tinfoil attack
play

Tinfoil attack A study on the security threats and weaknesses of - PowerPoint PPT Presentation

Jun 11, 2023 •227 likes •440 views

Tinfoil attack A study on the security threats and weaknesses of GSM-based communication in BMW cars Thijs Houtenbos Jurgen Kloosterman thijs.houtenbos@os3.nl jurgen.kloosterman@os3.nl February 7, 2013 Thijs Houtenbos, Jurgen Kloosterman

  1. Tinfoil attack A study on the security threats and weaknesses of GSM-based communication in BMW cars Thijs Houtenbos Jurgen Kloosterman thijs.houtenbos@os3.nl jurgen.kloosterman@os3.nl February 7, 2013 Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  2. Introduction Evolution of cars Mobile communication eCall What security threats are introduced by connecting cars by means of a GSM-module to the Internet and can weaknesses be identified in the implementation in a 2011 BMW 5 Series? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  3. Research target Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  4. Background - ConnectedDrive in the Netherlands Convenience Entertainment Safety Google local search News Manual S.O.S call Information request Weather Automatic S.O.S call MyInfo My news Send-to-car Buienradar Country information Office BMW Routes BMW Internet Streetview. Ski sites Snapshots Webcams Table : Overview of ConnectedDrive services Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  5. GSM in a nutshell Network identified by two numbers (MCC/MNC) and a name Pre-shared key between provider and SIM-card for encryption Network dictates all security parameters Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  6. Software used for test network Open-source software from the Osmocom project 1 nanoBTS Radio interface OpenBSC Operator systems OsmoSGSN Data connectivity in the network OpenGGSN Exit point for the data 1 http://osmocom.org/ Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  7. Connectivity in the car Combox responsible for IVI and connectivity Difficult to remove if you are not a BMW mechanic Sticker on one of its sides contains some details we wanted Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  8. Connectivity in the car Initially it was assumed that the provider was Vodafone DE as SIM-number often match the MNC Later the IMSI-number revealed the provider to be T-Mobile The combox supports the 850, 900, 1800 and 1900MHz frequencies with support for GPRS and EDGE network types Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  9. Research - Connection Biggest challenge was to let the car connect to test network Three attempts needed before result: Power (fuses, battery, connector) 1 Block radio spectrum (jammer) 2 Tinfoil (Faraday cage) 3 Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  10. Research - Connection Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  11. Research - Connection Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  12. Research - Traffic inspection Traffic between the combox and manufacturer systems is sent with HTTP through a proxy Basic authentication is used to authenticate to proxy The traffic is compressed to decrease transfer times Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  13. Research - Browser Car browser is Access NetFront User-Agent identifies as Mozilla Firefox 3.5 on Windows 7 X-Forwarded-For header by proxy reveals internal IP-addresses 16-bit range registered with BMW AG, but not advertised on public Internet. Subnet for cars? Setup own proxy on their proxy IP to let the browser connect to Internet via us Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  14. Research - Registration Registration at manufacturer with VIN-number Includes own IP and a port accepting connections Used to remotely activate services? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  15. Research - Provisioning Provisioning service in the car requests XML-file with settings Contains server addresses with port numbers, usernames, passwords and telephone numbers Special APN name with login details Used by the car to directly connect to the manufacturer? The provisioning information is sent compressed but unencrypted. Signed? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  16. Research - Provisioning Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  17. Research - Applications News, weather, sports, etc Requested at special server but just HTML Again, no encryption just compression Setup own webserver with edited news feed and redirected proxy requests Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  18. Research - Applications Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  19. Conclusion What security threats are introduced by connecting cars by means of a GSM-module to the Internet and can weaknesses be identified in the implementation in a 2011 BMW 5 Series? The interesting features are not yet available in NL :( Easy to take over network in theory, a lot harder in practice No security found in the current systems, but impact is limited Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

  20. Questions Thank for your presence. Are there any questions? Thijs Houtenbos, Jurgen Kloosterman RP1 Car Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University

Security of Near Field Communication: Does My Phone Need A Tinfoil Hat? Thomas Harren University of Minnesota, Morris April 30, 2015 1 / 45 Have you used NFC? Note: The communication standard used in UCard was not verifjed 2 / 45 1 meter

