+Who Killed My Parked Car?
Faculty: Kang G. Shin; Grad students: Kyong-Tak Cho, Arun Ganesan, Daniel Chen, Mert Pese
The University of Michigan
+Vehicle Cyber Attacks
Security Risks!
Remote Access Points
In-Vehicle Networks
+Vehicle Cyber Attacks
Source: K. Koscher et al., “Experimental Security Analysis of a Modern Automobile”, IEEE S&P’10
+Attacks Possible/Effective on Parked Cars?
Integrity/Authenticity/… vs. Availability
Ignition ON, integrity/authenticity: Koscher et al. [S&P’10], Checkoway et al. [USENIX Sec’13], Miller et al. [Defcon’13, BlackHat’14, BlackHat’15], Cho and Shin [USENIX’15, CCS’17], …
Ignition ON, availability: Cho and Shin [CCS’16], …
Ignition OFF: ? ? ?
Is it even possible/effective to attack a vehicle when its ignition is OFF?
+Waking up ECUs
“Sleep Mode”: extremely low current (µA), yet the ECUs can be awakened!!!
Reference: hollisbrothersauto
Reference: Lexus
+CAN Transceivers with Wake-up
+Standardized Wake-up
+Battery life…
Terminal 30 (permanent battery supply, live with the ignition off) ECUs’ consumption in Sleep Mode: 30mA
Max. # days in Sleep Mode: 41 days
“Can an attacker increase this power consumption?”
+Threat Model
OBD-II devices (some have an external power supply, e.g., a battery)
Telematic Units: these are considered to be the most “vulnerable” ones!
• An adversary has remote access to the CAN bus (through a compromised OBD-II device or telematic unit) and can control it
+Two Novel (Immobilization) Attacks
1) Battery Drain Attack
2) Denial-of-Body-control Attack
+Attack 1: Battery Drain Attack
Zzzz….. → Inject CAN message!
• Bus wake-up via simple signal patterns? GOOD!
• Fast “standardized” wake-up mechanism needed? EVEN BETTER!
• How can the attacker drain the vehicle battery?
+Battery Drain Attack
[Figure: experimental setup with a laptop, a multimeter, and the car battery; experiment on a 2017 model-year vehicle]
+Battery Drain Attack
While the ignition is off… In our 2017 model-year test vehicle, when attempting to wake up ECUs and control body functions:
Control                        Drained current   Max # days with ignition off*
(None)                         12.2 mA           30.7 days
Wake up ECUs (HSCAN, MSCAN)    42.0 mA           8.92 days
Change power mode              74.5 mA           5.02 days
Unlock/lock driver’s door      101.1 mA          3.7 days
Open trunk                     153.3 mA          2.44 days
“Parasitic drain” threshold: 30 mA (every injected control exceeds it; only the idle baseline stays below)
* 60Ah battery, min. SoC for cold start: 50% (worst case), usual SoC: 70%
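The arithmetic behind the table, as an added example that is not the authors' code or measurements. It reproduces the "max # days" column from the drained currents, and goes one step beyond the slide by modelling an attacker who only wakes the bus intermittently (a duty cycle), which the table's constant-drain rows do not show. The usable charge is inferred from the table's own baseline row (12.2 mA for 30.7 days is roughly 9 Ah) because the footnote does not state the exact usable fraction; the 60 Ah / 70% / 50% parameters are the footnote's, and the duty-cycle value is an assumption.

```python
"""Battery-drain arithmetic for the parked-car table (added example, not the
authors' code). Days-to-immobilization for a constant drain, plus a duty-cycled
attacker that keeps the bus awake only part of the time."""

# Parameters from the table footnote.
BATTERY_AH = 60.0
SOC_USUAL = 0.70            # state of charge when the car is parked
SOC_MIN_COLD_START = 0.50   # below this the engine may not crank (worst case)

# Measured drain currents (mA) from the table, keyed by the injected control.
DRAIN_MA = {
    "none (sleep)": 12.2,
    "wake up ECUs": 42.0,
    "change power mode": 74.5,
    "unlock/lock driver's door": 101.1,
    "open trunk": 153.3,
}
PARASITIC_DRAIN_THRESHOLD_MA = 30.0   # diagnostic rule of thumb quoted on the slide


def usable_charge_ah(capacity_ah, soc_start, soc_min):
    """Charge (Ah) that can be drawn before SoC falls below the cold-start minimum."""
    return capacity_ah * (soc_start - soc_min)


def days_until_no_start(drain_ma, usable_ah):
    """Days until `usable_ah` is consumed at a constant drain of `drain_ma`."""
    return usable_ah / (drain_ma / 1000.0) / 24.0


def budget_from_baseline(baseline_ma, baseline_days):
    """Usable charge the table implicitly assumes, recovered from its baseline row.
    Assumption: the slide does not state it, so it is back-calculated (~9 Ah, i.e.
    about 15% of a 60 Ah battery rather than the full 70%-50% band)."""
    return baseline_ma / 1000.0 * baseline_days * 24.0


def days_with_duty_cycle(attack_ma, sleep_ma, duty, usable_ah):
    """Attacker injects only a fraction `duty` of the time (e.g. wakes the bus for
    6 minutes every hour); the battery sees the time-averaged current."""
    avg_ma = duty * attack_ma + (1.0 - duty) * sleep_ma
    return days_until_no_start(avg_ma, usable_ah)


def immobilization_table(usable_ah):
    """{control: days} for every row of the slide's table, rounded like the slide."""
    return {ctrl: round(days_until_no_start(ma, usable_ah), 2) for ctrl, ma in DRAIN_MA.items()}


if __name__ == "__main__":
    budget = budget_from_baseline(DRAIN_MA["none (sleep)"], 30.7)
    for ctrl, days in immobilization_table(budget).items():
        flag = "" if DRAIN_MA[ctrl] <= PARASITIC_DRAIN_THRESHOLD_MA else "  (above parasitic-drain threshold)"
        print(f"{ctrl:28s} {DRAIN_MA[ctrl]:6.1f} mA  {days:5.2f} days{flag}")
    # Assumed intermittent attacker: trunk control 10% of the time, asleep otherwise.
    print("open trunk at 10% duty cycle:", round(days_with_duty_cycle(153.3, 12.2, 0.10, budget), 1), "days")
```

The duty-cycle case is the practical caveat: an attacker does not need to hold an ECU awake continuously; even a 10% duty cycle on the trunk control more than halves the baseline 30-day margin, and a stealthier average current can stay near the 30 mA "parasitic drain" figure a mechanic would look for.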
+Driver-context-based Reverse Engineering
What do people normally do before starting their car? Probably…
1) Open the door
2) Start the car (change in power mode…)
3) Or perhaps… open the trunk!
Q. How do we know which message ID to use in order to control such functions?
=> Driver-Context-Based Reverse Engineering
[Ignition OFF] CAN traffic (~30 msgs)
[Ignition ON] CAN traffic (~60 msgs)
Compare traffic!
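The comparison step above, as an added example (not the authors' tool): capture CAN traffic in two driver contexts, then report which message IDs appear only in the second context and which payload bytes change between contexts. It generalizes the slide's ignition OFF/ON comparison to any driver action (here: door unlocked), and ignores bytes that already vary within one context, such as rolling counters, so they are not mistaken for the control signal. All CAN IDs and payloads below are constructed, not from a real vehicle.

```python
"""Driver-context-based reverse engineering of CAN IDs (added example, not the
authors' code). Diff two captures taken in different driver contexts to find the
candidate message ID and byte for the function the driver exercised."""

from collections import defaultdict

# Constructed captures: (timestamp_s, can_id, payload). IDs/values are illustrative.
# 0x3B3 carries a rolling counter in byte 7 in both contexts (noise, not a control).
CAPTURE_BEFORE = [                                   # ignition off, door locked
    (0.00, 0x3B3, bytes.fromhex("0000000000000000")),
    (0.10, 0x3B3, bytes.fromhex("0000000000000001")),
    (0.05, 0x433, bytes.fromhex("0100000000000000")),
    (0.15, 0x433, bytes.fromhex("0100000000000000")),
]
CAPTURE_AFTER = [                                    # driver unlocked the door
    (0.00, 0x3B3, bytes.fromhex("0000000000000000")),
    (0.10, 0x3B3, bytes.fromhex("0000000000000001")),
    (0.05, 0x433, bytes.fromhex("0300000000000000")),   # byte 0: 0x01 -> 0x03
    (0.15, 0x433, bytes.fromhex("0300000000000000")),
    (0.02, 0x2A0, bytes.fromhex("8000000000000000")),   # only on the bus after the action
    (0.12, 0x2A0, bytes.fromhex("8000000000000000")),
]


def payloads_by_id(capture):
    """Map each CAN ID to the set of distinct payloads observed for it."""
    seen = defaultdict(set)
    for _ts, can_id, data in capture:
        seen[can_id].add(bytes(data))
    return seen


def _stable_bytes(payloads):
    """Byte positions that hold exactly one value across all frames of an ID
    (positions that vary within a single context are counters/checksums)."""
    by_pos = defaultdict(set)
    for p in payloads:
        for i, v in enumerate(p):
            by_pos[i].add(v)
    return {i: next(iter(vals)) for i, vals in by_pos.items() if len(vals) == 1}


def diff_contexts(before, after):
    """Return (new_ids, changed): IDs present only in `after`, and for IDs present
    in both, the stable byte positions whose value differs between the contexts."""
    a, b = payloads_by_id(before), payloads_by_id(after)
    new_ids = sorted(set(b) - set(a))
    changed = {}
    for can_id in set(a) & set(b):
        stable_a, stable_b = _stable_bytes(a[can_id]), _stable_bytes(b[can_id])
        diff = [i for i in sorted(stable_a) if i in stable_b and stable_a[i] != stable_b[i]]
        if diff:
            changed[can_id] = diff
    return new_ids, changed


if __name__ == "__main__":
    new_ids, changed = diff_contexts(CAPTURE_BEFORE, CAPTURE_AFTER)
    print("IDs seen only after the driver action:", [hex(i) for i in new_ids])
    for can_id, positions in changed.items():
        print(f"ID {can_id:#05x}: payload bytes {positions} differ between contexts")
```

In practice each context is captured several times and the candidate set is intersected across runs; the IDs that survive are then confirmed by replaying them on the bench, which is how the table's "unlock/lock driver's door" and "open trunk" controls were exercised.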
+Battery Drain Attack
In other vehicles…
2008–2017 model-year (compact and mid-size) sedans, coupe, crossover, PHEV (Plug-in Hybrid Electric Vehicle), SUVs, truck, and an electric vehicle
+Some Example Vehicles
+Attack 2: Denial-of-Body control Attack
[Figure: “Remote Keyless Entry (RKE) System”: RFA and BCM (Body Control Module)]
+CAN Protocol : Error Handling
Error Active → Error Passive: TEC > 127 (or) REC > 127
Error Passive → Error Active: TEC ≤ 127 (and) REC ≤ 127
Error Passive → Bus Off: TEC > 255
Bus Off → Error Active: Reset (Auto/Manual)
Bus Off means: • Disconnection from bus • Shutdown of entire system
+CAN Protocol : Error Handling
ISO 11898: "A node can start the recovery from bus-off state only upon a user request.”
→ Depends on the software configuration.
+Denial-of-Body control (BoD) Attack
• One simple procedure (of many others…)
1. Wait for all ECUs to go to sleep after ignition is OFF
2. Wake up ECUs
3. Change bit rate (e.g., 500kbps → 250kbps)
• Consequence
1. All awakened ECUs on the bus continuously experience and incur errors
2. All enter the bus-off state, i.e., shut down
3. Depending on the software configuration, some ECUs recover from the bus-off state whereas some don’t…
+Denial-of-Body control (BoD) Attack
In our 2017 model-year test vehicle, the RCM (Remote Control Module) did not recover from bus-off, i.e., it remained shut down, most probably due to its distinct recovery policy configuration (perhaps for anti-theft/engine-immobilizer purposes).
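The error-confinement mechanics that make the procedure work, as an added example (not the authors' code). It simulates the ISO 11898-1 transmit/receive error counters of a few ECUs after the bus bit rate has been switched: every frame a victim transmits is corrupted, so TEC rises by 8 per attempt, the node is error-passive after 16 failures and bus-off after 32, and whether it returns depends on its recovery policy. The node names and the auto-recovery settings are constructed assumptions, not the test vehicle's configuration; the receive-error rule is simplified (the standard's +8 receive-error special case is omitted).

```python
"""CAN error-confinement simulation for the BoD attack (added example, not the
authors' code). Models TEC/REC, error-active/passive/bus-off transitions and
auto vs. host-requested bus-off recovery per ISO 11898-1."""

ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error-active", "error-passive", "bus-off"
RECOVERY_SEQUENCES = 128   # bus-off ends after 128 x 11 consecutive recessive bits


class CanNode:
    def __init__(self, name, auto_recover):
        self.name = name
        self.auto_recover = auto_recover   # assumption: True = controller rejoins on its own
        self.tec = 0                       # transmit error counter
        self.rec = 0                       # receive error counter
        self.state = ERROR_ACTIVE
        self.idle_sequences = 0            # 11-recessive-bit sequences seen while bus-off

    def _update_state(self):
        if self.state == BUS_OFF:
            return                         # only an explicit recovery leaves bus-off
        if self.tec > 255:
            self.state = BUS_OFF
        elif self.tec > 127 or self.rec > 127:
            self.state = ERROR_PASSIVE
        else:
            self.state = ERROR_ACTIVE

    def transmit(self, ok):
        """One transmission attempt: success decrements TEC by 1, an error adds 8."""
        if self.state == BUS_OFF:
            return False
        self.tec = max(0, self.tec - 1) if ok else self.tec + 8
        self._update_state()
        return ok

    def receive(self, ok):
        """One received frame: success decrements REC (or clamps it to 127 when it was
        above), an error adds 1. REC alone can never put a node into bus-off."""
        if self.state == BUS_OFF:
            return False
        if ok:
            self.rec = 127 if self.rec > 127 else max(0, self.rec - 1)
        else:
            self.rec += 1
        self._update_state()
        return ok

    def observe_idle_bus(self, sequences):
        """Bus idle time, counted in 11-consecutive-recessive-bit sequences."""
        if self.state != BUS_OFF:
            return
        self.idle_sequences += sequences
        if self.idle_sequences >= RECOVERY_SEQUENCES and self.auto_recover:
            self.reset()

    def reset(self):
        """Recovery (automatic, or the host's 'user request'): counters cleared."""
        self.tec = self.rec = self.idle_sequences = 0
        self.state = ERROR_ACTIVE


def simulate_bitrate_mismatch(nodes, max_attempts=64, idle_sequences_after=RECOVERY_SEQUENCES):
    """Attack step 3 from the victims' side: each node keeps (re)transmitting its
    periodic frame, every attempt fails, then the bus goes idle. Returns
    {name: (failed attempts before bus-off, state after the idle period)}."""
    outcome = {}
    for node in nodes:
        attempts = 0
        while node.state != BUS_OFF and attempts < max_attempts:
            node.transmit(ok=False)
            attempts += 1
        node.observe_idle_bus(idle_sequences_after)
        outcome[node.name] = (attempts, node.state)
    return outcome


if __name__ == "__main__":
    victims = [CanNode("ecu_auto_recovery", auto_recover=True),
               CanNode("ecu_manual_recovery", auto_recover=False)]
    for name, (n, state) in simulate_bitrate_mismatch(victims).items():
        print(f"{name}: bus-off after {n} failed transmissions, after bus idle: {state}")
    # A node that only listens never goes bus-off: REC caps it at error-passive.
    listener = CanNode("listener_only", auto_recover=True)
    for _ in range(300):
        listener.receive(ok=False)
    print(f"{listener.name}: REC={listener.rec}, state={listener.state}")
```

Two things the simulation makes concrete: only transmitting nodes can be knocked off the bus, so the attack needs the awakened ECUs to be sending their periodic frames, and a node whose firmware waits for a host request to recover stays bus-off until someone resets it, which is the behaviour observed on the test vehicle's RCM.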
+Denial-of-Body control (BoD) Attack
• Symptoms
1) Remote key does not work (even when attempting with its RFID)
2) Door cannot be opened
3) Trunk does not open/close
• Problems…
1) Vehicle owners won’t even know what happened
2) They cannot even start the car
3) Maybe, the car has to be towed
4) Order a new key fob
+Denial-of-Body Attack
The key was with us inside the car! Not even injecting any msg right now…
+Conclusion
• Wake-up function is there for the attacker to use, and it is too easy/simple…
• Vehicle ECUs can not only be “awakened” but also be “controlled/attacked” while the ignition is off…
• State-of-the-art defense schemes do not consider such a possibility
• Possibility of “immobilizing” or shutting down an ECU “forever(?)”
+Thank you!