Short overview of the current security status on the automotive telematics security arena. Presented at the ISACA Scandinavian Conference April 23-24th 2012
6. Eh, What's up Doc?
• The Car
• Transport
• Server
• Client
7. The Car - Research
• Experimental Security Analysis of a
Modern Automobile
– OBD-II
• Comprehensive Experimental Analyses of
Automotive Attack Surfaces
– CD
– OBD-II (PassThru)
– Bluetooth
– GSM
8. The Car – Reality
• War Texting: Identifying and Interacting
with Devices on the Telephone Network
– Method for attacking telematics
• In general: GSM Baseband + uC Chip
• UART -> RE -> Firmware -> Vulnerability
– How2 find targets?
• FindMe
• WhoIs
9. The Car – Reality
• Put it to the test
– Zoombak Tracking Device
• Zoombak Scanner
• Ask nicely via SMS
– Subaru Outback 1998
• after market telematics unit
• unlock and start engine
• http://youtu.be/bNDv00SGb6w
10. Transport - GSM
• A5/1
• SRLabs
– CCC 2009, BlackHat 2010
– Rainbow tables (100.000 years to 1 month)
– Decode voice
• 100-300m upstream
• 5-35km downstream
13. Server
• Car interface
– Proprietary protocol
• ASN.1 – Touring complete
• GPRS, EDGE, SMS and data over voice
– “We use a Private APN”
• Generic Routing Encapsulation
• Node to Node communication
• Operator web application
• Smartphone interface: REST/JSON
14. Client - browser
• Web application
– no news
– move on
– there is nothing to see
– DriveBy Trojan Download & Install
• Starring Windows
• Guest appearance by Mac OSX
15. Client – smart phone
• Few real vulnerability tests performed
• iOS
– Continous Jailbreak
– iOS 5.0.1 - iPhone 4GS and iPad2
– iOS 5.1 – iPad3
• Android
– Rouge apps
– Android Market - ‘Bouncer’
16. Conclusion
• All components are possible targets
• Very few has the complete picture
• Activity in the security arena
• This is going to get worse before it gets
better
– 2012 models CAN bus is unprotected
– New tools arriving every day
– Larger attack surface than ever
• Use fast shoes