A field manual on contextualizing cyber threats, vulnerabilities, and risks to connected cars through penetration testing and risk assessment
Hacking Connected Cars deconstructs the tactics, techniques, and procedures (TTPs) used to hack into connected cars and autonomous vehicles to help you identify and mitigate vulnerabilities affecting cyber-physical vehicles. Written by a veteran of risk management and penetration testing of IoT devices and connected cars, this book provides a detailed account of how to perform penetration testing, threat modeling, and risk assessments of telematics control units and infotainment systems. This book demonstrates how vulnerabilities in wireless networking, Bluetooth, and GSM can be exploited to affect confidentiality, integrity, and availability of connected cars.
Passenger vehicles have experienced a massive increase in connectivity over the past five years, and the trend will only continue with the expansion of the Internet of Things and increasing consumer demand for always-on connectivity. Manufacturers and OEMs need the ability to push updates without requiring service visits, but this leaves the vehicle’s systems open to attack. This book examines the issues in depth, providing cutting-edge preventative tactics that security practitioners, researchers, and vendors can use to keep connected cars safe without sacrificing connectivity.
- Perform penetration testing of infotainment systems and telematics control units through a step-by-step methodical guide
- Analyze risk levels surrounding vulnerabilities and threats that impact confidentiality, integrity, and availability
- Conduct penetration testing using the same tactics, techniques, and procedures used by hackers
From relatively small features such as automatic parallel parking to completely autonomous self-driving cars, all connected systems are vulnerable to attack. As connectivity becomes a way of life, the need for security expertise for in-vehicle systems is becoming increasingly urgent. Hacking Connected Cars provides practical, comprehensive guidance for keeping these vehicles secure.
Table of Contents
About the Author
Acknowledgments
Foreword
Introduction
Part I Tactics, Techniques, and Procedures
Chapter 1 Pre-Engagement
Penetration Testing Execution Standard
Scope Definition
Architecture
Full Disclosure
Release Cycles
IP Addresses
Source Code
Wireless Networks
Start and End Dates
Hardware Unique Serial Numbers
Rules of Engagement
Timeline
Testing Location
Work Breakdown Structure
Documentation Collection and Review
Example Documents
Project Management
Conception and Initiation
Definition and Planning
Launch or Execution
Performance/Monitoring
Project Close
Lab Setup
Required Hardware and Software
Laptop Setup
Rogue BTS Option 1: OsmocomBB
Rogue BTS Option 2: BladeRF + YateBTS
Setting Up Your WiFi Pineapple Tetra
Summary
Chapter 2 Intelligence Gathering
Asset Register
Reconnaissance
Passive Reconnaissance
Active Reconnaissance
Summary
Chapter 3 Threat Modeling
STRIDE Model
Threat Modeling Using STRIDE
VAST
PASTA
Stage 1: Define the Business and Security Objectives
Stage 2: Define the Technical Scope
Stage 3: Decompose the Application
Stage 4: Identify Threat Agents
Stage 5: Identify the Vulnerabilities
Stage 6: Enumerate the Exploits
Stage 7: Perform Risk and Impact Analysis
Summary
Chapter 4 Vulnerability Analysis
Passive and Active Analysis
WiFi
Bluetooth
Summary
Chapter 5 Exploitation
Creating Your Rogue BTS
Configuring NetworkinaPC
Bringing Your Rogue BTS Online
Hunting for the TCU
When You Know the MSISDN of the TCU
When You Know the IMSI of the TCU
When You Don’t Know the IMSI or MSISDN of the TCU
Cryptanalysis
Encryption Keys
Impersonation Attacks
Summary
Chapter 6 Post Exploitation
Persistent Access
Creating a Reverse Shell
Linux Systems
Placing the Backdoor on the System
Network Sniffing
Infrastructure Analysis
Examining the Network Interfaces
Examining the ARP Cache
Examining DNS
Examining the Routing Table
Identifying Services
Fuzzing
Filesystem Analysis
Command-Line History
Core Dump Files
Debug Log Files
Credentials and Certificates
Over-the-Air Updates
Summary
Part II Risk Management
Chapter 7 Risk Management
Frameworks
Establishing the Risk Management Program
SAE J3061
ISO/SAE AWI 21434
HEAVENS
Threat Modeling
STRIDE
PASTA
TRIKE
Summary
Chapter 8 Risk-Assessment Frameworks
HEAVENS
Determining the Threat Level
Determining the Impact Level
Determining the Security Level
EVITA
Calculating Attack Potential
Summary
Chapter 9 PKI in Automotive
VANET
On-board Units
Roadside Unit
PKI in a VANET
Applications in a VANET
VANET Attack Vectors
802.11p Rising
Frequencies and Channels
Cryptography
Public Key Infrastructure
V2X PKI
IEEE US Standard
Certificate Security
Hardware Security Modules
Trusted Platform Modules
Certificate Pinning
PKI Implementation Failures
Summary
Chapter 10 Reporting
Penetration Test Report
Summary Page
Executive Summary
Scope
Methodology
Limitations
Narrative
Tools Used
Risk Rating
Findings
Remediation
Report Outline
Risk Assessment Report
Introduction
References
Functional Description
Head Unit
System Interface
Threat Model
Threat Analysis
Impact Assessment
Risk Assessment
Security Control Assessment
Example Risk Assessment Table
Summary
Index