1.56k views • 121 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

December 7-8, 2001, Beverly Hills, CA. Corporation, at the Surround 2001 International Conference and Technology Showcase, .E., President of Acoustic Sciences Transcript of a seminar presented by Arthur Noxon P ASCs 5.1 Surround ATTACK Wall

243 views • 6 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation! At least two aspects Target payloads Attack origins Future? arenas Attack Payloads Buffer overflow Format strings

535 views • 18 slides
Introduction Attack Graphs Model Creation Analysis of Attack Graphs

Introduction Attack Graphs Model Creation Analysis of Attack Graphs

EVA Evolutionary Vulnerability Analyzer A Framework for Network Analysis and Risk Assessment Dr. Melissa Danforth Department of Computer Science California State University, Bakersfield Introduction Attack Graphs Model Creation

684 views • 50 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr Velan Jana Medkov, Tom Jirsk, Pavel eleda Introduction We need to be able to describe the network traffic. The researchers have to be

320 views • 17 slides
ENSC 427: Communication Networks Spring 2015 Final Project Presentation: A decade of

ENSC 427: Communication Networks Spring 2015 Final Project Presentation: A decade of

ENSC 427: Communication Networks Spring 2015 Final Project Presentation: A decade of advancement: comparing the performance of various applications over 802.11b & 802.11n WiFi using Riverbed Modeler http://www.sfu.ca/~jaridw/main.html

631 views • 26 slides
Analysis of Mobile IP Analysis of Mobile IP in in Wireless LANs Wireless LANs

Analysis of Mobile IP Analysis of Mobile IP in in Wireless LANs Wireless LANs

ENSC 835: COMMUNICATION NETWORKS ENSC 835: COMMUNICATION NETWORKS FINAL PROJECT PRESENTATIONS FINAL PROJECT PRESENTATIONS Spring 2011 Spring 2011 Analysis of Mobile IP Analysis of Mobile IP in in Wireless LANs Wireless LANs

627 views • 26 slides
Software for a smarter business. ABOUT VOLO For over a decade, VOLO has been a leader and

Software for a smarter business. ABOUT VOLO For over a decade, VOLO has been a leader and

Software for a smarter business. ABOUT VOLO For over a decade, VOLO has been a leader and innovator in the critical communications space. We have continued to deliver innovation after innovation, all while providing the best value in the

152 views • 12 slides
High-Performance GPU Clustering: GPUDirect RDMA over 40GbE iWARP Tom Reu Consulting Applications

High-Performance GPU Clustering: GPUDirect RDMA over 40GbE iWARP Tom Reu Consulting Applications

High-Performance GPU Clustering: GPUDirect RDMA over 40GbE iWARP Tom Reu Consulting Applications Engineer Chelsio Communications tomreu@chelsio.com 1 Efficient Performance Chelsio Corporate Snapshot Leader in High Speed Converged

316 views • 28 slides
IPv6 Basics APNIC Training Bali, Indonesia February, 2007 Jordi Palet

IPv6 Basics APNIC Training Bali, Indonesia February, 2007 Jordi Palet

IPv6 Basics APNIC Training Bali, Indonesia February, 2007 Jordi Palet (jordi.palet@consulintel.es) - 1 Why a New IP? Only compelling reason: more addresses! for billions of new devices, e.g., cell phones, PDAs, appliances, cars, etc.

707 views • 47 slides
Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network

Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network

Socket (Session) Aware Socket (Session) Aware Change of IP - SACIP Change of IP - SACIP network functionality network functionality Samo Poganik Key notes about SACIP Key notes about SACIP On-the-fly changes of network access point of

660 views • 30 slides
InfiniBand Trade Association Status Update Author: Rupert Dance Date: 3/17/2010

InfiniBand Trade Association Status Update Author: Rupert Dance Date: 3/17/2010

InfiniBand Trade Association Status Update Author: Rupert Dance Date: 3/17/2010 www.openfabrics.org 1 Agenda CIWG Update IBTA Plugfest 16 October 2009 IBTA Mini-Interop Event February 2010 IBTA Plugfest 17 April

470 views • 19 slides

More recommend