5 https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/2-Wireless.md
8 <!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml -->
12 In this part, we talk about possible remote attacks on a car, according to the
13 different areas of possible attacks. For each communication channels, we
14 describe attacks and how to prevent them with some recommendations. The main
15 recommendation is to always follow the latest updates of these remote
16 communication channels.
18 <!-- section-config -->
20 Domain | Object | Recommendations
21 ----------------------- | ------ | ------------------------------------------------------------------
22 Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.
24 <!-- end-section-config -->
26 We will see the following parts:
30 - [Bluetooth](#bluetooth)
32 - [Cellular](#cellular)
41 ----------------------- | -------------------------------------------
42 Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).
44 <!-- end-section-todo -->
46 --------------------------------------------------------------------------------
48 For existing automotive-specific means, we take examples of existing system
49 attacks from the _IOActive_ document ([A Survey of Remote Automotive Attack Surfaces](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf))
50 and from the ETH document ([Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)).
52 - [Telematics](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D)
54 - [Passive Anti-Theft System (PATS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A11%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C574%2C0%5D)
56 - [Tire Pressure Monitoring System (TPMS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A17%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D)
58 - [Remote Keyless Entry/Start (RKE)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A26%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D)
60 - [Passive Keyless Entry (PKE)](https://eprint.iacr.org/2010/332.pdf)
62 --------------------------------------------------------------------------------
70 We can differentiate existing attacks on wifi in two categories: Those on
71 **WEP** and those on **WPA**.
75 - **FMS**: (**F**luhrer, **M**antin and **S**hamir attack) is a "Stream cipher
76 attack on the widely used RC4 stream cipher. The attack allows an attacker
77 to recover the key in an RC4 encrypted stream from a large number of
78 messages in that stream."
79 - **KoreK**: "Allows the attacker to reduce the key space".
80 - **PTW**: (**P**yshkin **T**ews **W**einmann attack).
81 - **Chopchop**: Found by KoreK, "Weakness of the CRC32 checksum and the lack
82 of replay protection."
87 - **Beck and Tews**: Exploit weakness in **TKIP**. "Allow the attacker to
88 decrypt **ARP** packets and to inject traffic into a network, even
89 allowing him to perform a **DoS** or an **ARP** poisoning".
90 - [KRACK](https://github.com/kristate/krackinfo): (K)ey (R)einstallation
91 (A)tta(ck) ([jira AGL SPEC-1017](https://jira.automotivelinux.org/browse/SPEC-1017)).
95 - Do not use **WEP**, **PSK** and **TKIP**.
97 - Use **WPA2** with **CCMP**.
99 - Should protect data sniffing.
101 <!-- section-config -->
103 Domain | Tech name or object | Recommendations
104 ---------------------------- | ------------------- | -------------------------------------------------------------------------
105 Connectivity-Wireless-Wifi-1 | WEP, PSK, TKIP | Disabled
106 Connectivity-Wireless-Wifi-2 | WPA2 and AES-CCMP | Used
107 Connectivity-Wireless-Wifi-3 | WPA2 | Should protect data sniffing.
108 Connectivity-Wireless-Wifi-4 | PSK | Changing regularly the password.
109 Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the last security update.
111 <!-- end-section-config -->
113 See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf)
114 and [Breaking wep and wpa (Beck and Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf)
115 for more information.
117 --------------------------------------------------------------------------------
125 - **Bluesnarfing** attacks involve an attacker covertly gaining access to your
126 Bluetooth-enabled device for the purpose of retrieving information, including
127 addresses, calendar information or even the device's **I**nternational
128 **M**obile **E**quipment **I**dentity. With the **IMEI**, an attacker could
129 route your incoming calls to his cell phone.
130 - **Bluebugging** is a form of Bluetooth attack often caused by a lack of
131 awareness. Similar to bluesnarfing, bluebugging accesses and uses all phone
132 features but is limited by the transmitting power of class 2 Bluetooth radios,
133 normally capping its range at 10-15 meters.
134 - **Bluejacking** is the sending of unsolicited messages.
135 - **BLE**: **B**luetooth **L**ow **E**nergy [attacks](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf).
136 - **DoS**: Drain a device's battery or temporarily paralyze the phone.
140 - Not allowing Bluetooth pairing attempts without the driver's first manually
141 placing the vehicle in pairing mode.
143 - Use **BLE** with caution.
144 - For v2.1 and later devices using **S**ecure **S**imple **P**airing (**SSP**),
145 avoid using the "Just Works" association model. The device must verify that
146 an authenticated link key was generated during pairing.
148 <!-- section-config -->
150 Domain | Tech name | Recommendations
151 --------------------------------- | ------------- | ------------------------------------------------------------
152 Connectivity-Wireless-Bluetooth-1 | BLE | Use with caution.
153 Connectivity-Wireless-Bluetooth-2 | Bluetooth | Monitoring
154 Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" association model.
155 Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable. Except when needed.
156 Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.
158 <!-- end-section-config -->
160 See [Low energy and the automotive transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf),
161 [Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf),
162 [Comprehensive Experimental Analyses of Automotive Attack Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf)
163 and [With Low Energy comes Low Security](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf)
164 for more information.
166 --------------------------------------------------------------------------------
174 - **IMSI-Catcher**: Is a telephone eavesdropping device used for intercepting
175 mobile phone traffic and tracking location data of mobile phone users.
176 Essentially a "fake" mobile tower acting between the target mobile phone and
177 the service provider's real towers, it is considered a man-in-the-middle
180 - Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with **GEA0**.
182 - **Fall back** from **UMTS**/**HSPA** to **GPRS**/**EDGE** (Jamming against
189 - Check antenna legitimacy.
191 <!-- section-config -->
193 Domain | Tech name | Recommendations
194 -------------------------------- | --------- | --------------------------
195 Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
196 Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming.
198 <!-- end-section-config -->
200 See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf)
201 for more information.
203 --------------------------------------------------------------------------------
209 - Interception of data with low cost material (**SDR** with hijacked DVB-T/DAB
214 - Use the **R**adio **D**ata **S**ystem (**RDS**) only to send signals for audio
215 output and meta concerning radio.
217 <!-- section-config -->
219 Domain | Tech name | Recommendations
220 ----------------------------- | --------- | --------------------------------------------
221 Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio.
223 <!-- end-section-config -->
225 --------------------------------------------------------------------------------
233 - **MITM**: Relay and replay attack.
237 - Should implements protection against relay and replay attacks (Tokens, etc...).
238 - Disable unneeded and unapproved services and profiles.
239 - NFC should be use encrypted link (secure channel). A standard key agreement
240 protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied
241 to establish a shared secret between two devices.
242 - Automotive NFC device should be certified by NFC forum entity: The NFC Forum
243 Certification Mark shows that products meet global interoperability standards.
244 - NFC Modified Miller coding is preferred over NFC Manchester coding.
246 <!-- section-config -->
248 Domain | Tech name | Recommendations
249 --------------------------- | --------- | ------------------------------------------------------
250 Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
251 Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.
253 <!-- end-section-config -->