CanSecWest2017

1. A visualization tool for evaluating
CAN-bus cybersecurity
Minrui Yan SkyGo Team, Qihoo 360
Jianhao Liu SkyGo Team, Qihoo 360

2. Jianhao Liu
Director
SkyGo Team
Qihoo 360
Who Are We
2
Minrui Yan
Researcher, Developer
SkyoGo Team
Qihoo 360

3. Agenda
• Vehicle cybersecurity risks
• Key point of vehicle cybersecurity
• CAN-Pick
• Design a security CAN-bus network
• Q&A
3

4. The car hacking history
• Car === > Can-bus hacking
• Connected car ===> Telematics hacking
• Autonomous car ===> Automatic system hacking
4

5. Risk
5

6. Telematics hacking - 2015
6

7. Automatic system hacking - 2016
7

8. Cybersecurity in vehicle
8
ActionDecisionPerception
Sensor Fusion
Sensor Fusion
Decision
Control
Decision
Control
Vehicle
Dynamics
Management
Vehicle
Dynamics
Management
Brake Control
Brake Control
Steering
Control
Steering
Control
Vision
Radar
Lidar
Ultrasonic
Brake
Brake
Brake
Brake
Power steering
Power steering
Cloud
感知 决策 控制
摄像头
雷达
超声波
云
激光雷达
传感器融合
传感器融合
决策控制
决策控制
车辆动力学管理
车辆动力学管理
制动控制
制动控制
转向控制
转向控制
制动
制动
制动
制动
转向
转向
信息安全 (CyberSecurity)

9. Cybersecurity in vehicle
9

10. Cybersecurity in vehicle
10

11. In-vehicle network
11

12. Attack path
12
LAN

13. The principle of CAN-bus
• Carrier Sense Multiple Access/Collision Detection
– Carrier sense
– Multiple access
– Collision detection
13
Extended ID
I
D
E
S
R
R
S
O
F
EOF
I
T
M
D
E
L
A
C
K
D
E
L
CRCData FieldDLC
r
0
r
1
R
T
R
IDBus Idle Bus Idle

14. The principle of CAN-bus
• Communication matrix
– ID
– Signal mapping
– Sending method
14

15. The principle of CAN-bus
15
- Diagnostic
- Development

16. Weakness of CAU-bus network
• Attacker model
– Credible gateway
– Send illegal message
• Vulnerability analysis
– Tapping
– Spoofing
– Replay
– Brute force
16
Powertrain Control
Body Control
Dash
board
Door
Control
Airbag
Air
Condition
Seat
Control Power
Locks
Light
Control
Engine
Control
Active
Suspension
ABS/ASR
Transmission
Control
高速CAN 低速CAN

17. Signal type
• Periodic
• On event
• If active
• Periodic and on event
• Periodic and if active
17

18. 18
• Features:
– Real-time line chart
– Replay
– Fuzzing
– UDS analysis
– Plugins
A visualization tool for evaluating CAN-bus cybersecurity
• Supports:
– Multi-platform(Linux, macOS, Windows)
– Multi hardware(USBtin, SocketCAN, etc.)
– Programming online

19. CAN-Pick architecture
19
HardwareDevice Engine
Cache
Schedule
Task Engine Web Engine
CAN-Pick Engine
Plugin Manager
Task, Message, Setting
Recv, Send
Task
Message
Setting
Task
Message
Task
Server
Sync
Replay, Analyze, Fuzz, UDS, etc.
Load

20. CAN-Pick architecture
20

21. Data visualization
• Sorted by ID
• Hex to Text
• Highlight with changing bits
• Compare multiple bits
• Line chart for displaying
21

22. Buffer management
• Diff checker
• Distinction
• Visualization for reviewing
22

23. 23
Packet A(1102)
Noise
Packet B(1007)
An action
Packet C(63)
Result
Diff

24. 24

25. 25

26. Fuzz module
• Two fuzzing modes
– Pitchfork
– Cluster bomb
26
ID
0x01
0x02
0x03
0x04
0x05
0x06
Data
1001
1002
1003
1004
1005

27. 27

28. Demo1
28

29. Replay module
• Two replaying modes
– Single message
– Full Buffer
• Customize option
– Interval
– Times
– Line range(buffer)
29

30. 30

31. 31

32. UDS module
• UDS analyze
– From buffer history
• Services scan
32

33. UDS services
• Requests
– 0x10 Diagnostic Session Control
– 0x2F I/O Control By Id
– 0x27 Security Access
– 0x3E Tester Present
• Responses
– {service_id + 0x40} Positive responses
– 0x7F Negative response
33
02 2F 03 00 00 00 00 00 0x7E0
02 50 03 00 00 00 00 00 0x7E8
02 7F 03 00 00 00 00 00 0x7E8

34. UDS services
• 0x2F - I/O control By Identifier
– DID (Data ID) Control Record Control Mask
– DID (Data ID)
• Two byte ID for the output
– Control Record
• what you want the output to do (On/Off, Up/Down, etc.)
– Control Mask
• a bitwise mask of one or more parameters that will be modified
34
02 2F 03 04 07 01 00 00 0x7E0

35. UDS services
• 0x27 - Security Access
– Service id Sub-function(Request seed)
– Seed
– Sub-function(Send key) Key
35
02 27 01 00 00 01 00 00 0x7E0
02 67 01 04 07 00 00 00 0x7E8
02 27 02 04 07 00 00 00 0x7E0
• Subfunction
– 0x01 Request
– 0x02 Send key

36. 36

37. 37

38. Holo module
• Programming online
• Auto-Generate front code
• Download via server(TODO)
• Share your masterpiece(TODO)
38

39. Security design
39

40. Security design
• MAC(message authentication code)
– Light(only 1 or 2 byte)
• Common Secret Key
– Anti-tamper
– Preassigned
40
CAN message data MAC

41. Security design
• Omission ratios
– Randomness
• Delay
– No waste in send and authorize
• Store space L*T
• Low hardware complexity
41
0 10 20 30 40 50 60 70 80 90 100
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
连 续 帧 数 量 n
漏检率Pn
Pa
=0.1
Pa
=0.3
Pa
=0.5
Pa
=0.7
Pa
=0.9
100 120 140 160 180 200 220 240 260 280 300
3
4
5
6
7
8
9
10
11
广 播 周 期 T
广播时间Tc
/ms

42. Security design
• Advantages
– In theory it can defense all kind of attacking and faking message
– Unnecessary to change hardware architecture and protocol
• Disadvantages
– A little modify in ECU
– Guarantee communication effectiveness
• Solution
– ECU firmware
42

43. Acknowledgements
• Tsinghua University
– Prof. Jian Wang
• SkyGo Team, Qihoo 360
– All team member
• CANToolz
43

44. Thanks!
Jianhao Liu liujianhao@360.cn
Minrui Yan minruiyan@gmail.com
https://github.com/360SkyGo/CAN-Pick (Release soon…)