Cars Penetration Testing Level 1 and Level 2

Cars Penetration Testing Level 1: Receivers

Threat identification at Level 1 looks at each receiver and at whatever connects to it, rather than at inputs an attacker reaches directly. The threats posited at this level concern the connections into the devices in a vehicle. We break them into groupings for cellular, Wi-Fi, key fob / keyless entry system (KES), tire pressure monitor sensor (TPMS), infotainment console, USB, Bluetooth, and controller area network (CAN) bus connections. As the following lists show, there are many potential ways into a vehicle.

Cellular: An attacker could exploit the cellular connection in a vehicle to:

  1. Access the internal vehicle network from anywhere
  2. Exploit the application in the infotainment unit that handles incoming calls
  3. Access the subscriber identity module (SIM) through the infotainment unit
  4. Use a cellular network to connect to the remote diagnostic system (for example, OnStar)
  5. Eavesdrop on cellular communications
  6. Jam distress calls
  7. Track the vehicle’s movements
  8. Set up a fake Global System for Mobile Communications (GSM) base station

Wi-Fi: An attacker could exploit the Wi-Fi connection to:

  1. Access the vehicle network from a distance (300 yards or more with a good antenna)
  2. Find an exploit for the software that handles incoming connections
  3. Install malicious code on the infotainment unit
  4. Break the Wi-Fi password
  5. Set up a fake dealer access point to trick the vehicle into thinking it’s being serviced
  6. Intercept communications passing through the Wi-Fi network
  7. Track the vehicle

Key Fob: An attacker could exploit the key fob connection to:

  1. Send malformed key fob requests that put the vehicle's immobilizer in an unknown state. (The immobilizer is supposed to keep the vehicle locked so it can't be hotwired; the test is to confirm it keeps working correctly under bad input.)
  2. Actively probe an immobilizer to drain the car battery
  3. Lock out a key
  4. Capture cryptographic material leaked by the immobilizer during the handshake
  5. Brute-force the key fob algorithm
  6. Clone the key fob
  7. Jam the key fob signal
  8. Drain the power from the key fob

Tire Pressure Monitor Sensor: An attacker could exploit the TPMS connection to:

  1. Send an impossible condition to the engine control unit (ECU), causing a fault that could then be exploited
  2. Trick the ECU into overcorrecting for spoofed road conditions
  3. Put the TPMS receiver or the ECU into an unrecoverable state that might cause a driver to pull over to check for a reported flat or that might even shut down the vehicle
  4. Track a vehicle based on the TPMS unique IDs
  5. Spoof the TPMS signal to set off internal alarms

Infotainment Console: An attacker could exploit the infotainment console connection to:

  1. Put the console into debug mode
  2. Alter diagnostic settings
  3. Find an input bug that causes unexpected results
  4. Install malware to the console
  5. Use a malicious application to access the internal CAN bus network
  6. Use a malicious application to eavesdrop on actions taken by vehicle occupants
  7. Use a malicious application to spoof data displayed to the user, such as the vehicle location

USB: An attacker could use a USB port connection to:

  1. Install malware on the infotainment unit
  2. Exploit a flaw in the USB stack of the infotainment unit
  3. Attach a malicious USB device carrying specially crafted files designed to break the importers on the infotainment unit, such as the address book importer or the MP3 decoder
  4. Install modified update software on the vehicle
  5. Short the USB port, thus damaging the infotainment system

Bluetooth: An attacker could use a Bluetooth connection to:

  1. Execute code on the infotainment unit
  2. Exploit a flaw in the Bluetooth stack of the infotainment unit
  3. Upload malformed information, such as a corrupted address book designed to execute code
  4. Access the vehicle from close range (under roughly 300 feet)
  5. Jam the Bluetooth device

Controller Area Network: An attacker could exploit the CAN bus connection to:

  1. Install a malicious diagnostic device to send packets to the CAN bus
  2. Plug directly into the CAN bus to attempt to start the vehicle without a key
  3. Plug directly into the CAN bus to upload malware
  4. Install a malicious diagnostic device to track the vehicle
  5. Install a malicious diagnostic device to enable remote communications directly to the CAN bus, making a normally internal attack now an external threat
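Every CAN-side threat above comes down to a device writing frames onto the bus, and the corresponding check on the defensive side is spotting frames that should not be there. The following Python is an added example by the editor, not code from the original page or from the book it draws on. It packs and parses the 16-byte `struct can_frame` record that Linux SocketCAN reads from and writes to a raw socket, then runs a simple rate-based injection detector over a constructed trace: a baseline of per-ID message periods is learned from trusted traffic, and frames are flagged when their ID was never seen or when they arrive far sooner than that ID's period (an injector cannot silence the real ECU, so its frames interleave with the genuine ones). The arbitration IDs 0x1A0 and 0x2C0, the timings and the payloads are made up for the example; 0x7DF is the real OBD-II functional request ID. No socket is opened, so it runs offline.

```python
import statistics
import struct
from collections import defaultdict

# Linux SocketCAN struct can_frame: 4-byte can_id (flags in the top 3 bits),
# 1-byte DLC, 3 bytes padding, 8 data bytes = 16 bytes per frame.
CAN_EFF_FLAG = 0x80000000   # 29-bit extended identifier
CAN_RTR_FLAG = 0x40000000   # remote transmission request
CAN_SFF_MASK = 0x000007FF   # 11-bit standard ID
CAN_EFF_MASK = 0x1FFFFFFF   # 29-bit extended ID
FRAME_FMT = "<IB3x8s"


def pack_frame(arb_id, data, extended=False, rtr=False):
    """Build the 16-byte record a diagnostic device would write to a raw CAN socket."""
    data = bytes(data)
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    can_id = arb_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    if extended:
        can_id |= CAN_EFF_FLAG
    if rtr:
        can_id |= CAN_RTR_FLAG
    return struct.pack(FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(raw):
    """Inverse of pack_frame: returns (arb_id, extended, data)."""
    can_id, dlc, data = struct.unpack(FRAME_FMT, raw)
    extended = bool(can_id & CAN_EFF_FLAG)
    arb_id = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return arb_id, extended, data[:dlc]


def learn_baseline(trace):
    """Median inter-arrival time per arbitration ID from a trusted capture.
    trace is a list of (timestamp_seconds, arb_id, data) tuples."""
    last, gaps = {}, defaultdict(list)
    for ts, arb_id, _ in trace:
        if arb_id in last:
            gaps[arb_id].append(ts - last[arb_id])
        last[arb_id] = ts
    return {arb_id: statistics.median(g) for arb_id, g in gaps.items()}


def detect_injection(trace, baseline, ratio=0.5):
    """Flag frames whose ID never appeared in the baseline, or that arrive sooner
    than ratio * the learned period for that ID (injected frames interleave with
    the genuine periodic ones, so the observed rate roughly doubles)."""
    alerts, last = [], {}
    for ts, arb_id, _ in trace:
        if arb_id not in baseline:
            alerts.append((round(ts, 3), arb_id, "unknown ID"))
        elif arb_id in last and ts - last[arb_id] < ratio * baseline[arb_id]:
            alerts.append((round(ts, 3), arb_id, "too fast"))
        last[arb_id] = ts
    return alerts


# Constructed sample traffic, not a real capture. IDs 0x1A0 and 0x2C0 are hypothetical.
PAD = b"\x00" * 8


def clean_trace():
    t = [(i * 0.010, 0x1A0, PAD) for i in range(50)]     # 10 ms periodic message
    t += [(i * 0.020, 0x2C0, PAD) for i in range(25)]    # 20 ms periodic message
    return sorted(t)


def attacked_trace():
    t = clean_trace()
    # five spoofed 0x1A0 frames, each sent 2 ms after the genuine one
    t += [(i * 0.010 + 0.002, 0x1A0, b"\x10" + PAD[1:]) for i in range(20, 25)]
    # one OBD-II functional request (0x7DF, mode 01 PID 0D) never seen in normal driving
    t.append((0.300, 0x7DF, b"\x02\x01\x0D" + PAD[3:]))
    return sorted(t)


if __name__ == "__main__":
    base = learn_baseline(clean_trace())
    for alert in detect_injection(attacked_trace(), base):
        print(alert)
```

The period-based check only works for IDs that are genuinely periodic; event-driven messages (door locks, key fob state) need a different baseline, and a diagnostic device that is a legitimate part of the vehicle will have to be whitelisted rather than flagged under "unknown ID".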
