Hacking Connected Cars

Alissa Knight has worked in cybersecurity for more than 20 years. For the past ten years, she has focused her vulnerability research into hacking connected cars, embedded systems, and IoT devices for clients in the United States, Middle East, Europe, and Asia. She continues to work with some of the world’s largest automobile manufacturers and OEMs on building more secure connected cars. Alissa is the Group CEO of Brier & Thorn and is also the managing partner at Knight Ink, where she blends hacking with content creation of written and visual content for challenger brands and market leaders in cybersecurity. As a serial entrepreneur, Alissa was the CEO of Applied Watch and Netstream, companies she sold in M&A transactions to publicly traded companies in international markets. Her passion professionally is meeting and learning from extraordinary leaders around the world and sharing her views on the disruptive forces reshaping global markets. Alissa’s long-term goal is to help as many organizations as possible develop and execute on their strategic plans and focus on their areas of increased risk, bridging silos to effectively manage risk across organizational boundaries, and enable them to pursue intelligent risk taking as a means to long-term value creation. You can learn more about Alissa on her homepage at http://www.alissaknight.com, connect with her on LinkedIn, or follow her on Twitter @alissaknight.

About the Author v

Acknowledgments vii

Foreword xv

Introduction xix

Part I Tactics, Techniques, and Procedures 1

Chapter 1 Pre-Engagement 3

Penetration Testing Execution Standard 4

Scope Definition 6

Architecture 7

Full Disclosure 7

Release Cycles 7

IP Addresses 7

Source Code 8

Wireless Networks 8

Start and End Dates 8

Hardware Unique Serial Numbers 8

Rules of Engagement 9

Timeline 10

Testing Location 10

Work Breakdown Structure 10

Documentation Collection and Review 11

Example Documents 11

Project Management 13

Conception and Initiation 15

Definition and Planning 16

Launch or Execution 22

Performance/Monitoring 23

Project Close 24

Lab Setup 24

Required Hardware and Software 25

Laptop Setup 28

Rogue BTS Option 1: OsmocomBB 28

Rogue BTS Option 2: BladeRF + YateBTS 32

Setting Up Your WiFi Pineapple Tetra 35

Summary 36

Chapter 2 Intelligence Gathering 39

Asset Register 40

Reconnaissance 41

Passive Reconnaissance 42

Active Reconnaissance 56

Summary 59

Chapter 3 Threat Modeling 61

STRIDE Model 63

Threat Modeling Using STRIDE 65

Vast 74

Pasta 76

Stage 1: Define the Business and Security Objectives 77

Stage 2: Define the Technical Scope 78

Stage 3: Decompose the Application 79

Stage 4: Identify Threat Agents 80

Stage 5: Identify the Vulnerabilities 82

Stage 6: Enumerate the Exploits 82

Stage 7: Perform Risk and Impact Analysis 83

Summary 85

Chapter 4 Vulnerability Analysis 87

Passive and Active Analysis 88

WiFi 91

Bluetooth 100

Summary 105

Chapter 5 Exploitation 107

Creating Your Rogue BTS 108

Configuring NetworkinaPC 109

Bringing Your Rogue BTS Online 112

Hunting for the TCU 113

When You Know the MSISDN of the TCU 113

When You Know the IMSI of the TCU 114

When You Don’t Know the IMSI or MSISDN of the TCU 114

Cryptanalysis 117

Encryption Keys 118

Impersonation Attacks 123

Summary 132

Chapter 6 Post Exploitation 133

Persistent Access 133

Creating a Reverse Shell 134

Linux Systems 136

Placing the Backdoor on the System 137

Network Sniffing 137

Infrastructure Analysis 138

Examining the Network Interfaces 139

Examining the ARP Cache 139

Examining DNS 141

Examining the Routing Table 142

Identifying Services 143

Fuzzing 143

Filesystem Analysis 148

Command-Line History 148

Core Dump Files 148

Debug Log Files 149

Credentials and Certificates 149

Over-the-Air Updates 149

Summary 150

Part II Risk Management 153

Chapter 7 Risk Management 155

Frameworks 156

Establishing the Risk Management Program 158

SAE J3061 159

ISO/SAE AWI 21434 163

HEAVENS 164

Threat Modeling 166

STRIDE 168

PASTA 171

TRIKE 175

Summary 176

Chapter 8 Risk-Assessment Frameworks 179

HEAVENS 180

Determining the Threat Level 180

Determining the Impact Level 183

Determining the Security Level 186

EVITA 187

Calculating Attack Potential 189

Summary 192

Chapter 9 PKI in Automotive 193

VANET 194

On-board Units 196

Roadside Unit 196

PKI in a VANET 196

Applications in a VANET 196

VANET Attack Vectors 197

802.11p Rising 197

Frequencies and Channels 197

Cryptography 198

Public Key Infrastructure 199

V2X PKI200

IEEE US Standard 201

Certificate Security 201

Hardware Security Modules 201

Trusted Platform Modules 202

Certificate Pinning 202

PKI Implementation Failures 203

Summary 203

Chapter 10 Reporting 205

Penetration Test Report 206

Summary Page 206

Executive Summary 207

Scope 208

Methodology 209

Limitations 211

Narrative 211

Tools Used 213

Risk Rating 214

Findings 215

Remediation 217

Report Outline 217

Risk Assessment Report 218

Introduction 219

References 220

Functional Description 220

Head Unit 220

System Interface 221

Threat Model 222

Threat Analysis 223

Impact Assessment 224

Risk Assessment 224

Security Control Assessment 226

Example Risk Assessment Table 229

Summary 230

Index 233