reverse engineering can bus messages using obd ii and
play

Reverse-engineering CAN bus messages using OBD-II and correlation - PowerPoint PPT Presentation

Sep 24, 2022 •188 likes •419 views

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram Blaauwendraad & Vincent Kieberl Supervisors: Ruben Koeze & Sander Ubink, KPMG What is OBD-II? On-Board Diagnostics II High level protocol that

  1. Reverse-engineering CAN bus messages using OBD-II and correlation coefficients Bram Blaauwendraad & Vincent Kieberl Supervisors: Ruben Koeze & Sander Ubink, KPMG

  2. What is OBD-II? On-Board Diagnostics II ▸ High level protocol that provides access to status and stored error codes ▸ of vehicle sub-systems PID (hex) Description Parameter identifiers (PIDs) ▸ 05 Engine coolant temp. 0C Engine RPM 0D Vehicle speed 10 Mass Air Flow rate Source: SAE J1979 / ISO 15031-5:2015 2

  3. What is CAN? Controller Area Network ▸ Bus network: broadcast ▸ Saves on copper wiring costs ▸ CAN IDs identify message types ▸ not public information ▹ Most CAN IDs occur regularly ▸ Meant for closed systems → insecure ▸ 3

  4. Automotive IDSs Increasing amount of electronics in vehicles ▸ IDSs currently use features from traffic metadata 1 ▸ Content-based features may improve accuracy ▸ Data plausibility checks ▹ 1 Bresch, M. and Salman, N. Design and implementation of an Intrusion Detection System (IDS) for in-vehicle networks. Gothenburg: University of Gothenburg, 2017. 4

  5. Prior work: Kang et al. Automated reverse-engineering of CAN frames using OBD-II ▸ Matching OBD-II value to CAN data ▸ Process of elimination ▸ Source: T. U. Kang, H. M. Song, S. Jeong and H. K. Kim, "Automated Reverse Engineering and Attack for CAN Using OBD-II," 2018 IEEE 88th Vehicular Technology Conference 5 (VTC-Fall) , Chicago, IL, USA, 2018, pp. 1-7, doi: 10.1109/VTCFall.2018.8690781.

  6. Prior work: Kang et al. (2) Only search for one-on-one matching value ▸ Initial experiments show that in Audi A4 B7, translation is used ▸ Approach Kang et al. does not work for translated values ▸ 6

  7. Source: https://wiki.openstreetmap.org/wiki/VW-CAN 7

  8. Research question To what extent can we reverse-engineer CAN messages using OBD-II interrogations and correlation coefficients when a translation is used? 8

  9. Methodology: theory Start listening on CAN bus 1. Do OBD-II request for supported PID 2. Stop listening on CAN bus 3. Compute averages for every unique CAN ID + byte index pair 4. Calculate Pearson Correlation Coefficient [OBDdata][CANdata] 5. 9

  10. 10

  11. 11

  12. 12

  13. 13

  14. Methodology: practical Audi and Hyundai ▸ 100 / 200 interrogations ▸ Testing procedure ▸ 14

  15. Methodology: proof-of-concept Python 3 ▸ Multithreading ▸ Get CAN data asynchronously ▹ Steps Get supported PIDs 1. Get CAN and OBD data for each PID 2. Compute averages 3. Compute correlation and save to CSV 4. 15

  16. Methodology: fitting Reverse-engineer formula used on CAN data ▸ When correlation > 0.9 ▸ We assume ▸ Fit value in 8-bit integer and allow negative values ▹ E.g. COOLANT_TEMP = ▹ 16

  17. Results PIDs with High correlation on all tests ▸ Examples: ▸ PID CID + Byte Index (int 100 & 200) Correlation Audi RPM 0x280 - 3 ~0.997 Audi INTAKE_PRESSURE 0x588 - 4 ~0.999 Audi MAF 0x288 - 6 ~0.962 Hyundai COOLANT_TEMP 0x329 - 1 ~0.992 Hyundai THROTTLE_POS 0x329 - 5 ~0.972 17

  18. Results (2) PIDs with no matches (correlation < 0.9) ▸ Examples: ▸ Audi - ENGINE_LOAD ▹ Audi - INTAKE_TEMP ▹ Hyundai - AMBIENT_AIR_TEMP ▹ Hyundai - EVAPORATIVE_PURGE ▹ Potentially a combination of CAN values (e.g. 0x280-2 + 0x360-4) ▸ 18

