4. Telematics
“integrated use of telecommunications and informatics”
• ECU = Electronic Control Unit
– BCM = Brake Control Module
– ECU = Engine Control Unit
– CCU = Convenience Control Unit
– ACU = Airbag Control Unit
– CTM = Central Timing Module
– GEM = General Electronic Module
– SCM = Suspension Control Module
– TCM = Transmission Control Module
– BCM = Body Control Module
– ECM = Engine Control Module
– PCM = Powertrain Control Module
– CCM = Central Control Module
• ~100
• Bosch, Siemens, Delphi..
5. Infotainment
• Tech fragmentation
– Cost
– Long dev cycle
• Apps for the car
– HTML5
– JavaScript
• App stores
– Blackberry App World
– Android Market
– Mbrace?
• Full featured browser
– Torch
– Netfront
• OS
– Blackberry
– Windows
– Android
• Smartphones on wheels?
9. Eh, What's up Doc?
• The Car
• Transport
• Server
• Client
10. The Car - Research
• Experimental Security Analysis of a Modern Automobile
– OBD-II
• Comprehensive Experimental Analyses of Automotive Attack Surfaces
– CD
– OBD-II (PassThru)
– Bluetooth
– GSM
11. The Car – Reality
• War Texting: Identifying and Interacting with Devices on the Telephone Network
– Method for attacking telematics
• In general: GSM Baseband + uC Chip
• UART -> RE -> Firmware -> Vulnerability
– How2 find targets?
• FindMe
• WhoIs
12. The Car – Reality
• Put it to the test
– Zoombak Tracking Device
• Zoombak Scanner
• Ask nicely via SMS
– Subaru Outback 1998
• after market telematics unit
• unlock and start engine
• http://youtu.be/bNDv00SGb6w
13. Transport - GSM
• A5/1
• SRLabs
– CCC 2009, BlackHat 2010
– Rainbow tables (100.000 years to 1 month)
– Decode voice
• 100-300m upstream
• 5-35km downstream
16. Server
• Car interface
– Proprietary protocol
• ASN.1 – Turing complete
• GPRS, EDGE, SMS and data over voice
– “We use a Private APN”
• Generic Routing Encapsulation
• Node to Node communication
• Operator web application
• Smartphone interface: REST/JSON
17. Client - browser
• Web application
– no news
– move on
– there is nothing to see
– DriveBy Trojan Download & Install
• Starring Windows
• Guest appearance by Mac OSX
18. Client – smart phone
• Few real vulnerability tests performed
• iOS
– Continuous Jailbreak
– iOS 5.0.1 - iPhone 4GS and iPad2
– iOS 5.1.x – iPad3 – no public (i0n1c, pod2g)
• Android
– Rogue apps
– Android Market - ‘Bouncer’
19. Conclusion
• All components are possible targets
• Very few have the complete picture
• Activity in the security arena
• This is going to get worse before it gets better
– 2012 models CAN bus is unprotected
– New tools arriving every day
– Larger attack surface than ever
• Use fast shoes