They show that each of the dongles has at least two vulnerabilities. Attack case-study . Then they constructed 4 classes of concrete attacks and 3 validated them on a testing vehicle , which can lead to privacy leakage, property theft, and even safety threats. 4/19

  8. Attack Model Attack stage Nearby Attacker OBD-II Dongle Target Vehicle (I) Broadcast Stage 1 Broadcast Information 2 Connect (II) Connection Stage 3 Inject Messages Deliver Messages (III) CommunicationStage to CAN Bus Goal: exploit the new vehicle attack surface exposed by wireless OBD-II dongles and thus achieves wireless attacks onto the CAN bus of a victim vehicle. 5/19

  9. DONGLESCOPE: Broadcast Information Collection Dynamic Analysis Static Analysis (1) Broadcast Information Collection OBD-II Dongle Attack Surface (I) Broadcast Stage (II) Connection Stage (III) CommunicationStage Apps Stage Measurement Objective(s) (I) Broadcast information: including network type, SSID, Unique ID; 6/19

  10. Connection Setup Dynamic Analysis Static Analysis (1) Broadcast (2) Connection Setup Information Collection OBD-II Dongle Attack Surface (I) Broadcast Stage (III) CommunicationStage (II) Connection Stage Apps Stage Measurement Objective(s) 2 If connection can be established. (II) 3 If multiple access allowed: establish connections with multiple mobile devices 7/19

  11. Predefined Message Generation Dynamic Analysis Static Analysis (1) Broadcast (4) Predefined Message (2) Connection Setup (3) CAN Bus Message Test Information Collection Generation OBD-II Dongle Attack Surface (I) Broadcast Stage (III) CommunicationStage (II) Connection Stage Apps Stage Measurement Objective(s) 4 If predefined message can beinjected: legal messages defined by developer (III) 5 If other message can beinjected: vehicle control and other safety related functions 9/19

  12. Experiment Setup Dynamic Analysis ► 77 wireless OBD-II dongles on US Amazon in February 2019. ) 44 Wi-Fi dongles ) 3 Bluetooth classic dongles ) 30 Bluetooth Low Energy (BLE) dongles 10/19

  13. Experiment Setup Dynamic Analysis ► 77 wireless OBD-II dongles on US Amazon in February 2019. ) 44 Wi-Fi dongles ) 3 Bluetooth classic dongles ) 30 Bluetooth Low Energy (BLE) dongles ► Testing vehicle: 2015 Honda Civic 10/19

  14. Experiment Setup App Name Category #Download Dongle-specific? Torque Lite Communication 5,000,000 DashCommand Communication 1,000,000 EOBD Facile Auto &Vehicles 1,000,000 ScanMaster Communication 1,000,000 Car Scanner Auto &Vehicles 1,000,000 C OBDLink Communication 1,000,000 C BlueDriver Auto &Vehicles 500,000 OBD AutoDoctor Auto &Vehicles 500,000 C Carly forToyota Auto &Vehicles 100,000 C FIXD Auto &Vehicles 100,000 C Carista Auto &Vehicles 100,000 C ZUS Liftstyle 100,000 C Automatic Liftstyle 50,000 C RepairSolutions Auto &Vehicles 10,000 OBD Fusion Communication 10,000 C Kiwi OBD Tools 5,000 C Automate Tools 1,000 C HaulGauge Auto &Vehicles 500 C ArtiBox Tools 500 C JDiag FasLinkM2 Auto &Vehicles 100 C DODYMPS Tools 100 They also collected 21 mobile apps, which can be mapped to all 77 OBD-II dongles; 10/19

  15. Vulnerability in Connection Stage (I) Broadcast Stage (II) Connection Stage (III) Communication Stage V1.1 Nearly all dongles have no connection-layer authentication ► 71 (92.21%) dongles can be arbitrarily connected by nearby devices ► With this vulnerability, an attacker can perform Dos attack by keeping connected with the target dongle V1.2 Only 1 dongle has application-layer authentication ► Implying that 76 dongles can be directly compromised once the connection is established 12/19

  16. Vulnerability in Connection Stage (I) Broadcast Stage (II) Connection Stage (III) Communication Stage V2. 29 dongles allow unauthorized access even when another device isconnected ► This vulnerability increases the flexibility for attacks ► Only Wi-Fi dongles have such vulnerability attackers can attack these dongles even when the vehicle owner’s device is connected 12/19

