Embedded Systems Security: The Need for a Holistic Approach
Stephen Checkoway
Johns Hopkins University
Department of Computer Science
Computers are everywhere
Trends
✤ Mechanical systems replaced by software-controlled embedded systems
  ✤ Elevators
  ✤ Slot machines
  ✤ Planes, trains, and automobiles
  ✤ Etc.
✤ Embedded systems gain external connectivity
  ✤ Wi-fi
  ✤ Bluetooth
  ✤ Ethernet
  ✤ “Sneakernet”
PC security is hard (a timeline)
[Timeline figure, roughly 2000 to 2015 and beyond. Phases: prehistory; Internet usage becomes common; miscreants realize they can make money. Key: very vulnerable / somewhat vulnerable / not vulnerable. Final label: all PCs are very vulnerable.]
Attacks on embedded systems
✤ Steel mill hack, Germany 2014
✤ Tram hack, Poland 2008
✤ Stuxnet, Iran 2010
But can miscreants make money?
✤ Linux.Darlloz worm
  ✤ Targets Linux on x86, PowerPC, MIPS, and ARM
  ✤ Mines cryptocurrencies: Mincoin, Dogecoin
Embedded systems I’ve examined
✤ Electronic voting machines
✤ Automobile computers
✤ Webcams in laptops
✤ X-ray scanners used in airports
✤ Computers used in general aviation
Thesis
Embedded systems are insecure because we fail to evaluate the systems both adversarially and holistically.
Talk outline
✤ Introduction
✤ Controlling your car from afar
✤ Defeating your airport security
✤ Conclusions
Automobiles
✤ Cars are cyberphysical systems: software controlling the physical world
✤ Vulnerabilities in automotive systems can be life-threatening
Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, and Kohno. Comprehensive Experimental Analyses of Automotive Attack Surfaces. USENIX Security, 2011.
Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, and Savage. Experimental Security Analysis of a Modern Automobile. IEEE Symposium on Security and Privacy (“Oakland”), 2010.
The Evolution of the Automobile
[Figure, built up over several slides: the car starts with purely mechanical subsystems (air/fuel mix, exhaust, transmission, brake line), then gains an Engine Control Unit, then a TCU, ABS, Airbag Control Unit, Body Controller (locks/lights), Anti-Theft, Keyless Entry, Radio and HVAC, and finally a Telematics unit connected to the Internet/PSTN.]
Car components under attacker control
✤ Engine on/off
✤ Brakes on/off
✤ Horn
✤ Locks
✤ Lights
✤ HVAC
✤ Telematics
✤ Instrument panel
✤ Wipers
✤ Antitheft measures
✤ Car alarm
✤ Starter motor
✤ Radio
✤ Etc.
Reflash most ECUs (even while driving)
Security assumption
Physical access to the car is required to tamper with its computer systems
Indirect physical
✤ Definition:
  ✤ Attacks over physical interfaces
  ✤ Constrained: Adversary may not directly access the physical interfaces herself
  ✤ Extends attack surface to that of the device
Short-range wireless
Definition: Attacks via short-range wireless communications (meters range or less)
Long-range wireless
Definition: Attacks via long-range wireless communications (miles, global-scale)
Attack vectors explored in depth
✤ Components we compromised
  ✤ Indirect physical: diagnostic tool
  ✤ Indirect physical: media player
  ✤ Short-range wireless: Bluetooth
  ✤ Long-range wireless: cellular
✤ Every attack vector leads to complete car compromise
Insert a CD, take over the car
✤ Attack 1: Vestigial radio reflash from CD code
✤ Attack 2: WMA parsing bug; tricky overflow
Telematics networking stack
[Figure, built up over several slides: the telematics unit’s data path is a stack of 3G, PPP, SSL and the telematics application; the voice path runs from a cell phone over the voice channel into a software modem and then into the telematics application. The final build highlights a memcpy() call in the software modem, labelled with its Dest, Src and Boundary.]
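The memcpy() boundary highlighted in the figure is the classic shape of a length-unchecked copy in a protocol decoder. The following C program is an added example, not code from the talk or from the automotive paper: it decodes a constructed frame whose length byte is supplied by the sender, showing the defective pattern beside a version that validates that length against both the destination buffer and the bytes actually received. The frame layout, PAYLOAD_MAX, the return codes and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout for this illustration (not the real modem protocol):
 *   byte 0    : message type
 *   byte 1    : payload length N, as claimed by the sender
 *   bytes 2.. : N payload bytes
 */
#define PAYLOAD_MAX 16

struct decoded_msg {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* The defective pattern: the copy length comes straight from the untrusted
 * frame and is never compared with the destination size, so a frame claiming
 * N > PAYLOAD_MAX writes past 'payload'. Kept only for contrast; the helpers
 * below never feed it anything but a well-formed frame. */
int decode_unchecked(const uint8_t *frame, size_t frame_len, struct decoded_msg *out)
{
    if (frame_len < 2)
        return -1;
    out->type = frame[0];
    out->len = frame[1];
    memcpy(out->payload, frame + 2, out->len); /* Dest, Src, no boundary check */
    return 0;
}

/* Hardened version: the claimed length is checked against the destination
 * buffer and against the bytes actually received before memcpy runs. */
int decode_checked(const uint8_t *frame, size_t frame_len, struct decoded_msg *out)
{
    if (frame == NULL || out == NULL)
        return -1;
    if (frame_len < 2)
        return -1; /* header incomplete */
    uint8_t claimed = frame[1];
    if (claimed > PAYLOAD_MAX)
        return -2; /* would write past the destination buffer */
    if ((size_t)claimed > frame_len - 2)
        return -3; /* would read past the received bytes */
    out->type = frame[0];
    out->len = claimed;
    memcpy(out->payload, frame + 2, claimed);
    return 0;
}

/* Constructed sample frames. Each helper returns decode_checked's result so
 * the outcome can be checked without relying on printed output. */
int try_valid_frame(void)
{
    const uint8_t frame[] = {0x01, 0x04, 0xDE, 0xAD, 0xBE, 0xEF};
    struct decoded_msg m, u;
    int rc = decode_checked(frame, sizeof frame, &m);
    if (rc == 0 && (m.type != 0x01 || m.len != 4 || m.payload[3] != 0xEF))
        return -99; /* decoded fields do not match the frame */
    /* On a well-formed frame both decoders agree; only malformed input differs. */
    if (decode_unchecked(frame, sizeof frame, &u) != 0 || memcmp(&u, &m, sizeof m) != 0)
        return -98;
    return rc;
}

int try_oversized_frame(void)
{
    /* Claims 200 payload bytes: larger than the destination buffer. */
    const uint8_t frame[] = {0x01, 0xC8, 0xAA, 0xBB, 0xCC, 0xDD};
    struct decoded_msg m;
    return decode_checked(frame, sizeof frame, &m);
}

int try_truncated_frame(void)
{
    /* Claims 8 payload bytes but only 3 were received. */
    const uint8_t frame[] = {0x01, 0x08, 0x11, 0x22, 0x33};
    struct decoded_msg m;
    return decode_checked(frame, sizeof frame, &m);
}

int main(void)
{
    printf("valid frame     -> %d\n", try_valid_frame());     /* 0 */
    printf("oversized frame -> %d\n", try_oversized_frame()); /* -2 */
    printf("truncated frame -> %d\n", try_truncated_frame()); /* -3 */
    return 0;
}
```

The two failure codes matter separately in a review: the oversized case is the memory-safety bug, while the truncated case is the quieter over-read that conformance tests against the specification rarely exercise because the specification never describes a short frame.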
Call the car, take over the car
✤ Call telematics unit
✤ Transmit malicious payload
✤ Instantiation 1. Implement modem protocol
✤ Instantiation 2. Play MP3 into phone
Post-compromise control
✤ External connectivity enables additional command and control
✤ IRC chat client on the telematics unit enables controlling multiple cars simultaneously
Car theft
✤ Compromise car
✤ Locate car (via GPS)
✤ Unlock doors
✤ Start engine
✤ Bypass anti-theft
Surveillance
✤ Compromise car
✤ Continuously report GPS coordinates
✤ Stream audio recorded from the in-cabin mic
What went wrong with the car?
✤ Lack of adversarial pressure (this has started to change)
✤ Subsystems evaluated in isolation, not holistically
✤ Manufacturers are really integrators
No adversarial testing
✤ Manufacturers provide vendors incomplete functional specifications
✤ Minimal conformance testing
  ✤ Spec says “on input A, perform action X”; test that
  ✤ Spec says nothing about input B; no tests
✤ All computers on the bus implicitly trusted
✤ No notion of an adversary
Isolated evaluation
✤ Heterogeneous, distributed, multi-vendor system
  ✤ Internals of components frequently opaque
  ✤ Incorrect assumptions between different suppliers
  ✤ Almost all bugs found at component boundaries
✤ Formerly disconnected systems now connected
  ✤ No analysis of implications
Talk outline
✤ Introduction
✤ Controlling your car from afar
✤ Defeating your airport security
✤ Conclusions
Full-body, X-ray Scanners
✤ Another cyberphysical system
✤ Uses X-rays to produce naked images of subjects
Mowery, Wustrow, Wypych, Singleton, Comfort, Rescorla, Checkoway, Halderman, and Shacham. Security Analysis of a Full-body Scanner. USENIX Security, 2014.
Warning: Nudity
This section shows unmodified scanner images to demonstrate the privacy implications of full body scanning.
Full-body scanners
[Image: Rapiscan Corp., L-3 Communications]
Full-body scanner deployment
[Timeline figure, 2007 to 2014. Image: Rapiscan Corp., L-3 Communications]
✤ Feb 2007: TSA introduces FBSs as ‘secondary screening’
✤ Dec 2009: Failed bombing of Transatlantic flight
✤ Dec 2009: TSA moves FBSs to primary screening
✤ Nov 2012: Secure 1000 arrives at our lab
✤ May 2013: TSA retires Secure 1000
Public debate
✤ Radiological Safety? “… the dose to the skin may be dangerously high.” — UC San Francisco
✤ Privacy?
✤ Contraband Detection?
TSA response
Acquisition
Our contribution: The facts
1. Is the Secure 1000 radiologically safe?
2. What privacy safeguards exist?
3. How effective is it at detecting contraband?
Inside the Secure 1000
X-ray physics 101
[Figure: two interactions. Photoelectric effect (X-ray absorbed): incoming photon, electron, photoelectron. Compton scattering (X-ray scattered): incoming photon, electron, recoil electron, scattered photon.]
Dominant effect depends on material’s “effective atomic number”
Secure 1000 X-ray hardware
Figure adapted from U.S. Patent 8,199,996, R. Hughes, June 2012
Secure 1000
✤ Chopper spins
✤ Head assembly moves vertically
Secure 1000 X-ray hardware
Image production
The results
Radiation safety
✤ X-ray energy: 50 keV at 5 mA
✤ Dose per scan: 70-80 nSv
  ✤ ~24 minutes of background exposure
✤ Similar results by AAPM (2013)
Cyberphysical radiation safety
✤ Safety controls on radiological output
  ✤ Not security controls
✤ Simple, modular design
  ✤ Cannot over-irradiate scan subject without ROM replacement
Privacy
External PMT reconstruction
✤ X-rays backscatter in all directions
✤ Allows nearby adversary to capture images
External PMT reconstruction
✤ This is a small PMT
✤ The larger the PMT, the more detailed
Efficacy
Operator software
Console malware
[Figure panels: “Secret knock”, Visible light, X-ray, Operator’s View]
Adversarial physics
Firearms
✤ Subject is carrying a .380 ACP pistol
Folding knife
✤ Subject is carrying a folding knife
Plastic explosives
Quote: http://abcnews.go.com/blogs/politics/2013/08/outgoing-dhs-secretary-janet-napolitano-warns-of-serious-cyber-attack-unprecedented-natural-disaster/
Sandia: C4 detection (1992)
Reproduced from “Evaluation Tests of the Secure 1000 Scanning System”, Technical Report SAND91-2488, UC-830, Sandia National Laboratories, Apr. 1992.
Think adversarially!
[Figure label: Plastic]
Plastic explosives
No contraband vs. subject carrying 200+ g of C-4 simulant
Efficacy results
✤ Our results imply adversaries can conceal:
  ✤ Knives
  ✤ Firearms
  ✤ Plastic explosive & detonators
✤ Access to Secure 1000 allows attack refinement
What went wrong with the scanner?
✤ Limited threat model
  ✤ Assumes naïve, nonadaptive adversary
  ✤ Doesn’t consider insiders
✤ Didn’t evaluate holistically
  ✤ Didn’t consider limitations of X-ray physics
Talk outline
✤ Introduction
✤ Controlling your car from afar
✤ Defeating your airport security
✤ Conclusions
How did we get here?
✤ Embedded systems not designed with a security mindset
  ✤ Basic flaws (e.g., buffer overflows)
  ✤ Few technologically-enforced access controls
  ✤ Insiders not considered
✤ Components not designed with connectivity in mind
✤ Failure to evaluate systems holistically
What should we do about it?
✤ Embedded security must learn lessons from the PC world or it will repeat the mistakes
✤ Embedded systems can implement defenses deemed to unacceptably degrade PC performance
✤ Construct and use realistic threat models
✤ Systems should be designed and audited as a whole
✤ Updates should be pushed to devices
Design choices
✤ Move from federated to integrated (e.g., in aircraft avionics)
✤ Modular design with narrow data interfaces
  ✤ Simplifies security analysis
  ✤ Limits damage from compromised components
  ✤ E.g., car vs. scanner
    ✤ Car: modular design but ECU could be completely reprogrammed from the bus
    ✤ Scanner: modular design with constrained interface (HOME, SU, SD, …)
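Two of the talk’s points meet in one small piece of code: the “narrow data interface” design choice above (the scanner’s closed command set versus a bus that accepts a reflash), and the earlier observation that conformance tests check “on input A, perform action X” but say nothing about input B. The C program below is an added example, not code from the talk, the scanner, or either paper: it models a head controller whose entire interface is the three command names HOME, SU and SD listed on the slide, refuses every other input before it can touch device state, and runs both a conformance-style test and the adversarial probe that a spec-driven test plan would not contain. The command semantics (home the head, step it up or down within a bounded travel), HEAD_MAX, the result codes and the probe inputs are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a narrow control interface. HOME, SU and SD are the
 * command names the slides list for the scanner; their effects here are an
 * assumed interpretation, not the device's real behaviour. */
#define HEAD_MAX 100

struct head_state {
    int position;      /* 0 = home, HEAD_MAX = top of travel */
    unsigned rejected; /* number of inputs the interface refused */
};

enum cmd_result { CMD_OK = 0, CMD_REJECTED = 1, CMD_LIMIT = 2 };

/* The whole interface: a closed set of commands matched exactly on length and
 * content. Anything else is refused before device state is touched. */
enum cmd_result handle_command(struct head_state *st, const char *cmd, size_t len)
{
    if (len == 4 && memcmp(cmd, "HOME", 4) == 0) {
        st->position = 0;
        return CMD_OK;
    }
    if (len == 2 && memcmp(cmd, "SU", 2) == 0) {
        if (st->position >= HEAD_MAX)
            return CMD_LIMIT; /* bounded travel: refuse rather than wrap */
        st->position++;
        return CMD_OK;
    }
    if (len == 2 && memcmp(cmd, "SD", 2) == 0) {
        if (st->position <= 0)
            return CMD_LIMIT;
        st->position--;
        return CMD_OK;
    }
    st->rejected++;
    return CMD_REJECTED; /* the unspecified "input B": explicit, testable behaviour */
}

/* Conformance-style test: for each specified input, the specified action. */
int conformance_test(void)
{
    struct head_state st = {0, 0};
    if (handle_command(&st, "SU", 2) != CMD_OK || st.position != 1) return 0;
    if (handle_command(&st, "SU", 2) != CMD_OK || st.position != 2) return 0;
    if (handle_command(&st, "SD", 2) != CMD_OK || st.position != 1) return 0;
    if (handle_command(&st, "HOME", 4) != CMD_OK || st.position != 0) return 0;
    return 1;
}

/* Travel limits hold at both ends of the range. */
int limit_test(void)
{
    struct head_state st = {HEAD_MAX, 0};
    if (handle_command(&st, "SU", 2) != CMD_LIMIT || st.position != HEAD_MAX) return 0;
    st.position = 0;
    if (handle_command(&st, "SD", 2) != CMD_LIMIT || st.position != 0) return 0;
    return 1;
}

/* Adversarial probe: inputs the spec never mentions (near-miss names, wrong
 * case, embedded NUL, a concatenation, a command that looks like a memory
 * write, and every single byte value). Returns how many were accepted or
 * changed state; a narrow interface yields 0. */
int adversarial_probe(void)
{
    static const struct { const char *s; size_t n; } inputs[] = {
        {"home", 4}, {"HOMEX", 5}, {"S", 1}, {"SUU", 3}, {"", 0},
        {"SU\0", 3}, {"WRITE 0x1000 0xFF", 17}, {"HOME SU", 7},
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct head_state st = {5, 0};
        if (handle_command(&st, inputs[i].s, inputs[i].n) != CMD_REJECTED || st.position != 5)
            accepted++;
    }
    for (int b = 0; b < 256; b++) {
        struct head_state st = {5, 0};
        char c = (char)b;
        if (handle_command(&st, &c, 1) != CMD_REJECTED || st.position != 5)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("conformance: %s\n", conformance_test() ? "pass" : "FAIL");
    printf("limits:      %s\n", limit_test() ? "pass" : "FAIL");
    printf("adversarial: %d unspecified inputs accepted\n", adversarial_probe());
    return 0;
}
```

The probe is the part worth copying into an embedded test plan: it is written from the attacker’s position on the bus rather than from the specification, and it is cheap precisely because the interface is narrow enough to enumerate what must be refused.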
Thank you!
Fin