+Who Killed My Parked Car?
Faculty: Kang G. Shin
Grad students: Kyong-Tak Cho, Arun Ganesan, Daniel Chen, Mert Pese
The University of Michigan
+Vehicle Cyber Attacks
Security Risks!
- Remote Access Points
- In-Vehicle Networks
Source: K. Koscher et al., “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10
+Attacks Possible/Effective on Parked Cars?
Ignition ON, Integrity/Authenticity/…:
- Koscher et al. [S&P’10]
- Checkoway et al. [USENIX Sec’13]
- Miller et al. [Defcon’13, BlackHat’14, BlackHat’15]
- Cho and Shin [USENIX’15, CCS’17]
- …
Ignition ON, Availability:
- Cho and Shin [CCS’16]
- …
Ignition OFF: ? ? ?
Is it even possible/effective to attack a vehicle when its ignition is OFF?
+Waking up ECUs
“Sleep Mode”
- Extremely low current (µA)
- Can be awakened!!!
Reference: hollisbrothersauto
Reference: Lexus
+CAN Transceivers with Wake-up
+Standardized Wake-up
+Battery life…
Terminal 30 ECUs’ consumption in Sleep Mode: 30mA
- Max. # days in Sleep Mode: 41 days
“Can an attacker increase this power consumption?”
+Threat Model
OBD-II devices: Some have external power supply (e.g., battery)
Telematic Units: These are considered to be the most “vulnerable” one!
An adversary has remote access to CAN bus and can control
+Two Novel (Immobilization) Attacks
- Battery Drain Attack
- Denial-of-Body control Attack
+Attack 1: Battery Drain Attack
Zzzz…..
Inject CAN message!
- Bus wake-up via simple signal patterns? GOOD!
- Fast “standardized” wake-up mechanism needed? EVEN BETTER!
- How can the attacker drain the vehicle battery?
+Battery Drain Attack
Multimeter Laptop Car Battery
Experiment on 2017 Year-model Vehicle
+Battery Drain Attack
| Control | Drained Current | Max #days with ignition off* |
|---|---|---|
| (None) | 12.2mA | 30.7 days |
| Wake up HSCAN, MSCAN | 40mA | 12.5 days |
| Change power mode | 75mA | 8.3 days |
| Unlock/lock driver’s door | 100mA | 5 days |
| Open trunk | 150mA | 3.3 days |

“Parasitic Drain” threshold: 30mA
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
+Battery Drain Attack
In our 2017 year-model test vehicle, when attempting to wake up ECUs
While the ignition is off…
+Battery Drain Attack
| Control | Drained Current | Max #days with ignition off* |
|---|---|---|
| (None) | 12.2mA | 30.7 days |
| Wake up ECUs | 42.0mA | 8.92 days |
| Change power mode | 74.5mA | 5.02 days |
| Unlock/lock driver’s door | 101.1mA | 3.7 days |
| Open trunk | 153.3mA | 2.44 days |

“Parasitic Drain” threshold: 30mA
* 60Ah battery, Min. SoC for cold start: 50% (Worst Case), Usual SoC: 70%
+Driver-context-based Reverse Engineering
What do people normally do before starting their car? Probably…
1) Open the door
2) Start the car (change in power mode…)
3) Or perhaps… open the trunk!
- Q. How do we know which message ID to use in order to control such functions?
=> Driver-Context-Based Reverse Engineering
[Ignition OFF] CAN traffic (~30 msgs)
[Ignition ON] CAN traffic (~60 msgs)
Compare traffic!
+Battery Drain Attack
In other vehicles…
2008–2017 model-year (compact and mid-size) sedans, coupe, crossover, PHEV (Plug-in Hybrid Electric Vehicle), SUVs, truck, and an electric vehicle
+Some Example Vehicles
+Attack 2: Denial-of-Body control Attack
RFA BCM
“Remote Keyless Entry (RKE) System”
+CAN Protocol : Error Handling
States: Error Active, Error Passive, Bus Off
- Error Active → Error Passive: TEC > 127 (or) REC > 127
- Error Passive → Error Active: TEC ≤ 127 (and) REC ≤ 127
- Error Passive → Bus Off: TEC > 255
- Bus Off → Error Active: Reset (Auto/Manual)
Bus Off:
- Disconnection from bus
- Shutdown of entire system
+CAN Protocol : Error Handling
ISO 11898
“A node can start the recovery from bus-off state only upon a user request.”
Depends on the Software Config.
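The fault-confinement states above and the effect of the bus-off recovery setting, as an added example (not from the original slides): a simplified C model in which TEC rises by 8 per failed transmission and falls by 1 per success. The `recovery_t` policy names, the function names and the single recovery window are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Fault-confinement states from the slide's diagram. */
typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state_t;
/* Assumed per-ECU software setting for leaving bus-off (names are illustrative). */
typedef enum { RECOVER_AUTO, RECOVER_ON_REQUEST } recovery_t;

typedef struct {
    unsigned tec, rec;          /* transmit / receive error counters */
    can_state_t state;
    recovery_t policy;
} can_node_t;

static void update_state(can_node_t *n) {
    if (n->state == BUS_OFF) return;            /* only a reset leaves bus-off */
    if (n->tec > 255) n->state = BUS_OFF;
    else if (n->tec > 127 || n->rec > 127) n->state = ERROR_PASSIVE;
    else n->state = ERROR_ACTIVE;
}

/* Simplified counting: TEC +8 per failed transmission, -1 per success. */
static void on_tx(can_node_t *n, bool ok) {
    if (n->state == BUS_OFF) return;            /* node no longer transmits */
    if (!ok) n->tec += 8;
    else if (n->tec > 0) n->tec--;
    update_state(n);
}

/* Called once the bus has been idle long enough for recovery to be allowed. */
static void on_recovery_window(can_node_t *n, bool user_request) {
    if (n->state != BUS_OFF) return;
    if (n->policy == RECOVER_AUTO || user_request) {
        n->tec = n->rec = 0;
        n->state = ERROR_ACTIVE;
    }
}

/* State after `failures` failed transmissions and one unattended recovery window. */
can_state_t simulate(recovery_t policy, int failures) {
    can_node_t n = { 0, 0, ERROR_ACTIVE, policy };
    for (int i = 0; i < failures; i++) on_tx(&n, false);
    on_recovery_window(&n, false);
    return n.state;
}

int main(void) {
    const char *name[] = { "error-active", "error-passive", "bus-off" };
    printf("auto, 32 failures:       %s\n", name[simulate(RECOVER_AUTO, 32)]);
    printf("on-request, 32 failures: %s\n", name[simulate(RECOVER_ON_REQUEST, 32)]);
    return 0;
}
```

A node modelled with `RECOVER_ON_REQUEST` stays off the bus until something issues the reset, which is why the recovery setting of each ECU is worth auditing.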
+Denial-of-Body control (BoD) Attack
One simple procedure (of many others…)
1. Wait for all ECUs to go to sleep after ignition is OFF
2. Wake up ECUs
3. Change bit rate (e.g., 500 kbps → 250 kbps)
Consequence
1. All awakened ECUs on the bus continuously experience and incur errors
2. All enter the bus-off state, i.e., shut-down
3. Depending on the software configuration, some ECUs recover from the bus-off state whereas some don’t…
+Denial-of-Body control (BoD) Attack
In our 2017 year-model test vehicle, RCM (Remote Control Module) did not recover from the bus-off, i.e., remained shut down, most probably due to its distinct recovery policy configuration (perhaps for anti-theft/engine-immobilizer purposes).
+Denial-of-Body control (BoD) Attack
Symptoms
1) Remote key does not work (even attempting with its RFID)
2) Door cannot be opened
3) Trunk does not open/close
Problems…
1) Vehicle owners won’t even know what happened
2) They cannot even start the car
3) Maybe, the car has to be towed
4) Order a new key fob
+Denial-of-Body Attack
The key was with us inside the car!
Not even injecting any msg right now…
+Conclusion
- Wake-up function is there for the attacker to use, which is too easy/simple…
- Vehicle ECUs can not only be “awakened” but also be “controlled/attacked”, while the ignition is off…
- State-of-the-art defense schemes do not consider such a possibility
Possibility of “immobilizing” or shutting