Welcome back to our monthly review of some of the most interesting security research publications.
Froschle et al. Analyzing the Capabilities of the CAN Attacker, ESORICS, [proceedings]
Modern cars are made of multiple Electronic Control Units (ECUs). Those ECUs typically communicate via Controller Area Network (CAN) buses.
This paper is a must read for anyone wishing to understand how CAN buses work. It’s not like TCP/IP! You will find in this paper things like the format of messages.
Image source: Wikipedia
Then, the paper details possible attacks on CAN buses, assuming the attacker has full access to an ECU and can run code on it, but without necessarily having physical access to the car.
The study is interesting because it details which attacks are possible. For instance, removing a message on a CAN bus is not trivial, and they explain how it can be done.
S. Skorobogatov, Challenging real-world targets: from iPhone to insulin pump, Hardwear.io, [slides]
From a research point of view, the teardown of an iPhone or an Audi smart key or a connected insulin pump have at least one common point: the fact that their vendors claim they are unbreakable.
iPhone 5C NAND mirroring
This was said to be impossible by the FBI.The speaker explains his steps. An iPhone 5C is bought from Ebay, and opened using a hot air gun.The NAND chip is desoldered using, again, a hot air gun.Finally, the NAND chip is separated from the PCB: it is manually wired back to the main PCB so that it is possible to act on the NAND chip itself while having the phone boot.Unfortunately, this did not work straight away, as the phone would no longer boot because the NAND had been corrupted. After several steps it finally worked and an oscilloscope and logic analyser was attached to understand the NAND.Finally, at the end, after designing a custom hardware board to read the NAND, he was able to clone it.
Audi smart key
The speaker details again the hardware teardown of the key.He concluded with two facts: (1) the key uses weak security (2) a spare plastic key is provided to owners, but they are unaware that this key is fully functional.
The hardware reverse engineering of this insulin pump was done for an open source project to create an artificial pancreas (which is related to Type 1 diabetes.)As usual for IoT, there is little technical documentation.He opens the device with a circular saw and analyses the hardware.He decapsulates the IC, and finds there is a Freescale chip inside. He locates the debug interface and attempts to use it to extract the firmware, but security is activated and the extraction is impossible – only an erase is possible.
This keynote is amazing. Although these attacks require high skills and some equipment, they do prove that nothing is “impossible.” It seems to me that the iPhone and the insulin pump were relatively well secured – only the smart key really seemed to have a weak implementation. Finally, this talk only considered hardware reverse engineering. I wouldn’t be surprised that some of these devices would turn out to be easier to attack from their software layers.
CHES conference slides
Craig Smith, Metasploit Hardware Bridge Hacking at Hardwear.io and Troopers.
— the Crypto Girl