carOS-Benesky
-
Upload
sapari-vel -
Category
Documents
-
view
215 -
download
0
Transcript of carOS-Benesky
-
8/12/2019 carOS-Benesky
1/31
Car Operating Systems
Ryan Benesky
-
8/12/2019 carOS-Benesky
2/31
The Beginning of Car Computers 1970s Was the beginning of the EPA and regulations to
clean up the environment.
In the late 1970s car manufactures were under pressure toincrease fuel mileage and decrease pollution by theCalifornia Clean Air Act.
Manufactures moved towards Fuel injection based systemswhich require computers to control the system. Virtually allcars by the 1980s where fuel injected.
-
8/12/2019 carOS-Benesky
3/31
Electronic Control Unit (ECU)
An ECU is an embedded system that controls/monitorssystems in a car.
Combination of ECUs is known as the cars computer.
The cars computer is not one system but a large numberof small subsystems connected together by a network.
Modern vehicles have up to 75+ ECUs.
-
8/12/2019 carOS-Benesky
4/31
Typical ECUs
Engine Control Module (ECM)Determine parameters for an Internalcombustion engine.
Electronic Stability Control (ESC)Improves vehicle safety bypreventing loss of control.
Anti-Lock Braking System (ABS)Improves safety by preventing thebrakes from locking.
-
8/12/2019 carOS-Benesky
5/31
The Engine Control Module ECM
-
8/12/2019 carOS-Benesky
6/31
Electronic Control Module
Controls the parameters of an internalcombustion engine.
Has developed into a closed-loop system, feeds
data back into the car to make decisions Embedded System, resources are limited.
Early systems entirely look-up table based.
Current designs are able to compute manyparameters on-the-fly but there is still a fewlook up tables.
-
8/12/2019 carOS-Benesky
7/31
ECM Running Modes
Open-loop : This is when the ECM is not using inputdata from sensors.
This occurs in certain circumstances where usinginput data would not be beneficial. Such as:
when the engine is cold, or wide open throttle. Closed-loop: This uses post-combustion data to
compute changes for pre-combustion parameters.
This change was implemented as the
microprocessors got faster and EPA standardsgot tighter. Some use data from short period oftime 1trip others keep track of data for months.
-
8/12/2019 carOS-Benesky
8/31
Some ECM Parameters
Engine Load - Computed from Air Flow Rate into the engine and IntakeManifold air pressure
Engine Speed - Reported by the Crankshaft Position Sensor
Coolant Temperature - Reported by the engine coolant sensor, a thermistorthat varies its resistance according to the engine coolant temperature
Throttle Position - Throttle position sensor creates a voltage signal thatvaries in proportion to the throttle valve opening angle
Intake Air Temperature - Measured by another thermistor located in theMass Air Flow Sensor unit
Battery Voltage - Battery voltage affects the speed at which the fuel injectorsopen and must be taken into account in computing the fuel injector pulselength, or injector open time
Oxygen Sensor - The oxygen density in the exhaust emissions is detected
and generates acontrol signal back to the ECU indicating the burned air/fuelratio.
-
8/12/2019 carOS-Benesky
9/31
Sensors
The ECM uses specially designed sensors toobtain information.
-
8/12/2019 carOS-Benesky
10/31
ECM
http://www.motoiq.com/magazine_articles/articletype/articleview/articleid/1539/understanding-the-efi-process.aspx
-
8/12/2019 carOS-Benesky
11/31
Look-up Table
-
8/12/2019 carOS-Benesky
12/31
Using ECUs as Diagnostic tool
OBD-IIstandard diagnostic testing.
Diagnostic ProblemAn error occurs but whereis really?
Logging takes place in trips, an error may notbe presented to the driver until the same errorhas occurred for a number of trips.
-
8/12/2019 carOS-Benesky
13/31
OBD-II Diagnostic
http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/
-
8/12/2019 carOS-Benesky
14/31
Controller Area Network (CAN)
Wikipedia: Controller
area network(CANor CAN-bus) is a vehicle busstandard designed to allow microcontrollersand devices tocommunicate with each other within a vehicle without a hostcomputer.
Multi-master broadcast bus
Shared medium,
Any device can broadcast as long as the line is free
If two messages broadcast simultaneously, the message with the more-dominated id will propagate to each node and overwrite the messageof the less dominate id.
Bit rates of up to 1Mbit/s are possible < 40m
http://en.wikipedia.org/wiki/Vehicle_bushttp://en.wikipedia.org/wiki/Microcontrollerhttp://en.wikipedia.org/wiki/Host_computerhttp://en.wikipedia.org/wiki/Host_computerhttp://en.wikipedia.org/wiki/Host_computerhttp://en.wikipedia.org/wiki/Host_computerhttp://en.wikipedia.org/wiki/Microcontrollerhttp://en.wikipedia.org/wiki/Vehicle_bus -
8/12/2019 carOS-Benesky
15/31
Network types.
