Automated Cross-Platform Reverse Engineering of CAN Bus Commands From Mobile Apps

In modern automobiles, CAN bus commands are necessary for a wide range of applications such as diagnosis, security monitoring, and recently autonomous driving. However, only a small portion of CAN bus commands is standardized, and the vast majority of them are developed privately by car manufacturers. Today, the most effective way of revealing the proprietary CAN bus commands is to reverse engineer them with real cars, which unfortunately is time-consuming and costly. In this paper, we propose a cost-effective (no real car needed) and automatic (no human intervention required) system, CANHUNTER, for reverse engineering CAN bus commands using just car companion mobile apps. To achieve high effectiveness, we design an efficient technique to uncover the syntactics of CAN bus commands with backward slicing and dynamic forced execution, and a novel algorithm to uncover the semantics of CAN bus commands by leveraging code-level semantic clues. We have implemented a prototype of CANHUNTER for both Android and iOS platforms, and tested it with all free car companion apps (236 in total) from both Google Play and the Apple App Store. Among these apps, CANHUNTER discovered 182,619 unique CAN bus commands, 86.1% of them with semantics revealed, covering 360 car models from 21 car manufacturers. We have also evaluated their correctness (both syntactics and semantics) using public resources, cross-platform and cross-app validation, and real-car testing, with which over 70% of all the uncovered commands are validated. We observe no inconsistency in cross-platform and cross-app validation. While there are 3 semantic inconsistencies among the 241 manually validated CAN bus commands from public resources and real-car testing, we find that these three cases are actually caused by mistakes from app developers.
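The abstract pairs backward slicing (keep only the statements that feed the command string handed to the send routine) with forced execution (take both sides of every branch so no UI or connectivity predicate has to be solved). The following toy, added here as an illustration and not CANHUNTER's own code, shows the two steps working together on a tiny constructed intermediate representation; the IR, the `send` sink name and the sample program are all assumptions made for the demo, whereas the real system operates on Android and iOS app code.

```python
"""Backward slicing + forced execution on a toy app IR (illustrative only)."""

# Expressions: ("const", s) | ("var", name) | ("cat", e1, e2) | ("input", label)
# Statements:  ("set", name, expr) | ("if", pred, then_stmts, else_stmts) | ("send", name)


def expr_vars(expr):
    """Variables an expression reads, i.e. its data dependences."""
    if expr[0] == "var":
        return {expr[1]}
    if expr[0] == "cat":
        return expr_vars(expr[1]) | expr_vars(expr[2])
    return set()


def backward_slice(stmts, needed):
    """Walk a block backwards from the sink, keeping only statements that
    define a live variable. Returns (sliced_stmts, live_before_block).
    Branch predicates are deliberately not added to the slice: forced
    execution will run both sides anyway, so their inputs are irrelevant."""
    out, live = [], set(needed)
    for st in reversed(stmts):
        if st[0] == "send":
            live.add(st[1])
            out.append(st)
        elif st[0] == "set" and st[1] in live:
            live.discard(st[1])
            live |= expr_vars(st[2])
            out.append(st)
        elif st[0] == "if":
            then_s, live_t = backward_slice(st[2], live)
            else_s, live_e = backward_slice(st[3], live)
            if then_s or else_s:
                out.append(("if", st[1], then_s, else_s))
            live = live_t | live_e
    out.reverse()
    return out, live


def evaluate(expr, env):
    """Concrete evaluation; unresolvable inputs become labelled placeholders."""
    if expr[0] == "const":
        return expr[1]
    if expr[0] == "var":
        return env.get(expr[1], "<undef:%s>" % expr[1])
    if expr[0] == "cat":
        return evaluate(expr[1], env) + evaluate(expr[2], env)
    if expr[0] == "input":
        return "<%s>" % expr[1]
    raise ValueError(expr[0])


def force_execute(stmts, envs):
    """Run every path: at each `if` the environments are forked and both
    branches are executed regardless of the predicate's value.
    Returns (values_reaching_sink, environments_after_block)."""
    reached = set()
    for st in stmts:
        if st[0] == "set":
            for env in envs:
                env[st[1]] = evaluate(st[2], env)
        elif st[0] == "send":
            reached |= {env.get(st[1], "<undef:%s>" % st[1]) for env in envs}
        elif st[0] == "if":
            r_t, envs_t = force_execute(st[2], [dict(e) for e in envs])
            r_e, envs_e = force_execute(st[3], [dict(e) for e in envs])
            reached |= r_t | r_e
            envs = envs_t + envs_e
    return reached, envs


def recover_commands(program):
    """Slice from the sink, then force-execute the slice; returns the
    sorted command strings and the slice that produced them."""
    sliced, _ = backward_slice(program, set())
    reached, _ = force_execute(sliced, [{}])
    return sorted(reached), sliced


# Constructed sample "app": builds a diagnostic request whose PID depends on a
# connectivity flag we cannot resolve statically, plus unrelated UI code.
SAMPLE_APP = [
    ("set", "hdr", ("const", "7E0")),                  # constructed ECU address
    ("set", "user", ("input", "username")),            # unrelated UI input
    ("set", "greeting", ("cat", ("const", "Hello "), ("var", "user"))),
    ("set", "ok", ("input", "ble_connected")),         # unresolvable predicate
    ("if", "ok",
        [("set", "pid", ("const", "010C"))],           # then-branch command
        [("set", "pid", ("const", "010D"))]),          # else-branch command
    ("set", "cmd", ("cat", ("var", "hdr"), ("cat", ("const", "#"), ("var", "pid")))),
    ("send", "cmd"),                                   # the sink
]

if __name__ == "__main__":
    cmds, sliced = recover_commands(SAMPLE_APP)
    print("slice keeps %d of %d statements" % (len(sliced), len(SAMPLE_APP)))
    print("commands reaching send():", cmds)
```

The slice drops the username and greeting statements and the `ok` assignment, so forced execution never touches the unresolvable inputs; both branch outcomes still produce a concrete command string because the string parts are constants in the app. Where a command part really is user-controlled, the placeholder in the output makes that visible rather than silently guessing a value.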