  17. Vulnerability in Communication Stage (I) Broadcast Stage (II) Connection Stage (III) Communication Stage V3. 67% of the dongles fail to filter out undefined CAN bus messages ► First uncovered in the Bosch dongle [Kov17] but never quantified before ► Dangerous CAN bus messages (e.g., vehicle control related ones) can be injected they send an undefined CAN bus message which should not be accepted by the dongle and delivered to the CAN bus. 13/19

  18. Vulnerability in Communication Stage (I) Broadcast Stage (II) Connection Stage (III) Communication Stage V4. 3 dongles are vulnerable to over-the-air firmware subverting orextraction ► Three dongle firmware images can be extracted from their mobile apps ► Two dongles are vulnerable to firmware subverting Firmware DongleName Vulnerable? Available? Automatic Pro C C Carly WiFi GEN2 C BlueDriver Pro OBDII C C Innova 3211a Drive 13/19

  19. Vulnerability in Broadcast Stage (I) Broadcast Stage (II) Connection Stage (III) Communication Stage V5. Vulnerability status of half of the dongles can be fingerprinted with broadcast information ► Broadcast information includes: Wi-Fi SSID, UUID, Device name,etc. ► Increase success rate of attacks Vulnerability Connection Name Type # Dongle V1.1 V1.2 V2 V3 V4 C C C C V-Link Wi-Fi 4 C C C FastLink M2 BLE 4 C C C OBDBLE BLE 3 C C C V-checker BLE 2 C C C C OBDII SCANNER Wi-Fi 1 C C OBDLink MX Wi-Fi 1 11/19

  20. Attack Overview they construct 4 classes of concrete attacks and validated them on the testing vehicle. 14/19

  21. A1. Vehicle-related Data Leakage Location Leakage (V1.1, V1.2) ► PID 09 02 can be used to query the vehicle VIN ► Precisely locate the victim vehicle Diagnostic Data Leakage (V1.1, V1.2) ► Read vehicle diagnostic data (e.g., odometer, fuel rate, engine RPM) ► Driver behaviour fingerprinting [CPL15,ETKK16] CAN Bus Traffic Leakage (V1.1, V1.2, V3) ► Dump the CAN bus traffic with ATMAcommand ► CAN bus protocol reverse engineering 15/19

  22. A2. Property Theft (V1 and V3) 2 Disable Wireless 1 Inject 3B141A26 Door Locking The attacker can inject one CAN bus message to disable the wireless door locking. 16/19

  23. A2. Property Theft 2 Disable Wireless 1 Inject 3B141A26 Door Locking 4 Theft Leave without 3 conscious When the driver leaves the vehicle and locks the vehicle remotely with his key as usual, he may not know the locking is unsuccessful. Afterwards, the attacker can sneak into the vehicle. 16/19

  24. A3/ A4 Vehicle Control Interference (V1.1, V1.2, V3) ► With the same vulnerabilities, the attacker can also send other messages to cause vehicle control interference; In-vehicle Network Infiltration (V1.1, V1.2, V4) ► allow an unauthorized attacker to send a malicious firmware packet to subvert the dongle’s firmware 15/19

  25. Countermeasures Authentication on CAN bus . A 1 fundamental solution [VHSV11,NLJ08, Nearby Attacker OBD-II Dongle Target Vehicle GMVHV12,KMT + 14,RG16]. Firewall on the OBD-II port . Physical 2 2 Connect gateway module for Chrysler [gat]. Authentication on OBD-II dongles . 3 Secure dongle firmware (e.g., OpenXC [ope19]). 17/19

  26. Conclusion Nearby Attacker OBD-II Dongle Target Vehicle 1 Broadcast Information 2 Connect 3 Inject Messages Deliver Messages to CAN Bus DongleScope Vulnerability Analysis ► Comprehensive security analysis ► Uncovered and quantified 5 vulnerabilities ► Automatic testing tool DongleScope ► Constructed 4 concrete attacks The source code is available at https://github.com/OSUSecLab/DongleScope. 18/19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOw NOT to suck at Vulnerability Management Shellcon.io Plug (@plugxor) and Chris

