Hacking Connected Cars – Tactics, Techniques, and Procedures

About the Author v Acknowledgments vii Foreword xv Introduction xix Part I Tactics, Techniques, and Procedures 1 Chapter 1 Pre-Engagement 3 Penetration Testing Execution Standard 4 Scope Definition 6 Architecture 7 Full Disclosure 7 Release Cycles 7 IP Addresses 7 Source Code 8 Wireless Networks 8 Start and End Dates 8 Hardware Unique Serial Numbers 8 Rules of Engagement 9 Timeline 10 Testing Location 10 Work Breakdown Structure 10 Documentation Collection and Review 11 Example Documents 11 Project Management 13 Conception and Initiation 15 Definition and Planning 16 Launch or Execution 22 Performance/Monitoring 23 Project Close 24 Lab Setup 24 Required Hardware and Software 25 Laptop Setup 28 Rogue BTS Option 1: OsmocomBB 28 Rogue BTS Option 2: BladeRF + YateBTS 32 Setting Up Your WiFi Pineapple Tetra 35 Summary 36 Chapter 2 Intelligence Gathering 39 Asset Register 40 Reconnaissance 41 Passive Reconnaissance 42 Active Reconnaissance 56 Summary 59 Chapter 3 Threat Modeling 61 STRIDE Model 63 Threat Modeling Using STRIDE 65 VAST 74 PASTA 76 Stage 1: Define the Business and Security Objectives 77 Stage 2: Define the Technical Scope 78 Stage 3: Decompose the Application 79 Stage 4: Identify Threat Agents 80 Stage 5: Identify the Vulnerabilities 82 Stage 6: Enumerate the Exploits 82 Stage 7: Perform Risk and Impact Analysis 83 Summary 85 Chapter 4 Vulnerability Analysis 87 Passive and Active Analysis 88 WiFi 91 Bluetooth 100 Summary 105 Chapter 5 Exploitation 107 Creating Your Rogue BTS 108 Configuring NetworkinaPC 109 Bringing Your Rogue BTS Online 112 Hunting for the TCU 113 When You Know the MSISDN of the TCU 113 When You Know the IMSI of the TCU 114 When You Don't Know the IMSI or MSISDN of the TCU 114 Cryptanalysis 117 Encryption Keys 118 Impersonation Attacks 123 Summary 132 Chapter 6 Post Exploitation 133 Persistent Access 133 Creating a Reverse Shell 134 Linux Systems 136 Placing the Backdoor on the System 137 Network Sniffing 137 Infrastructure Analysis 138 Examining the Network Interfaces 139 Examining the ARP Cache 139 Examining DNS 141 Examining the Routing Table 142 Identifying Services 143 Fuzzing 143 Filesystem Analysis 148 Command-Line History 148 Core Dump Files 148 Debug Log Files 149 Credentials and Certificates 149 Over-the-Air Updates 149 Summary 150 Part II Risk Management 153 Chapter 7 Risk Management 155 Frameworks 156 Establishing the Risk Management Program 158 SAE J3061 159 ISO/SAE AWI 21434 163 HEAVENS 164 Threat Modeling 166 STRIDE 168 PASTA 171 TRIKE 175 Summary 176 Chapter 8 Risk-Assessment Frameworks 179 HEAVENS 180 Determining the Threat Level 180 Determining the Impact Level 183 Determining the Security Level 186 EVITA 187 Calculating Attack Potential 189 Summary 192 Chapter 9 PKI in Automotive 193 VANET 194 On-board Units 196 Roadside Unit 196 PKI in a VANET 196 Applications in a VANET 196 VANET Attack Vectors 197 802.11p Rising 197 Frequencies and Channels 197 Cryptography 198 Public Key Infrastructure 199 V2X PKI 200 IEEE US Standard 201 Certificate Security 201 Hardware Security Modules 201 Trusted Platform Modules 202 Certificate Pinning 202 PKI Implementation Failures 203 Summary 203 Chapter 10 Reporting 205 Penetration Test Report 206 Summary Page 206 Executive Summary 207 Scope 208 Methodology 209 Limitations 211 Narrative 211 Tools Used 213 Risk Rating 214 Findings 215 Remediation 217 Report Outline 217 Risk Assessment Report 218 Introduction 219 References 220 Functional Description 220 Head Unit 220 System Interface 221 Threat Model 222 Threat Analysis 223 Impact Assessment 224 Risk Assessment 224 Security Control Assessment 226 Example Risk Assessment Table 229 Summary 230 Index 233