In print: Windows Developer 3.16 - Attacks on automotive IT
An article on attacks against the IT systems in cars has been published in windows.developer 3.16.
Car manufacturers are packing more and more IT into their cars, and in doing so they make them more and more open to attack. If the IT can access the steering or the brakes, then under certain circumstances so can an attacker who has gained access to that IT. If developers do not take that into account, things can end badly.
The IT in cars urgently needs better protection. This applies above all to the OBD-II port and to the infotainment systems, which serve as an entry point again and again. The CAN bus would also need to be secured, but if the attacker cannot gain access to it, that is less urgent.
An intrusion prevention system proposed by Charlie Miller and Chris Valasek was already described in [1], and TU Wien is also working on similar solutions [68].
Far more important, however, is that car manufacturers and their suppliers, first, take security into account from the very start of the development process (comparable to Microsoft's Security Development Lifecycle, which has proven itself very well) and, second, create the infrastructure needed to fix flaws quickly. Both have been missing so far [69]. At least for the most part, because Bosch appears to be quite far along in protecting critical systems against attacks [70].
And here are the links and references from the article:
- [1] Carsten Eilers: "Zu Lande, zu Wasser und in der Luft"; Entwickler Magazin 6.14 (also published online)
- [2] Paul Such; Florian Gaultier; Def Con 22: "Playing with Car Firmware or How to Brick your Car" (presentation as PDF)
- [3] escar Asia
- [4] escar conference ¦ Embedded Security in Cars
- [5] escar EU conference 2014 ¦ Embedded Security in Cars
- [6] NCC Group: "USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems"
- [7] Carsten Eilers: "USB-Sicherheit - Ein Überblick"
- [8] escar Asia conference 2015 ¦ Embedded Security in Cars
- [9] SlideShare: "Attacking and Defending Autos Via OBD-II" from escar Asia
- [10] escar USA conference 2015 ¦ Embedded Security in Cars
- [11] Thomas Fox-Brewster; Forbes: "Hacker Says Attacks On 'Insecure' Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage"
- [12] Kelly Jackson Higgins; Dark Reading: "Security MIA In Car Insurance Dongle"
- [13] ADAC: "Sicherheitslücken bei BMW Connected Drive"
- [14] Axel Kossel; Heise Security: "BMW ConnectedDrive gehackt"
- [15] Martin Holland; Heise Security: "ConnectedDrive: Der BMW-Hack im Detail"
- [16] Dieter Spaar; c't online: "Auto, öffne dich!"
- [17] BMW press release: "BMW Group ConnectedDrive erhöht Datensicherheit. Auf Hinweise des ADAC schnell reagiert."
- [18] Metropolitan Police Service: "Drivers urged to protect vehicles against keyless theft"
- [19] Metropolitan Police Service: "Keyless Vehicle Theft"
- [20] Matt Brian; Engadget: "London has a real problem with thieves targeting keyless cars"
- [21] U.S. Senator Ed Markey of Massachusetts: "As Wireless Technology Becomes Standard, Markey Queries Car Companies about Security, Privacy"
- [22] Dennis Fisher; Threatpost: "Markey Car Security Report Just the Start for Automakers"
- [23] U.S. Senator Ed Markey of Massachusetts: "Markey Report Reveals Automobile Security and Privacy Vulnerabilities"
- [24] Eric Evenchick; Black Hat Asia 2015: "Hopping on the CAN Bus"
- [25] CANtact - The Open-Source Car Tool
- [26] ericevenchick on GitHub: CANard
- [27] Ford Media Center: "Ford Issues Safety Compliance Recall in North America"
- [28] BBC Technology: "Software bug prompts Range Rover recall"
- [29] Land Rover Service Bulletin: "Notification of Safety Recall P068: Vehicle door may not latch" (PDF)
- [30] Andy Greenberg; WIRED: "Hackers Remotely Kill a Jeep on the Highway—With Me in It"
- [31] Fiat Chrysler Automobiles: "Statement: Software Update"