HOw NOT to suck at Vulnerability Management Shellcon.io Plug (@plugxor) and Chris

HOw NOT to suck at Vulnerability Management Shellcon.io Plug (@plugxor) and Chris (@ChrisHalbersma) Current Landscape Apache Struts backend server exposed to the Internet DATABASE EXPOSED UNSECURED SERVER DATA LEAK

955 views • 57 slides
Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al ,

Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al ,

Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al , Presented(By(Lucas(Copi( Overview, Introduction, Automotive,Threat,Models, Vulnerability,analysis, Conclusion, Introduction,

464 views • 18 slides
Introducing OSGi Eclipse Plug-ins 1 Plug-in State Information Plug-in Structure

Introducing OSGi Eclipse Plug-ins 1 Plug-in State Information Plug-in Structure

Contents Eclipse Plug-ins Introducing OSGi Eclipse Plug-ins 1 Plug-in State Information Plug-in Structure Plug-in Deployment Eclipse Plug-ins Eclipse Plug-ins Eclipse isn't a single monolithic program, The behavior of

334 views • 4 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 24-1 Overview What is a vulnerability? Penetration studies Flaw Hypothesis Methodology Other methodologies Vulnerability

1.76k views • 148 slides
An innovative and comprehensive framework for Social Driven Vulnerability Assessment 20

An innovative and comprehensive framework for Social Driven Vulnerability Assessment 20

An innovative and comprehensive framework for Social Driven Vulnerability Assessment 20 November 2014 Who are we? Enrico o Frument nto Rober erto Puricelli lli (twitter: enricoff) (twitter: robywankenoby) ICT Security Specialist @

895 views • 67 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects

Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects

Advancing Equity Analysis in Scenario Planning Social Vulnerability and Neighborhood Effects Analysis Tools Robert Goodspeed, AICP, University of Michigan Chicago Open Heat Vulnerability Mapper Bev Wilson and Arnab Chakraborty, University of

830 views • 78 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
The Vulnerability Continuum Prescriptive Assets Method Neutralisation Analysis Qualitative

The Vulnerability Continuum Prescriptive Assets Method Neutralisation Analysis Qualitative

Malcolm Baker Jeremy Edwards Robert Rodger Kevin Thompson Jonathan Scott The Vulnerability Continuum Prescriptive Assets Method Neutralisation Analysis Qualitative Threats Method Table-top Exercises Adversary Vulnerability Sequence

191 views • 15 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
WALL PLUG PLUG-IN SWITCH & POWER METERING MANY FEATURES IN A SINGLE DEVICE The FIBARO Wall

WALL PLUG PLUG-IN SWITCH & POWER METERING MANY FEATURES IN A SINGLE DEVICE The FIBARO Wall

WALL PLUG PLUG-IN SWITCH & POWER METERING MANY FEATURES IN A SINGLE DEVICE The FIBARO Wall Plug is a remotely controlled plug-in switch with the built-in ability to measure power and energy consumption. FIBARO smart plug makes it possible

673 views • 21 slides
Comprehensive Energy Analysis IGEN Comprehensive Energy Analysis Funding Information Funding

Comprehensive Energy Analysis IGEN Comprehensive Energy Analysis Funding Information Funding

Illinois Green Economy Network (IGEN) Comprehensive Energy Analysis IGEN Comprehensive Energy Analysis Funding Information Funding provided from the Illinois Department of Commerce and Economic Opportunity through a legislative

238 views • 13 slides
Pwned: Protecting Yourself in the 2019 By Dallin Warne 1 Why are you a target? 99% Money

Pwned: Protecting Yourself in the 2019 By Dallin Warne 1 Why are you a target? 99% Money

Pwned: Protecting Yourself in the 2019 By Dallin Warne 1 Why are you a target? 99% Money 1% Everything else (revenge, activism, hate, espionage, etc) Why do they do it? Because it works. 3% 5% clicks on phishing links, down

581 views • 23 slides
Plug-In Folly Part 5 by Pat Murphy, Plan Curtail Part 5A: Conclusion Plug-In Vehicles the

Plug-In Folly Part 5 by Pat Murphy, Plan Curtail Part 5A: Conclusion Plug-In Vehicles the

Plug-In Folly Part 5 by Pat Murphy, Plan Curtail Part 5A: Conclusion Plug-In Vehicles the Score C1 A 2012 Congressional Budget Office report on plug-ins says that the lifetime costs to consumers of an electric vehicle are generally

405 views • 9 slides
How to Assign Weights to Towards a Theoretical . . . Different Factors in Towards a More . . .

