Vehicle Electronic Security
and "Hacking" Your Car
Jeremy Daily, Ph.D., P.E. Associate Professor of Mechanical Engineering
James Johnson
Ph.D. Candidate in Computer Science
Andrew Kongs
Undergraduate in Electrical Engineering
Overview
• Introduction – How we got involved in vehicle electronics through crash testing
– What is Hacking?
– What does Cyber Security mean to Automotive systems?
• Technology Overview – Controller Area Network (CAN) fundamentals
– Connecting Hardware to the Network
– Reverse Engineering Signals
• Automotive Security Testing and Vulnerabilities – Literature Review
– Security Analysis Tools (Fuzzing, Debugging, etc)
• Digital Forensics for Automotive Systems – Sensor Simulators
– Chip Level Examination
The University of Tulsa
• Private co-ed doctoral university with
about 4500 students.
• TU is in the top 100 among national
doctoral universities
• Institutions for information security
– designated by the NSA as one of its
Centers of Academic Excellence in
Information Assurance Education.
• Many privately funded research
consortia
• Crash testing around the country
• Leverage on-board sensors for data acquisition
• CAN bus monitoring
• 8 SAE Publications
• Videos on website:
http://tucrrc.utulsa.edu/
What is a “Hacker?”
• A technically inclined person who is really curious about how things work but doesn’t have the manual (or doesn’t use it)
• Most engineers are hackers to some extent.
• Hacker + complicated kids toy = dad at Christmas
• Hacker + patent attorney = inventor
• Hacker + business opportunity = entrepreneur
• Hacker + university = researcher
• Hacker + prankster = drain on society
• Hacker + evil empire = national security threat
• Outcome depends on the context of the “Hack” and the ethics of the “hacker”
• Tuners and Street Racers
• Event Data Recorders – Third party EDR testing
and verification
• CAN Data Interpretation – Decoding library is
proprietary
• Things Unpleasant – Stealing Cars
– Breaking and Entering
– Or worse…
Hacking Cars
Consequences of Unpleasant Hacks
• Public paranoia has commercial implications – Customers may start pushing for improved security
• Attribution is difficult – We don’t know who the perpetrator is.
• Consequences can be scary – Unintended Accelerations
– Loss of brakes
– Pulling the steering wheel
• Remote interfaces eliminate the need for physical access.
Why Are Cars Hackable? It’s the Network!
• Introduction to Automotive Networks
• Measurement and Control Systems
– System Models
– Sensing and Converting
• Controller Area Network Basics
• Standards and Protocols
– J1939, J1708, J1587
• Demonstrations
• Enable optimal operation across broader ranges
– Fuel map changes with altitudes
• Enable compliance with stricter environmental
regulations
• Improve economy and performance
• Increase longevity and enable machine condition
monitoring
• Enable data logging for warranty disputes
• Provide fleet management tools and safety monitoring
Purpose of Measurement and Control
• Functional Block Diagram
Sensing and Control
[Figure: functional block diagram showing Sensor, Transmitter, Signal Conditioner, Controller, Actuator, Plant (Process), Data Logger and the CAN Bus]
• Considerations
– Rate, Range and Resolution
• Signal Sampling (Rate)
– Converts a continuous signal into a discrete signal
– Frequency?
• Range
– Amplify or attenuate signal to match A/D converter electronics
– Example: Voltmeters don’t operate at 120 V
• Quantization (Resolution)
– Converts a discrete signal into a digital word
– Quantizing bits, N
– Number of combinations: 2^N
– 12 bit = 2^12 = 4096
– 16 bit = 2^16 = 65536
– Least Significant Bit Value = Full Scale Range / 2^N
Converting Analog to Digital
• Binary: Represented by ones and zeros (bits) – Native computer language
– Cumbersome and long
• Hexadecimal: 0-F – 16 values
– 4 binary bits (nibble)
– 2 hex values = 8 bits = 1 byte (256 values)
• Quantizing Table
2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
128 64 32 16 8 4 2 1
217 decimal = 1101 1001 binary = D9 hex
Digital Concepts
• Since computers speak binary, we need conversions – ASCII: American Standard Code for Information
Interchange
– SAE Standards for Heavy Trucks • J1939 (many parts)
• J1708
• J1587
– ISO11992
• Standards compliant vehicles contain common elements
• Useful for Horizontal Integration
Standards and Protocols
• Controller Area Network (CAN) serial bus introduced by
Bosch in mid 1980s
• A 2-wire bus with multi-master capability with Collision
Detection, Arbitration, and Error Checking
– Result: nearly 100% data integrity in harsh environments
• Implemented using CAN transceiver hardware
– Inexpensive
– Single quantity prices around $4.00 with big benefits in
economies of scale
CAN Basics
• Bosch CAN Specification is free online.
• SAE J1939: Recommended Practice for a Serial
Control and Communications Vehicle Network
• J2284: High Speed CAN (HSC) for Vehicle
Applications at 250 Kbps
• J2411: Single Wire CAN Network for Vehicle
Applications
Controller Area Networks
• Up to 40 meters of twisted pair with 120 ohm terminating
resistors.
– Linear bus with 1m stubs
• CAN is resilient; deviations may not affect performance.
Physical Transmission Media
CAN Bus
• Pin A: Battery (-)
• Pin B: Battery (+)
• Pin C: CAN High
• Pin D: CAN Low
• Pin E: CAN Shield
• Pin F: J1708 (+)
• Pin G: J1708 (-)
• Pin H: OEM Use or 2nd CAN High
• Pin J: OEM Use or 2nd CAN Low
Connector Standards (9-Pin)
Source: J1939-11
• Pin A: Battery (+)
• Pin B: Battery (-)
• Pin C: CAN Shield
• Pin D: CAT Data Link Hi
• Pin E: CAT Data Link Lo
• Pin F: CAN/J1939 Lo
• Pin G: CAN/J1939 Hi
• Pin H: J1708 Lo
• Pin J: J1708 Hi
17 January 2013
Except Caterpillar
Source: DG Technologies (www.dgtech.com)
Message Structure
[Figure: CAN frame layout: 29-bit Identifier (Arbitration), Control Field, Data Field, Error Checking]
Data typically transferred up to 8 bytes at a time
• Problem:
– All have access to the bus at the same time
– Multiple devices try to send data at once
• Solution:
– CAN Arbitration where the highest Priority message comes
through
– Others wait and retry
• Arbitration
– Message Identifier (MID) determines priority
– 0 is dominant, so lowest MID wins
CAN Collisions and Arbitration
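To make the arbitration rule concrete, here is a software model of the bitwise arbitration described above. It is an added example, not code from the original presentation; the identifiers 0x153, 0x0A2 and 0x7E0 are chosen for illustration. It also shows the security consequence of the rule: a node that keeps a low identifier queued starves everyone else, and nothing in CAN prevents a node from doing so.

```python
"""Bitwise CAN arbitration modelled in software (added example).

Each contending node shifts its identifier out MSB first. The bus is a
wired-AND: a dominant 0 from any node overwrites a recessive 1. A node
that drives 1 but reads back 0 has lost, stops transmitting, and retries
once the bus is idle again.
"""


def arbitrate(ids, id_bits=11):
    """One arbitration round. Returns (winner, sorted list of losers).

    id_bits is 11 for standard CAN and 29 for extended CAN (J1939).
    """
    contenders = set(ids)
    if len(contenders) != len(ids):
        raise ValueError("two nodes must never transmit the same identifier")
    if any(cid >> id_bits for cid in contenders):
        raise ValueError(f"identifier does not fit in {id_bits} bits")
    for bit in range(id_bits - 1, -1, -1):
        driven = [(cid >> bit) & 1 for cid in contenders]
        wire = min(driven)  # any dominant 0 pulls the bus to 0
        # nodes that sent recessive 1 while the wire shows 0 drop out
        contenders = {cid for cid in contenders if (cid >> bit) & 1 == wire}
    (winner,) = contenders
    return winner, sorted(set(ids) - {winner})


def transmission_order(pending, id_bits=11):
    """Order in which a set of queued frames leaves the bus if every loser
    retries at the next bus-idle point: lowest identifier first."""
    pending = list(pending)
    order = []
    while pending:
        winner, _ = arbitrate(pending, id_bits)
        order.append(winner)
        pending.remove(winner)
    return order


def flood_victim_count(rogue_id, victim_ids, rounds, id_bits=11):
    """Priority flooding: a rogue node re-queues a frame with rogue_id at
    every bus-idle point. Returns how many victim frames get through in
    `rounds` arbitration rounds. With rogue_id = 0 the answer is zero."""
    sent = 0
    pending = list(victim_ids)
    for _ in range(rounds):
        winner, _ = arbitrate([rogue_id] + pending, id_bits)
        if winner != rogue_id:
            sent += 1
            pending.remove(winner)
    return sent


if __name__ == "__main__":
    print(hex(arbitrate([0x153, 0x0A2, 0x7E0])[0]))            # 0xa2
    print([hex(i) for i in transmission_order([0x7E0, 0x153, 0x0A2])])
    print(flood_victim_count(0x000, [0x153, 0x0A2], rounds=20))  # 0
```

The flood case is the practical caveat: arbitration guarantees the highest-priority frame gets through, but it gives every node on the bus the same right to claim that priority, so a compromised or malicious ECU can silence the others without sending a single malformed frame.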
Extended CAN Format for J1939
• SOF = Start of Frame
• EDP = Extended Data Page
• DP = Data Page
• PDU = Protocol Data Unit
• PF = PDU Format
• PG = Parameter Group
• SRR = Substitute Remote Request
• IDE = Identifier Extension Bit
• RTR = Remote transmission request
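The field list above is easier to use with a decoder in hand. The following is an added example, not code from the presentation. The identifier layout (3-bit priority, EDP, DP, PF, PS, source address) follows SAE J1939-21; the vehicle-speed scaling used in `wheel_speed_kph` (SPN 84 in PGN 65265, bytes 2-3, 1/256 km/h per bit, values from 0xFB00 upward reserved as error/not-available indicators) is quoted from J1939-71 as the author recalls it and should be checked against the standard before use. Sample identifiers and payloads are constructed.

```python
"""Decode and build 29-bit J1939 identifiers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class J1939Id:
    priority: int  # 3 bits, 0 is the highest priority
    edp: int       # extended data page (formerly reserved bit)
    dp: int        # data page
    pf: int        # PDU format
    ps: int        # PDU specific: destination address (PDU1) or group extension (PDU2)
    sa: int        # source address of the transmitting node

    @property
    def is_pdu1(self):
        # PF below 240 means PS carries a destination address
        return self.pf < 240

    @property
    def pgn(self):
        # For PDU1 the destination is not part of the parameter group number
        ps = 0 if self.is_pdu1 else self.ps
        return (self.edp << 17) | (self.dp << 16) | (self.pf << 8) | ps


def decode_id(can_id):
    """Split a 29-bit extended identifier into its J1939 fields."""
    if can_id >> 29:
        raise ValueError("not a 29-bit identifier")
    return J1939Id(
        priority=(can_id >> 26) & 0x7,
        edp=(can_id >> 25) & 0x1,
        dp=(can_id >> 24) & 0x1,
        pf=(can_id >> 16) & 0xFF,
        ps=(can_id >> 8) & 0xFF,
        sa=can_id & 0xFF,
    )


def encode_id(priority, pgn, sa, dest=0):
    """Inverse of decode_id. For PDU1 PGNs the destination address goes in PS."""
    pf = (pgn >> 8) & 0xFF
    ps = (pgn & 0xFF) if pf >= 240 else dest
    return ((priority & 0x7) << 26) | (((pgn >> 17) & 1) << 25) | (((pgn >> 16) & 1) << 24) \
        | (pf << 16) | (ps << 8) | (sa & 0xFF)


PGN_CCVS = 65265  # 0xFEF1, Cruise Control / Vehicle Speed


def wheel_speed_kph(data):
    """SPN 84 (wheel-based vehicle speed) from a CCVS payload: bytes 2-3
    little-endian, 1/256 km/h per bit (scaling assumed from J1939-71)."""
    if len(data) != 8:
        raise ValueError("CCVS frames carry 8 data bytes")
    raw = data[1] | (data[2] << 8)
    if raw >= 0xFB00:
        return None  # error / not-available indicator range
    return raw / 256.0


if __name__ == "__main__":
    # Constructed frame: engine (SA 0x00) broadcasting CCVS at priority 6
    hdr = decode_id(0x18FEF100)
    print(hdr, hex(hdr.pgn))
    print(wheel_speed_kph(bytes([0xFF, 0x00, 0x19, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])))  # 25.0
    # A diagnostic tool (SA 0xF9) requesting a PGN from the engine: PDU1, PS = destination
    print(decode_id(0x18EA00F9))
```

Note what is missing from the header: the source address is a self-declared field. Any device on the 9-pin connector can transmit with SA 0x00 and every receiver will treat the frame as coming from the engine, which is why address claiming on J1939 offers no authentication and why the data-injection results discussed later in these slides are possible at all.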
• Light vehicles typically use “Standard” CAN
– 500 kbps (250 kbps for J1939 on heavy trucks)
– Also known as Class C, or High Speed CAN
• Example: 2010 Dodge Ram
11-bit Identifiers
• Logic Levels
– 0 Volts differential (CAN High minus CAN Low) = Binary 1 (Recessive Bit)
– About 1 Volt differential or more (nominally 2 V) = Binary 0 (Dominant Bit)
• Bit Stuffing
– Oscilloscope shows extra binary 0s inside a byte decoded as FF: the transmitter inserts a bit of opposite polarity after every five consecutive equal bits
– Used to keep enough edges on the wire for receivers to stay synchronized
– Handled by the CAN controller hardware; the stuff bits never appear in the received data
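Reproducing the stuffing rule in software explains the extra zeros seen on the scope. The block below is an added example, not the presenters' code: it stuffs and de-stuffs a bit sequence exactly as a CAN controller does (a stuff bit counts toward the next run of five), and flags the stuff error a receiver would raise on six equal bits in a row.

```python
"""CAN bit stuffing and de-stuffing (added example)."""


def bits_of(data):
    """Bytes to a list of bits, MSB first, as they appear on the wire."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def stuff_bits(bits):
    """After five consecutive equal bits insert one bit of the opposite
    polarity. The inserted bit starts a new run, so 0xFF becomes
    1 1 1 1 1 0 1 1 1 (nine bit times on the oscilloscope)."""
    out, run, last = [], 0, None
    for b in bits:
        out.append(b)
        run = run + 1 if b == last else 1
        last = b
        if run == 5:
            stuff = 1 - b
            out.append(stuff)
            last, run = stuff, 1
    return out


def destuff_bits(stuffed):
    """Remove stuff bits; raise ValueError on a stuff error (six equal bits)."""
    out, run, last = [], 0, None
    it = iter(stuffed)
    for b in it:
        run = run + 1 if b == last else 1
        last = b
        out.append(b)
        if run == 5:
            stuff = next(it, None)  # the bit after five equal bits must be a stuff bit
            if stuff is None:
                break
            if stuff == b:
                raise ValueError("stuff error: six consecutive equal bits")
            last, run = stuff, 1
    return out


if __name__ == "__main__":
    raw = bits_of(b"\xff")
    wire = stuff_bits(raw)
    print(wire)                                  # [1, 1, 1, 1, 1, 0, 1, 1, 1]
    print(destuff_bits(wire) == raw)             # True
    print(len(stuff_bits(bits_of(b"\x00\xff\x0f"))) - 24)  # number of stuff bits added
```

Stuffing applies from start-of-frame through the CRC sequence; the CRC delimiter, ACK and end-of-frame are fixed-form fields and are not stuffed. Because the controller strips stuff bits before handing data to the host, any tool that works at the logic-analyzer level (or a deliberately malformed frame injected with a bit-banged transmitter) has to account for them explicitly.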
• Starting procedure shows many more messages when
engine is running
• Two traces: High Speed CAN and “Comfort” CAN
Observations
Wiring Schematic
Obtained from:
http://www.rambodybuilder.com/year.pdf
Plot Combinations of Bytes
[Plot: Vehicle Speed (MPH), 0 to 30, versus Time (sec), 0 to 100, decoded from CAN message 0x153 Byte 2]
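Plotting byte combinations against a known signal is the manual version of a correlation search. The block below is an added example, not the presenters' tooling: it constructs a synthetic CAN log (one 0x153 frame per second with the speed hidden in byte 2, a noise byte, a rolling counter and some unrelated traffic on ID 0x200) and ranks every single byte and adjacent 16-bit pair of a chosen ID by Pearson correlation with a reference trace such as GPS speed. The log, the byte layout and the scaling (0.25 mph per bit) are constructed for the example, not taken from the 2010 Ram.

```python
"""Rank CAN payload fields by correlation with a reference signal (added example)."""
import random


def pearson(x, y):
    """Pearson correlation; 0.0 when a series is constant (a fixed byte carries no signal)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def candidate_fields(payload_len=8):
    """Single bytes plus adjacent 16-bit pairs in both byte orders."""
    fields = [(f"byte{i}", lambda d, i=i: d[i]) for i in range(payload_len)]
    for i in range(payload_len - 1):
        fields.append((f"u16le({i},{i + 1})", lambda d, i=i: d[i] | (d[i + 1] << 8)))
        fields.append((f"u16be({i},{i + 1})", lambda d, i=i: (d[i] << 8) | d[i + 1]))
    return fields


def rank_fields(frames, can_id, reference):
    """Correlate each candidate field of `can_id` with `reference` (one sample
    per frame of that ID). Returns [(abs_r, field_name, r)], best first."""
    payloads = [d for cid, d in frames if cid == can_id]
    if len(payloads) != len(reference):
        raise ValueError("reference must have one sample per frame of the chosen ID")
    scored = []
    for name, extract in candidate_fields():
        r = pearson([extract(d) for d in payloads], reference)
        scored.append((abs(r), name, r))
    scored.sort(reverse=True)
    return scored


def make_log(seed=0):
    """Constructed drive: accelerate, cruise, brake, accelerate again, 1 frame/s.
    byte 2 of 0x153 carries speed in 0.25 mph/bit; byte 1 is noise; byte 3 a counter."""
    rng = random.Random(seed)
    frames, speed = [], []
    for t in range(100):
        if t < 30:
            mph = float(t)
        elif t < 60:
            mph = 30.0
        elif t < 80:
            mph = 30.0 - 1.5 * (t - 60)
        else:
            mph = float(t - 80)
        speed.append(mph)
        data = bytes([0x00, rng.randrange(256), int(mph * 4), t & 0x0F, 0xFF, 0xFF, 0xFF, 0xFF])
        frames.append((0x153, data))
        frames.append((0x200, bytes([t & 0xFF] * 8)))  # unrelated traffic, filtered out
    return frames, speed


if __name__ == "__main__":
    frames, speed = make_log(seed=3)
    for abs_r, name, r in rank_fields(frames, 0x153, speed)[:5]:
        print(f"{name:12s} r={r:+.4f}")
```

The ranked list needs a human look, exactly as the slide's plots do: the 16-bit fields that contain byte 2 score almost as high as byte 2 alone, so the analyst still confirms the width and the scaling (here 0.25 mph per bit) by overlaying the candidate on the reference trace before trusting it in a decoding library.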
Truck-In-A-Box and Chip-Level Forensics
Truck-In-A-Box
• Our Truck-In-A-Box was designed to simulate a vehicle
for an ECM, including active and passive sensors
• Funded by DARPA through the Cyber Fast Track
Program
• Our first TIB simulated a vehicle for a Navistar
MaxxForce 13 ECM
• Included Instrument Cluster, ECM and simulated ABS
Computer Science / www.isec.utulsa.edu
Active Signal Simulation
• Characterized real vehicle sensor signals
• Created programs to generate the signals
• Feed the signals to the ECM in the Truck-In-A-Box
• Recorded data during driving tests in real vehicles,
played back data to the ECM using a Truck-In-A-Box
• Also replayed J1939 traffic from the drive tests
What is it for?
• Very Flexible – Testing and research framework for
heavy vehicle ECMs
• Forensic Recovery of Functional ECM Data
• Security and Pen Testing for Vehicle Networks
• Can be used to simulate driving sequences, set hard
brake events on some ECMs (Key-on Engine-Off has
limitations)
• Much lower acquisition cost than an actual vehicle
More Trucks-in-Boxes
• Since the first one (which got shipped away to DARPA),
we’ve built boxes for about 10 different ECMs
• Includes Detroit Diesel, Caterpillar, Cummins, Navistar
• Simplest one is the DDEC IV, most complicated so far is
Navistar
• Complexity largely depends on the ECM and what it
requires
What happens when an ECM is damaged
in a crash, but may contain valuable data?
Chip Level Forensics
• Follow on project to Truck-In-A-Box through DARPA’s
Cyber Fast Track program
• Researching ways to recover data from the ECM directly,
not over the vehicle network
• Use Trucks-in-boxes to simulate driving sequences with
ECMs, tear down the ECM, remove the chips, read the
data
• Ongoing project
Challenges
• All of the ECMs have environmental protection –
conformal coatings and sealants
• Seems as if none of them were designed to be taken
apart, much less to have data recovered from them after
being broken
• Getting inside the case is a big challenge
• BGA chips and Data interpretation are also difficult
Goals
• Tear down ECMs, survey the device internals in the
industry
• Develop techniques for investigators to open the devices
• Map and Identify information within the raw data
• Investigate the possibilities of tampering with data
Future Work
• Expand the breadth to encompass more devices and
models
• Add more features and improve the accuracy of the TIB’s
simulated sensors and networks
• Vulnerability analysis of extracted code running on
devices
• Improvements to the forensic extraction techniques
How I Learned to Quit Worrying and Love Hackers
Car Hacking Is Hot
• “Experimental Security Analysis of a Modern Automobile”
– Koscher et al
• “Comprehensive Security Analyses of Automotive Attack
Surfaces” – Checkoway et al
• “Adventures in Automotive Networks and Control Units”
– Miller & Valasek
2010 – A shot across the bow
• Researchers “fuzzed” an
automotive network
• Locked doors, perma-on,
disabled brakes
• Also did some scary
visual effects
2011 – Twisting the knife
• More complete
exploration of attack
surfaces
• Compromise through
service tools, music
player, Bluetooth, Cellular
• Unauthenticated remote
exploits of automobiles
• Translation: “This Is
Really Bad”
2013 – Charlie Miller
• Covered attacks possible with network access
• Attacked Prius and Ford Escape
• Controlled brakes, acceleration, and steering
• Also reverse engineered OEM maintenance software
• Obtained passwords, etc.
FUD: Fear, Uncertainty, and Doubt
• All this has upset the automotive industry
– …and everyone else
• “We can’t think like the hackers”
• Need to demystify hackers and hacking
Hackers Origin Story
• MIT TMRC, late 60s
• “A person who delights in
having an intimate
understanding of the
internal workings of a
system…” – RFC 1392
• Playful cleverness
• Current usage stems from
too much playfulness
Tools of the Trade
• Black Box Testing
– “Fuzzing”
– Fault injection testing
• Dynamic Analysis
• Static Analysis
Black Box Testing
• Zero knowledge of system internals
• Inject input
– Random
– Semi-random
– Replay
• Observe results
• This can best be explained by an example
• Tools: BeagleBone Black, CANCape
– Total cost ~$100
• Inject random traffic using custom Python script
– Time invested: ~1/2 hour
• Preliminary testing resulted in only slight damage to
vehicle
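The "custom Python script" on this slide is not reproduced in the deck; the block below is an added example of what such a harness looks like, written by the editor and not taken from the presenters. It packs frames in the Linux SocketCAN `can_frame` layout (the format a raw CAN socket on a BeagleBone with a CAN cape accepts), supports the three input strategies listed above (random, semi-random mutation of observed frames, replay), and logs every frame with its sequence number so a misbehaviour can be reproduced from the seed. The transport is passed in as a callable so the generator can be exercised without hardware; `open_socketcan` is the only part that touches a real interface, and the interface name `can0` is an assumption.

```python
"""Minimal CAN fuzzing harness over SocketCAN (added example)."""
import random
import struct

CAN_EFF_FLAG = 0x80000000   # extended (29-bit) frame flag in can_id
CAN_SFF_MASK = 0x7FF
CAN_EFF_MASK = 0x1FFFFFFF
# struct can_frame: u32 can_id, u8 dlc, 3 padding bytes, u8 data[8]  (16 bytes)
CAN_FRAME = struct.Struct("=IB3x8s")


def pack_frame(can_id, data, extended=False):
    """Build the 16-byte can_frame a raw CAN socket expects."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    cid = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    if extended:
        cid |= CAN_EFF_FLAG
    return CAN_FRAME.pack(cid, len(data), bytes(data).ljust(8, b"\x00"))


def unpack_frame(raw):
    """Inverse of pack_frame: (can_id, data, extended)."""
    cid, dlc, data = CAN_FRAME.unpack(raw)
    extended = bool(cid & CAN_EFF_FLAG)
    return cid & (CAN_EFF_MASK if extended else CAN_SFF_MASK), data[:dlc], extended


def open_socketcan(ifname="can0"):
    """Return a send() callable bound to a real interface (Linux only; name assumed)."""
    import socket
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((ifname,))
    return sock.send


class CanFuzzer:
    def __init__(self, seed, corpus=(), ids=None, extended=False):
        self.rng = random.Random(seed)   # seeded so a run can be reproduced
        self.corpus = list(corpus)       # observed (id, data) pairs for replay / mutation
        self.ids = ids                   # restrict to IDs seen on the bus, or None for all
        self.extended = extended
        self.sent = []                   # (sequence, id, data) log

    def random_frame(self):
        if self.ids:
            cid = self.rng.choice(self.ids)
        else:
            cid = self.rng.randrange((CAN_EFF_MASK if self.extended else CAN_SFF_MASK) + 1)
        data = bytes(self.rng.randrange(256) for _ in range(self.rng.randrange(9)))
        return cid, data

    def mutated_frame(self):
        """Semi-random input: flip one bit in one byte of a recorded frame."""
        cid, data = self.rng.choice(self.corpus)
        if not data:
            return cid, data
        buf = bytearray(data)
        i = self.rng.randrange(len(buf))
        buf[i] ^= 1 << self.rng.randrange(8)
        return cid, bytes(buf)

    def run(self, send, count, mode="random"):
        """Send `count` frames through send(raw_bytes); return the log."""
        for n in range(count):
            if mode == "replay":
                cid, data = self.corpus[n % len(self.corpus)]
            elif mode == "mutate":
                cid, data = self.mutated_frame()
            else:
                cid, data = self.random_frame()
            send(pack_frame(cid, data, self.extended))
            self.sent.append((n, cid, data))
        return self.sent


if __name__ == "__main__":
    seen = [(0x153, bytes([0x00, 0x1A, 0x3C, 0x05, 0xFF, 0xFF, 0xFF, 0xFF]))]  # constructed
    fuzzer = CanFuzzer(seed=7, corpus=seen, ids=[0x153, 0x200])
    for n, cid, data in fuzzer.run(print, 3, mode="mutate"):  # replace print with open_socketcan()
        print(n, hex(cid), data.hex())
```

Two practical points follow from the slide's "only slight damage" remark. First, run this against a bench setup such as the Truck-In-A-Box, never a vehicle that can move: the ECM cannot tell a fuzzer on the diagnostic connector from a legitimate node. Second, the sequence-numbered log plus the seed is what turns "the cluster went dark at some point" into a single reproducible frame, which is the difference between a demonstration and a finding.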
Dynamic Analysis
• Observe system in running state
• Partial knowledge of system
• Software tools
– Debuggers
– Sysinternals
– Developer tools
• Another brief example: a truck maintenance
software file format.
Static Analysis
• Detailed analysis of static code
• Most complete, safest
– Also incredibly time consuming
• Tools of the trade
– Disassemblers
– Decompilers
• Yet another example involving truck
maintenance software encryption
Current Trends
• Vehicles continue to get more networked
• What about heavy trucks? Bigger attack surface, more
impact.
• Significant academic interest in vehicle security
– Telematics interfaces
– Smart grid to vehicle communications
– Example: ESCAR
• OEMs are beginning to take this seriously
• SAE J3061 is on the way!