Talking about automotive security

Disclaimer: This is an original article by the blogger, licensed under CC 4.0 BY-SA. If you reproduce it, please attach a link to the original source together with this statement.
This link: https://blog.csdn.net/dominatex/article/details/96144403

  I have been with the company for a year now. My work has mainly consisted of security testing of connected vehicles (Internet of Vehicles) for automakers, and security technology research that is related (or unrelated) to connected vehicles. This first year has mostly been a process of learning and exploration, and I have formed some understanding of my own about automotive security.

Automotive Security Testing

  In recent years many automakers have had requirements for vehicle security testing. There are two main causes of this growth in demand: 1. vehicle terminals are more powerful and have more features; 2. a large number of vehicles now have networking functions. The vulnerability types automakers care about most are still the traditional server-side vulnerabilities, including the servers accessed by the APP, the TBox and the HU. The server side of a connected car is no different from any other server, so these vulnerabilities can be found without much automotive-specific security knowledge. Second is the contactless attack surface, such as Bluetooth, NFC, WiFi, 4G and GPS; these vulnerabilities are hard to find and hard to exploit, manufacturers are relatively concerned about them, but within limited testing time there is usually no result. Then come contact-level tests such as the debug port, USB, the CAN bus (OBD) and backdoors, which are relatively low-priority test items. In addition, security testing needs to cover not only the externally exposed functions that can be used directly, but also the analysis of existing risks (vulnerabilities) inside the system, because some vulnerabilities in internal systems or components cannot be reached directly from outside, yet once the system is compromised they lead to further risk. So the content of vehicle security testing can be roughly divided into three parts: 1. scanning for publicly known vulnerabilities; 2. discovery of unknown vulnerabilities; 3. discovery of security risks. Each of the three is discussed below.

Detection of publicly known vulnerabilities

  Publicly known vulnerabilities: scanning for publicly known vulnerabilities is a very important part of the connected-vehicle security testing process. Both the cloud and the on-board terminal contain a large number of third-party applications, code and libraries. On the cloud side, the Web engine, Web framework and Web plug-ins are all third-party components; on the on-board terminal, the operating system, SDKs and open-source libraries fall into the third-party category. The main method for finding publicly known vulnerabilities is to accurately identify the version number of each relevant program and combine it with a vulnerability information database, so as to find the publicly known vulnerabilities present in the target under test. The workflow is roughly as follows:
[Figure: workflow for detecting publicly known vulnerabilities (image not available)]
  Throughout the discovery process for publicly known vulnerabilities, the most important part is component version identification: only by accurately identifying a component's version can the vulnerabilities present in it be found. There are many ways to identify a component's version. It may be based on banner information obtained by interacting with the component, on differences in behaviour when interacting with a specific function, or on identification information and component version information in the firmware. Therefore the most important part of identifying publicly known vulnerabilities is building a feature database: select the systems commonly found in vehicles and the target vulnerable components, collect the characteristics of those components together with their vulnerability information, choose an appropriate method for component discovery and version identification, and write a single test script for each component. These scripts are then aggregated into an integrated scanner for publicly known vulnerabilities.
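The workflow described above (extract a version from a banner, then look it up in a vulnerability database by version range) as an added example; this is not the author's scanner or any real tool. The banner regexes are simplified, the vulnerability records use placeholder identifiers rather than real CVEs, and the sample banners are constructed.

```python
"""Added example (not the author's tool): banner-based version identification
matched against a constructed vulnerability database.

Everything here is illustrative: the banner regexes are simplified, the
vulnerability records use placeholder identifiers rather than real CVEs, and
the sample banners are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    component: str
    affected_from: str   # inclusive lower bound of affected versions
    fixed_in: str        # exclusive upper bound; "" if no fix is known
    vuln_id: str         # placeholder id, not a real CVE
    severity: str


# Feature database: one regex per component that captures its version string.
BANNER_SIGNATURES = {
    "nginx": re.compile(r"^Server:\s*nginx/(\d+(?:\.\d+)*)", re.M),
    "openssh": re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)", re.M),
    "busybox": re.compile(r"BusyBox v(\d+(?:\.\d+)*)"),
}

# Constructed vulnerability records keyed by component and version range.
VULN_DB = [
    VulnRecord("openssh", "7.0", "7.4", "VULN-PLACEHOLDER-1", "high"),
    VulnRecord("busybox", "1.0", "1.31.0", "VULN-PLACEHOLDER-2", "medium"),
    VulnRecord("nginx", "1.9.5", "1.16.1", "VULN-PLACEHOLDER-3", "high"),
]


def parse_version(text, width=4):
    """'7.2' -> (7, 2, 0, 0): pad so that 7.4 and 7.4.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version, record):
    """True if version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    if v < parse_version(record.affected_from):
        return False
    if record.fixed_in and v >= parse_version(record.fixed_in):
        return False
    return True


def identify_components(banner_text):
    """Return {component: version} for every signature found in the banners."""
    found = {}
    for name, pattern in BANNER_SIGNATURES.items():
        match = pattern.search(banner_text)
        if match:
            found[name] = match.group(1)
    return found


def scan(banner_text):
    """Identify components, then look each version up in the database."""
    findings = []
    for component, version in identify_components(banner_text).items():
        for record in VULN_DB:
            if record.component == component and is_affected(version, record):
                findings.append((component, version, record.vuln_id, record.severity))
    return sorted(findings)


# Constructed banners, as collected from a head unit's open services.
SAMPLE_BANNERS = """\
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
Server: nginx/1.14.0
BusyBox v1.24.1 (2017-03-15 10:22:01 CST) multi-call binary.
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_BANNERS):
        print("%s %s -> %s (%s)" % finding)
```

The padding in `parse_version` is the detail that matters in practice: a naive tuple comparison treats `7.4` as older than `7.4.0`, which makes a fixed version appear affected. Per-component scripts such as this one are what get aggregated into the integrated scanner the text describes.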

Unknown vulnerability discovery

  Scanning for known vulnerabilities can be almost entirely automated with tools, whereas discovering unknown vulnerabilities mostly requires manual testing by testers, with a small amount of automated fuzzing. The targets of manual testing are mainly the Web server side, OTA, network services and Bluetooth services. The main approach for the Web server side is traditional Web testing: testing the server's security according to the relevant OWASP material and the tester's experience. The OTA service, network services, Bluetooth service, USB service and UDS service are mainly tested by reverse engineering binaries to find vulnerabilities; the common vulnerability types are memory corruption, logic flaws and command injection. Beyond that, for services that appear frequently in vehicles and are prone to vulnerabilities, fuzzing can be used for deeper security testing. Here one must distinguish the language the in-vehicle system is developed in: if it is developed in Java (Android), as with Android head units, memory-corruption vulnerabilities are almost nonexistent, and for that class of head unit only logic flaws and command-injection vulnerabilities need to be analysed. Whether the vulnerabilities are Web or binary, the effectiveness of this kind of unknown-vulnerability discovery depends mainly on the tester's skill level and the time spent testing.

Security risk discovery

  Security risk discovery is mainly based on risk points proposed from experience. Such risk points do not count as vulnerabilities; they are usually problems caused by misconfiguration or a lack of security awareness. The harm from a security risk can be large or small: issues such as an open debug port or the absence of a secure boot mechanism are among the more harmful security risks, while issues such as debug information that has not been removed or improper permission settings are relatively minor. Since there are currently no clear specifications or standards for on-board terminal security, the definition of a security risk is entirely up to each security team, so this kind of security risk is essentially based on the accumulated experience of individuals and teams; testing it is easy, but the points are relatively scattered.
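An added example of how such experience-based risk points are turned into a repeatable checklist for an Android-based head unit; this is not the author's tool. The Android system properties checked (`ro.debuggable`, `ro.secure`, `ro.adb.secure`, `ro.build.type`, `ro.boot.verifiedbootstate`) are real property names, but the build.prop contents, the socket listing and the file listing are constructed sample input, and the severity assignment follows the ordering the paragraph above gives (open debug port and missing secure boot high; leftover debug information and loose permissions low).

```python
"""Added example (not the author's tool): a checklist runner that grades
security-risk points on a constructed snapshot of an Android head unit."""

# Constructed build.prop excerpt, as a tester might pull it over a debug shell.
BUILD_PROP = """\
ro.build.type=userdebug
ro.debuggable=1
ro.secure=0
ro.adb.secure=0
ro.boot.verifiedbootstate=orange
persist.sys.usb.config=adb
"""

# Constructed (proto, local port, process) listening sockets.
LISTENING = [
    ("tcp", 5555, "adbd"),
    ("tcp", 23, "telnetd"),
    ("tcp", 8080, "hmi_service"),
]

# Constructed (mode, path) file listing.
FILES = [
    ("-rwxrwxrwx", "/data/local/tmp/update.sh"),
    ("-rw-r--r--", "/system/etc/hosts"),
    ("-rw-rw-rw-", "/data/misc/wifi/wpa_supplicant.conf"),
]

# Ports that indicate a debug service rather than a product feature.
DEBUG_PORTS = {23: "telnet", 5555: "adb over tcp"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_props(text):
    """Parse key=value lines, ignoring blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_props(props):
    """Secure boot and debug-build checks; each finding is (severity, text)."""
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "green")
    if state != "green":
        findings.append(("high", "verified boot not enforced (state=%s)" % state))
    if props.get("ro.debuggable") == "1" or props.get("ro.build.type") in ("eng", "userdebug"):
        findings.append(("high", "debuggable build shipped on production unit"))
    if props.get("ro.secure") == "0":
        findings.append(("high", "ro.secure=0: adb shell runs as root"))
    if props.get("ro.adb.secure") == "0":
        findings.append(("medium", "ro.adb.secure=0: adb accepted without key authorisation"))
    return findings


def check_sockets(listening):
    """Open debug ports count as high-severity risk points."""
    findings = []
    for proto, port, proc in listening:
        if port in DEBUG_PORTS:
            findings.append(("high", "debug service %s listening on %s/%d (%s)"
                             % (DEBUG_PORTS[port], proto, port, proc)))
    return findings


def check_files(files):
    """World-writable files are the 'improper permissions' class: low severity."""
    findings = []
    for mode, path in files:
        if len(mode) == 10 and mode[8] == "w":   # 'other' write bit set
            findings.append(("low", "world-writable file %s (%s)" % (path, mode)))
    return findings


def audit(build_prop=BUILD_PROP, listening=LISTENING, files=FILES):
    """Run every check and return findings ordered by severity."""
    findings = (check_props(parse_props(build_prop))
                + check_sockets(listening) + check_files(files))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, text in audit():
        print("[%s] %s" % (severity.upper(), text))
```

Each check is a few lines and the list of checks is what grows with team experience, which is exactly why the text says this kind of testing is easy but scattered: the value is in the accumulated checklist, not in any single check.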
  Based on my experience so far, the content of security testing can be broadly summarised as the three aspects above. If I get the chance, I will go into each aspect in detail in later blog posts.

Automotive security research

  My other area of work is automotive security research. We spent several months researching a certain luxury car. The biggest difference between security research and security testing is that the main goal of automotive security research is to achieve something nobody else has done or has been able to do. Broad vulnerability impact, deep vulnerability impact and novel attack methods are all goals of automotive security research, whereas comprehensiveness is the goal of security testing.

Large-scale vehicle control

  At present, for vehicles with connected-car functions, the attack method with the widest impact is still attacking the cloud services. Most automakers are not very familiar with the Internet side of things and do not have a correspondingly mature incident response mechanism, so the probability of serious vulnerabilities is generally high, especially for services running on the internal network. To achieve large-scale vehicle control, however, the server-side architecture must be analysed further and the penetration continued until the server that actually performs vehicle control is found. This approach controls a large number of vehicles, but control of each vehicle is still limited to the scope the automaker has set: generally only body-comfort operations such as opening doors and windows, and in a few cases powertrain-related operations such as remote ignition. To achieve vehicle control beyond what the automaker has set, the only options are to find the OTA service and push malicious update firmware, or to crack the car itself.

Going deeper into vehicle cracking

  There is currently no precise definition of vehicle cracking. My view is that an attacker exploits vulnerabilities in the in-vehicle electronic systems to continuously escalate their own control until they achieve control of the whole vehicle. Judging from Keen Security Lab's repeated Tesla hacks and the Grand Cherokee hack that marked the beginning of automotive security, it can be divided into four parts: 1. control of the HU/TBox; 2. the ability to send messages on the directly connected CAN bus; 3. control of the gateway; 4. the ability to send messages on all CAN buses. At the current stage, although the CAN bus has its own limitations, most automakers still use CAN as the communication bus for most of the ECUs in the vehicle. So once you can send messages on the whole vehicle's CAN buses, you can send CAN messages to the vast majority of ECUs, which means the ECUs can be reflashed through UDS services, achieving vehicle control beyond the vehicle's own limits. Automotive Ethernet is the future trend, and in-vehicle buses may gradually replace CAN with Ethernet, but considering cost this may take some time. Overall, items 2, 3 and 4 are not very difficult, because typical vehicles have essentially no protection for these three; they simply require a lot of time analysing the MCUs. The hardest part at present, and the one everyone is competing to research, is how to break through the first line of defence and obtain the highest privilege on the HU (TBox). In many previous cracking cases, such as the Tesla HU hack at Pwn2Own 2019, the attackers chose the browser as the entry point. Tesla's browser engine moved from WebKit to V8 and still could not escape being broken. Besides the browser, the HU's (TBox's) network services, USB and OTA have all had RCE cases. In theory Bluetooth and WiFi can also be attacked: the Project Zero (PJ0) people once achieved an attack on a WiFi chip, obtaining RCE in the WiFi chip and turning it into an attack path to RCE on the AP chip. Before actually analysing the applications, drivers and system in the HU (TBox), hardware analysis, firmware extraction and firmware analysis are all indispensable steps, and there is a great deal to learn in these as well.
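The text observes that items 2 to 4 are easy because vehicles typically place no protection between the HU/TBox-side bus and the rest of the CAN network, and that full CAN access matters because it allows reflashing over UDS. As an added example of the missing protection (not the author's code and not any real gateway firmware), the following gateway-style filter inspects frames crossing from the infotainment segment toward the powertrain segment and drops UDS requests that only a workshop tester should ever send. The UDS service identifiers are the standard ISO 14229-1 values; the diagnostic request CAN IDs, the segment names, the policy and the frame log are constructed assumptions.

```python
"""Added example (not the author's code): a gateway-side filter that blocks
UDS reprogramming requests originating from the HU/TBox-side CAN segment.
CAN IDs, segment names and the frame log below are constructed."""
from dataclasses import dataclass

# UDS service identifiers (ISO 14229-1).
UDS_SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x22: "ReadDataByIdentifier",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x34: "RequestDownload",
    0x36: "TransferData",
    0x3E: "TesterPresent",
}
# Services that imply reflashing or taking control of an ECU.
REPROGRAMMING_SERVICES = {0x10, 0x11, 0x27, 0x2E, 0x34, 0x36}

# Assumed physical diagnostic request IDs of ECUs on the powertrain segment
# (these are OEM-specific in real vehicles).
POWERTRAIN_DIAG_IDS = {0x7E0, 0x7E1}


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int
    data: bytes
    source_bus: str   # "infotainment" or "powertrain"


def uds_service_of(data):
    """Return (service_id, subfunction) for an ISO-TP single frame, else None.

    Single frame: high nibble of byte 0 is 0, low nibble is the payload length.
    First/consecutive/flow-control frames (high nibble 1/2/3) return None."""
    if not data or (data[0] >> 4) != 0:
        return None
    length = data[0] & 0x0F
    if length == 0 or length > len(data) - 1:
        return None
    service_id = data[1]
    subfunction = data[2] if length >= 2 else None
    return service_id, subfunction


def gateway_decision(frame):
    """Apply the policy to one frame; return ('forward' | 'drop', reason)."""
    if frame.source_bus != "infotainment":
        return "forward", "internal segment"
    if frame.arbitration_id not in POWERTRAIN_DIAG_IDS:
        return "forward", "not a diagnostic request address"
    parsed = uds_service_of(frame.data)
    if parsed is None:
        # Multi-frame transfers (e.g. RequestDownload payloads) are never
        # legitimate from this segment, so they are dropped outright.
        return "drop", "diagnostic address but not a single-frame UDS request"
    service_id, subfunction = parsed
    name = UDS_SERVICES.get(service_id, "unknown 0x%02X" % service_id)
    if service_id in REPROGRAMMING_SERVICES:
        if service_id == 0x10 and subfunction == 0x02:
            name += " (programming session)"
        return "drop", "%s from infotainment segment" % name
    return "forward", "%s allowed" % name


def filter_log(frames):
    """Run the policy over a frame sequence; return one (decision, reason) each."""
    return [gateway_decision(frame) for frame in frames]


# Constructed frame log: a reflash attempt arriving from the HU side, plus
# ordinary traffic that must keep flowing.
SAMPLE_LOG = [
    CanFrame(0x7E0, bytes.fromhex("0222F190AAAAAAAA"), "infotainment"),  # read VIN
    CanFrame(0x7E0, bytes.fromhex("021002AAAAAAAAAA"), "infotainment"),  # programming session
    CanFrame(0x7E0, bytes.fromhex("022701AAAAAAAAAA"), "infotainment"),  # SecurityAccess seed
    CanFrame(0x7E0, bytes.fromhex("1009340012000010"), "infotainment"),  # ISO-TP first frame
    CanFrame(0x3C0, bytes.fromhex("0102030405060708"), "infotainment"),  # normal body message
    CanFrame(0x7E0, bytes.fromhex("021002AAAAAAAAAA"), "powertrain"),    # tester on OBD side
]

if __name__ == "__main__":
    for frame, (decision, reason) in zip(SAMPLE_LOG, filter_log(SAMPLE_LOG)):
        print("0x%03X %-12s %-7s %s" % (frame.arbitration_id, frame.source_bus, decision, reason))
```

The policy is deliberately narrow: ordinary signal traffic and read-only diagnostics still cross the gateway, while session changes, security access, write and download requests from the infotainment side are dropped and logged. On a real gateway the same logic would also need to cover padding variants, extended addressing and functional (broadcast) request IDs, none of which the constructed log exercises.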

New attack methods

  New attack methods are another direction of automotive security research. In previous years, new attacks were mainly wireless attacks on vehicles, including relay attacks on keyless entry, GPS spoofing, hijacking via fake base stations, and TPMS attacks. Among these, the one with relatively good real-world cases is the wireless relay attack on keyless entry systems. Recently many automakers have moved technology from other fields into the car, such as Bluetooth keys, phone NFC keys and fingerprint unlocking. The emergence of these functions also gives automotive attacks some new attack surface. Attacks on autopilot systems have been the hottest research point of the past two years, but to be honest, those doing vehicle security research have not yet found the right entry point and attack scenario within the autopilot setting. Forcing a Tesla in autopilot mode to stop with a laser, triggering Tesla's wipers with abnormal images, and using markers placed on the ground to force a Tesla into abnormal movements are the relatively well-known case studies of the past two years. But I feel these cases are of little practical value; truly meaningful attacks on autopilot and realistic attack scenarios need further study.

Summary

  Automotive security is a hodgepodge of traditional security, and researching its many aspects requires support from a wide range of knowledge. Having joined a year ago, I am still at the foot of the mountain and have only a shallow understanding of some aspects of automotive security. I hope this will be of some help to friends who want to learn automotive security.