How to Assign Weights to Towards a Theoretical . . . Different Factors in Towards a More . . .

Need for Vulnerability . . . Vulnerability Analysis: . . . Vulnerability Analysis . . . How to Find Weights? . . . How to Assign Weights to Towards a Theoretical . . . Different Factors in Towards a More . . . General Approach . . .

166 views • 13 slides
Nanocrafter Xylem vs. r pl r lv r pl r lv r pl r lv + d - d - d + d BLIND BLIND RATINGS

Nanocrafter Xylem vs. r pl r lv r pl r lv r pl r lv + d - d - d + d BLIND BLIND RATINGS

Nanocrafter Xylem vs. r pl r lv r pl r lv r pl r lv + d - d - d + d BLIND BLIND RATINGS BLIND RATINGS CHOICE Compute desired win rate using players rating BLIND RATINGS Compute desired win rate using players rating Compute

670 views • 51 slides
Semantic Modeling with Frames Rainer Osswald & Wiebke Petersen Department of Linguistics and

Semantic Modeling with Frames Rainer Osswald & Wiebke Petersen Department of Linguistics and

Semantic Modeling with Frames Rainer Osswald & Wiebke Petersen Department of Linguistics and Information Science Heinrich-Heine-Universit at D usseldorf ESSLLI 2018 Introductory Course Sofia University 06. 08. 10. 08. 2018 SFB

921 views • 59 slides
Why the AI? Andrew J. Perrin April 27, 2007 Andrew J. Perrin () Why the AI? April 27, 2007 1

Why the AI? Andrew J. Perrin April 27, 2007 Andrew J. Perrin () Why the AI? April 27, 2007 1

Why the AI? Andrew J. Perrin April 27, 2007 Andrew J. Perrin () Why the AI? April 27, 2007 1 / 7 We have a problem. 1 Long-term increase in mean grades across the university 2 Substantial and growing systematic inequality in grading patterns

462 views • 7 slides
Plan Social issues Data and Information How the Internet works What computers cant do

Plan Social issues Data and Information How the Internet works What computers cant do

Plan Social issues Data and Information How the Internet works What computers cant do Natural Language Multimedia Search Privacy and security Sunday, 4 December 11 informatics in society 2011-09-20 informatics literacy Michael Fourman

211 views • 10 slides
Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat /

Implementing the Witness protocol in Samba Gnther Deschner <gd@samba.org> (Red Hat / Samba Team) About Samba and RedHat Currently 7 Samba Team members inside RedHat Creators and users of Samba technology for authentication

836 views • 45 slides
Earl Warren Middle School Interim Housing Start Date: 4/20/2015 Completion Date 8/24/2015

Earl Warren Middle School Interim Housing Start Date: 4/20/2015 Completion Date 8/24/2015

Earl Warren Middle School Interim Housing Start Date: 4/20/2015 Completion Date 8/24/2015 As of 8/13/15 Earl Warren Middle School Interim Housing Start Date: 4/20/2015 Est. Completion Date 8/24/2015 As of 8/3/15 Earl Warren Middle

126 views • 11 slides
Identity and Streams Interim, Washington DC Martin Thomson Stream Isolation A receiver

Identity and Streams Interim, Washington DC Martin Thomson Stream Isolation A receiver

W3C stuff Identity and Streams Interim, Washington DC Martin Thomson Stream Isolation A receiver should soon be able to distinguish between streams that are isolated at the source and regular streams Sending Receiving peerIdentity

382 views • 10 slides
Case Law Update Part 2 5 th November 2020 Cornerstone Barristers Planning Week 2020 Planning

Case Law Update Part 2 5 th November 2020 Cornerstone Barristers Planning Week 2020 Planning

Case Law Update Part 2 5 th November 2020 Cornerstone Barristers Planning Week 2020 Planning Week 2020 Tuesday 3rd - 10am - Case Law Update - Part 1 Speakers: Ryan Kohli, Emma Dring, John Fitzsimons; Introduction: Josef Cannon available

511 views • 36 slides

More recommend