Friday, February 28, 2014

Vehicle Cyber Security and Forensics

Update:  Today I had the wonderful pleasure of presenting to some of New York's Finest - the International Association of Financial Crimes Investigators, hosted by the United States Postal Inspection Service.  I updated the slide-deck, and replaced the older one with today's version.  I've also added a few new reference links below.  And a huge shout-out to the gentleman in the audience who enlightened me about RFID tags embedded in tires. Enjoy!

Yesterday I had the great privilege of representing the company I work for, AccessData, and presenting on the topic of “Vehicle Cyber Security and Forensics” to an esteemed audience at the New York-New Jersey Electronic Crimes Task Force.  Afterward, I received some requests to share-out the presentation, which was in fact, the impetus behind my speaking – to contribute to the community.  I double-checked with my employer, and was given a green-light to post our slide deck.  I say “our” because as I mentioned during my talk, the deck would not have been possible without a large contribution from Gloria D’Anna (our partner at Tri-Kar), and Ben LeMere (our partner at Berla Corp).

Also of interest  to the group, may be this breaking news story involving thieves breaking into cars using a mysterious electronic device, sent to me from Sergeant Christopher Then of the Morris County Prosecutor's High Tech Crime Unit, thank you Sir!

My presentation was what I call a bit of a “CliffsNotes” version of what’s been happening in the past 1-2 years with regards to vehicle cyber security and forensics.  The supporting articles are quite numerous, so I have categorized them below, along with their corresponding links.  Additionally, I played three short video snippets during the presentation; they too are listed below with their links.

If you download the PowerPoint deck, I would advise that you view the deck with the “Notes” section turned on, those were my talking points, and otherwise the slides themselves might not make a ton of sense.  I purposely create my presentations that way, so as not to cause anyone “Death By PowerPoint!”  My thinking is that the fewer slides that contain nothing but bullet-points, the better.

Lastly I should add, that below are a ton of links which take you to other Web sites of which I do not necessarily share the same opinion, nor am I responsible for their content.  I believe all of the links below to be clean, but click at your own risk.  Also, you might find that the “Comments” section of the articles add even more information to the topic, albeit keeping in mind their source might not have been vetted.


Video Links:

  • DefCon Forbes Interview:
http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video

Video Only:
http://www.youtube.com/watch?v=oqe6S6m73Zw&list=PLpndQ-APwbNW0iOqmP6EK8OOw2XCaJcTS&index=6

  • Lock and Unlock Remote Hack:
http://www.youtube.com/watch?v=bNDv00SGb6w
  • Senator Markey News Item:
http://www.dailymotion.com/video/x1802gt_ed-markey-write-letter-to-auto-makers-demanding-answers-on-car-hacking-threats_tech

DefCon Research Related Articles:

Opens to PDF:  http://illmatics.com/car_hacking.pdf

http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video

http://www.pcworld.com/article/2045895/researchers-reveal-methods-behind-car-hack-at-defcon.html

http://www.afterdawn.com/news/article.cfm/2013/07/28/white_hat_hackers_to_release_software_used_to_crack_critical_car_systems_at_def_con

http://www.caranddriver.com/features/can-your-car-be-hacked-feature

http://arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-by-hacking-its-computers-a-new-how-to

http://news.cnet.com/8301-1009_3-57596847-83/car-hacking-code-released-at-defcon

http://www.computerworld.com/s/article/9241352/Researchers_reveal_methods_behind_car_hack_at_Defcon

http://www.sciencefriday.com/segment/08/02/2013/hacking-under-the-hood-and-into-your-car.html

http://www.motoring.com.au/news/2013/hacker-safety-risk-for-new-cars-37930

Opens to PPTX:  http://www.canbushack.com/defcon19/workshop.pptx

http://vehicle-reverse-engineering.wikia.com/wiki/Vehicle_Reverse_Engineering_Wiki

https://autos.aol.com/article/hackers-def-con-cyber-security-ford-toyota

http://www.carknow.me

WiFi Research Related Articles:

http://www.dfinews.com/news/2013/10/israeli-tunnel-hit-cyber-attack

http://blogs.discovermagazine.com/d-brief/2013/07/30/networked-cars-and-their-hacks-are-right-around-the-corner

http://www.its.dot.gov/research/v2v.htm

http://www.its.dot.gov/research/v2i.htm

http://www.networkworld.com/research/2012/080612-car-hacking-bluetooth-and-other-security-261422.html

Police Cruiser Pen-Test:

Opens to PDF:  http://www.digitalmunition.com/OwningCopCar.pdf

http://www.theregister.co.uk/2011/05/03/cop_car_hacking

WebTech Plus Wireless Repo:

http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars

http://www.computerworld.com/s/article/9229919/Car_hacking_Remote_access_and_other_security_issues

On-Board Intelligence Systems and GPS:

Opens to PDF:  http://www.berla.co/downloads/ive_datasheet.pdf

http://www.dfinews.com/articles/2011/04/enhancing-investigations-gps-evidence

http://gizmodo.com/5540029/no-kidding-onstar-cars-can-be-hacked-remotely-controlled

http://hackaday.com/2013/10/21/can-hacking-introductions

http://hackaday.com/2013/10/22/can-hacking-the-in-vehicle-network

http://hackaday.com/2013/10/29/can-hacking-protocols
 

http://hackaday.com/2013/11/05/can-hacking-the-hardware

http://hackaday.com/2009/12/26/hacking-the-onstar-gps-v2

http://hackaday.com/2005/03/29/gm-onstar-hacking

https://sites.google.com/site/radioetcetera/home/onstar-gps

Apps:

http://www.caranddriver.com/news/ford-introduces-next-gen-connectivity-suite-called-myford-should-be-awesome-car-news

http://blog.caranddriver.com/toyota-entune-infotainment-system-to-challenge-fords-sync

http://news.cnet.com/8301-13772_3-20104962-52/ford-unveils-openxc-invites-open-source-applications

http://gigaom.com/2013/01/10/forget-apps-fords-openxc-project-will-produce-open-source-car-hardware

