X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=docs%2F2_Architecture_Guides%2F2.2_Security_Blueprint%2F7_Connectivity%2F1.2.7.2_Wireless.md;h=ce0259e3e46f4cb7e2598fa60c597ecae3dd1c2f;hb=da6cd0b6c26ca9a3760d8a89ce68baf83eeaa1b1;hp=1be314d5603d5af9de4e21684b520af2f2ebbc38;hpb=eefc3ab6cbb8a5901632f46d99e13c8d90b2415d;p=AGL%2Fdocumentation.git diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md index 1be314d..ce0259e 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md @@ -1,12 +1,7 @@ --- -edit_link: '' title: Wireless -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/2-Wireless.md --- - - # Wireless In this part, we talk about possible remote attacks on a car, according to the @@ -46,16 +41,21 @@ Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). -------------------------------------------------------------------------------- For existing automotive-specific means, we take examples of existing system -attacks from the _IOActive_ document ([A Survey of Remote Automotive Attack Surfaces](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf)) -and from the ETH document ([Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)). +attacks from the _IOActive_ document ([A Survey of Remote Automotive Attack +Surfaces](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf)) +and from the ETH document ([Relay Attacks on Passive Keyless Entry and Start +Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)). - [Telematics](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) -- [Passive Anti-Theft System (PATS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A11%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C574%2C0%5D) +- [Passive Anti-Theft System + (PATS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A11%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C574%2C0%5D) -- [Tire Pressure Monitoring System (TPMS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A17%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) +- [Tire Pressure Monitoring System + (TPMS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A17%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) -- [Remote Keyless Entry/Start (RKE)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A26%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) +- [Remote Keyless Entry/Start + (RKE)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A26%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) - [Passive Keyless Entry (PKE)](https://eprint.iacr.org/2010/332.pdf) @@ -85,10 +85,11 @@ We can differentiate existing attacks on wifi in two categories: Those on - **WPA** attacks: - **Beck and Tews**: Exploit weakness in **TKIP**. "Allow the attacker to - decrypt **ARP** packets and to inject traffic into a network, even - allowing him to perform a **DoS** or an **ARP** poisoning". + decrypt **ARP** packets and to inject traffic into a network, even allowing + him to perform a **DoS** or an **ARP** poisoning". - [KRACK](https://github.com/kristate/krackinfo): (K)ey (R)einstallation - (A)tta(ck) ([jira AGL SPEC-1017](https://jira.automotivelinux.org/browse/SPEC-1017)). + (A)tta(ck) ([jira AGL + SPEC-1017](https://jira.automotivelinux.org/browse/SPEC-1017)). ### Recommendations @@ -110,9 +111,9 @@ Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software -See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf) -and [Breaking wep and wpa (Beck and Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf) -for more information. +See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf) and +[Breaking wep and wpa (Beck and +Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf) for more information. -------------------------------------------------------------------------------- @@ -132,7 +133,8 @@ for more information. features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters. - **Bluejacking** is the sending of unsolicited messages. -- **BLE**: **B**luetooth **L**ow **E**nergy [attacks](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf). +- **BLE**: **B**luetooth **L**ow **E**nergy + [attacks](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf). - **DoS**: Drain a device's battery or temporarily paralyze the phone. ### Recommendations @@ -142,8 +144,8 @@ for more information. - Monitoring. - Use **BLE** with caution. - For v2.1 and later devices using **S**ecure **S**imple **P**airing (**SSP**), - avoid using the "Just Works" association model. The device must verify that - an authenticated link key was generated during pairing. + avoid using the "Just Works" association model. The device must verify that an + authenticated link key was generated during pairing. @@ -157,10 +159,13 @@ Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow do -See [Low energy and the automotive transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf), -[Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf), -[Comprehensive Experimental Analyses of Automotive Attack Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf) -and [With Low Energy comes Low Security](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) +See [Low energy and the automotive +transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf), [Gattacking +Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf), [Comprehensive +Experimental Analyses of Automotive Attack +Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf) and [With Low +Energy comes Low +Security](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) for more information. -------------------------------------------------------------------------------- @@ -177,7 +182,8 @@ for more information. the service provider's real towers, it is considered a man-in-the-middle (**MITM**) attack. -- Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with **GEA0**. +- Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with + **GEA0**. - **Fall back** from **UMTS**/**HSPA** to **GPRS**/**EDGE** (Jamming against **UMTS**/**HSPA**). @@ -197,7 +203,8 @@ Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming. -See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf) +See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data +communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf) for more information. -------------------------------------------------------------------------------- @@ -234,7 +241,8 @@ Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concernin ### Recommendations -- Should implements protection against relay and replay attacks (Tokens, etc...). +- Should implements protection against relay and replay attacks (Tokens, + etc...). - Disable unneeded and unapproved services and profiles. - NFC should be use encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied