Attack and Defense of Car Entertainment Control System
2019 “The 4th Annual China Automotive Cyber Security Summit” Director of the Beijing Branch of the National Engineering Laboratory for Information Security Technology of Industrial Control Systems, Distinguished Research Fellow; Mr. Hu Mingde participated in the conference and made a keynote speech. Mr. Hu has detailed the attack and defense of the car entertainment control system from some safety issues of traditional cars, various attack surfaces of new energy car entertainment systems and the status quo of tee car entertainment systems.
First, Mr. Hu told the guests about the story of Princess Diana. In the accident, the speed reached 105km/h. Is this related to the ECU? Has the ECU been modified? This is also one of the safety issues of traditional cars. Then Mr. Hu explained to us what the ECU is, the basic composition of the ECU and the purpose of the traditional automotive ECU group, and explained the modification method of the ECU through practical cases: 1. Straight brushing Factory, brush ECU procedures are basically directly exported the original data, and then re-write and increase the various functions, some ECU through the OBD interface skills to read and write, and some need to disassemble the ECU, with special equipment Read and write, that is, bdm mode. 2. External computer control, one more control module is attached to the original ECU, and the effect of changing the ECU signal is achieved by “spoofing” the original ECU. Many Japanese car ECU tuning is achieved through an external computer. 3, replacement ECU, directly change the ECU hardware equipment, is very common in the car, and usually with heavy engine hardware modification, after the modified engine's working temperature, intake air volume, fuel injection, compression ratio and other data Exceeding the original factory setting range. The other is the safety problem of the car key. Now it is convenient to unlock the car wirelessly, but it is also convenient and has security risks. With the cooperation of electronic accessories and technology, the signal of the key chain is easily intercepted or blocked by criminals. Imagine when Others open your car and drive it away without it giving any warning. 1. Relay Hack: Criminals use a relatively cheap relay box to capture the remote key signal up to 100 meters away and then transfer it to your car. 2, Keyless jamming: In this case, the hacker will block your signal, so when you issue a lock command from the key, it will not actually reach your car, your door will remain unlocked, and then others will be free to enter Your vehicle.
Mr. Hu always explained to us the various attack surfaces of the new energy car entertainment system: 1. Car Bluetooth vulnerability attack, and showed us that their team successfully obtained the root test of a domestic car brand entertainment control system through the Bluetooth port. 2, car WiFi attack: With the development and popularization of car networking technology, more and more cars and transportation infrastructure access to the Internet, they constitute a complex set of computer hardware and software systems. Any computer system must face information security problems anytime, anywhere. For the attacker, as long as you find a weakness of the system, you can achieve the purpose of the invasion, they see a point; for the defense, you must find all the weaknesses of the system, they see a complete face. It is easy for us to understand the truth, to break through a system, just to find one of the loopholes, but if you want to fully protect the system, you need to fully prevent all possible vulnerabilities of the system, so that the entire system architecture has no security-level short board. Or defects, destruction is always easier than construction, so the difficulty of information security defense technology is self-evident. Then Hu always wanted us to show the car WiFi attack process: from invading WiFi to further attacking the system through the cracked wifi to obtain system permissions, attacking the can bus to finally obtain the device permissions. 3. Sensor Vulnerabilities: Sensors use various sensors for road recognition and judgment in automatic driving. They are equivalent to human eyes and ears. The main role of the sensor is to sense, and the attacker can achieve the attack purpose by making the final perception result an error. This way the attacker can not only trigger DOS attacks, but also control the output of the sensor with malicious analog signals. Vulnerabilities often exist inside analog sensors. Once the sensor treats the erroneous data as the correct output, the vehicle's control system will be ineffective, like blind people and blind people. 4, Android attack surface analysis: through the root (using the vulnerability to obtain all permissions of the device operating system) victim's mobile phone, the hacker accesses the local login information stored, and sends it to his or her command and control server, deception The owner downloads and installs a modified version of the Internet car application containing malicious programs to obtain login details and infects a malicious program that can perform an "overlay" attack through the target device: once the vehicle application is opened, the malicious program is automatically loaded and replaced with a fake interface. To steal and transfer user credentials.
Finally, Mr. Hu explained to the guests the current status of the tee car entertainment system: tee is a security area on the mobile device's main processor, which exists in parallel with the mobile OS, providing an isolated execution environment to ensure the integrity of the isolated execution and trusted applications. Confidentiality of data, secure storage, etc. At present, TEE is not only applied on mobile phones, but also in more and more PCs and notebooks. And on the cloud platform, TEE has also received more and more attention. Due to the large trustworthy computing base of tee, the insufficient security of trusted user interaction, and the security risks of interaction with common operating systems, these design issues and startup environment issues—the interaction between most TAs and CAs currently depends on operations. System, if the operating system is compromised, then any CA can establish a connection with the TA. In response to these situations, Mr. Hu gave a detailed explanation of the following four types of attacks:
1. Physical Attack: Commonly, there are direct scan physical memory to obtain plaintext, cold boot attack using memory data residual, microscope to read chip internal data, firmware flash attack, DMA attack, etc. 2. Carrier Attack: The target of a carrier attack is to copy the data from the data carrier to another device to copy the data. The data exposure causes data non-secure deletion, OS data buffer, data cache mechanism, memory leak, and so on. 3, bootroom attack: The remote boot service intercepts the broadcast (broadcasts) of the network interface card with the RPL to issue the boot record request, re-create the server to establish a connection to respond to it, and load the malicious MS-DOS boot file into the workstation's memory. 4, firmware rollback attack (rollback): firmware rollback attack and firmware flash attack target the same, but the implementation is different, the firmware flash attack is to remove the memory chip through the physical means to brush the firmware, and the firmware rollback attack is through the use Vulnerability in firmware anti-rollback mechanism, brushing firmware with low version of vulnerability. At present, tee can't solve all security problems absolutely. Now ARM TEE is mainly supported by TrustZone. However, TrustZone still needs to be improved. For example, it has no memory encryption, and scalability needs to be improved. It is still impossible to use multiple TrustZone or multiple TEEs. Moreover, there is a single point of failure in the TEE, and the security of the entire system is out of the TEE. President Hu finally told us that we still have a lot of ways to go in the safety of cars. The safety of car network information has a long way to go.
Organizer: GRCC is a technology consulting company engaged in technology development, technology transfer, technology consulting exhibition services, conference services and other business development in the field of automotive technology. The company provides industry information, business innovation development solutions, market research, business cooperation and network development platforms, personal career development, investment and financing consulting services to senior decision-makers at leading domestic and foreign companies (mainly Fortune 500 companies).
“The 4th Annual China Automotive Cyber Security Summit (ACSS 2019)”