A complete security penetration test: What if the next large-scale hack involved your vehicle instead of your security camera...

But my vehicle doesn't connect to the internet... Are you sure? Statista estimates that 40% of vehicles in the US were connected to the internet as of 2019 (that's 2 out of every 5 vehicles capable of accessing the internet!), and this is expected to rise to 74% (3 out of 4 vehicles) by 2023.

Even if you are not using in-car Wi-Fi, you might be using the entertainment system, or your car might be updating its Apple CarPlay software. All of these need the internet. And even if you are not actively using these features, unless the car manufacturer or chip manufacturer took the 'necessary' precautions (we will get to multiple reasons why that is just not the case, and why 'necessary' is in quotes), you are at risk!

I've broadly heard two opinions on this: 1) Yes, but this is all hearsay; 2) I've been convinced, and you've strengthened my conviction never to get behind the wheel of an internet-connected car. Neither of these is right or useful, in my opinion. In the first case, it is just not true. Read below for a short history of connected-vehicle hacking:

It all started in 2010. At least that's as far back as I'll go for this article, and it's a good point to start. A group of researchers from UW and UCSD posed an interesting problem: for 80 years or so, automobiles remained mostly static, consisting of an internal combustion engine, wheels, gearshift, throttle, and brake. Since the 1970s, however, tens of millions of lines of code have been introduced, spread among 50-70 independent computers called Electronic Control Units (ECUs). Why was this done? It started with California. California, being the pioneer, began to introduce strict pollutant regulations, and it made sense to electronically monitor and dynamically adjust fuel/oxygen ratios, which had the added benefit of improving efficiency and being more cost-effective. Thus the ECU was born. Back in the day, California was clearly allowed to pioneer auto emission rules, and it wasn't such a controversy. Subsequently there was a boom in ECUs as manufacturers started to realize the benefits of electronically monitoring and controlling throttle, brakes, airbag deployment, entertainment, lighting, climate, and so on.

These ECUs could then communicate with each other using a standard vehicle communication protocol, the CAN bus. However, while the ECU and CAN systems matured, they were never designed to be secure from outside interference in the first place, which is what the 2010 paper questioned: did these designs properly anticipate an adversary that could take control of the vehicle's computers? And what could the possible damage be?

They did a series of experiments connecting a laptop to the OBD-II port, and wrote custom software, CarShark, to communicate with ECUs through the OBD-II port. Ultimately, they found that they could send packets of data to ECUs without any authentication. More scary was that, by reverse engineering which packets corresponded to which outcome, they were able to control the radio, disable the engine, lock the brakes and control the HVAC. A particularly scary scenario was the 'Self-Destruct' mode, where they could display a 60-second countdown on the dash, after which all functions seized up and the car came to an abrupt halt. They showed that these attacks could in principle occur wirelessly: another car could connect to the laptop in the test car, which in turn was connected to the OBD-II port.

You might have thought that this was enough to cause the entire automotive industry to seriously consider revising old protocols to make more cyber-secure vehicles. However, it didn't. The criticism was that this hack required physical access to the OBD-II port, and someone with that access might as well just slash the tires, or heck, even cut vehicle cables.

The same group did a systematic analysis of attack vectors and showed that Bluetooth, radio, wireless, etc. were all sources of potential exploits. They didn't make their methods public because, understandably, potential bad actors could wreak havoc with them. Again this fell on deaf ears in the automotive industry.

Next, Charlie Miller and Chris Valasek obtained funding from DARPA in 2012 to develop a library of tools to aid automotive security research and ultimately make vehicles safer. The response from the auto industry was again more of the same blanket statement: we believe car systems to be robust and secure.

Then, in 2015, Miller and Valasek famously showed that they could gain complete remote access to a Jeep Grand Cherokee through vulnerabilities in the UConnect entertainment system. The key first step, it turns out, was that the UConnect system was connected to the Sprint network, and any Sprint device could connect to another one. All they needed to do was connect a cheap Sprint device to a laptop, scan for other devices, and potentially locate one on board a Jeep Grand Cherokee. They were even able to send messages, and ultimately these messages were relayed to the vehicle's ECUs through the CAN bus. Notoriously, the CAN bus does not know where messages are coming from, and treats all messages as legitimate. In a demonstration with a reporter from Wired, they showed they could blast music, swerve the car, and completely stop it, while the poor driver (Wired reporter Andy Greenberg) had no control! Finally, this caused a stir in the auto industry, and Jeep recalled 1.4 million vehicles.

These incidents spurred a flurry of research on other manufacturers, including Tesla, and each manufacturer was found to have its own vulnerabilities. The possibilities for vehicle compromise are seemingly endless.

Figure: Records compromised through hacks (in billions) vs. year, showing a trend of increasing exposure over the years, alongside images of prolific data breaches and the Miller and Valasek Jeep Cherokee hack.

Adding to the seemingly endless methods of compromising a vehicle is another scary thought. Miller and Valasek showed that, in principle, their hack could easily be scaled to a large number of compromised vehicles. In the last few years, hacking has been on the rise, and large-scale hacks involving millions of credit cards, accounts, SSNs, etc. have become commonplace. But what if hundreds or thousands of vehicles are hacked simultaneously? Something like this has never occurred, and the coupling of the cyber and physical realms would lead to disastrous consequences: driving in traffic is literally a very physical experience, and just a small fraction of vehicles behaving badly could be life-threatening. A single hacked vehicle would be bad enough for one person, but multiple hacked vehicles could disrupt an entire city, or even an entire country.

How does one solve this problem and make the connected-vehicle society robust against such malicious actors? The first step is to quantify the potential risks of a large-scale hack of connected vehicles, and then figure out how to protect against the scenarios that are particularly concerning.

To reveal potential risks, we developed a simple model in which hacked vehicles act as obstacles on the road. This could be the result of several scenarios: accidents caused by badly behaved hacked vehicles, vehicles intentionally stopped, or even vehicles stopped as a failsafe. Treating hacked vehicles as obstacles allowed us to use principles from statistical physics to estimate how many vehicles it takes to block a road with a given number of lanes, based on the probability that hacked vehicles in adjacent lanes block the entire road.

Figure: Colors denote connected road clusters. With 0 hacked vehicles, all roads are connected (yellow). With more hacked vehicles, more colors show up, and each colored cluster is inaccessible from the others. With between 10% and 20% of vehicles at rush hour hacked, more than half the city is inaccessible from the rest.

Next, we applied this to the city of Manhattan and found that it takes only 10-20% of vehicles at rush hour, corresponding to one of the four car manufacturers with the largest market share in Manhattan being hacked, to essentially freeze all traffic in Manhattan. Freeze as in nobody is going ANYWHERE. This is particularly concerning for emergency hospital access, etc. Once we published our study on the potential impacts of a large-scale hack that could cripple Manhattan transportation, we got a bunch of publicity from Forbes, Ars Technica, etc.
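As an added illustration of the obstacle-and-percolation argument above (a constructed toy, not the authors' model or code), the following Monte Carlo simulation estimates the chance that stopped vehicles block a multi-lane road segment and then feeds that blocking probability into a grid road network to measure how much of the city stays reachable. The road length, vehicle density, window size and grid dimensions are assumed values chosen for illustration.

```python
import random
from collections import Counter

# Constructed, simplified obstacle model: a road segment is a strip of `length` cells
# per lane; each cell holds a vehicle with probability `density`, and each vehicle is
# hacked (stopped) with probability `p_hacked`. The segment counts as blocked when, in
# some window of `window` consecutive cells, every lane contains a stopped vehicle, so
# traffic cannot weave around the obstacles.
def road_blocked(lanes, length, density, p_hacked, window, rng):
    stopped = [[rng.random() < density and rng.random() < p_hacked
                for _ in range(length)] for _ in range(lanes)]
    for start in range(length - window + 1):
        if all(any(lane[start:start + window]) for lane in stopped):
            return True
    return False

# Monte Carlo estimate of P(segment blocked) for a given hacked fraction.
# length=20 car-lengths roughly matches a short city block (assumed value).
def block_probability(lanes, p_hacked, trials=400, length=20, density=0.5, window=3, seed=1):
    rng = random.Random(seed)
    hits = sum(road_blocked(lanes, length, density, p_hacked, window, rng) for _ in range(trials))
    return hits / trials

# Manhattan-like grid: intersections are nodes, road segments are edges, and each
# segment is removed independently with probability q (the blocking probability above).
# Union-find then yields the connected clusters that correspond to the colored regions
# in the figure; the largest cluster's share of intersections is the "reachable city".
def largest_cluster_fraction(rows, cols, q, seed=1):
    rng = random.Random(seed)
    parent = list(range(rows * cols))
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for r in range(rows):
        for c in range(cols):
            node = r * cols + c
            if c + 1 < cols and rng.random() >= q:       # eastbound segment open
                parent[find(node)] = find(node + 1)
            if r + 1 < rows and rng.random() >= q:       # southbound segment open
                parent[find(node)] = find(node + cols)
    sizes = Counter(find(n) for n in range(rows * cols))
    return max(sizes.values()) / (rows * cols)

if __name__ == "__main__":
    for p in (0.0, 0.05, 0.1, 0.2, 0.3):
        q = block_probability(lanes=2, p_hacked=p)
        print(f"hacked={p:.2f}  P(segment blocked)={q:.2f}  "
              f"reachable fraction={largest_cluster_fraction(30, 30, q):.2f}")
```

The reachable fraction collapses once the per-segment blocking probability crosses the percolation threshold of the grid, which is the qualitative effect the 10-20% figure describes.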

I want to emphasize here that this is just starting the dialogue. There are of course criticisms. If the auto industry viewed the hackers who actually did the hacks as not concerning, what will they think of a couple of physicists coming up with a simple model of a plausible scenario, without even specifically claiming how the hack would be performed in the first place?

Here's the problem with that: one vehicle being hacked could be a liability. Remember the Uber incident where a pedestrian was killed? If a person or the driver was killed due to a software malfunction or, say, a hack, then the company would look pretty bad, but could maybe get away with it. It has happened a lot in history that a few unfortunate people pay the ultimate price, and this ultimately results in better safety regulations. Think about seat belt laws, or even the Triangle Shirtwaist Factory fire where 123 women and 23 men died, which led to better worker safety laws and regulations.

However... connecting the cyber and the physical leads to potential disruptions on an unprecedented scale: think about thousands of accidents happening all at once across an entire city. If an entire telecommunications network or an entire car manufacturer is hacked, the transmission of the hack is almost instantaneous, and the scale could be significant enough to cause a national calamity the size of a hurricane, and a hurricane that you've never prepared for. It is possibly even worse, since we've had millennia to learn to protect against nature, but have never had such an incident to deal with.

A month after we published our study, Consumer Watchdog came out with an assessment that a large-scale hack could potentially lead to loss of life on the scale of 9/11. They suggested that all vehicles be equipped with a kill switch in the event they are hacked.

Another interesting incident was a hacker who was able to break into more than 25,000 accounts at the GPS tracking device companies iTrack and ProTrack. They found that they could kill the engines of these vehicles, which in essence is the exact scenario we envisioned; what are the chances of that! Apparently all customers were given a default password of 123456 when they signed up. This highlights another flaw in vehicle security. You can design your vehicle telematics to be very secure, but there's no policy preventing manufacturers from connecting poorly authenticated apps to vehicles.

Where do we go from here?

Hopefully I've laid out that vehicle security concerns don't stop at preventing entry; because vehicles are embedded in a physical world, security should be viewed from a broader perspective. The usefulness of thinking through 'what-if' scenarios is that it allows us to plan around the event that vehicles are hacked, without prior knowledge of how they are hacked, thereby planning for future events. Once you install a new door, there's always a risk that someone you never wanted to get access does get access, no matter how secure you make the locks on the door. Which is why you need to be prepared and have a contingency plan to ensure safety in the unlikely event of a break-in. The same goes for vehicles. The internet has opened your car doors to the entire world. And we have a long way to go, with a lot of hard discussions, to make ourselves secure against a large-scale hack of connected vehicles.

If you are interested in this article or assessing and mitigating the impacts of a large-scale hack in your industry, please contact me at ChaosControl: skandavivek@chaoscontrol.net

Translated from: https://medium.com/swlh/what-if-the-next-large-scale-hack-involved-your-vehicle-instead-of-your-security-camera-45ba0895861d
