Payatu Case Study | Automotive Security Assessment | EV Security Testing
Summary
TLDR: This video covers the assessment of hardware security vulnerabilities in electric vehicles (EVs), focusing on protocols like CAN, UART, JTAG, and Bluetooth. The speaker, a lead IoT security consultant, explains their process for testing EV devices, identifying critical vulnerabilities like outdated Android systems and insecure ADB access. They also discuss the use of professional tools to perform these assessments, emphasizing the importance of comprehensive testing under tight deadlines. The findings include risks that could lead to financial loss, physical harm, and erosion of trust, and the speaker urges companies to conduct regular security audits.
Takeaways
- 🔒 The speaker is a lead IoT security consultant and hardware security researcher, focusing on securing devices from a hardware perspective.
- 🔍 As a consultant, they conduct hardware testing of client devices, provide remediation steps, and ensure device security.
- 💻 As a researcher, they analyze various IoT devices, such as medical devices, to stay updated with vulnerabilities and improve testing processes.
- 🚗 The client operates in the EV (electric vehicle) sector, requiring a security assessment of their device, particularly its communication protocols.
- 🛡️ CAN protocol, commonly used in automotive applications, is highlighted for its speed and importance in critical communication, like airbags.
- 🔧 The hardware assessment involved identifying debug ports (e.g., UART, JTAG) that could allow firmware extraction and malicious firmware injection.
- 📡 The team also sniffed communication protocols like SPI, I2C, and CAN to detect vulnerabilities, including potential data injection over the CAN bus.
- 📱 A mobile Android app communicating with the EV dashboard was tested for sensitive data leaks and Bluetooth security issues, including replay attacks.
- ⚠️ Critical vulnerabilities included outdated Android systems on the EV hardware and unauthorized ADB shell access, posing significant security risks.
- 🚨 Four high-severity vulnerabilities were found, including DoS attacks on the CAN bus, malicious packet injection, and exposure of sensitive boot logs.
Q & A
What is the primary role of a lead IoT security consultant?
- A lead IoT security consultant is responsible for overseeing the security of client devices from a hardware perspective, conducting hardware testing, and suggesting remediation steps to enhance device security.
How does a hardware security researcher contribute to IoT device security?
- A hardware security researcher contributes by researching various devices, like medical or other IoT devices, to identify and understand emerging vulnerabilities, ensuring that testing processes remain current and effective.
Why is it important for the EV sector to conduct security assessments?
- Security assessments are crucial in the EV sector because EV devices implement numerous communication protocols which, if compromised, could lead to serious security and safety issues.
What is the significance of the CAN protocol in automotive security?
- The CAN protocol is significant in automotive security because it is a fast communication protocol used for critical vehicle functions, such as airbag deployment during sudden braking, which require quick and reliable communication.
What kind of vulnerabilities were discovered during the hardware assessment of the EV device?
- The hardware assessment revealed vulnerabilities such as the possibility of firmware extraction from debug ports like UART or JTAG, and the ability to inject malicious data over communication protocols like SPI, I2C, and CAN.
How was the firmware extracted from the SPI flash chip during the assessment?
- The complete firmware was extracted from the SPI flash chip found on the dashboard motherboard; the chip was also found to be vulnerable in that malicious firmware could be patched back onto it.
What tools and techniques were used to perform the hardware assessment on the EV device?
- Tools such as the EXPLIoT Nano board for firmware extraction, Bus Auditor for identifying debug ports, and Bluetooth adapters for communication sniffing were used. Techniques included checking for firmware extraction methods, sniffing wired communication protocols, and analyzing Bluetooth data.
What challenges did the team face during the security assessment of the EV device?
- The team faced challenges such as working within tight deadlines to perform comprehensive testing, covering all areas identified in a large checklist to ensure a thorough security assessment.
What were the critical vulnerabilities found in the EV hardware during the assessment?
- Two critical vulnerabilities were identified: access to the ADB shell, which provided complete control of the device, and the outdated Android version running on the EV hardware, which contained numerous security vulnerabilities.
How did the team approach the firmware assessment of the EV device?
- The firmware assessment was conducted using a proprietary framework, focusing on areas such as sensitive information leakage, Bluetooth communication security, and the potential for malicious data injection.
What advice does the security professional give to organizations regarding EV security?
- The security professional advises organizations to conduct comprehensive security assessments of their EV systems, keep up with security updates, and perform regular assessments to ensure the devices are well protected against potential threats.
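The Bluetooth replay test mentioned in the answers above turns on whether the dashboard accepts a captured command a second time. As an added example (not code from the video, from Payatu, or from the client's product), the Python below contrasts a receiver that matches only a static command with one that binds a monotonic counter to each command under an HMAC and rejects anything replayed or tampered with. The key, the UNLOCK/LOCK commands and the frame layout are constructed assumptions for illustration.

```python
"""Added example (not from the Payatu case study): the replay check the team
describes, shown from the defender's side. A receiver that only matches a static
command accepts a captured frame a second time; a receiver that binds a
monotonic counter to the command with an HMAC rejects the replay and any
tampered frame. Key, commands and frame layout are constructed for illustration."""
import hashlib
import hmac
import struct

SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to each frame


class NaiveReceiver:
    """Executes any frame whose payload equals a known command: replayable."""
    COMMANDS = {b"UNLOCK", b"LOCK"}

    def __init__(self):
        self.executed = []

    def handle(self, frame):
        if frame in self.COMMANDS:
            self.executed.append(frame)
            return True
        return False


def build_frame(counter, command, key=SHARED_KEY):
    """Frame = 4-byte big-endian counter || command || HMAC tag over counter||command."""
    body = struct.pack(">I", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class HardenedReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly
    greater than the last accepted one, so a captured frame cannot be replayed."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def handle(self, frame):
        if len(frame) < 4 + 1 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # replayed (or reordered) frame
        self.last_counter = counter
        self.executed.append(body[4:])
        return True


def demo():
    """Return the accept/reject outcomes for a captured command sent twice
    against each receiver, plus a tampered frame against the hardened one."""
    naive, hardened = NaiveReceiver(), HardenedReceiver()
    captured = b"UNLOCK"                        # what a sniffer sees on the naive link
    naive_outcome = (naive.handle(captured), naive.handle(captured))

    captured_frame = build_frame(1, b"UNLOCK")  # what a sniffer sees on the hardened link
    tampered = bytearray(build_frame(2, b"LOCK"))
    tampered[4] ^= 0xFF                         # flip a command byte; the tag no longer matches
    hardened_outcome = (
        hardened.handle(captured_frame),        # fresh counter: accepted
        hardened.handle(captured_frame),        # replay: rejected
        hardened.handle(bytes(tampered)),       # tampered: rejected
        hardened.handle(build_frame(2, b"LOCK")),  # next legitimate frame: accepted
    )
    return {"naive": naive_outcome, "hardened": hardened_outcome}


if __name__ == "__main__":
    print(demo())
```

A production receiver would persist `last_counter` across resets and derive the key per pairing rather than hard-code it; the point here is only that the replay the team tested for is defeated once freshness is bound into the authentication tag.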
Outlines
🔍 Comprehensive EV Security Assessment
The speaker, a lead IoT security consultant and hardware security researcher, discusses their role in ensuring the security of electronic devices, particularly in the electric vehicle (EV) sector. They highlight the importance of hardware testing and staying updated with vulnerabilities appearing in the market. The client, from the EV sector, seeks a security assessment because of the numerous communication protocols implemented in EVs. The assessment covers a broad range of tests, from radio protocols to hardware and firmware, with attention to the CAN protocol's speed and its critical role in automotive communications. The team checks for vulnerabilities such as exposed debug ports, firmware extraction, and communication protocol sniffing. They also investigate the Android application's security for potential data leaks and the Bluetooth communication's susceptibility to replay attacks. Professional tools like the EXPLIoT Nano board and Bus Auditor are used in this comprehensive hardware and firmware assessment.
🚨 Critical Vulnerabilities in EV Hardware
The speaker details the challenges faced during the hardware assessment of an EV, particularly the tight deadline and the need for a comprehensive test. They categorize the vulnerabilities found in the EV by CVSS score, identifying two critical vulnerabilities: unrestricted access to the ADB shell and an outdated Android version on the EV hardware with multiple security flaws. Additionally, four high-severity vulnerabilities are found: I2C chip data extraction, a DoS attack on the CAN bus, malicious packet injection on the CAN bus, and dashboard boot logs exposing sensitive information. The speaker emphasizes the potentially disastrous impact of these vulnerabilities on organizations, possibly leading to physical harm or significant financial loss. They advise regular security assessments and keeping the EV system updated to maintain trust and safety in the market.
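The CAN bus DoS and malicious packet injection findings above are the kind of conditions a bus monitor can watch for. The following is an added example, not code from the video or from Payatu: a Python monitor over candump-style log lines that flags a time window where frame volume explodes (here a flood of ID 0x000 frames, which win every arbitration and starve other nodes) and any frame whose ID is not on an allow-list. The log lines, IDs, rates and thresholds are constructed for illustration.

```python
"""Added example (not from the Payatu case study): replay candump-style CAN log
lines and flag a bus flood (DoS) and frames with unexpected IDs (injection).
All IDs, rates, thresholds and log lines here are constructed for illustration."""
import re
from collections import Counter, defaultdict

# candump -L style line: "(1700000000.123456) can0 123#DEADBEEF"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_line(line):
    """Return (timestamp, interface, arbitration id, data bytes) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])


def analyze(lines, allowed_ids, window=1.0, max_frames_per_window=300):
    """Bucket frames into time windows and report:
    - flood_windows: windows whose frame count exceeds max_frames_per_window
    - dominant: for each flood window, the (id, count) that dominates it; a low
      ID such as 0x000 wins every arbitration, so a flood of it starves the bus
    - unexpected_ids: IDs not on the allow-list (possible injection)
    """
    frames = [f for f in (parse_line(l) for l in lines) if f is not None]
    per_window = defaultdict(Counter)
    for ts, _iface, can_id, _data in frames:
        per_window[int(ts // window)][can_id] += 1
    flood = sorted(w for w, ids in per_window.items()
                   if sum(ids.values()) > max_frames_per_window)
    return {
        "frame_count": len(frames),
        "flood_windows": flood,
        "dominant": {w: per_window[w].most_common(1)[0] for w in flood},
        "unexpected_ids": sorted({can_id for _, _, can_id, _ in frames
                                  if can_id not in allowed_ids}),
    }


def build_sample_log():
    """Constructed sample: two legitimate IDs at 100 Hz for 3 s, a flood of
    ID 0x000 during the third second, and one injected diagnostic-style frame."""
    t0 = 1700000000.0
    lines = []
    for i in range(300):
        ts = t0 + i * 0.01
        lines.append(f"({ts:.6f}) can0 100#{i & 0xFF:02X}00")
        lines.append(f"({ts + 0.001:.6f}) can0 200#01")
    for i in range(500):
        lines.append(f"({t0 + 2.0 + i * 0.001:.6f}) can0 000#0000000000000000")
    lines.append(f"({t0 + 1.5:.6f}) can0 7DF#0201050000000000")
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log(), allowed_ids={0x100, 0x200})
    for w in report["flood_windows"]:
        can_id, n = report["dominant"][w]
        print(f"flood in window {w}: {n} frames of ID 0x{can_id:03X}")
    print("unexpected IDs:", [f"0x{i:03X}" for i in report["unexpected_ids"]])
```

On a real vehicle the allow-list and the per-window threshold come from a baseline capture of normal traffic; a per-ID rate check (a legitimate ID suddenly sent far faster than its usual period) catches injection that reuses known IDs, which this allow-list check alone does not.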
Keywords
💡IoT Security Consultant
💡Hardware Security Researcher
💡EV Market
💡CAN Protocol
💡Firmware
💡Debug Ports
💡Bluetooth Communication
💡CVSS Score
💡Black Box Assessment
💡Security Updates
Highlights
Introduction of the speaker's role as a lead IoT security consultant and hardware security researcher.
Description of the hardware testing process for client devices to ensure security.
Role of the hardware security researcher in researching vulnerabilities in various devices.
The growing market of electric vehicles (EV) and the importance of security assessment.
Explanation of the communication protocols implemented in EVs for security assessment.
The significance of the CAN protocol in automotive systems for fast communication.
Comprehensive list of test cases for hardware assessment of EVs.
Checking for debug ports like UART or JTAG to prevent firmware extraction.
Firmware extraction from the SPI flash chip and its vulnerabilities.
Sniffing wire communication protocols like SPI, I2C, and CAN for security assessment.
Assessment of the Android application for the EV's dashboard communication.
Sniffing and analyzing Bluetooth communication for potential security vulnerabilities.
Use of professional tools like the EXPLIoT Nano board and Bus Auditor for hardware assessment.
Challenges faced by the team in conducting comprehensive tests within tight deadlines.
Identification of two critical vulnerabilities in the EV hardware assessment.
Finding of four high-severity vulnerabilities that could lead to device manipulation.
Recommendation for regular security assessments to ensure EV system protection.
Emphasis on the potential disastrous consequences of unaddressed vulnerabilities in EVs.
Transcripts
My full name is ... a lead IoT security consultant and hardware security researcher. So as a consultant I take care of the client devices more from a hardware perspective: I do the hardware testing of those devices and, based on the report of the testing, I suggest the remediation steps to our client to make the device more secure from a hardware perspective. As a hardware security researcher I take many various devices, like medical devices or any IoT devices, for research purposes, to be updated with the vulnerabilities that are coming up in the market, to keep ourselves updated so that our testing process should be very recent, very updated.
EV is really a very growing market. Well, mostly all governments are implementing policies and incentives to encourage people to switch to EVs to combat climate change and the emission of greenhouse gases.
The client belongs to the EV sector, the electric vehicle sector. They gave their device for the assessment from a security perspective because it's an EV, so lots of communication protocols were implemented on the device, so it is highly advisable to do the security assessment.
The scope was: we have to touch every possible area, radio protocols, hardware, firmware and the CAN that is being implemented in the EV for communication with the different modules.
CAN is a very fast protocol that is mostly used in automotives. Let's suppose you applied a sudden brake, so immediately your airbag should open, right? So this communication should be very fast, right? So obviously, if the communication is happening, there must be some protocol being implemented between these, and for this protocol to be very fast, CAN is the very best option for now that is mostly used.
So we started our hardware assessment with a very comprehensive list of test cases. So the team checks to ensure whether any debug port is enabled or not, like UART or the JTAG debug ports, which could lead to the extraction of the firmware from the device and can be used to patch any malicious firmware in the device to make the device work maliciously. Completely we check for every component present on the motherboard of the dashboard, so we checked for whether any SPI or I2C chips are there. We found the SPI flash, then we successfully extracted the data, the complete firmware, out of that SPI flash chip, and the chip was vulnerable, like we can patch any malicious firmware back on the chip. We check for the firmware extraction methods that are possible on the motherboard of the dashboard, and we sniff the wired communication protocols like SPI, I2C, so we try to sniff the data being transmitted on these protocols, and obviously the CAN was there, so we tried to sniff the CAN protocol also, and we tried to check whether we can inject any malicious data over the CAN bus or not. So obviously there was a very big list, a very comprehensive checklist, out of which I discussed a few.
Android was running on all the underlying architecture of the EV. There was an Android application as well for the EV to communicate with the dashboard through your mobile, so we checked the mobile APK of that Android application to check whether any sensitive information is leaking.
For the Bluetooth, the team sniffed the communication of the Bluetooth and we captured the data that is being transmitted and we analyzed those packets. So we tried to manipulate the data and replay those data to check whether the replay attack is possible on this Bluetooth communication or not. We tried to fuzz the Bluetooth to check how it is behaving when it is receiving...
When it comes to resources, we have a lot of professional tools developed by Payatu itself. For hardware we used our EXPLIoT Nano board that is publicly available on our expliot.io; you can go and check over there, the very complete kit is there, you can check from there. So we used this EXPLIoT Nano board for extracting firmware out of the device, and we used Bus Auditor, which we used to find the debug ports present on the motherboard of the EVs, and for communication and sniffing we used the Bluetooth adapter to sniff the Bluetooth communication. So we used those tools to perform the hardware assessment. Apart from that, for the firmware assessment we have our own framework; we use that.
We were bound by tight deadlines and we were looking to do the very comprehensive test, so the team worked really hard within that bounded deadline to touch each and every area that should be assessed. So this was one of the challenges we faced, that in the limited time we have to do the complete comprehensive test with all the checklists we were having.
Let me divide the severity of these vulnerabilities on the basis of the CVSS score. We found two critical vulnerabilities. The reason I am saying this is critical is because these, you can suppose, are vulnerabilities giving complete access of a device, so that's what attackers want. The first was, we got the access to the ADB shell: any normal user can get the access of the ADB of the EV we assessed, and this was a very critical vulnerability because once you get the access to the ADB you get the complete access of the device. The second critical vulnerability was that the Android running on the EV hardware was completely outdated, and there were a lot of security vulnerabilities present on that version of the Android that was running on the device. So these are the two critical findings of that EV hardware that we assessed. So we got four high vulnerabilities. The reason I am calling it high is because these vulnerabilities can give you an attack surface from where you can inject your malicious data, and once you inject your malicious data, yes, you can make the device work or behave the way you want.
I2C memory extraction: an I2C chip was soldered on the motherboard of the EV and we were able to extract the complete information from that I2C chip, and we can write back any malicious data on the I2C chip, which will make the device behave maliciously. The DoS attack on the CAN bus. Malicious packet injection on the CAN bus. Fourth was the dashboard giving booting logs in clear text, and through that log any sensitive information could be accessed from that log. So these were the four high vulnerabilities we found in the EV.
As a security professional I'll say that the findings which we got in this EV could be disastrous for an organization; it could lead to physical harm or a big financial loss. We did the assessment from a black box perspective. Let's suppose any attacker got the access of the device from whatever entry points which we found; then the attacker can make a lot more changes in the complete EV system, and this could be very harmful for a person who is using an EV, and this could completely come at the cost of loss of trust in an organization if such vulnerable EVs are running in the market. I strongly suggest to take a complete security assessment of the complete EV system and keep yourself updated with the security updates, and please go through regular security assessments of the complete system to ensure that the device is completely protected.