There is a myriad of ECUs operating in the car
Some systems are very critical to the operationof the car including driver safety.
Such as the ECM, ABS, and TCM
Other systems such as the Radio, Door Locks,etc. These are not necessary for the operation
of the car and are on a slower network.
-
8/12/2019 carOS-Benesky
16/31
Experimental Security Analysis of a Modern Automobile
-
8/12/2019 carOS-Benesky
17/31
cnslab.snu.ac.kr/twiki/bin/view/Main/Research
-
8/12/2019 carOS-Benesky
18/31
Modern ECUs
Drive-by-Wire
Variable Control Transmissions
Magnetic Dampers
autospeed.com.au/cms/title_Magnetic-Dampers/A_110995/article.html
-
8/12/2019 carOS-Benesky
19/31
-
8/12/2019 carOS-Benesky
20/31
Future Networking Infrastructure
VANETVehicular Ad-hoc Networks.
-
8/12/2019 carOS-Benesky
21/31
Security
Experimental Analysis of a Modern Automobile
By: Joint Paper between researchers at University ofWashington and University of California San Diego.
Paper highlighting what a malicious user could accomplishif they could gain access to the car networks andcomputers.
-
8/12/2019 carOS-Benesky
22/31
Potential Vectors
Physical AccessA person can attach amodule to the standard OBD-II port on any car.
Component can stay attached
It is also possible to flash another modulefrom the port.
Malicious componentA module (even the FMradio) can be replaced by one with malicious
firmware.
Network AccessResearchers identified noless than 5 networks on the test car.
-
8/12/2019 carOS-Benesky
23/31
CAN Security
BroadcastAll packets are physically and logicallysent to all ECU's.
Denial of ServicePriority based protocol allowsmalicious packets to dominate the network.
No AuthenticationPackets are not authenticated, nosource information is stored in CAN packets.
Ease of AccessVariety of tools available to accesscomponents and change settings or even re-flash thecomponent.
Poor Network SegregationCar critical componentsneed to be isolated but bridging the networks is easilyaccomplished.
-
8/12/2019 carOS-Benesky
24/31
CAN Security
-
8/12/2019 carOS-Benesky
25/31
ECU Security
ECU re-flashingCar manufactures need the ability to re-flash the ECUs to perform maintenance.
ECUs are required to implement security featuresthat only allow authorized personnel to re-flash
the ECU Diagnostic AbilitiesECUs are required to report (possible
too much) information about the components
Communication SafteyManufactures don't follow
standards that state ECUs must remain in a safe-stateeven if instructed to do otherwise.
-
8/12/2019 carOS-Benesky
26/31
Attack Methodology
Packet SniffingCarShark was used to monitorthe CAN packets while components werecycled to determine information.
FuzzingCAN packets have a small validpacket range therefore randomly selectingpackets can do a significant amount of damage.
Reverse-EngineeringComponents were
purchased from resellers and then dumped ontoa debugging platform for reverse engineering.
-
8/12/2019 carOS-Benesky
27/31
ECU Security
-
8/12/2019 carOS-Benesky
28/31
R lt C t
-
8/12/2019 carOS-Benesky
29/31
Results Cont.
-
8/12/2019 carOS-Benesky
30/31
Conclusions Car Computers are here to stay.
Infact, with many modern cars the computershave more control then the driver.
Plenty of new/cool work that can be done.
Open source ECU Projects Customization
Car Computer security is poor.
Today, for must users this does not pose a
problem
As communications infrastructure increases thismay pose a bigger problem
Major problem is the lack of standards and the
lack of implementation of standards.
-
8/12/2019 carOS-Benesky
31/31
Sources/Links
Toyota Training Series
http://www.autoshop101.com/autoshop15.html
Experimental Security Analysis of a Modern Automobile
www.autosec.org/pubs/cars-oakland2010.pdf DIY EFI
www.diyefi.org
Understanding OBDII Engine Systems and Fuel Mixture Control
http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/
Recent blog by someone hacking there car (good CAN finding info)
http://marco.guardigli.it/2010/10/hacking-your-car.html
http://www.autoshop101.com/autoshop15.htmlhttp://www.autosec.org/pubs/cars-oakland2010.pdfhttp://www.diyefi.org/http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/http://www.4x4wire.com/toyota/4Runner/tech/OBDII_ECU/http://www.diyefi.org/http://www.diyefi.org/http://www.autosec.org/pubs/cars-oakland2010.pdfhttp://www.autosec.org/pubs/cars-oakland2010.pdfhttp://www.autosec.org/pubs/cars-oakland2010.pdfhttp://www.autosec.org/pubs/cars-oakland2010.pdfhttp://www.autoshop101.com/autoshop15.htmlhttp://www.autoshop101.com/autoshop15.html