  19. Results (3) PIDs with ambiguous result ▸ Example: ▸ COOLANT_TEMP on Audi matches on both coolant temperature and ▹ oil temperature In certain driving conditions, these behave almost identically ▹ Different testing procedure solved this problem ▹ 19

  20. Result (4) Exact formula not found, however: ▸ Close approximation when range ▹ is known Lower resolution through averages ▹ Still useful for IDS Suspected Formula ▹ Found Formula 20

  21. Discussion It works, however... Practical considerations: What parameter are you looking for ▸ Fluctuations in environment variables ▸ Amount of CAN messages in test vehicle ▸ Thus: not one optimal setup 21

  22. Conclusion Correlation can be used to map CAN ID and byte indices to OBD values ▸ and formulas can be approximated with some limitations. Limitations ▸ No correlation (possibly a formula) ▹ Testing Procedure matters ▹ 1 on 1 match will not be found (correlation = n/a) ▹ Only works on one byte values (max. 255) ▹ 22

  23. Future work Bigger sample size ▸ Limited through OBD port, (security) gateways ▹ Conclusive proof ▸ Reverse-testing ▹ Extensive testing procedure ▸ Performance ▸ 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler

Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler

Reverse Engineering Binary Messages through Design Patterns LangSec 2020 Jared Chandler Kathleen Fisher Tufts University Tufts University Automatic Reverse Engineering of Binary y Messages Who does this: Why: Malware Communication

778 views • 15 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Overview Evidence Model Calibration Quantitative Results Reverse Engineered Shocks Conclusion Extras Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach Paolo Gelain Kevin J. Lansing Gisle J.

717 views • 50 slides
Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com Deepsec 2010 The Context (1)

Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com Deepsec 2010 The Context (1)

Tripoux: Reverse-Engineering Of Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com Deepsec 2010 The Context (1) A lot of malware families use home-made packers to protect their binaries, following a standard model: EP OEP

435 views • 43 slides
Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of

Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of

Local Council Finance and Public Perceptions of Spending in Local Areas Mo Baines Head of Communication and Coordination www.apse.org.uk The big picture on finance www.apse.org.uk Reductions in spending Headline on core spending 0.5%

560 views • 24 slides
Community Service Grant 101 Kate Arno Director, TV CSG Policy &amp; Review Andrew Charnik

Community Service Grant 101 Kate Arno Director, TV CSG Policy &amp; Review Andrew Charnik

Community Service Grant 101 Kate Arno Director, TV CSG Policy &amp; Review Andrew Charnik Director, Radio CSG Policy &amp; Administration 576 CSG radio and TV grantees operating 1,488 stations Photos courtesy The Nebraska Network 2 170 TV

984 views • 45 slides
Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C.

Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C.

Approximate Congruence Detection of Model Features for Reverse Engineering C. H. Gao, F. C. Langbein, A. D. Marshall and R. R. Martin ralph@cs.cf.ac.uk Department of Computer Science, Cardiff University, Wales, UK Congruence Detection

388 views • 28 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
Researchers: Henry Coles, Steve Greenberg Sponsors: California Energy Commission (CEC)

Researchers: Henry Coles, Steve Greenberg Sponsors: California Energy Commission (CEC)

Demonstrating a Dual Heat Exchanger Rack Cooler Tower Water for IT Cooling H. Coles, S. Greenberg contact: hccoles@lbl.gov October 24, 2012 Silicon Valley Leadership Group Data Center Efficiency Summit AMD, Sunnyvale California

235 views • 23 slides
Mergers and Acquisitions Presentation at the Surveyors pre th Apri co confe nferen rence

Mergers and Acquisitions Presentation at the Surveyors pre th Apri co confe nferen rence

Mergers and Acquisitions Presentation at the Surveyors pre th Apri co confe nferen rence ce on on Fri Frida day 28 y 28 th April l 20 2017 17 at at Impe Imperial rial R Reso esort rt Hotel Hotel - En Enteb tebbe be CPA

316 views • 30 slides
Kavango Basin NAMIBIA Recon Africa | May 2019 DISCLOSURE Certain information in this

Kavango Basin NAMIBIA Recon Africa | May 2019 DISCLOSURE Certain information in this

NEWLY DISCOVERED Kavango Basin NAMIBIA Recon Africa | May 2019 DISCLOSURE Certain information in this Presentation may constitute &quot;forward looking&quot; information or statements which involve known and unknown risks, uncertainties, and

624 views • 16 slides

More recommend