Wireless

In this part, we discuss possible remote attacks on a car, grouped by the area in which they apply. For each communication channel, we describe the known attacks and how to prevent them, with recommendations. The main recommendation is to always apply the latest updates for these remote communication channels.

| Domain | Object | Recommendations |
|--------|--------|-----------------|
| Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. |

We will see the following parts:

  • Wifi
  • Bluetooth
  • Cellular
  • Radio
  • NFC

| Domain | Improvement |
|--------|-------------|
| Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). |

For automotive-specific communication means, we take examples of attacks on existing systems from the IOActive document (A Survey of Remote Automotive Attack Surfaces) and from the ETH document (Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars).


Wifi

Attacks

Existing attacks on Wifi fall into two categories: those on WEP and those on WPA.

  • WEP attacks:
      • FMS (Fluhrer, Mantin and Shamir attack): a "stream cipher attack on the widely used RC4 stream cipher. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream."
      • KoreK: "allows the attacker to reduce the key space".
      • PTW (Pyshkin, Tews and Weinmann attack).
      • Chopchop: found by KoreK, it exploits the "weakness of the CRC32 checksum and the lack of replay protection."
      • Fragmentation attack.

  • WPA attacks:
      • Beck and Tews: exploits a weakness in TKIP. "Allows the attacker to decrypt ARP packets and to inject traffic into a network, even allowing him to perform a DoS or an ARP poisoning".
      • KRACK (Key Reinstallation Attack) (jira AGL SPEC-1017).

Recommendations

  • Do not use WEP, PSK or TKIP.

  • Use WPA2 with CCMP.

  • Protect against data sniffing.

| Domain | Tech name or object | Recommendations |
|--------|---------------------|-----------------|
| Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled. |
| Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used. |
| Connectivity-Wireless-Wifi-3 | WPA2 | Should protect against data sniffing. |
| Connectivity-Wireless-Wifi-4 | PSK | Change the password regularly. |
| Connectivity-Wireless-Wifi-5 | Device | Easily upgradable in software or firmware so that it carries the latest security updates. |

See Wifi attacks WEP WPA and Breaking WEP and WPA (Beck and Tews) for more information.
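The recommendations above translate directly into a few wpa_supplicant options. The script below is an added example (not part of the AGL blueprint) that parses the network blocks of a wpa_supplicant.conf and reports any that still allow WEP, WPA (v1) or TKIP, or that rely on a pre-shared key without rotation. The option names (key_mgmt, proto, pairwise, group, psk, wep_key0) are real wpa_supplicant options and the defaults mirror its documented defaults; the configuration text itself is constructed for the illustration.

```python
"""Audit wpa_supplicant network blocks against the Wifi recommendations
(no WEP/TKIP, WPA2 with CCMP only, rotate any pre-shared key).

Added example, not part of the AGL blueprint. The configuration text is
constructed; the option names are real wpa_supplicant.conf options.
"""
import re

# Constructed sample config: a WEP network, a WPA(v1)/TKIP network and a
# WPA2/CCMP network that follows the recommendation.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="legacy-garage"
    key_mgmt=NONE
    wep_key0="abcde"
    wep_tx_keyidx=0
}

network={
    ssid="old-router"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    psk="changeme123"
}

network={
    ssid="fleet-ap"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="a-long-random-passphrase-that-is-rotated"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# wpa_supplicant defaults that apply when an option is omitted.
DEFAULTS = {
    "key_mgmt": "WPA-PSK WPA-EAP",
    "proto": "WPA RSN",
    "pairwise": "CCMP TKIP",
    "group": "CCMP TKIP WEP104 WEP40",
}


def parse_networks(conf_text):
    """Return one dict per network={...} block, with quotes stripped from values."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return (level, message) findings for one block; level is 'fail' or 'warn'."""
    def tokens(option):
        return set(net.get(option, DEFAULTS[option]).split())

    findings = []
    if any(k.startswith("wep_key") for k in net):
        findings.append(("fail", "WEP key configured; WEP must be disabled"))
    if tokens("key_mgmt") == {"NONE"}:
        findings.append(("fail", "key_mgmt=NONE: no WPA key management (open or WEP network)"))
        return findings  # cipher options are meaningless without WPA
    if "WPA" in tokens("proto"):
        findings.append(("fail", "proto allows WPA (v1); set proto=RSN for WPA2 only"))
    if "TKIP" in tokens("pairwise"):
        findings.append(("fail", "pairwise allows TKIP; set pairwise=CCMP"))
    if tokens("group") & {"TKIP", "WEP40", "WEP104"}:
        findings.append(("fail", "group cipher allows TKIP/WEP; set group=CCMP"))
    if "WPA-PSK" in tokens("key_mgmt") and "psk" in net:
        findings.append(("warn", "pre-shared key in use; rotate the passphrase regularly"))
    return findings


def audit_conf(conf_text):
    """Map each SSID to its findings (an empty list means compliant)."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(conf_text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

Note that the group cipher default still includes TKIP and WEP even when pairwise=CCMP is set, so a block that omits `group=` is flagged; the hardened block has to pin both.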


Bluetooth

Attacks

  • Bluesnarfing attacks involve an attacker covertly gaining access to your Bluetooth-enabled device for the purpose of retrieving information, including addresses, calendar information or even the device's International Mobile Equipment Identity. With the IMEI, an attacker could route your incoming calls to his cell phone.
  • Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
  • Bluejacking is the sending of unsolicited messages.
  • BLE: attacks on Bluetooth Low Energy.
  • DoS: drain a device's battery or temporarily paralyse the phone.

Recommendations

  • Do not allow Bluetooth pairing attempts unless the driver has first manually placed the vehicle in pairing mode.
  • Monitoring.
  • Use BLE with caution.
  • For v2.1 and later devices using Secure Simple Pairing (SSP), avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing.

| Domain | Tech name | Recommendations |
|--------|-----------|-----------------|
| Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution. |
| Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring. |
| Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model. |
| Connectivity-Wireless-Bluetooth-4 | Visibility | Undiscoverable by default, except when needed. |
| Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks. |

See Low energy and the automotive transformation, Gattacking Bluetooth Smart Devices, Comprehensive Experimental Analyses of Automotive Attack Surfaces and With Low Energy comes Low Security for more information.
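On a Linux head unit the "pairing only on demand", "undiscoverable by default" and "no Just Works" recommendations map onto a handful of BlueZ settings. The following is an added example (not part of the AGL blueprint or of BlueZ) that audits the [General] section of a main.conf: DiscoverableTimeout, PairableTimeout, AlwaysPairable and JustWorksRepairing are real BlueZ options and the defaults used are BlueZ's documented ones; the weak and hardened files are constructed.

```python
"""Audit a BlueZ main.conf against the Bluetooth recommendations above.

Added example, not part of the AGL blueprint or of BlueZ. The two
configuration texts are constructed; the option names are real
/etc/bluetooth/main.conf [General] options.
"""
import configparser

# Constructed: adapter that is discoverable and pairable forever and
# accepts unauthenticated re-pairing.
WEAK_CONF = """
[General]
Name = HeadUnit
DiscoverableTimeout = 0
PairableTimeout = 0
AlwaysPairable = true
JustWorksRepairing = always
"""

# Constructed: discoverable/pairable only for a short window after the
# driver enables pairing mode, and no Just Works re-pairing.
HARDENED_CONF = """
[General]
Name = HeadUnit
DiscoverableTimeout = 120
PairableTimeout = 120
AlwaysPairable = false
JustWorksRepairing = never
"""

# BlueZ defaults used when an option is absent (0 means "no timer", i.e. forever).
DEFAULTS = {
    "DiscoverableTimeout": "180",
    "PairableTimeout": "0",
    "AlwaysPairable": "false",
    "JustWorksRepairing": "never",
}


def load_general(conf_text):
    """Parse main.conf and return the [General] options with defaults filled in."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep BlueZ's CamelCase option names as written
    parser.read_string(conf_text)
    general = dict(DEFAULTS)
    if parser.has_section("General"):
        general.update(parser["General"])
    return general


def audit_main_conf(conf_text):
    """Return a list of findings; an empty list means the file follows the recommendations."""
    g = load_general(conf_text)
    findings = []
    if int(g["DiscoverableTimeout"]) == 0:
        findings.append("DiscoverableTimeout=0: once made discoverable the adapter stays so "
                        "forever; set a short timeout")
    if int(g["PairableTimeout"]) == 0:
        findings.append("PairableTimeout=0: adapter stays pairable forever; pairing should be "
                        "open only while the driver has enabled pairing mode")
    if g["AlwaysPairable"].strip().lower() == "true":
        findings.append("AlwaysPairable=true: pairing is accepted even with no agent to "
                        "confirm it; set false")
    if g["JustWorksRepairing"].strip().lower() != "never":
        findings.append("JustWorksRepairing allows an already-paired device to re-pair "
                        "with Just Works; set never")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_main_conf(conf) or ["OK"])
```

The association model for a fresh pairing is chosen from the IO capability that the head unit's pairing agent registers with BlueZ: an agent registered as NoInputNoOutput forces Just Works, so the agent should register as DisplayYesNo or KeyboardDisplay and confirm the numeric comparison with the driver.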


Cellular

Attacks

  • IMSI-Catcher: Is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.

  • Lack of mutual authentication (GPRS/EDGE) and use of GEA0 (no encryption).

  • Forced fallback from UMTS/HSPA to GPRS/EDGE (by jamming UMTS/HSPA).

  • 4G DoS attack.

Recommendations

  • Check antenna legitimacy.

| Domain | Tech name | Recommendations |
|--------|-----------|-----------------|
| Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid. |
| Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against jamming. |

See A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications for more information.
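The three cellular weaknesses listed above (2G without mutual authentication, the GEA0 null cipher, and a forced fallback from UMTS/HSPA) are all visible in the modem's registration state, which is where "check antenna legitimacy" can be turned into monitoring. The detector below is an added example, not part of the AGL blueprint: the status-log format is constructed (a real modem exposes the same fields through AT commands or a vendor API) and the home PLMN list is a placeholder the integrator would fill in.

```python
"""Flag cellular weaknesses from a modem status log: fallback to
GPRS/EDGE, null ciphers such as GEA0, and serving cells from an
unexpected network.

Added example, not part of the AGL blueprint. Log format and values are
constructed; HOME_PLMNS is a placeholder.
"""
import re

# Constructed modem status lines: one record per registration update.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z rat=LTE plmn=26201 lac=0x1a2b cid=0x00c0ffee cipher=EEA2
2024-05-01T08:00:30Z rat=UMTS plmn=26201 lac=0x1a2b cid=0x0000beef cipher=UEA1
2024-05-01T08:01:00Z rat=GPRS plmn=26201 lac=0x7fff cid=0x0000dead cipher=GEA0
2024-05-01T08:01:30Z rat=GPRS plmn=00101 lac=0x7fff cid=0x0000dead cipher=GEA0
"""

HOME_PLMNS = {"26201"}                  # placeholder: networks the vehicle is provisioned for
LEGACY_RATS = {"GSM", "GPRS", "EDGE"}   # 2G: the network is not authenticated to the device
NULL_CIPHERS = {"A5/0", "GEA0", "UEA0", "EEA0"}  # "encryption" algorithms that protect nothing

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return (timestamp, alert) tuples in log order."""
    alerts = []
    prev_rat = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rat = rec.get("rat", "")
        ts = rec["ts"]
        # A drop from 3G/4G to 2G is what jamming against UMTS/HSPA or a
        # fake base station produces; a genuine coverage hole can too, so
        # this is an alert to correlate, not a verdict on its own.
        if prev_rat and prev_rat not in LEGACY_RATS and rat in LEGACY_RATS:
            alerts.append((ts, f"downgrade {prev_rat}->{rat}: possible jamming or IMSI-catcher"))
        if rat in LEGACY_RATS:
            alerts.append((ts, f"registered on {rat}: no mutual authentication"))
        if rec.get("cipher") in NULL_CIPHERS:
            alerts.append((ts, f"null cipher {rec['cipher']}: data travels in clear"))
        if rec.get("plmn") not in HOME_PLMNS:
            alerts.append((ts, f"unexpected PLMN {rec.get('plmn')}: check cell legitimacy"))
        prev_rat = rat
    return alerts


if __name__ == "__main__":
    for ts, alert in detect(SAMPLE_LOG):
        print(ts, alert)
```

A sensible response policy on the vehicle side is to refuse to carry telematics data over a session flagged with a null cipher or a 2G-only registration, which is the operational meaning of the "Avoid GPRS/EDGE" row above.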


Radio

Attacks

  • Interception of data with low-cost hardware (for example an SDR built from a repurposed DVB-T/DAB receiver).

Recommendations

  • Use the Radio Data System (RDS) only for audio output signalling and radio-related metadata.

| Domain | Tech name | Recommendations |
|--------|-----------|-----------------|
| Connectivity-Wireless-Radio-1 | RDS | Only audio output signalling and radio-related metadata. |
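One way to enforce the RDS recommendation on the receiving side is an allowlist on the RDS group type, so that only the groups carrying the programme service name and RadioText are handed to the rest of the infotainment stack. The code below is an added example, not part of the AGL blueprint: group-type extraction follows the RDS block-B layout (group type in bits 15..12, version in bit 11), the groups are constructed (error correction is assumed already done, so a group is four 16-bit blocks), and the allowlist itself is a policy choice the integrator may widen.

```python
"""Accept only RDS groups that carry audio-related signalling and metadata
(group 0: programme service name, TP/TA flags; group 2: RadioText) and
drop all other group types before decoding.

Added example, not part of the AGL blueprint. The groups are constructed;
the allowlist is a policy choice.
"""

ALLOWED_GROUPS = {(0, "A"), (0, "B"), (2, "A"), (2, "B")}


def group_type(block_b):
    """Return (type, version) from block B, e.g. (0, 'A') for a 0A group."""
    return (block_b >> 12) & 0xF, "B" if (block_b >> 11) & 1 else "A"


def make_group(pi, gtype, version, tail, block_c, block_d):
    """Constructed helper: build block B with TP=1 and PTY=10 plus the group-specific tail bits."""
    b = (gtype << 12) | ((1 if version == "B" else 0) << 11) | (1 << 10) | (10 << 5) | tail
    return (pi, b, block_c, block_d)


def chars(word16):
    """Two RDS text characters packed in one 16-bit block (basic Latin subset)."""
    return bytes([(word16 >> 8) & 0xFF, word16 & 0xFF]).decode("latin-1")


def pack(two_chars):
    return (ord(two_chars[0]) << 8) | ord(two_chars[1])


PI = 0x1234  # constructed programme identification code
# 0A: block D carries two PS characters, bits 1..0 of block B the segment (MS bit set in tail).
# 2A: blocks C and D carry four RadioText characters, bits 3..0 of block B the segment.
SAMPLE_GROUPS = [
    make_group(PI, 0, "A", 0b1000 | 0, 0xCD46, pack("AG")),
    make_group(PI, 0, "A", 0b1000 | 1, 0xCD46, pack("L ")),
    make_group(PI, 8, "A", 0, 0x1234, 0x5678),           # 8A: traffic message channel, dropped
    make_group(PI, 0, "A", 0b1000 | 2, 0xCD46, pack("FM")),
    make_group(PI, 0, "A", 0b1000 | 3, 0xCD46, pack("  ")),
    make_group(PI, 2, "A", 0, pack("AG"), pack("L ")),
    make_group(PI, 2, "A", 1, pack("Se"), pack("cu")),
    make_group(PI, 3, "A", 0, 0xCD46, 0x4BD7),           # 3A: open data application, dropped
    make_group(PI, 2, "A", 2, pack("ri"), pack("ty")),
]


def filter_and_decode(groups, allowed=ALLOWED_GROUPS):
    """Decode PS and RadioText from allowed groups; report the group types that were dropped."""
    ps = [" "] * 8
    rt = [" "] * 64
    dropped = []
    for _pi, b, c, d in groups:
        gt = group_type(b)
        if gt not in allowed:
            dropped.append(gt)
            continue
        if gt[0] == 0:
            seg = b & 0x3
            ps[2 * seg:2 * seg + 2] = list(chars(d))
        elif gt[0] == 2:
            if gt[1] == "A":            # 2A: 4 characters per group, 16 segments
                seg, text = b & 0xF, chars(c) + chars(d)
                offset = 4 * seg
            else:                       # 2B: 2 characters per group (block C repeats PI)
                seg, text = b & 0xF, chars(d)
                offset = 2 * seg
            rt[offset:offset + len(text)] = list(text)
    return {"ps": "".join(ps), "rt": "".join(rt).rstrip(), "dropped": dropped}


if __name__ == "__main__":
    print(filter_and_decode(SAMPLE_GROUPS))
```

Anything outside the allowlist (TMC, ODA payloads, EON) never reaches a parser, which is where the attack surface the IOActive survey describes for RDS sits; if a feature such as TMC is required, it is added to the allowlist deliberately and its parser reviewed rather than reached by default.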

NFC

Attacks

  • MITM: Relay and replay attack.

Recommendations

  • Implement protection against relay and replay attacks (tokens, etc.).
  • Disable unneeded and unapproved services and profiles.
  • NFC should use an encrypted link (secure channel). A standard key agreement protocol such as Diffie-Hellman, based on RSA or elliptic curves, could be applied to establish a shared secret between two devices.
  • Automotive NFC devices should be certified by the NFC Forum: the NFC Forum Certification Mark shows that products meet global interoperability standards.
  • NFC Modified Miller coding is preferred over NFC Manchester coding.

| Domain | Tech name | Recommendations |
|--------|-----------|-----------------|
| Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. |
| Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. |
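The "tokens" the first recommendation refers to are usually a challenge-response: the reader issues a fresh nonce, the token answers with a MAC over it, and the reader accepts each nonce only once (which defeats replay) and only within a tight round-trip budget (a relay through two extra radios adds latency, so this bounds it). The code below is an added example, not part of the AGL blueprint. It assumes a shared secret already established between reader and token, for instance via the Diffie-Hellman key agreement the recommendations mention, and uses a constructed key, a constructed reader identifier and an injectable clock so the four outcomes can be shown offline.

```python
"""Single-use challenge-response token for an NFC exchange, rejecting
replays (nonce reuse) and over-long round trips (relay indicator).

Added example, not part of the AGL blueprint. SHARED_KEY and READER_ID
are constructed; the key is assumed to come from a prior key agreement.
"""
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-shared-secret-from-key-agreement"  # assumption: agreed earlier
READER_ID = b"door-handle-reader-01"                          # constructed identifier


def expected_response(key, reader_id, nonce):
    """Token side: MAC over a fixed label, the reader identity and the fresh nonce."""
    return hmac.new(key, b"nfc-auth|" + reader_id + b"|" + nonce, hashlib.sha256).digest()


class NfcReader:
    """Issues single-use nonces and verifies the token's MAC within a time budget."""

    def __init__(self, key, reader_id, max_rtt_s=0.020, clock=time.monotonic):
        self.key = key
        self.reader_id = reader_id
        self.max_rtt_s = max_rtt_s  # constructed budget for a genuine tap; a relay adds latency
        self.clock = clock
        self.pending = {}           # nonce -> time issued; entries are consumed on first use

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = self.clock()
        return nonce

    def verify(self, nonce, response):
        issued = self.pending.pop(nonce, None)  # a nonce is verifiable exactly once
        if issued is None:
            return False, "unknown or already-used nonce (replay)"
        if self.clock() - issued > self.max_rtt_s:
            return False, "response too slow (relay suspected)"
        expected = expected_response(self.key, self.reader_id, nonce)
        if not hmac.compare_digest(expected, response):
            return False, "bad MAC"
        return True, "accepted"


class FakeClock:
    """Manually advanced clock so the demo is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Run the four cases a reader must distinguish; returns the (ok, reason) list."""
    clock = FakeClock()
    reader = NfcReader(SHARED_KEY, READER_ID, clock=clock)
    results = []

    # 1. Genuine tap: the token answers within a few milliseconds.
    n1 = reader.challenge()
    r1 = expected_response(SHARED_KEY, READER_ID, n1)
    clock.advance(0.005)
    results.append(reader.verify(n1, r1))

    # 2. Replay: the same captured (nonce, response) pair presented again.
    results.append(reader.verify(n1, r1))

    # 3. Relay: correct MAC, but the round trip took far longer than a direct tap.
    n3 = reader.challenge()
    r3 = expected_response(SHARED_KEY, READER_ID, n3)
    clock.advance(0.150)
    results.append(reader.verify(n3, r3))

    # 4. Token that does not hold the shared secret.
    n4 = reader.challenge()
    r4 = expected_response(b"wrong-key", READER_ID, n4)
    clock.advance(0.005)
    results.append(reader.verify(n4, r4))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

Binding the reader identity into the MAC stops a response obtained from one reader being presented to another, and expiring unanswered nonces from `pending` after the same budget keeps the table bounded in a production reader.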