TPMS (Tire Pressure Monitoring System)
Presenter: Wenyuan Xu
Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, Ivan Seskar
Dept. of CSE, University of South Carolina; WINLAB, Rutgers University
Computer Science and Engineering
Wireless in Automobiles
• Wireless increasingly connected to CAN bus in automobiles
  – Web-based vehicle-immobilization system
  – MyRate from insurance companies to collect data
  – “iChange” controls the car via an iPhone
  – More in-car wireless sensor networks
Tire Pressure Monitoring System (TPMS)
• What is TPMS?
  – Monitors tire pressure in real time
  – Alerts drivers if underinflated
  – To increase safety and fuel economy
  – Indirect TPMS vs. direct TPMS
• National Highway Transportation Safety Administration (NHTSA) mandates TPMS. Virtually all new cars sold or manufactured after 2007 in the US are equipped with wireless TPMS.
Misuse 1: Car Tracking
Misuse 2: Trick The Driver To Stop?
TPMS — To Be Discovered
• What are the communication protocol details?
  – How difficult to reverse engineer?
  – Messages encrypted? Authenticated?
• How easy to eavesdrop TPMS communication?
  – What is the range?
  – Travel speeds, car’s metal body, message rate, transmission power
• How easy to spoof TPMS communication?
  – What is the range?
  – ECU filters/rejects suspicious packets?
  – How much damage can spoofing accomplish?
• What can be done to protect TPMS communication?
TPMS — From the Public Domain
• Communication protocols
  – Link sensor IDs with TPMS ECU
  – Sensors → ECU: 315/433 MHz
    • ECU filters packets based on IDs
  – Sensors can be woken up by
    • ECU → sensors: 125 kHz
    • Travel at high speeds (>40 km/h)
[Figure labels: tire pressure sensors; receiving antennas; TPMS electric control unit (ECU)]
Security and Privacy Analysis Step 1: Reverse-engineering
• Proprietary protocols
  – Security through obscurity?
• Goal
  – Modulation schemes
  – Encoding schemes
  – Message formats (encrypted?)
• Equipment
  – ATEQ VT55
  – Sensors: TPS-A and TPS-B
  – Agilent Vector Signal Analyzer (VSA)
  – Universal Software Radio Peripheral (USRP)
Reverse-Engineering Walk-Through
• Reverse engineering steps
  – Capture packet transmission
  – Demodulate and decode data
  – Determine packet format
• Observations
  – Reverse engineering possible
  – No encryption
32-bit or 28-bit
Triggered sensors at 125 kHz
Responded at 315 MHz
Captured RF transmission at 315 MHz
Determined message format
Determined modulation (ASK) and encoding scheme (Manchester)
How likely that two cars have the same ID? 1015 cars with Pc = 1%.
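The Manchester decoding step named in the walk-through above, as an added example that is not code from the slides or the authors: it decodes a constructed chip stream (what an ASK demodulator yields after thresholding) and reports symbols that lack the mid-bit transition instead of guessing them. The bit convention and the 32-bit sample value are assumptions; the slides give neither the convention nor the packet layout.

```python
# Added illustration (not from the slides): Manchester line-code decoding.
# Assumption: IEEE 802.3 convention, 1 = low->high (0,1), 0 = high->low (1,0).

def int_to_bits(value, width):
    """MSB-first list of bits for an unsigned integer."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    """Inverse of int_to_bits; refuses frames that contain undecodable bits."""
    if any(b is None for b in bits):
        raise ValueError("frame contains invalid Manchester symbols")
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def manchester_encode(bits):
    """Each data bit becomes two half-bit chips with a mid-bit transition."""
    chips = []
    for b in bits:
        chips.extend((0, 1) if b else (1, 0))
    return chips

def manchester_decode(chips):
    """Return (bits, bad_symbols). A pair without a transition (00 or 11) is
    not a legal symbol, so it is reported instead of being guessed."""
    if len(chips) % 2:
        raise ValueError("odd chip count: stream is truncated or misaligned")
    bits, bad = [], []
    for n in range(len(chips) // 2):
        pair = (chips[2 * n], chips[2 * n + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            bits.append(None)
            bad.append(n)
    return bits, bad

if __name__ == "__main__":
    CONSTRUCTED_FIELD = 0x1A2B3C4D  # constructed 32-bit value, not a real sensor ID
    chips = manchester_encode(int_to_bits(CONSTRUCTED_FIELD, 32))
    bits, bad = manchester_decode(chips)
    print(hex(bits_to_int(bits)), bad)
    chips[4] ^= 1  # simulate one chip corrupted by noise
    print(manchester_decode(chips)[1])
```

Because every legal symbol contains a transition, a single flipped chip always produces an illegal pair, which gives a receiver a cheap integrity signal but no protection against a well-formed forged frame.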
Security and Privacy Analysis Step 2: Eavesdrop capability
• How likely to eavesdrop?
  – Cars travel at high speeds
  – Cars’ metal bodies shield RF
  – TPMS message rate (1 per 60s-90s)
  – Low transmission power (battery)
• Eavesdropping System
  – Used USRP only, no VSA
  – Used low noise amplifier (LNA)
  – Reused decoders from RE
  – Developed a live decoder/eavesdropper
Low noise amplifier (LNA)
Demonstration of Live Eavesdropping
Sensor ID 884368A2
Exp. 1: Eavesdropping Distance
• Scenarios
  – USRP + cheap antenna
  – USRP + LNA ($75) + cheap antenna
• Observations
  – Able to decode packets if RSS (received signal strength) > ambient noise floor
  – LNA boosts the decoding range from 10.7m to 40m
Exp. 2: Eavesdropping Distance and Angle
• Setup
  – USRP at origin
  – Car...