- [32] Fiat Chrysler Automobiles: "FCA US LLC Releases Software Update to Improve Vehicle Electronic Security and Communications System Enhancements"
- [33] FCA US LLC Chronology - Select 2013-2015 Vehicles - RA3/4 Improved Vehicle Security Protection - Submitted on July 23, 2015 (PDF)
- [34] 2015 CHRYSLER 300 Recall: Radio Software Security Vulnerabilities
- [35] Andy Greenberg; WIRED: "After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix"
- [36] Gualberto Ranieri; FCA Corporate Blog: "Unhacking the hacked Jeep® SUV"
- [37] Gualberto Ranieri; FCA Corporate Blog: "Unhacking the hack: Ensuring security"
- [38] Fiat Chrysler Automobiles: "Statement: Software Update"
- [39] Samy Kamkar; video on YouTube: "OwnStar - hacking cars with OnStar to locate, unlock and remote start vehicles"
- [40] Andy Greenberg; WIRED: "This Gadget Hacks GM Cars to Locate, Unlock, and Start Them (UPDATED)"
- [41] Andy Greenberg; WIRED: "Patch Your OnStar iOS App to Avoid Getting Your Car Hacked"
- [42] Samy Kamkar on Twitter: "I've updated OwnStar to also unlock cars from and attack BMW Remote, Mercedes-Benz mbrace, and Chrysler Uconnect. https://t.co/qRsjtLnRlM"
- [43] Dennis Fisher; Threatpost: "OwnStar Attack Now Aimed at BMW, Chrysler, Mercedes Cars"
- [44] Charlie Miller, Chris Valasek; Black Hat USA 2015: "Remote Exploitation of an Unaltered Passenger Vehicle"
- [45] Charlie Miller, Chris Valasek: "Remote Exploitation of an Unaltered Passenger Vehicle" (PDF)
- [46] Samy Kamkar; DEF CON 23: "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars"
- [47] Samy Kamkar: "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars"
- [48] Samy Kamkar: OpenSesame
- [49] Dennis Fisher; Threatpost: "Gone in Less Than a Second"
- [50] Andy Greenberg; WIRED: "This Hacker's Tiny Device Unlocks Cars And Opens Garages"
- [51] Andy Davis; Black Hat USA 2015: "Broadcasting Your Attack: Security Testing DAB Radio in Cars"
- [52] NCC Group: "Black Hat USA 2015 presentation: Broadcasting your attack – DAB security"
- [53] Marc Rogers, Kevin Mahaffey; DEF CON 23: "How to Hack a Tesla Model S"
- [54] Kevin Mahaffey; Lookout Blog: "The new assembly line: 3 best practices for building (secure) connected cars"
- [55] Kevin Mahaffey; Lookout Blog: "Hacking a Tesla Model S: What we found and what we learned"
- [56] Ian Foster, Andrew Prudhomme, Karl Koscher, Stefan Savage: "Fast and Vulnerable: A Story of Telematic Failures" (PDF)
- [57] Lanrat: "Fast and Vulnerable: A Story of Telematic Failures"
- [58] Andy Greenberg; WIRED: "Hackers Cut a Corvette's Brakes Via a Common Car Gadget"
- [59] Graham Cluley: "Volkswagen silences talk about security flaws in luxury cars"
- [60] Roel Verdult, Flavio D. Garcia, Baris Ege: "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" (PDF)
- [61] Graham Cluley; HOTforSecurity: "Silenced for two years by Volkswagen, car hackers reveal their paper into security hole"
- [62] Karl Thomas; eset we live security: "Car security vulnerability study finally sees light of day"
- [63] Andy Greenberg; WIRED: "GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars"
- [64] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage; IEEE Symposium on Security and Privacy 2010: "Experimental Security Analysis of a Modern Automobile" (PDF)
- [65] Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, Tadayoshi Kohno; USENIX Security 2011: "Comprehensive Experimental Analyses of Automotive Attack Surfaces" (PDF)
- [66] Kelly Jackson Higgins; Dark Reading: "Hacking Virginia State Trooper Cruisers"
- [67] Kelly Jackson Higgins; Dark Reading: "State Trooper Vehicles Hacked"
- [68] Florian Aigner; TU Wien, press release 121/2014: "Hilfe, mein Auto wurde gehackt!"
- [69] Stephen Cobb; eset we live security: "Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals"
- [70] Axel Kossel; Heise Security: "Bosch-Manager: Auto-Hacks sind schwer zu kopieren"