Naval Jet Pen-Test:

http://www.businessinsider.com/naval-hackers-broke-into-the-f-35-logistics-system-exposing-more-huge-weaknesses-2012-11

http://www.dailykos.com/story/2012/11/16/1162245/-The-F-35-Fighter-an-example-of-failure

Cisco:

http://www.scribd.com/doc/153781644/Fedex

http://gigaom.com/2013/08/06/ciscos-remedy-for-connected-car-security-treat-the-car-like-an-enterprise

Driverless Safety and Vehicles:

http://www.forbes.com/sites/joannmuller/2013/03/21/no-hands-no-feet-my-unnerving-ride-in-googles-driverless-car

http://www.itsinternational.com/sections/nafta/features/city-safety-reduces-low-speed-accidents-on-volvos-xc60-and-s60

http://www.scmagazine.com/google-joins-with-automakers-to-put-android-connected-cars-on-road/article/328124

Opens to PDF:  http://www-nrd.nhtsa.dot.gov/pdf/esv/esv21/09-0371.pdf

http://www.techhive.com/article/2043878/driverless-cars-yield-to-reality-its-a-long-road-ahead.html

http://www.techhive.com/article/2010645/self-driving-cars-could-bring-a-new-world-of-hacking.html

http://online.wsj.com/article/SB10001424127887323407104579038832031956964.html

Lock and Unlock Remotely:

http://www.carscoops.com/2011/08/hacking-your-car-through-your-smart.html

http://www.networkworld.com/news/2011/072711-war-texting-lets-hackers-unlock.html

http://usatoday30.usatoday.com/tech/news/story/2011/08/Cars-vulnerable-to-theft-by-hacking/50057610/1

Opens to PDF:  https://www.usenix.org/sites/default/files/conference/protected-files/verdult_sec13_slides.pdf

https://www.usenix.org/conference/usenixsecurity13/dismantling-megamos-crypto-wirelessly-lockpicking-vehicle-immobilizer

http://www.washingtonpost.com/world/armored-suv-could-not-protect-us-agents-in-mexico/2012/02/13/gIQACv1KFR_story.html

ODB-II Consumer Products:

http://www.popularmechanics.com/cars/how-to/repair/every-car-can-be-connected-to-the-cloud-15657579

http://www.wired.com/autopia/2013/03/automatic-car

https://buy.garmin.com/en-US/US/prod38354.html


http://cannonfire.blogspot.com/2012/04/why-is-progressive-insurance-lying.html

University of California, San Diego Researchers:

Opens to PDF:  http://www.autosec.org/pubs/cars-usenixsec2011.pdf

http://www.nytimes.com/2011/03/10/business/10hack.html

Opens to PDF:  http://www.mcafee.com/us/resources/reports/rp-caution-malware-ahead.pdf

Opens to PDF:  http://www.autosec.org/pubs/cars-oakland2010.pdf

http://www.just-auto.com/interview/car-infotainment-hacking_id141351.aspx

http://www.informationweek.com/security/vulnerabilities/your-cars-next-enemy-malware/231600981

http://www.bbc.com/autos/story/20130621-car-hacking-gets-real

http://www.techhive.com/article/196293/car_hackers_can_kill_brakes_engine_and_more.html

http://gizmodo.com/5781966/now-cars-are-vulnerable-to-malware

http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car

http://blog.malwarebytes.org/whats-in-the-news/2013/07/hacking-cars-subverting-onboard-computers-in-modern-vehicles

Opens to PDF:  http://www.mcafee.com/us/resources/reports/rp-caution-malware-ahead.pdf

Opens to PDF:  http://www.ethernettechnologyday.com/downloads/archive/3rd/13_Wolf_Escrypt_Security.pdf

Black Boxes and Senator Markey:

http://www.nytimes.com/2013/07/22/business/black-boxes-in-cars-a-question-of-privacy.html

http://www.forbes.com/sites/kashmirhill/2011/02/09/mans-suv-shouldnt-have-been-able-to-testify-against-him

http://www.reuters.com/article/2013/12/03/us-hacking-cars-markey-idUSBRE9B213620131203

http://www.forbes.com/sites/kashmirhill/2012/04/19/hate-to-break-it-to-you-but-your-car-likely-has-a-black-box-spying-on-you-already

http://www.forbes.com/sites/andygreenberg/2013/12/04/heres-the-letter-a-senator-sent-to-20-auto-makers-demanding-answers-on-car-hacking-threats

AutoDownload Markey Full Letter: http://www.scribd.com/document_downloads/189258686?extension=pdf&from=embed&source=embed

https://www.schneier.com/blog/archives/2013/02/automobile_data.html

http://mfes.com/cdr.html

http://nakedsecurity.sophos.com/2013/12/04/car-manufacturers-quizzed-over-their-anti-hacking-measures

http://www.forbes.com/sites/kashmirhill/2013/02/19/the-big-privacy-takeaway-from-tesla-vs-the-new-york-times

http://money.cnn.com/2013/02/15/autos/tesla-model-s